IceCheck
Explorer

Secondary public IP on Wan interface

Dear All,

We are using a ClusterXL configuration with 3600 in R80.40.

Currently our provider is giving us two IP subnets. The default one is /30 and the second one is /29.

I did not find how to add a secondary IP on the WAN interface. Could you please tell me if it is possible to do it directly on the firewall?

Or do we need to use an L3 switch between the ISP router and the firewall? Ideally we have to use a switch due to the cluster config but want to have L2 only.

After that, the same question: if we are using two ISPs, will it be possible to have secondary IPs on both?

Thanks in advance


Accepted Solutions
PhoneBoy
Admin

You cannot use secondary IPs/LANs with ClusterXL--this is not supported.
The correct way to do this is to have your /29 routed to your cluster IP by the ISP router.
You can either use the /29 for NAT rules OR you can assign it to a physical interface (different from WAN).
If you're using clustering, assume L3 (Switches) are required on all connected interfaces.

In the case of sharing the /29 you got from one ISP with another...not possible.

IceCheck
Explorer

Thank you for your message and explanation.

Effectively, due to clustering we are using switches, ideally L2 but due to this configuration L3.

Is this feature not supported for all devices and all versions? Or is it specific to this version and device?

Thanks

Chris_Atkinson
Employee

As PhoneBoy said above, it's not the recommended way to do it regardless.

If your ISP cannot route the network towards your firewall's existing WAN IP (VIP), then you may need to consider dynamic routing to advertise it.

CCSM R77/R80/ELITE
PhoneBoy
Admin

Using multiple IPs on a ClusterXL interface? Not supported on any version.

Bob_Zimmerman
Authority

Multiple ISPs should be handled with multiple separate external interfaces. These can be tagged subinterfaces of a physical interface, or they can be multiple physical interfaces. You would then configure ISP Redundancy in the cluster object.

As for multiple public blocks from one ISP, how is that supposed to work? Are both of these networks on a single broadcast domain?

If they're both on one broadcast domain and you don't need the firewall itself to initiate new connections out from one of the IPs, you can always just add a proxy ARP statement for it. That will get the traffic from the broadcast domain to the firewall, where you can apply NAT or whatever.
