Two WAN Ports with identical next hop?

Hello,
Q:

Is it a problem running different WAN ports with the same "next hop" for different purposes at the same time? 

Explanation:
I have to move another firewall from UTM to XGS.
Unfortunately there is still no comfortable option to switch vNICs on and off as was always possible with Astaro/UTM, so I had to pre-configure all our public IPs on an unplugged or inactive port. (*) I configured all the DNAT/SNAT rules I need for access to customer systems on "port4", which is unplugged.

Meanwhile I had to implement and test a lot of other things, e.g. IPsec LAN2LAN with big companies, IPsec access VPN, L2TP access VPN, RADIUS and AD authentication, routing in all cases, and so on.

Therefore I needed at least one active public IP, and I configured one on the active "port2". I was also forced to define a "new gateway".
I configured the same "next hop" from my ISP that I had used earlier when configuring "port3".

Now everything seems fine - but I am really concerned about activating "port3" with all our well known public IPs:

Will the XGS do fine with 2 WAN ports to the same next hop-IP - or will there be a lot of trouble with a confused routing table?

I have configured an SD-WAN profile for both ports, but I am not sure whether this is necessary.

port2: => 1 public IP, used for LAN2LAN, VPN-Access, outgoing websurfing

port4: => tons of public IPs, used for WAN-access to systems in the DMZ 

Both ports are connected to the same switch where the ISP's Cisco router is connected, too. (Yes, the Cisco does BGP itself.)

Thank you - Chris

(*) PS:
No, creating a firewall rule with policy DROP does not do the same as switching off a vNIC: the port will still answer the "who has...?" from the WAN switch, and this can kill access to all the live machines behind the still existing UTM.

Added TAGs
[edited by: Raphael Alganes at 2:48 PM (GMT -8) on 13 Feb 2025]
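The question above is really about what a router does when two interfaces carry an equal default route to the same next hop. The following is an added illustration, not code from the original post and not SFOS code: a deliberately simplified policy-routing model in Python. It does not reproduce how SFOS builds its routing table or evaluates SD-WAN profiles; it only shows the generic mechanism. The addresses (RFC 5737 documentation ranges), the table names "wan2"/"wan4" and the rules are constructed for the example.

```python
"""Simplified model of egress selection with two WAN ports sharing one next hop.

Added illustration, not SFOS code. Topology and addresses are constructed:
both ports sit in the ISP's 203.0.113.0/24 segment and use 203.0.113.1 as
next hop, like port2/port4 in the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    iface: str
    via: Optional[IPAddr] = None  # None means directly connected


@dataclass(frozen=True)
class Rule:
    src_prefix: IPNet  # packets sourced from this prefix ...
    table: str         # ... are looked up in this table


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s)


def addr(s: str) -> IPAddr:
    return ipaddress.ip_address(s)


GW = addr("203.0.113.1")                 # constructed ISP next hop
PORT2_IP = addr("203.0.113.10")          # single IP: VPN, web surfing
PORT4_IPS = net("203.0.113.16/28")       # block of public IPs for DMZ DNAT

# "main" table as a plain router would build it: one connected route per
# port plus one default route per port, both via the same gateway.
MAIN = [
    Route(net("203.0.113.0/24"), "port2"),
    Route(net("203.0.113.0/24"), "port4"),
    Route(net("0.0.0.0/0"), "port2", GW),
    Route(net("0.0.0.0/0"), "port4", GW),
]

# Per-port tables selected by source-based rules (hypothetical names).
TABLES = {
    "main": MAIN,
    "wan2": [Route(net("203.0.113.0/24"), "port2"),
             Route(net("0.0.0.0/0"), "port2", GW)],
    "wan4": [Route(net("203.0.113.0/24"), "port4"),
             Route(net("0.0.0.0/0"), "port4", GW)],
}
SRC_RULES = [
    Rule(net("203.0.113.10/32"), "wan2"),
    Rule(PORT4_IPS, "wan4"),
]


def lookup(table, dst: IPAddr) -> Optional[Route]:
    """Longest-prefix match; on a tie the first route listed wins."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(src: str, dst: str, rules=()) -> Optional[str]:
    """Interface a packet leaves on: source rules first, then the main table."""
    s, d = addr(src), addr(dst)
    for rule in rules:
        if s in rule.src_prefix:
            r = lookup(TABLES[rule.table], d)
            if r is not None:
                return r.iface
    r = lookup(TABLES["main"], d)
    return r.iface if r is not None else None


def reply_symmetric(ingress_iface: str, public_ip: str, client_ip: str, rules=()) -> bool:
    """Does the reply to a DNAT'd connection leave via the port it arrived on?

    The reply is sourced from the public IP the client connected to.
    """
    return egress(public_ip, client_ip, rules) == ingress_iface


if __name__ == "__main__":
    client = "192.0.2.7"  # constructed internet client
    print("no rules, reply for port4 IP leaves via:", egress("203.0.113.20", client))
    print("with source rules, it leaves via:", egress("203.0.113.20", client, SRC_RULES))
```

With only the main table, both default routes tie and the first one wins, so a reply sourced from a port4 address leaves through port2 and the flow is asymmetric. With a source-based rule per port, each public IP's traffic leaves through the port that owns it, which is the property a per-port SD-WAN/policy route is meant to give. The model says nothing about ARP: as the PS notes, an interface that has an address configured answers ARP for it below the firewall rule layer, and that is independent of which table the routing lookup uses.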