Contributor
October 5, 2007
Question

Port forwarding with secondary IP on wan1

Hi, I have made port forwarding with the secondary public IP assigned on WAN1 of FG60 for ports 80, 25 & 110 to a server on the internal network. The same ports for the same server are forwarded using the WAN1 primary IP address also. From the internet, I'm able to access the server using only the WAN1 primary IP. Both primary and secondary IP are on the same subnet. How can I access the server using the secondary IP also? Is this type of config not supported? Regards, Patrick.

    6 replies

    Hracio
    New Member
    October 5, 2007
    Both primary and secondary IP are on the same subnet.
    By default, IP addresses cannot be part of the same subnet. Did you enable overlapping?
    (global)# set allow-interface-subnet-overlap enable
    I will use VIPs instead. Regards,. !!
    Contributor
    October 5, 2007
    Hi, Thanks for the reply. Yes, I have enabled overlapping. I would prefer VIPs too, but client has other servers also port-forwarded with the secondary IP. Regards, Patrick
    ORIGINAL: Hracio
    Both primary and secondary IP are on the same subnet.
    By default, IP addresses cannot be part of the same subnet. Did you enable overlapping?
    (global)# set allow-interface-subnet-overlap enable
    I will use VIPs instead. Regards,. !!
    UkWizard
    New Member
    October 5, 2007
    Hracio - I suspect he means the second IP from his range, being used via a VIP, NOT a secondary IP on the interface itself. Is that correct Benedict Patrick.S? Multiple incoming VIPs are allowed, however just note that only one ext IP can be used when the internal host itself makes a connection.
    Contributor
    October 5, 2007
    Hi, The second IP is configured as secondary IP on the WAN1 interface itself, not a VIP. Regards, Patrick.
    UkWizard
    New Member
    October 5, 2007
    If the 'second' IP you are referring to is in the same IP subnet range, then this is incorrect, you do not need to do that. The only time you use the 'secondary' IP function on the physical interfaces is when you have two different IP subnets on the one physical port (like two ISP connections to the same physical port). So presuming you are using the one IP subnet, you do not need the secondary IP, so get rid of it. Then specify that IP in the VIP and the firewall takes care of the 'magic' :)
    Hracio
    New Member
    October 5, 2007
    but client has other servers also port-forwarded with the secondary IP.
    mm, is it working that way??? If it's the same provider and you are addressing two IPs in the same range to wan1 interface.. you are just wasting IP resources.. (or I'm missing something in the scenario)... Regards,. !
    UkWizard
    New Member
    October 5, 2007
    Absolutely. This is exactly why you wouldn't have two external IPs in the same range port-forwarded to the same server - totally pointless.
    UkWizard
    New Member
    October 5, 2007
    Ooops - meant to add :- if you had 5 IPs off your provider there is no reason why you cannot have all of them natting to the same server, but it's pointless except to pacify existing DNS records that may reference different IPs. Generally, you assign an external IP to a particular service, like a mail server or a web server, so that the outbound traffic from that internal server also uses that ext IP, as opposed to the firewall's main IP. Like:
    ip1 - firewall
    ip2 - mail
    ip3 - website
    ip4 - portal
    The above is a typical setup.
    Contributor
    October 5, 2007
    Hi, The client had some crazy configurations when he had a Linux-based firewall earlier. I've talked the client into reconsidering his IP schemes and now the second IP is NATed to a single critical server running multiple services. The WAN1 interface IP has been used for port forwarding other servers. Issue closed! A second ISP is being configured on WAN2 for link redundancy. Thanks for the good pointers and quick replies. Regards, Patrick.