WatchGuard XTM with two external IP subnets on single interface

Posted on 2014-08-03
Medium Priority
Last Modified: 2014-08-14

I am after some clarification here as WatchGuard support are about as useful as a chocolate fireguard!

I have a customer who has a Fortigate 110C which is connecting them to their BT Fibre - 50/100.

Due to issues with their client VPN, and because it is our preferred firewall/router option, we are looking to replace this device with a WatchGuard XTM 330. I have done this a lot in the past few years for all shapes and sizes of companies, so it should have been straightforward.

However, just before the changeover I noticed that the Fortigate had a VDOM interface with an external IP range on it, but its physical interface on the device had an external IP on a different range. Now I know this is fairly typical of BT to do - you have an IP for internet access but your range of IPs is delivered on a different subnet; all of the NATed services are on the second subnet range.

So I adjusted the external IP settings on the WatchGuard so that the primary interface was the external IP on the physical interface on the WatchGuard, and put the secondary range of IP addresses on the secondary tab of the same interface. Now despite them being listed here, the internet works on the WatchGuard but none of the IPs on the secondary tab are accessible.

In a nutshell I believe the only way I am going to get this working is to stick another router in front of the WatchGuard, and then set the secondary range on the WatchGuard external interface - not ideal as I only have a Draytek to hand. The Fortigate didn't need it because the VDOM feature allows the creation of a router within a router, therefore eliminating the need for another physical routing device.

So, the question is - has anyone actually had a second public IP range assigned from an ISP (on a different subnet from the current range) and got it working just by assigning it to the secondary tab of the WatchGuard (without another router involved, directly connected to BT kit)?

Does the BT kit allow the route to be added to it to remove the need to add your own router?

Question by: DLeaver
LVL 27

Expert Comment

ID: 40240056
Yes. I have had this working several times.

To confirm:

the external interface has a valid external IP/subnet/gateway listed
the external interface also has additional external IPs/subnets listed on the 'secondary' tab.

What element of this doesn't work? If you try to set up a rule for one of the secondary IPs, what happens? Is it outbound or inbound traffic that's an issue?
LVL 32

Expert Comment

ID: 40240465
Typically we create secondary networks as you have already done, but the routing part has to be done by the ISP, BT in this case.
They must send all traffic for the secondary IP subnet to the WG; please check with them if this is not happening.

You can open Traffic Monitor and send some junk traffic on random TCP ports to the secondary IP subnet and you should see some entries; if none, BT is to blame.
Once you see the entries we can configure firewall policies and relevant NAT policies to get the traffic in.

Thank you.
LVL 12

Author Comment

ID: 40241033
So to clarify further

The service is on a BT 21CN appliance, 50/100Mb fibre.

The "External Router Pair" is ( is on the WAN IP of the current Fortigate)

The "Network range" is

I stuck a Draytek in front of the WatchGuard this morning with the external pair on the WAN interface and the IPs from the network range on the LAN. The WatchGuard used IPs on the network range - again I got internet access but nothing from the network range... When I went to www.whatismyip.com I got the external interface IP from the Draytek!!

If you had an unmanaged fibre line service from BT and a WatchGuard router, what is the proper configuration?


LVL 27

Accepted Solution

Steve earned 2000 total points
ID: 40242529
You should have an IP address provided with the fibre line, a subnet mask & a default gateway.
Whack these in the WAN interface of the WatchGuard and connect the interface directly to the fibre endpoint device.

If you have also purchased additional IPs, add them to the 'secondary' section of the WAN interface. You'll also need to set up policies to control which traffic uses which external IP address, or use the NATing options from the config to specify which subnet uses each external IP.

If your additional IPs are not within the same subnet as the 'main' one that came with your fibre line, you'll need to ensure your ISP is routing this subnet to the primary IP you gave the WAN interface.
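Two practical checks come up in this thread: the accepted answer's distinction between extra addresses that sit inside the WAN subnet (the firewall can answer for them itself) and a separate range that only works if the ISP routes it to the primary WAN IP, and the earlier suggestion to throw junk TCP at the range and watch Traffic Monitor for denied entries. The Python below is an added example for this page, not code from the original posts or from WatchGuard. The addresses are hypothetical RFC 5737 documentation ranges standing in for the redacted BT values, and the check that the ISP gateway is allowed to ping the WAN IP rests on an assumption (that the ISP's SLA probes, which the author's final post identifies as the root cause, are sourced from the default gateway) that you should confirm with your own ISP.

```python
"""Plan and verify a second public IP range on a firewall's external interface.

Added example for this thread, not code from the original posts or from
WatchGuard. All addresses are hypothetical (RFC 5737 documentation ranges)
standing in for the redacted BT values. ASSUMPTION: the ISP's SLA tracking
pings the primary WAN IP from the default gateway; confirm with your ISP.
"""
import ipaddress
import random
import socket
from dataclasses import dataclass, field


@dataclass
class WanPlan:
    primary_ip: str                   # address on the physical external interface
    primary_net: str                  # that interface's subnet, e.g. 198.51.100.0/30
    gateway: str                      # ISP default gateway ("external router pair")
    secondaries: list = field(default_factory=list)        # extra public ranges
    icmp_echo_sources: list = field(default_factory=list)  # nets allowed to ping the WAN IP


def classify_secondaries(plan):
    """Decide, per extra range, whether the firewall alone can make it work.

    on_link: the range lies inside the primary subnet; adding it on the
             'secondary' tab is enough, the firewall answers ARP for it.
    routed:  a different subnet; it only works if the ISP edge router holds
             a static route for it with the primary WAN IP as next hop, so
             the firewall config is necessary but not sufficient.
    """
    primary = ipaddress.ip_network(plan.primary_net, strict=False)
    primary_ip = ipaddress.ip_address(plan.primary_ip)
    gateway = ipaddress.ip_address(plan.gateway)
    warnings = []
    if primary_ip not in primary:
        warnings.append("primary IP is outside its own subnet")
    if gateway not in primary:
        warnings.append("gateway is outside the primary subnet")
    result = {"warnings": warnings, "on_link": [], "routed": []}
    for s in plan.secondaries:
        net = ipaddress.ip_network(s, strict=False)
        if net.subnet_of(primary):
            result["on_link"].append(str(net))
        else:
            # The route the ISP must hold: destination prefix -> our WAN IP.
            result["routed"].append({"prefix": str(net), "next_hop": str(primary_ip)})
    # A routed range is only as good as the ISP's route. If the ISP tracks
    # that route by pinging the WAN IP (assumed source: the gateway) and the
    # external policy drops those echoes, the route is withdrawn.
    if result["routed"] and not any(
        gateway in ipaddress.ip_network(n, strict=False) for n in plan.icmp_echo_sources
    ):
        warnings.append(
            f"ICMP echo from {gateway} is not permitted on the external "
            "interface; upstream SLA tracking may withdraw the routed range"
        )
    return result


def probe_plan(prefix, count=3, seed=None):
    """Pick (address, port) pairs to send junk TCP to from outside the ISP.

    With no policy yet, the firewall's traffic monitor should still log the
    denied SYNs for every address in the range. No log lines at all means
    the packets never reached the firewall, i.e. the ISP is not routing it.
    """
    rnd = random.Random(seed)
    net = ipaddress.ip_network(prefix, strict=False)
    hosts = list(net.hosts()) or [net.network_address]
    return [(str(rnd.choice(hosts)), rnd.randint(1024, 65535)) for _ in range(count)]


def probe(address, port, timeout=2.0):
    """One junk TCP connect; a non-zero errno is the expected outcome.

    The result here is not the point, the log entry on the firewall is.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((address, port))


if __name__ == "__main__":
    plan = WanPlan(
        primary_ip="198.51.100.2", primary_net="198.51.100.0/30",
        gateway="198.51.100.1",
        secondaries=["203.0.113.0/29"],          # hypothetical "network range"
        icmp_echo_sources=["198.51.100.1/32"],   # let the ISP gateway ping us
    )
    for key, value in classify_secondaries(plan).items():
        print(key, value)
    for addr, port in probe_plan("203.0.113.0/29", seed=1):
        print("probe", addr, port)   # run probe(addr, port) from outside
```

Run `classify_secondaries` against your own values first; if the range comes back as `routed`, the secondary tab on its own cannot make it work and the `routed` entry is exactly the static route to ask the ISP to confirm. Only then run the probes from a host outside the ISP's network and look for the corresponding deny entries on the firewall.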
LVL 12

Author Comment

ID: 40243637

Thanks for the response - I understand what you are saying - given that the ISP is TalkTalk I wanted to implement a workaround for now. Plus, as it's classed as an unmanaged solution, they might take longer sorting.

I have attached a diagram outlining the setup - IPs are made up but the SNMs apply.

So my workaround is to drop a Draytek into the mix to route the IP range to the WAN block - can you see any reason why this wouldn't work? It's effectively what the Fortigate is doing.
LVL 27

Expert Comment

ID: 40244986
Bit confused, mate. Don't you already have the IP/subnet & gateway? Why put a workaround in? Just set it up as it should be and drop the Draytek?

Yeah, the example in the diagram should work, but the Draytek shouldn't be necessary.
LVL 12

Author Comment

ID: 40246341
Time really, I don't have direct access to the ISP so waiting on confirmation is taking ages.

When I tried with the Draytek I had the same issue. Although it's just a workaround, I wanted to confirm my logic was good.
LVL 12

Author Comment

ID: 40258066
It dawned on me that actually the incoming route must already be in place for the public IP through to the WAN block, otherwise the current router wouldn't work.

Rebooting the ISP kit (the BT 21CN) will clear out its ARP cache and resolve the issue. So adding the secondary IP range on the external interface should be all that is needed to get the incoming SNATs to work.

Onsite tomorrow to carry this out so I will confirm for completeness.
LVL 12

Author Comment

ID: 40261165
Well, the solution, for completeness, was that because the ISP couldn't ping the external interface of the WG, it affected their IP SLAs, and this affects the routing of the secondary subnet.

So simple... so frustrating!!
