Can I add a 2nd external connection as a custom interface?

Using XTMv Fireware 12.1.3.
We already have an external connection connected to the Firebox using an external interface in WSM. I need to add a 2nd connection which has a different IP but is on the same subnet as the 1st external connection (from a range of IPs provided by our ISP). This 2nd connection will be used for a very specific purpose and no other internet traffic needs to go out or come in on it. Can I just add this 2nd external connection as a custom interface in WSM and create appropriate NAT policies as required?


  • If the traffic is to go to/from a single internal IP addr, the better method is to set up a 1-to-1 NAT for the external and internal IP addrs.

    WG does not encourage doing what you asked.

    If the traffic is to go to/from more than a single internal IP addr, please provide more details.

  • edited November 2020

    Hi Bruce. It's to a single internal IP. So the recommendation would be to add the 2nd line as type External then (after which I can set up the 1-to-1 NAT)? Many of our existing policies have the 'To' set to 'Any-External'. Should I then change these to the specific name of the current external interface, which is 'External'?

  • You should not add a 2nd interface.
    Just add a 1-to-1 NAT for the secondary public IP addr to the private IP addr.
    If you have previously added that public IP addr as a Secondary on external, remove it.

    Where do you have To: Any-External?
    If on outgoing policies - nothing to change, as the default Dynamic NAT processing will cause packets to go out using the primary external interface IP addr.
    If on incoming policies, you should already be using a SNAT - so nothing to change here.

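The advice in the reply above boils down to a small decision: if the new public IP sits inside the existing external interface's subnet, it is not added as an interface or as a secondary IP at all; it becomes a 1-to-1 NAT entry on the existing External interface, and the existing Any-External policies are left alone. The following is an added example (editor's code, not WatchGuard's and not from the thread) that models that check offline before anyone touches WSM. The addresses are constructed (RFC 5737 test ranges) and the interface/NAT classes are my own assumptions, not Fireware objects.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ExternalInterface:
    """Assumed model of a Firebox external interface (not a Fireware API)."""
    name: str
    primary: str                      # primary IP with prefix, e.g. "203.0.113.10/29"
    secondaries: set = field(default_factory=set)   # secondary IPs already configured


@dataclass
class OneToOneNat:
    """Assumed model of a 1-to-1 NAT entry: public IP <-> private IP on one interface."""
    interface: str
    public_ip: str
    private_ip: str


def plan_second_public_ip(ext: ExternalInterface, new_public: str, internal_host: str) -> dict:
    """Decide how a second ISP-provided public IP should be configured.

    Returns a dict with an 'action' key:
      - 'one_to_one_nat': same subnet as the primary, so add a 1-to-1 NAT on the
        existing external interface (the thread's recommendation) plus the steps.
      - 'out_of_subnet': the thread's advice does not cover this case; flag it.
    Raises ValueError on addresses that can never be valid for this purpose.
    """
    iface = ipaddress.ip_interface(ext.primary)
    net = iface.network
    pub = ipaddress.ip_address(new_public)
    priv = ipaddress.ip_address(internal_host)

    if pub == iface.ip:
        raise ValueError(f"{pub} is already the primary IP of {ext.name}")
    if pub in (net.network_address, net.broadcast_address):
        raise ValueError(f"{pub} is the network or broadcast address of {net}, not a usable host")
    if not priv.is_private:
        raise ValueError(f"internal host {priv} is not an RFC 1918 / private address")

    if pub not in net:
        return {
            "action": "out_of_subnet",
            "reason": f"{pub} is not inside {net}; a 1-to-1 NAT on {ext.name} assumes the same subnet",
        }

    steps = []
    # If the address was previously added as a secondary IP, it must come off first,
    # otherwise the interface and the NAT entry would both claim it.
    if str(pub) in ext.secondaries:
        steps.append(f"remove {pub} from the secondary IP list on {ext.name}")
    nat = OneToOneNat(interface=ext.name, public_ip=str(pub), private_ip=str(priv))
    steps.append(f"add 1-to-1 NAT on {ext.name}: {nat.public_ip} <-> {nat.private_ip}")
    steps.append("leave outgoing policies with To: Any-External unchanged; "
                 "dynamic NAT still uses the primary external IP")
    steps.append("incoming policies for this host use the 1-to-1 NAT entry; "
                 "do not add a second external or custom interface")
    return {"action": "one_to_one_nat", "nat": nat, "steps": steps}


if __name__ == "__main__":
    # Constructed example: primary external 203.0.113.10/29, ISP gave us .11 too,
    # and someone had already (wrongly) put .12 in as a secondary IP.
    ext = ExternalInterface("External", "203.0.113.10/29", {"203.0.113.12"})
    for public in ("203.0.113.11", "203.0.113.12", "198.51.100.5"):
        plan = plan_second_public_ip(ext, public, "10.0.1.50")
        print(public, "->", plan["action"])
        for step in plan.get("steps", []):
            print("   ", step)
```

The value of running this before opening WSM is the ordering it enforces: the subnet membership decides whether the 1-to-1 NAT approach applies at all, and the secondary-IP check catches the "I already added it as a secondary" case the reply warns about.
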
  • Hi Bruce - sorry i'm a little confused. My current interfaces are as shown in this photo:

    So I don't have the new public line connected to the Firebox at all at the moment. It is also not listed as a secondary IP in the External interface either.

    So my question is whether I should add the new public line as another external interface, or whether it is ok to add it as a custom interface instead of an external one?

    I can't add a 1-to-1 NAT without linking it to an interface:

    Apologies if I didn't make this clear.

  • You use your existing external interface for this.
    It will work.
    Just do it.
    Add the 1-to-1 NAT to External.
    Trust me.

    ok thanks - I think I found an article with what you are describing:

    Does it matter if there is a standard layer 1 switch between the Firebox and the ISP-supplied router?

    Awesome, got it all working Bruce - thanks very much.
