WatchGuard XTM with two external IP subnets on single interface


I am after some clarification here as WatchGuard support are about as useful as a chocolate fireguard!

I have a customer who has a Fortigate 110C which is connecting them to their BT Fibre - 50/100

Due to issues with their client VPN, and because it is our preferred firewall/router option, we are looking to replace this device with a WatchGuard XTM 330. I have done this a lot in the past few years for companies of all shapes and sizes, so it should have been straightforward.

However, just before the changeover I noticed that the Fortigate had a VDOM interface with an external IP range on it, but its physical interface on the device had an external IP on a different range. Now I know this is fairly typical of BT to do - you have an IP for internet access but your range of IPs is delivered on a different subnet, and all of the NATted services are on the second subnet range.

So I adjusted the external IP settings on the WatchGuard so that the primary interface was the external IP on the physical interface on the WatchGuard, and put the secondary range of IP addresses on the secondary tab of the same interface. Now despite them being listed here, the internet works on the WatchGuard but none of the IPs on the secondary tab are accessible.

In a nutshell I believe the only way I am going to get this working is to stick another router in front of the WatchGuard, and then set the secondary range on the WatchGuard external interface - not ideal as I only have a Draytek to hand. The Fortigate didn't need it because the VDOM feature allows the creation of a router within a router, therefore eliminating the need for another physical routing device.

So, the question is - has anyone actually had a second public IP range assigned from an ISP (on a different subnet from the current range) and got it working just by assigning it to the secondary tab of the WatchGuard (without another router involved, directly connected to BT kit)?

Does the BT kit allow the route to be added to it to remove the need to add your own router?


Yes. I have had this working several times.

To confirm:

- the external interface has a valid external IP/subnet/gateway listed
- the external interface also has additional external IPs/subnets listed on the 'secondary' tab.

What element of this doesn't work? If you try to set up a rule for one of the secondary IPs, what happens? Is it outbound or inbound traffic that's an issue?
Typically we create secondary networks as you have already done; but the routing part has to be done by the ISP, BT in this case.
They must send all traffic on secondary IP subnet to WG; please check with them if this is not happening.

You can open Traffic Monitor and send some junk traffic on random TCP ports on the secondary IP subnet and you should see some entries; if none, BT is to blame.
Once you see the entries we can configure firewall policies and relevant NAT policies to get the traffic in.

Thank you.
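One way to turn that Traffic Monitor check into a repeatable test, as an added example that is not from the thread or from WatchGuard: feed it the logged entries and it reports whether anything addressed to the secondary block actually reached the external interface (proof the ISP is routing it), lists destinations that fit neither range, and flags denied ICMP echo to the primary IP, since an ISP reachability probe that gets no reply can withdraw the route for the secondary block. The addresses are constructed from RFC 5737 documentation ranges and the log line shape is assumed; only parse_line() depends on it.

```python
import ipaddress
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real BT allocation.
PRIMARY_IF = ipaddress.ip_interface("198.51.100.10/30")   # WAN IP/mask on the external interface
SECONDARY_NET = ipaddress.ip_network("203.0.113.0/29")    # routed block on the 'secondary' tab

# Constructed sample lines, "src dst proto dport disposition"; real Traffic Monitor output differs.
SAMPLE_LOG = """\
192.0.2.44 198.51.100.10 tcp 443 Allowed
192.0.2.44 203.0.113.3 tcp 25 Denied
192.0.2.45 198.51.100.10 icmp 0 Denied
192.0.2.46 203.0.113.5 tcp 3389 Denied
192.0.2.47 203.0.113.9 tcp 80 Denied
"""

def parse_line(line):
    """Split one simplified log line into fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, dst, proto, dport, disposition = parts
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "disposition": disposition}

def classify_dst(dst):
    """Primary WAN IP, a host inside the secondary block, or something else entirely."""
    if dst == PRIMARY_IF.ip:
        return "primary"
    if dst in SECONDARY_NET:
        return "secondary"
    return "other"

def analyse(log_text):
    """A destination inside SECONDARY_NET proves the ISP routes the block here even if the firewall
    denies it for want of a policy; denied ICMP echo to the primary IP is flagged separately."""
    seen = defaultdict(set)
    primary_icmp_denied = False
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        bucket = classify_dst(entry["dst"])
        seen[bucket].add(str(entry["dst"]))
        if bucket == "primary" and entry["proto"] == "icmp" and entry["disposition"] == "Denied":
            primary_icmp_denied = True
    return {"secondary_routed": bool(seen["secondary"]),
            "secondary_hosts": sorted(seen["secondary"]),
            "outside_both_ranges": sorted(seen["other"]),
            "primary_icmp_denied": primary_icmp_denied}
```

A host that appears under "outside_both_ranges" (203.0.113.9 in the constructed sample, one past the /29) usually means the mask on the secondary tab does not match what the ISP allocated.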
DLeaverAuthor Commented:
So, to clarify further:

The service is on a 21CM BT appliance, 50/100mb fibre.

the "External Router Pair" is ( is on the WAN IP of the current fortigate)

The "Network range" is

I stuck a Draytek in front of the WatchGuard this morning with the external pair on the WAN interface and the IPs from the network range on the LAN. The WatchGuard used IPs on the network range - again I got internet access but nothing from the network range? When I went to I got the external interface IP from the Draytek!!

If you had an unmanaged fibre line service from BT and a WatchGuard router, what is the proper configuration?

You should have an IP address provided with the fibre line, a subnet mask and a default gateway.
Whack these in the WAN interface of the WatchGuard and connect the interface directly to the fibre endpoint device.

If you have also purchased additional IPs, add them to the 'secondary' section of the WAN interface. You'll also need to set up policies to control which traffic uses which external IP address, or use the NATting options from the config to specify which subnet uses each external IP.

If your additional IPs are not within the same subnet as the 'main' one that came with your fibre line, you'll need to ensure your ISP is routing this subnet to the primary IP you gave the WAN interface.
DLeaverAuthor Commented:

Thanks for the response - I understand what you are saying - given that the ISP is TalkTalk I wanted to implement a workaround for now. Plus, as it's classed as an unmanaged solution, they might take longer sorting it.

I have attached a diagram outlining the setup - IPs are made up but the SNMs apply.

So my workaround is to drop a Draytek into the mix to route the IP range to the WAN block - can you see any reason why this wouldn't work? It's effectively what the Fortigate is doing.
Bit confused mate. Don't you already have the IP/subnet and gateway? Why put a workaround in? Just set it up as it should be and drop the Draytek?

Yea, the example in the diagram should work, but the Draytek shouldn't be necessary.
DLeaverAuthor Commented:
Time really, I don't have direct access to the ISP so waiting on confirmation is taking ages.

When I tried with the Draytek I had the same issue. Although it's just a workaround, I wanted to confirm my logic was good.
DLeaverAuthor Commented:
Dawned on me that actually the incoming route must already be in place for the public IP through to the WAN block, otherwise the current router wouldn't work.

Rebooting the ISP kit (the BT21CN) will clear out its ARP cache and resolve the issue. So adding the secondary IP range on the external interface should be all that is needed to get the incoming SNATs to work.

Onsite tomorrow to carry this out, so I will confirm for completeness.
DLeaverAuthor Commented:
Well, the solution, for completeness, was that because the ISP couldn't ping the external interface of the WG, it affected their IP SLAs, and this affects the routing of the secondary subnet.

So frustrating!!