When you configure an XTM device interface, you can add secondary network IP addresses to the interface. Each IP address you add can be on the same subnet or on a different subnet from the primary IP address of the interface.
Secondary network IP address on the same subnet
For an internal interface, you can use a secondary IP address on the same subnet if an internal host must use that IP address as its default gateway.
For an external interface, a common reason to use a secondary IP address on the same subnet is when you want to forward traffic to multiple internal servers. When outgoing traffic, such as traffic from an SMTP server, must appear to come from the same secondary IP address, use the policy-based dynamic NAT Set source IP option in an outgoing policy.
For an example of this type of configuration, see the configuration example Use NAT for Public Access to Servers with Private IP Addresses, available at http://www.watchguard.com/help/configuration-examples/.
For more information about policy-based dynamic NAT, see Configure Policy-Based Dynamic NAT.
Secondary network IP address on a different subnet
If the secondary IP address is on a different subnet from the primary IP address of the interface, it tells the XTM device that there is one more network on the XTM device interface. When you add a secondary network on a different subnet, the XTM device creates a route from any IP address on the secondary network to the IP address of the XTM device interface.
For an external interface, you would use a secondary network on a different subnet if your ISP gives you multiple IP addresses on different subnets, and the ISP gateway can route traffic to and from the different subnets.
For a trusted or optional interface, you would define a secondary network on a different subnet when you want to connect the interface to more than one internal network. An example is described in the subsequent section.
If you configure an XTM device in drop-in mode, each XTM device interface uses the same primary IP address. However, you probably use a different set of IP addresses on your trusted network. You can add this private network as a secondary network to the trusted interface of your XTM device.
For you to configure a secondary network IP address for an interface, your XTM device must use a routed or drop-in network configuration. You can add secondary network IP addresses to an external interface of an XTM device even if that external interface is configured to get its primary IP address through PPPoE or DHCP.
Use these steps to add a secondary network. In this example, the secondary network is on a trusted interface.
To define a secondary network address, you must have an unused IP address on the secondary network to assign to the XTM device interface.
To define a secondary network:
Make sure to add secondary network addresses correctly. The XTM device does not tell you if the address is correct. We recommend that you do not create a subnet as a secondary network on one interface that is a component of a larger network on a different interface. If you do this, the XTM device could identify this traffic as spoofing a network that it expects to exist on another interface, and the network could fail to operate correctly. The XTM device might not ARP to the same network on multiple interfaces (with the exception of drop-in mode, bridged interfaces, and bridged VLANs).
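Because the XTM device does not validate these addresses, it helps to check a planned configuration offline before you enter it. The following Python sketch is an added example, not WatchGuard code: it flags any network on one interface that overlaps a network on a different interface, and any interface address that is not a usable host address. The configuration layout, the interface names, the sample addresses, and the exempt parameter (standing in for the drop-in, bridged interface, and bridged VLAN exceptions) are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (hypothetical interface names and addresses).
SAMPLE = {
    "external": {"primary": "203.0.113.2/24", "secondary": ["203.0.113.10/24"]},
    "trusted": {"primary": "10.0.1.1/24",
                "secondary": ["192.168.50.1/24", "172.16.8.1/24"]},
    "optional": {"primary": "172.16.0.1/16"},
}

def addresses(iface):
    """Return the primary and secondary addresses of one interface."""
    cidrs = [iface["primary"], *iface.get("secondary", [])]
    return [ipaddress.ip_interface(c) for c in cidrs]

def find_conflicts(config, exempt=frozenset()):
    """Return (interface, value, problem) tuples for a planned configuration.

    exempt: interface names skipped in the cross-interface check, for
    example bridged interfaces (an assumption of this sketch).
    """
    findings = []
    # 1. Each address must be a usable host address on its own network.
    for name, iface in config.items():
        for a in addresses(iface):
            net = a.network
            reserved = (net.network_address, net.broadcast_address)
            if net.prefixlen < net.max_prefixlen - 1 and a.ip in reserved:
                findings.append((name, str(a), "not a usable host address"))
    # 2. A network on one interface must not overlap a network on another
    #    interface; the same subnet twice on one interface is allowed.
    for (n1, i1), (n2, i2) in combinations(config.items(), 2):
        if n1 in exempt or n2 in exempt:
            continue
        for a in addresses(i1):
            for b in addresses(i2):
                if a.network.overlaps(b.network):
                    findings.append(
                        (n1, str(a.network), f"overlaps {b.network} on {n2}"))
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE):
        print(*finding)
```

In the sample plan, the 172.16.8.0/24 secondary network on the trusted interface is a component of the 172.16.0.0/16 network on the optional interface, so it is the one entry reported.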
About Network Interface Setup
Configure an External Interface
Configure Static NAT