Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Hello,
Q:
Is it a problem running different WAN ports with the same "next hop" for different purposes at the same time?
Expanation:
I have to move another Firewall from UTM to XGS.
Unfortunately there is still no comfortable option to switch on and off vNICs like it was always possible wit astaro/UTM I had to pre-configure all our pblic IPs on an unplugged or inactive Port. (*) I confirgured all the DNAT/SNAT-rules I need for access to costumer systems on "port4" which is unplugged.
Meanwhile I had to implement and test a lot of other things e.g. IPSEC LAN2LAN with big companies, IPSEC Access VPN, L2TP Access VPN, RADIUS and AD-Authentication, routing in all cases, a.s.o.
Therefore I needed at least one active public IP and I configured one on the active "port2". What I was forced to do, too, is to define a "new gateway".
I configured the same "next hop" from my ISP I used during configuration of "port3" earlier.
Now everything seems fine - but I am really concerned about activating "port3" with all our well known public IPs:
Will the XGS do fine with 2 WAN ports to the same next hop-IP - or will there be a lot of trouble with a confused routing table?
I have configured a SD-WAN-profile for both ports but I not sure if this is neccessary.
port2: => 1 public IP, used for LAN2LAN, VPN-Access, outgoing websurfing
port4: => tons of public IPs, used for WAN-access to systems in the DMZ
Both ports are connected to the same switch whre the ISPs cisco router is connected, too. (Yes, the cisco does bgp itself)
Thank you - Chris
(*) PS:
No, creating a firewall rule with policy DROP does not the same like switch off a vNIC - the port will still anwser the "who has...?" from the WAN switch and this can kill access to all the live machines behind the still existing UTM.
Quote