Description

Adding additional IP addresses to an interface in the Firewall is described in the following KB:

https://kb.clavister.com/324735780/adding-an-additional-ip-address-to-an-ethernet-interface

It is recommended to use the “core” route method. And one of the reason for that recommendation is that non-core routed IP addresses that is to be used by the Firewall for a server function such as SSL-VPN, OneConnect, IPsec, WebUI, SSH etc. may not function properly unless the IP address is core routed.

In versions before 13.00.09 it was possible to configure and use the SSL-VPN server on a non-core routed IP address. But changes in 13.00.09 now aligns the SSL-VPN server with other server types which cause any existing configured SSL-VPN servers to stop working unless the IP address for the server is core routed.

Solution

The solution to the problem is to follow the above mentioned KB article and instead of using “ARP publish”, create and use a core route + ProxyARP to publish the additional IP address on the Firewall. Doing this change on existing Firewall configurations may require updates to any IP Policy (or rule) that is specifically configured towards a non-core interface used towards the additional IP address. An example on needed changes to IP polices/rules:

Before:

Allow Wan all-nets Wan IP_Wan_2 Service=HTTP SetDest=192.168.50.50

After:

Allow Wan all-nets Core IP_Wan_2 Service=HTTP SetDest=192.168.50.50

Related articles