Dustin
New Member
January 22, 2016
Solved

Additional WAN interfaces


Hello,


High level, I have a 100D running OS 5.4, 2 ISPs with multiple public static IPs.

WAN1 and WAN2 are set up in WLLB so traffic uses WAN1 with failover to WAN2.

I have configured 2 Hardware Switches grouping ports 1-8 for LAN and ports 9-12 for VoIP.

My configuration is set up so that the LAN is on a separate subnet (and internal switch) from the VoIP.

I use WLLB Rules to route VoIP traffic out WAN2 and rely on the WLLB to control failover support.


Now, I would like to set up an additional port (port 15) as another WAN port with a static IP from my WAN1 ISP provider.

I'll use this port as my endpoint for site to site IPSec VPN tunnels and would like to route the traffic to the LAN subnet.

When I try to configure the port (which is in interface mode) to an external IP, I get an error message that the subnet conflicts with WAN1. 


Am I missing a step or is there a better way to configure an additional WAN port on the same external subnet?

Other suggestions?


Thanks

2 replies

Dustin (Author)
New Member
January 22, 2016

Follow up: I found something related to the issue,


config sys settings
    set allow-subnet-overlap enable
end


Is there a down side to this?

ede_pfau (Answer)
SuperUser
January 22, 2016

You can't.

The FGT (in routing mode) is a router, each interface connects to a different network. Which in other words means that no 2 interfaces can be in the same network.

What you can do is create a VIP (virtual IP address) on the WAN interface with the second public IP. The FGT will then respond on behalf of the VIP. Physically, this would use only one port.

Dustin (Author)
New Member
January 22, 2016

Thank you for the reply.


I was digging around and found a CLI command which looks like what I need:


allow-subnet-overlap    Enable/disable allow one interface subnet overlap with other interfaces.


Have you used this feature?

ede_pfau
SuperUser
January 23, 2016

I was hoping you wouldn't find it...honestly.

This command will allow overlapping address ranges at the expense of nullifying the built-in anti-spoof feature. In my opinion it covers up flaws in the scheme by giving up one of the principal protections of a firewall.

You should be aware of this before going down that road. There are alternatives I think.
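The two options discussed in this thread side by side, as an added FortiOS CLI example that is not from either poster: the allow-subnet-overlap setting the original poster found, and the VIP approach from the accepted answer. The public IP 203.0.113.20, the LAN host 192.0.2.10 and the interface name <lan-hardware-switch> are placeholders, not values from the thread.

```fortios
# Option 1 (weak): lets a second interface sit on the WAN1 subnet, but as the
# answer warns it also switches off the anti-spoof (reverse-path) check, so a
# packet arriving on any interface with a source address from another
# interface's subnet is no longer dropped.
config system settings
    set allow-subnet-overlap enable
end

# Option 2 (recommended in the answer): keep wan1 as the only interface on the
# ISP subnet and let the FortiGate answer for the second public address with a
# VIP. Only one physical port is used, and anti-spoof stays in force.
config firewall vip
    edit "vip-second-public-ip"
        set extintf "wan1"
        set extip 203.0.113.20        # placeholder: second static IP from the WAN1 ISP
        set mappedip "192.0.2.10"     # placeholder: LAN host that should receive the traffic
    next
end

# A VIP only translates; a policy must still permit the traffic. Narrow
# "service" to what the mapped host actually needs instead of ALL.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "<lan-hardware-switch>"   # placeholder: the ports 1-8 hardware switch
        set srcaddr "all"
        set dstaddr "vip-second-public-ip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

With the VIP in place, wan1 owns both public addresses on the ISP subnet and port 15 is left unconfigured for that subnet, so the "subnet conflicts with WAN1" error never arises.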