Add a Secondary Network IP Address

When you configure a Firebox interface, you can add secondary network IP addresses to the interface. Each IP address you add can be on the same subnet or on a different subnet from the primary IP address of the interface.

When you add a secondary network, you create a specific IP address on which the Firebox listens for requests. The Firebox is also part of the specified subnet on that IP address.

Secondary network IP address on the same subnet

For an internal interface, you can use a secondary IP address on the same subnet if an internal host must use that IP address as its default gateway.

For an external interface, a common reason to use a secondary IP address on the same subnet is when you want to forward traffic to multiple internal servers. When outgoing traffic, such as traffic from an SMTP server, must appear to come from the same secondary IP address, use the policy-based dynamic NAT Set source IP option in an outgoing policy.

For an example of this type of configuration, go to the configuration example Use NAT for Public Access to Servers with Private IP Addresses, available at https://www.watchguard.com/help/configuration-examples/.

For more information about policy-based dynamic NAT, go to Configure Policy-Based Dynamic NAT.

Secondary network IP address on a different subnet

If the secondary IP address is on a different subnet from the primary IP address of the interface, it tells the Firebox that there is one more network on the Firebox interface. When you add a secondary network on a different subnet, the Firebox creates a route from any IP address on the secondary network to the IP address of the Firebox interface.

For an external interface, you would use a secondary network on a different subnet if your ISP gives you multiple IP addresses on different subnets, and the ISP gateway can route traffic to and from the different subnets.

For a trusted or optional interface, you define a secondary network on a different subnet when you want to connect the interface to more than one internal network. An example is described in the next section.

If you configure a Firebox in drop-in mode, each interface uses the same primary IP address. However, you probably use a different set of IP addresses on your trusted network. You can add this private network as a secondary network to the trusted interface of your Firebox.

When you configure a secondary network IP address on a different subnet, the new subnet is part of the same logical network as the original subnet.
In Fireware v12.8 or higher, you can enable intra-interface inspection on physical and link aggregation interfaces. You can then apply policies to traffic between networks configured on the same physical interface of the firebox as primary and secondary networks. For more information go to, Intra-Interface Traffic Inspection.

For you to configure a secondary network IP address for an interface, your Firebox must use a routed or drop-in network configuration. You can add secondary network IP addresses to an external interface of a Firebox even if that external interface is configured to get its primary IP address through PPPoE or DHCP.

Network diagram example of a Secondary Network configuration

You cannot remove a secondary network if it is specified in the gateway settings for a BOVPN or BOVPN virtual interface configuration.

Here are some examples of situations when secondary networks can be useful:

Network Consolidation

If you want to remove a router from your network, you can add the router IP address as a secondary IP address on the firewall when the router is shut down. Any hosts or routers that are still sending traffic to the old router IP address would then send traffic to the firewall.

Network Migration

Secondary addresses can help you avoid a network outage if you want to migrate your trusted network from one subnet to another. For example, if you currently use 192.168.1.1/24 as the primary interface IP address, and you change the interface IP address to 10.0.10.1/24, this could cause a network outage while the devices that use DHCP get an IP address on the new subnet. Also, any devices that use a static IP address cannot connect until you reconfigure them with an IP address on the new subnet. To avoid the outage, add the old IP address as a secondary network, so that devices can still use IP addresses on the old subnet during the migration.

When you configure a secondary network, the devices that use DHCP get an IP address on the new subnet when they renew their DHCP lease, without an outage. Devices that use a static IP address can continue to use the old subnet until you have time to update their IP addresses. After all devices have been migrated to the new subnet, you can remove the secondary IP address from the interface.

You might want to migrate to a different local network range in these cases:

  • You inherit a network that uses the 192.168.0.1/24 or 192.168.1.1/24 networks. Because these network ranges conflict with many home network ranges, your mobile VPN users cannot access local resources on your network.
  • You have two sites with the same local network range, and you want to connect the sites with a BOVPN.

Static NAT to Multiple Servers

If your Firebox uses a static external IP address, you can add a secondary network IP address. You can then configure static NAT rules to send traffic to the appropriate devices on that network.

For example, configure an external secondary network with a second public IP address if you have two public web servers and you want to configure a static NAT rule for each server.

Configure a Secondary Network

Use these steps to add a secondary network. In this example, the secondary network is on a trusted interface.

To define a secondary network address, you must have an unused IP address on the secondary network to assign to the Firebox interface.

Make sure to add secondary network addresses carefully. The Firebox does not tell you if you have configured an IP address that could cause an IP address conflict. We recommend that you do not add a subnet as a secondary network on one interface that is a component of a larger network on a different interface. If you do this, the Firebox could identify this traffic as spoofing a network that it expects to exist on another interface, and the network could fail to operate correctly. The Firebox might not ARP to the same network on multiple interfaces (with the exception of drop-in mode, bridged interfaces, and bridged VLANs).

Related Topics

Migrate to a New Local Network Range

About Network Modes and Interfaces

Configure an External Interface

Configure Static NAT (SNAT)