Assigning Public IP to a VLAN

Is it possible to assign a public IP address to a VLAN that uses a separate router?

We manage service offices and at the moment, we use VLANs to manage the network. If a client wants to use their own router and have a public IP address, we create a policy to forward all traffic to an IP address within their VLAN and get them to set up their router this way.

Example: Client A
Static IP: (made up IP)

Incoming Policy
ANY traffic to, route to

The client sets up their router IP to with the gateway as and everything works perfectly fine.

My question is, how can I set this up so that the client will use the public IP address on their routers WAN interface as opposed to using the VLAN Internal IP?


  • Options
    _WGSupport_ChrisC_WGSupport_ChrisC WatchGuard Representative

    If I'm understanding the current setup correctly, you have external static IP's NATted to client routers on internal VLANs, which use private addressing.

    It sounds like you want to switch to an arrangement where they have their own public range per VLAN. I think that's technically doable, assuming you have enough public address space. You would need to subdivide that into /30's at minimum to create circuit subnets with each client. As long as the overall public address space is being routed to a firewall external IP, it could in turn allow that traffic in to the more specific client subnets by policy configuration.

    A diagram of what you have in mind might be helpful.

  • Options

    Another possible option is to use drop-in mode.
    There are a number of limitations to drop-in mode, but it does support non-tagged VLANs.
    With drop-in mode, you can assign a unused public IP addr to an internal device, such as a server or internal firewall.

    Review this:
    Drop-In Mode

  • Options

    The Drop-In mode doesn't really work because we need to be able to assign VLANs to customers who doesn't want static public IPs.

    As for supernetting, I wonder if adding the supernetted subnet as a secondary IP to the VLAN would allow me to achieve what I want. Otherwise, I think an L3 switch may be required for this.

  • Options
    _WGSupport_ChrisC_WGSupport_ChrisC WatchGuard Representative
    edited November 2022

    If you have a public range, you could assign it to a single VLAN (though you may need to work out a new non-overlapping range from the ISP for the Firebox external IP), then perhaps have customer NAT routers on that VLAN, each with a different IP. Their routers' external interfaces will all be on the same broadcast domain however. Not sure if that would be considered a problem or not in this setup, at your discretion.

Sign In to comment.