Can I add a 2nd external connection as a custom interface?

Using XTMv Fireware 12.1.3.
We already have an external connection connected to the Firebox using an external interface in WSM. I need to add a 2nd connection which has a different IP but is on the same subnet as the 1st external connection (from a range of IPs provided by our ISP). This 2nd connection will be used for a very specific purpose and no other internet traffic needs to go out or come in on it. Can I just add this 2nd external connection as a custom interface in WSM and create appropriate NAT policies as required?


  • Options

    If the traffic is to go to/from a single internal IP addr, the better method is to set up a 1-to-1 NAT for the external and internal IP addrs.

    WG does not encourage doing what you asked.

    If the traffic is to go to/from more than a single internal IP addr, please provide more details.

  • Options
    edited November 2020

    Hi Bruce. It's to a single internal IP. So the recommendation would be to add the 2nd line as type External then (after which I can set up the 1-to-1 NAT)? Many of our existing policies have the 'To' set to 'Any-External'. Should I then change these to the specific name of the current external interface, which is 'External'?

  • Options

    You should not add a 2nd interface.
    Just add a 1-to-1 NAT for the secondary public IP addr to the private IP addr.
    If you have previously added that public IP addr as a Secondary on external, remove it.

    Where do you have To: Any-external?
    If on outgoing policies - nothing to change, as the default Dynamic NAT processing will cause packets to go out using the primary external interface IP addr.
    If on incoming policies, you should already be using a SNAT - so nothing to change here.

  • Options

    Hi Bruce - sorry, I'm a little confused. My current interfaces are as shown in this photo: https://ibb.co/5xzbHC6

    So I don't have the new public line connected to the Firebox at all at the moment. It is also not listed as a secondary IP in the External interface either.

    So my question is whether I should add the new public line as another external interface, or whether it is ok to add it as a custom interface instead of an external one?

    I can't add a 1-to-1 NAT without linking it to an interface: https://ibb.co/qCNfWpj

    Apologies if I didn't make this clear.

  • Options

    You use your existing external interface for this.
    It will work.
    Just do it.
    Add the 1-to-1 NAT to External.
    Trust me.

  • Options

    OK, thanks - I think I found an article with what you are describing: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/example_1-to-1_NAT.html

    Does it matter if there is a standard layer 1 switch between the Firebox and the ISP-supplied router?

  • Options

    Awesome, got it all working, Bruce - thanks very much.
