Hello,
Q:
Is it a problem running different WAN ports with the same "next hop" for different purposes at the same time?
Explanation:
I have to move another Firewall from UTM to XGS.
Unfortunately there is still no comfortable option to switch vNICs on and off like it was always possible with Astaro/UTM, so I had to pre-configure all our public IPs on an unplugged or inactive port. (*) I configured all the DNAT/SNAT rules I need for access to customer systems on "port4", which is unplugged.
Meanwhile I had to implement and test a lot of other things, e.g. IPsec LAN2LAN with big companies, IPsec Access VPN, L2TP Access VPN, RADIUS and AD authentication, routing in all cases, and so on.
Therefore I needed at least one active public IP and I configured one on the active "port2". What I was forced to do, too, is to define a "new gateway".
I configured the same "next hop" from my ISP I used during configuration of "port3" earlier.
Now everything seems fine - but I am really concerned about activating "port3" with all our well known public IPs:
Will the XGS do fine with 2 WAN ports to the same next hop-IP - or will there be a lot of trouble with a confused routing table?
I have configured an SD-WAN profile for both ports, but I am not sure if this is necessary.
port2: => 1 public IP, used for LAN2LAN, VPN-Access, outgoing websurfing
port4: => tons of public IPs, used for WAN-access to systems in the DMZ
Both ports are connected to the same switch where the ISP's Cisco router is connected, too. (Yes, the Cisco does BGP itself.)
Thank you - Chris
(*) PS:
No, creating a firewall rule with policy DROP does not do the same as switching off a vNIC: the port will still answer the "who has...?" from the WAN switch, and this can kill access to all the live machines behind the still existing UTM.
Added TAGs
[edited by: Raphael Alganes at 2:48 PM (GMT -8) on 13 Feb 2025]
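The three risks raised in this post (two WAN ports bound to one next hop, two ports sitting on the same L2 segment, and pre-configured public IPs that a still-live UTM also answers for) can be checked on paper before the cable is plugged in. The script below is an added example written for this thread, not a Sophos tool and not something the poster provided; the port names, the 203.0.113.0/24 addresses and the gateway are constructed sample values, and the severity wording is my own.

```python
"""Static lint for a multi-WAN layout (constructed example, not a Sophos tool)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from itertools import combinations
from typing import List, Tuple


@dataclass
class WanPort:
    name: str
    addresses: List[str]   # CIDR strings configured on the port
    gateway: str           # next-hop IP of the gateway object bound to the port
    plugged_in: bool       # cable connected to the WAN switch?
    admin_up: bool         # interface enabled in the firewall config?


def check_wan_layout(ports: List[WanPort], live_ips: List[str]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a planned WAN layout.

    live_ips are addresses that another box (here: the old UTM) still answers for.
    """
    findings: List[Tuple[str, str]] = []

    # 1. Several ports bound to one next hop. This only works cleanly when a
    #    policy route / SD-WAN profile pins replies to the port the request came
    #    in on; otherwise the single default route picks one port and traffic for
    #    the other port's IPs leaves asymmetrically.
    by_gateway = {}
    for p in ports:
        by_gateway.setdefault(ip_address(p.gateway), []).append(p.name)
    for gw, names in sorted(by_gateway.items()):
        if len(names) > 1:
            findings.append(("SHARED_NEXT_HOP", f"{gw} is the gateway of {', '.join(names)}"))

    # 2. Two ports whose subnets overlap are on the same L2 segment, so the
    #    upstream router may learn either port's MAC for either IP (ARP flux).
    for a, b in combinations(ports, 2):
        overlap = any(
            ip_interface(ia).network.overlaps(ip_interface(ib).network)
            for ia in a.addresses for ib in b.addresses
        )
        if overlap:
            findings.append(("SAME_SEGMENT", f"{a.name} and {b.name} share a subnet"))

    # 3. An enabled port answers ARP for its addresses regardless of DROP rules,
    #    so any address still served by the UTM becomes a duplicate as soon as
    #    the port is (or gets) plugged in.
    live = {ip_address(x) for x in live_ips}
    for p in ports:
        if not p.admin_up:
            continue
        for cidr in p.addresses:
            addr = ip_interface(cidr).ip
            if addr in live:
                when = "now" if p.plugged_in else "as soon as the cable is connected"
                findings.append(("ADDRESS_CONFLICT", f"{p.name} {addr} is still live on the UTM; ARP conflict {when}"))
    return findings


# Constructed sample layout mirroring the situation in the post.
EXAMPLE_PORTS = [
    WanPort("port2", ["203.0.113.10/24"], "203.0.113.1", plugged_in=True, admin_up=True),
    WanPort("port4", ["203.0.113.20/24", "203.0.113.21/24"], "203.0.113.1", plugged_in=False, admin_up=True),
]
STILL_ON_UTM = ["203.0.113.21"]  # one public IP not yet migrated

if __name__ == "__main__":
    for code, detail in check_wan_layout(EXAMPLE_PORTS, STILL_ON_UTM):
        print(f"{code:17} {detail}")
```

Feed it the real interface list and the addresses the UTM still holds; an empty result for the port you are about to activate is the condition you want before plugging it in.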