This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Two WAN interfaces in the same subnet

 Hi,

we need a solution for the following issue:

  1. We started with one WAN interface on our UTM 9. All incoming VPNs (site-to-site and client) are configured to it.
  2. China seems to now block this IP. We can’t bring up the site-to-site VPN or client VPNs to this IP.
  3. As a workaround we configured an additional interface as 2nd WAN interface with a different IP from our WAN IP range. (unfortunately additional IPs on the WAN interface can’t be used as VPN endpoint). The site-to-site VPN from China comes up on this interface/IP.
  4. Now the problems start. The ISP router sometimes gets the wrong MAC for some of our IPs.

 

So .. two WAN interfaces in the same network subnet/segment aren’t supported.

Changing the IP on the primary WAN link is barely possible because of all the client VPNs we have out.

Can someone advice on a different approach?



This thread was automatically locked due to age.
Parents
  • If you have only a single ISP, put a small Layer 2 switch in between the ISP and the UTM.  Configure the new IP as the primary one on another interface and connect both interfaces to the switch.  Did that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's what we did. This started the mess. Both interfaces are responding to ARP requests with their own MAC. So sometimes, depending on who responds faster, the ARP table of the ISP router contains the wrong MAC.

    We now solved it by setting up a 2nd router and route the new IP. Would have liked to not set up an additional router.

    So a solution to the issue that the wrong interface responds to ARP requests for IPs not bound to it would be great. 

Reply
  • That's what we did. This started the mess. Both interfaces are responding to ARP requests with their own MAC. So sometimes, depending on who responds faster, the ARP table of the ISP router contains the wrong MAC.

    We now solved it by setting up a 2nd router and route the new IP. Would have liked to not set up an additional router.

    So a solution to the issue that the wrong interface responds to ARP requests for IPs not bound to it would be great. 

Children
No Data