WatchGuard XTM with two external IP subnets on single interface
Posted on 2014-08-03
I am after some clarification here as WatchGuard support are about as useful as a chocolate fireguard!
I have a customer who has a Fortigate 110C which is connecting them to their BT Fibre - 50/100.
Due to issues with their client VPN, and because it is our preferred firewall/router option, we are looking to replace this device with a WatchGuard XTM 330. I have done this a lot in the past few years for companies of all shapes and sizes, so it should have been straightforward.
However, just before the changeover I noticed that the Fortigate had a VDOM interface with an external IP range on it, but its physical interface on the device had an external IP on a different range. Now I know this is fairly typical of BT to do - you have an IP for internet access but your range of IPs is delivered on a different subnet; all of the NATed services are on the second subnet range.
So I adjusted the external IP settings on the WatchGuard so that the primary interface was the external IP on the physical interface on the WatchGuard, and put the secondary range of IP addresses on the secondary tab of the same interface. Now, despite them being listed here, the internet works on the WatchGuard but none of the IPs on the secondary tab are accessible.
In a nutshell, I believe the only way I am going to get this working is to stick another router in front of the WatchGuard, and then set the secondary range on the WatchGuard external interface - not ideal as I only have DrayTek to hand. The Fortigate didn't need it because the VDOM feature allows the creation of a router within a router, therefore eliminating the need for another physical routing device.
So, the question is - has anyone actually had a second public IP range assigned from an ISP (on a different subnet from the current range) and got it working just by assigning it to the secondary tab of the WatchGuard (without another router involved, directly connected to BT kit)?
Does the BT kit allow the route to be added to it to remove the need to add your own router?