Secondary IP configuration causes routing mayhem

Hi everyone.
I have a /21 network, let's say 10.10.150.0/21 for example.

This network is used only for NAT addresses, so devices within my trusted network can use these IPs for NAT through the external interface ext1.

The fact is that I have to segment this /21, so I have set the segment 10.10.150.1/26 as a secondary IP on the external interface, ext.
Now I need to add 10.10.151.1/24, thus giving me another 254 available addresses.

When applied, this configuration makes all static routes set to ext1 unavailable.
Even reapplying the previous configuration, routing to these networks is compromised.

Only after waiting an hour or so does the situation return to normal.

What am I doing wrong?
I feel that something obvious is escaping me.

Comments

  • edited May 2023

    Exactly what IP addrs/subnets are defined to external here?
    10.10.150.1/21 and 10.10.150.1/26 and 10.10.151.1/24 ?

    Are any of the external IP addrs used any place else, such as for internal devices?

  • Also, what Fireware version are you running?

  • Hey Bruce, I am running version 12.9.2.

On my external, a segment of this 10.10.150.1/21 is defined.

secondary IP: 10.10.150.1/26

    I want to add

    10.10.151.1/24

But when I do, well, the routing table goes bananas, as mentioned above.

  • So external primary is 10.10.150.1/21 ?

    If so, why do you need these secondary subnet entries?

    FYI, V12.9.3 is now out, but I doubt that the results would be different.

    Consider opening a support case on this.

  • edited May 2023

    The external primary ip is a different ip.
This interface allows us to communicate with a regional network.

On this regional network each entity has a segment or multiple segments of a wider network. The segment assigned to us is 10.10.150.1/21, which we can segment ourselves however we want.

So the use case of these subnets is to assign a native IP or to NAT our internal devices to communicate with this regional network if needed.

    I hope that's clear now.

I did open a support case, but in the end, after giving them all the information needed, they told me to reset the firewalls.... I don't want to reset the firewalls; they were configured like 2 months ago, and I believe that resetting them would not solve my problem.

So I tried to get answers here.

  • I would try not overlapping the primary subnet and the secondaries.

    What is the purpose of adding secondary subnets?
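The advice in the last reply, not to let the primary subnet and the secondaries overlap, is something you can check before committing an interface configuration. The following is an added example (not WatchGuard code and not posted by anyone in this thread) that takes the three addresses Bruce listed earlier, 10.10.150.1/21, 10.10.150.1/26 and 10.10.151.1/24, as a constructed sample and reports which networks are nested inside which, plus any host address reused on more than one entry. It uses only Python's standard `ipaddress` module; the function names are this example's own.

```python
"""Check a set of interface addresses (primary plus secondaries) for overlapping
subnets and reused host addresses before applying them to an external interface.
Added example for this thread; not Fireware code. Standard library only."""
import ipaddress
from itertools import combinations


def parse_interface(cidr):
    """Parse 'host/prefix' into (host address, network).
    ip_interface keeps the host bits, so 10.10.150.1/26 gives host 10.10.150.1
    and network 10.10.150.0/26; the /21 entry normalises to 10.10.144.0/21."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip, iface.network


def find_overlaps(cidrs):
    """Return (a, b, relation) for every pair of entries whose networks overlap.
    relation is 'identical' when the networks are equal, 'subnet' when b lies
    inside a, and 'supernet' when a lies inside b. An empty list means the
    entries partition the address space cleanly."""
    nets = {c: parse_interface(c)[1] for c in cidrs}
    overlaps = []
    for a, b in combinations(cidrs, 2):
        na, nb = nets[a], nets[b]
        if na == nb:
            overlaps.append((a, b, "identical"))
        elif nb.subnet_of(na):
            overlaps.append((a, b, "subnet"))
        elif na.subnet_of(nb):
            overlaps.append((a, b, "supernet"))
    return overlaps


def duplicate_hosts(cidrs):
    """Return {host: [entries]} for host addresses that appear on more than one
    interface entry, e.g. 10.10.150.1 used as both the /21 and the /26 address."""
    seen = {}
    for c in cidrs:
        host = parse_interface(c)[0]
        seen.setdefault(host, []).append(c)
    return {str(h): entries for h, entries in seen.items() if len(entries) > 1}


# Constructed sample mirroring the addresses discussed in the thread above.
SAMPLE = ["10.10.150.1/21", "10.10.150.1/26", "10.10.151.1/24"]

if __name__ == "__main__":
    for a, b, rel in find_overlaps(SAMPLE):
        print(f"{a} and {b}: {rel} overlap")
    for host, entries in duplicate_hosts(SAMPLE).items():
        print(f"host {host} is used on {entries}")
```

Run on the sample it reports that both 10.10.150.0/26 and 10.10.151.0/24 sit inside 10.10.144.0/21 and that 10.10.150.1 is configured twice; with only the /26 and the /24 present there are no overlaps. Where the firewall's behaviour on overlapping secondaries is undefined or buggy, this is the cheapest way to rule overlap out before opening or escalating a support case.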
