Add a Secondary Network IP Address
When you configure a Firebox interface, you can add secondary network IP addresses to the interface. Each IP address you add can be on the same subnet or on a different subnet from the primary IP address of the interface.
Secondary network IP address on the same subnet
For an internal interface, you can use a secondary IP address on the same subnet if an internal host must use that IP address as its default gateway.
For an external interface, a common reason to use a secondary IP address on the same subnet is when you want to forward traffic to multiple internal servers. When outgoing traffic, such as traffic from an SMTP server, must appear to come from the same secondary IP address, use the policy-based dynamic NAT Set source IP option in an outgoing policy.
For an example of this type of configuration, see the configuration example Use NAT for Public Access to Servers with Private IP Addresses, available at https://www.watchguard.com/help/configuration-examples/.
For more information about policy-based dynamic NAT, see Configure Policy-Based Dynamic NAT.
Secondary network IP address on a different subnet
If the secondary IP address is on a different subnet from the primary IP address of the interface, this tells the Firebox that an additional network is attached to that interface. When you add a secondary network on a different subnet, the Firebox creates a route from any IP address on the secondary network to the IP address of the Firebox interface.
For an external interface, you would use a secondary network on a different subnet if your ISP gives you multiple IP addresses on different subnets, and the ISP gateway can route traffic to and from the different subnets.
For a trusted or optional interface, you define a secondary network on a different subnet when you want to connect the interface to more than one internal network. An example is described in the next section.
If you configure a Firebox in drop-in mode, each interface uses the same primary IP address. However, your trusted network probably uses a different set of IP addresses. You can add that private network as a secondary network on the trusted interface of your Firebox.
When you configure a secondary network IP address on a different subnet, the new subnet becomes part of the same logical network as the original subnet. The Firebox cannot apply firewall policies to traffic between hosts in the same logical network, so it cannot filter traffic between the primary subnet and the secondary subnet.
For you to configure a secondary network IP address for an interface, your Firebox must use a routed or drop-in network configuration. You can add secondary network IP addresses to an external interface of a Firebox even if that external interface is configured to get its primary IP address through PPPoE or DHCP.
You cannot remove a secondary network if it is specified in the gateway settings for a BOVPN or BOVPN virtual interface configuration.
Configure a Secondary Network
Use these steps to add a secondary network. In this example, the secondary network is on a trusted interface.
To define a secondary network address, you must have an unused IP address on the secondary network to assign to the Firebox interface.
From Fireware Web UI:
- Select Network > Interfaces.
The Network Interfaces page appears.
- Select the interface for the secondary network and click Edit.
- Select the Secondary tab.
- Type an unassigned host IP address in slash notation from the secondary network. Click Add. Repeat this step to add additional secondary networks.
- Click Save.
From Policy Manager:
- Select Network > Configuration.
The Network Configuration dialog box appears.
- Select the interface for the secondary network and click Configure.
The Interface Settings dialog box appears.
- Select the Secondary tab.
- Click Add. Type an unassigned host IP address from the secondary network.
- Click OK.
- Click OK again.
Add secondary network addresses carefully. The Firebox does not warn you if you configure an IP address that could cause an IP address conflict. We recommend that you do not add, as a secondary network on one interface, a subnet that is part of a larger network on a different interface. If you do this, the Firebox could identify this traffic as spoofing a network that it expects to exist on another interface, and the network could fail to operate correctly. The Firebox might not ARP to the same network on multiple interfaces (with the exception of drop-in mode, bridged interfaces, and bridged VLANs).
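Because the Firebox itself does not report these conflicts, a pre-deployment check of the planned address table is worth running. The following is an added example written for this page, not WatchGuard code: it takes a hypothetical interface table in the same slash notation the Secondary tab expects, flags a host address that is really a network or broadcast address, a host IP or network that appears on two interfaces, and a secondary network that is part of a larger network on another interface, and exempts the shared primary IP of drop-in mode.

```python
import ipaddress
from typing import Dict, List

# Hypothetical interface table, constructed for this example. Each interface
# lists its primary address first, then its secondary addresses, all as
# host IP plus prefix length (slash notation).
EXAMPLE_INTERFACES: Dict[str, List[str]] = {
    "External": ["203.0.113.2/29", "203.0.113.3/29", "198.51.100.1/28"],
    "Trusted": ["10.0.1.1/24", "10.0.3.1/24"],
    "Optional": ["10.0.2.0/24", "10.0.1.129/25", "10.0.3.1/24"],
}


def check_secondary_networks(interfaces: Dict[str, List[str]],
                             drop_in: bool = False) -> List[str]:
    """Return warnings for address problems the Firebox does not report."""
    warnings: List[str] = []
    entries = []  # (interface name, is_primary, ip_interface)
    for name, addrs in interfaces.items():
        for idx, addr in enumerate(addrs):
            entries.append((name, idx == 0, ipaddress.ip_interface(addr)))

    # Check 1: the address you type must be a usable host address on that
    # network, not its network or broadcast address (/31 and /32 excepted).
    for name, _, a in entries:
        net = a.network
        if net.num_addresses > 2 and a.ip in (net.network_address, net.broadcast_address):
            warnings.append(f"{name}: {a} is not a usable host address")

    # Check 2: compare each address with those on *other* interfaces. A
    # secondary on the same subnet as its own primary is allowed, so pairs
    # on the same interface are skipped.
    for i, (n1, p1, a1) in enumerate(entries):
        for n2, p2, a2 in entries[i + 1:]:
            if n1 == n2 or a1.version != a2.version:
                continue
            if drop_in and p1 and p2:
                continue  # drop-in mode: every interface shares one primary IP
            if a1.ip == a2.ip:
                msg = f"{n1}/{n2}: host address {a1.ip} is used on both interfaces"
            elif a1.network == a2.network:
                msg = f"{n1}/{n2}: network {a1.network} is on both interfaces"
            elif a1.network.subnet_of(a2.network) or a2.network.subnet_of(a1.network):
                small, big = sorted((a1.network, a2.network), key=lambda n: -n.prefixlen)
                msg = f"{n1}/{n2}: {small} is part of the larger network {big}"
            else:
                continue
            if msg not in warnings:  # report each cross-interface clash once
                warnings.append(msg)
    return warnings
```

Run `check_secondary_networks(EXAMPLE_INTERFACES)` to see the three planned mistakes in the sample table; pass `drop_in=True` when every interface legitimately shares the same primary IP.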