Secondary IPs get routed to Access Portal

Hello all,

we have received a fiber optic line which is connected via a VLAN tag, via DHCP client to the firewall as an external interface or the external interface has a VLAN.

The whole thing worked without any problems. With the connection we have also received a 28 subnet. I added these within the VLAN on the firewall as secondary IPs.

I then connected these to our internal services as SNAT
Any-External, Any-Trusted > (SNAT)->internal IP (Port 443)

Now it is like this: We have the Access Portal and also independent of this, two services within the VPN are routed to the Access Portal although they should actually call the internal services via name resolution - however, this is not the case.

I have adjusted the SSL VPN rule so that only one IP address is available for selection, not Firebox.

Any-External > (Port 443)

I assumed that this would fix the error, since it explicitly states which IP address to connect through 443. Or should I set up a NAT in the Advanced tab with the source IP address >

Best regards,


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @dankoon

    The firewall uses the "WatchGuard SSLVPN" policy for SSLVPN and Access Portal's webservers. If you put your other rules above that, they should take precidence.

    Changing the rule as you did should also work. However, since it's an auto generated policy, any changes to SSLVPN or Access Portal will change it back.

    -James Carson
    WatchGuard Customer Support

  • Options

    Hi @james.carson thank you for the fast reply. Actually auto order mode is disabled and the policy is above the WatchGuard SSLVPN Policy.

    And i also changed to Policy as described above, but it still doesn't work.
    The external IP Address translates to an internal IP Address which is a Nginx Reverse Proxy. 2 out of 11 services don't work, they all resolve to the Access Portal.

    If I try accessing those to while I'm logged into the VPN (IKEv2) it also does not know the destination IP-Address.

    Best regards,

  • Options

    Okay i think i got it myself. I had in mind that the virtual IP Address Pools are marked as trusted which as i've just read is not the case. After adding the virtual IP Address Pool it started to work.

    Thanks for your help

    Best regards,

Sign In to comment.