Secondary IP configuration causes routing mayhem

Hi everyone.
I have a /21 network, let's say for example.

This network is used only as NAT addresses, so my devices within my trusted network can use these IPs as NAT through the external interface ext1.

The fact is that I have to segment this /21, so I have set as secondary IP on the external interface, ext, the segment .
Now I need to add , thus giving me another 254 addresses available.

This configuration when applied, makes all static routes set to ext1 unavailable.
Even reapplying the previous configuration, routing to these networks is compromised.

Only after waiting an hour or so does the situation return to normal.

What am I doing wrong?
I feel that something obvious is escaping me.


  • Exactly what IP addrs/subnets are defined to external here? and and ?

    Are any of the external IP addrs used any place else, such as for internal devices?

    (edited May 2023)

  • Also, what Fireware version are you running?

  • Hey Bruce, I am running version 12.9.2.

    On my external is defined a segment of this

    secondary IP:

    I want to add

    But when I do, well, the routing table goes bananas, as mentioned above.

  • So external primary is ?

    If so, why do you need these secondary subnet entries?

    FYI, V12.9.3 is now out, but I doubt that the results would be different.

    Consider opening a support case on this.

  • The external primary IP is a different IP.
    This interface allows us to communicate with a regional network.

    On this regional network each entity has a segment or multiple segments of a wider network. The segment assigned to us is , which we can segment ourselves however we want.

    So the use case of these subnets is to assign a native IP or to NAT our internal devices to communicate with this regional network if needed.

    I hope that's clear now.

    I did open a support case, but in the end, after giving them all the information needed, they told me to reset the firewalls... I don't want to reset the firewalls; they were configured like 2 months ago, and I believe that resetting them would not solve my problem.

    So I tried to get answers here.

    (edited May 2023)

  • I would try not overlapping the primary subnet and the secondaries.

    What is the purpose of adding secondary subnets?
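As an added example (not code from the thread or from Fireware), the following Python script performs the pre-change sanity check the last reply points at: it lists interface subnets that overlap each other and, for each static route via the external interface, reports whether the gateway falls on exactly one connected network and whether the destination is shadowed by a connected subnet. All addresses are constructed placeholders; the thread's real prefixes are redacted, so the "problem" layout simply models a whole /21 on the interface with /24 secondaries carved inside it, and the "fixed" layout models disjoint /24 segments.

```python
"""Sanity checks for interface subnets and static routes before applying a
secondary-IP change. Added example, not Fireware code; every address below is a
constructed placeholder (the thread's real prefixes are redacted)."""
import ipaddress
from itertools import combinations


def find_overlaps(networks):
    """Return pairs of interface networks that share address space.

    Overlapping connected subnets on one interface make next-hop resolution
    ambiguous, which is the condition the last reply advises against.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def check_routes(interface_networks, routes):
    """For each static route (destination, gateway) report which connected
    networks contain the gateway and which connected networks overlap the
    destination. A gateway on no connected network is unreachable; a gateway on
    several is ambiguous; a destination covered by a connected subnet is
    shadowed by the longer-prefix connected route."""
    nets = [ipaddress.ip_network(n, strict=False) for n in interface_networks]
    report = {}
    for dest, gw in routes:
        gw_ip = ipaddress.ip_address(gw)
        dest_net = ipaddress.ip_network(dest, strict=False)
        report[dest] = {
            "gateway": gw,
            "gateway_in": [str(n) for n in nets if gw_ip in n],
            "dest_overlaps": [str(n) for n in nets if n.overlaps(dest_net)],
        }
    return report


def audit(interface_networks, routes):
    """Collect human-readable findings; an empty list means the layout is clean."""
    findings = []
    for a, b in find_overlaps(interface_networks):
        findings.append(f"overlap: {a} and {b}")
    for dest, info in check_routes(interface_networks, routes).items():
        gw = info["gateway"]
        if not info["gateway_in"]:
            findings.append(f"route {dest}: gateway {gw} is on no connected network")
        elif len(info["gateway_in"]) > 1:
            findings.append(f"route {dest}: gateway {gw} matches several connected networks {info['gateway_in']}")
        if info["dest_overlaps"]:
            findings.append(f"route {dest}: destination is shadowed by connected {info['dest_overlaps']}")
    return findings


# Constructed layouts (placeholders, not the thread's addresses).
# Problem layout: the whole /21 sits on the interface and the /24 segments are
# added as secondaries inside it, so every secondary overlaps the primary.
PROBLEM_LAYOUT = ["10.10.0.1/21", "10.10.1.1/24", "10.10.2.1/24"]
# Fixed layout: disjoint /24 segments carved out of the /21.
FIXED_LAYOUT = ["10.10.0.1/24", "10.10.1.1/24", "10.10.2.1/24"]
# Static routes via the external interface: a reachable gateway, a gateway
# outside every connected subnet, and a gateway that sits inside two subnets
# in the problem layout.
STATIC_ROUTES = [
    ("172.16.0.0/16", "10.10.0.254"),
    ("172.17.0.0/16", "10.10.9.1"),
    ("192.168.50.0/24", "10.10.1.254"),
]

if __name__ == "__main__":
    for name, layout in (("problem", PROBLEM_LAYOUT), ("fixed", FIXED_LAYOUT)):
        print(name)
        for line in audit(layout, STATIC_ROUTES) or ["no findings"]:
            print("  ", line)
```

Run it before pushing a configuration that adds a secondary subnet; the second static route stays flagged in both layouts on purpose, because a gateway outside every connected network is a separate mistake the overlap fix does not cure.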
