Configuring multiple networks behind the same interface

Last modified on 21 Oct, 2022. Revision 9
Configuring multiple networks behind the same interface (mainly Ethernet or VLAN)
Up to date for: 13.00.08
Supported since: 8.xx.xx
Status: OK
Author: Peter Nilsson

Question:

I want to add a second network behind one of my Ethernet interfaces. How can I achieve this?

Answer:

Let's say we have the following IP and network used on our Dmz interface:

Dmz_IP = 192.168.1.1
Dmz_Network = 192.168.1.0/24

Now we want to add a second IP and network behind the Dmz interface. We want the users behind the new network to be able to use 192.168.2.1 as their default gateway.

Dmz_IP_2 = 192.168.2.1
Dmz_Network_2 = 192.168.2.0/24

In order to achieve this we only need to add a single route to the routing table, looking like this:

Route Dmz Dmz_Network_2 LocalIP=Dmz_IP_2

Local IP is very important to use here. Local IP does **two** important things:

  1. It ARP publishes the defined IP address on the selected interface.
  2. It uses the defined IP address as sender when doing ARP queries towards the defined network.

Machines in the new 192.168.2.0/24 network would reasonably want to use 192.168.2.1 as their default gateway, and this will work fine as we have ARP published it using Local IP.

It also works the other way around. When the Firewall wants to perform an ARP query towards e.g. 192.168.2.50, it will use 192.168.2.1 as the sender IP for this ARP query. Since the source IP is then part of the 192.168.2.0/24 network, the client will respond without any problems.

What happens if Local IP is not used?

Let's assume that we forgot to set the Local IP on the route. That would mean that when the Firewall performs an ARP query to find 192.168.2.50, it will use the IP address defined on the Dmz interface (192.168.1.1) as sender. The client will get very confused by this, as it is a request from an IP address that is not part of its own network, and will reject it.

Also, unless we have manually ARP published 192.168.2.1 on the Dmz interface to make the Firewall respond to ARP queries towards this IP, the clients will be unable to ARP query their "default gateway" and will be unable to reach anything past their local network segment.
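The two ARP effects of Local IP described above, modelled as an added example (not code from the article or from cOS Core): a small Python routing table with longest-prefix lookup, where the sender IP of an outgoing ARP request and the set of ARP-published addresses are derived from the routes, so the same client can be checked with and without LocalIP on the route. The topology values are the article's; the Route/Interface structures and the function names are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

@dataclass
class Route:
    interface: str                   # "Dmz", "Core", ...
    network: Net
    local_ip: Optional[IPv4] = None  # the LocalIP= option on the route

# Constructed topology (assumption): the Dmz interface carries Dmz_IP.
INTERFACE_IP = {"Dmz": IPv4("192.168.1.1")}

def lookup(routes, dst):
    """Longest-prefix match, as the routing table does."""
    hits = [r for r in routes if dst in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)

def arp_sender_ip(routes, dst):
    """Sender IP the firewall puts in an ARP request for dst: the route's
    LocalIP if one is set, otherwise the interface's own address."""
    r = lookup(routes, dst)
    if r is None or r.interface == "Core":
        return None
    return r.local_ip if r.local_ip is not None else INTERFACE_IP[r.interface]

def published_ips(routes, iface):
    """Addresses the firewall answers ARP for on iface: its own IP plus
    every LocalIP on a route bound to that interface (ARP publish)."""
    return {INTERFACE_IP[iface]} | {r.local_ip for r in routes
                                    if r.interface == iface and r.local_ip is not None}

def check(routes, client_ip, client_net, gateway, iface="Dmz"):
    """Both directions of the article's argument for one client host."""
    sender = arp_sender_ip(routes, client_ip)
    return {
        # a host ignores an ARP request whose sender IP lies outside its subnet
        "fw_resolves_client": sender is not None and sender in client_net,
        "client_resolves_gw": gateway in published_ips(routes, iface),
    }

DMZ_NET_2, GW_2, CLIENT = Net("192.168.2.0/24"), IPv4("192.168.2.1"), IPv4("192.168.2.50")
# Route Dmz Dmz_Network_2 LocalIP=Dmz_IP_2, plus the recommended Core route
with_local_ip = [Route("Dmz", Net("192.168.1.0/24")), Route("Dmz", DMZ_NET_2, GW_2),
                 Route("Core", Net("192.168.2.1/32"))]
# The same route with LocalIP forgotten
without_local_ip = [Route("Dmz", Net("192.168.1.0/24")), Route("Dmz", DMZ_NET_2)]

if __name__ == "__main__":
    print(check(with_local_ip, CLIENT, DMZ_NET_2, GW_2))     # both True
    print(check(without_local_ip, CLIENT, DMZ_NET_2, GW_2))  # both False
```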

To configure multiple IP addresses behind the same interface, see: https://kb.clavister.com/324735780/adding-an-additional-ip-address-to-an-ethernet-interface

Core route the IP address used as Local IP

It is recommended to also Core route the IP address used as Local IP by adding another route looking like this:

Route Core Dmz_IP_2

The reason for this recommendation is that the new IP (Dmz_IP_2 in the example) will then behave the same as an interface IP belonging to the firewall when it comes to configuring IP policies, VPN tunnels, OneConnect and more. It could otherwise cause some confusion as to why a non-Core-routed IP must be configured or used differently, and there is no disadvantage to Core routing the IP in this scenario.
