In this article, we would like to highlight a common customer misconfiguration, or misunderstanding, regarding virtual interfaces.
1. Wrong configuration
Many customers believe that they need to configure a virtual WAN interface for each public IP their ISP has assigned to them.
You do not need to create a virtual interface to use one of those public IPs in your IPsec VPN phase 1 (IPsec gateway) or in your NAT/port forwarding rules.
If you configure a virtual interface to use it in your NAT rule or in your IPsec Gateway like this:
You did it wrong!
2. Using your additional public IPs right
Let's imagine you have a public subnet of 18.104.22.168/29, which gives you 6 public IPs you can use freely (the /29 contains 8 addresses, but the network and broadcast addresses are not usable).
Using your desired public IP in your IPsec VPN Phase 1
Instead of using the "Interface" option, use "Domain name / IPv4" and type in the IP:
In order to use your desired public IP in your NAT rules, use 1:1 NAT; a separate guide covers how to set it up.
If you are using a NAT load balancer (firewalls with firmware 5.x and above), there is actually no way to make this misconfiguration and use a virtual WAN interface, as the load balancer asks you to type in your public IPs. In addition, the virtual WAN interface is not even selectable in the interface drop-down menu:
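The following script is an added example (not part of the original article and not the firewall vendor's own tooling) that checks the point of this section: every public IP used in an IPsec gateway or 1:1 NAT rule should be one of the 6 usable addresses of the ISP-assigned /29, and the rule should be bound to the physical WAN interface rather than a virtual one. The rule list, its dictionary format and the "wan1_virtual_*" naming convention are constructed assumptions for illustration.

```python
"""Sanity-check the public IPs used in IPsec gateways and 1:1 NAT rules.

Added example: the rule format below is a hypothetical dictionary, not the
firewall's configuration syntax. The ISP block is the one from the article.
"""
import ipaddress

# ISP-assigned block from the article: 8 addresses, 6 of them usable.
ISP_BLOCK = ipaddress.ip_network("18.104.22.168/29")

# Constructed example rules. "public_ip" is the address typed into
# "Domain name / IPv4" (IPsec) or the public side of a 1:1 NAT rule;
# "interface" is the WAN interface the rule is bound to. Binding a rule to a
# virtual WAN interface (assumed here to be named "wan1_virtual_<n>") is the
# misconfiguration the article describes.
RULES = [
    {"name": "vpn_to_branch", "kind": "ipsec", "public_ip": "18.104.22.169", "interface": "wan1"},
    {"name": "web_server", "kind": "1to1_nat", "public_ip": "18.104.22.170", "interface": "wan1"},
    {"name": "mail_server", "kind": "1to1_nat", "public_ip": "18.104.22.175", "interface": "wan1"},  # broadcast address
    {"name": "legacy_vpn", "kind": "ipsec", "public_ip": "18.104.22.171", "interface": "wan1_virtual_1"},
    {"name": "typo_rule", "kind": "1to1_nat", "public_ip": "18.104.23.170", "interface": "wan1"},  # outside the block
]


def usable_public_ips(block):
    """Return the host addresses of the block as strings.

    For an IPv4 /29, hosts() skips the network and broadcast addresses,
    leaving the 6 IPs the ISP actually lets you use.
    """
    return [str(ip) for ip in block.hosts()]


def check_rules(rules, block=ISP_BLOCK):
    """Return (rule name, problem) pairs for rules that violate the article's advice."""
    usable = set(usable_public_ips(block))
    problems = []
    for rule in rules:
        ip = ipaddress.ip_address(rule["public_ip"])
        if ip not in block:
            problems.append((rule["name"], "public IP is not in the ISP-assigned block"))
        elif str(ip) not in usable:
            problems.append((rule["name"], "public IP is the network or broadcast address"))
        # Assumed naming convention for virtual WAN interfaces.
        if "virtual" in rule["interface"]:
            problems.append((rule["name"], "bound to a virtual WAN interface; use the physical WAN and type the IP"))
    return problems


if __name__ == "__main__":
    print("usable public IPs:", usable_public_ips(ISP_BLOCK))
    for name, problem in check_rules(RULES):
        print(f"{name}: {problem}")
```

Run it against an export of your own rules by replacing RULES; a clean configuration returns an empty list from check_rules, while each flagged rule tells you whether the IP itself is wrong or only the interface binding is.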
3. When to actually use virtual interfaces?
Now let's look at two possible scenarios where it actually makes sense to use virtual interfaces.
Real use case for a virtual LAN interface: a DHCP superscope, or legacy devices whose IP and gateway configuration you cannot change.
For some reason, you might have devices in your network with IP ranges outside the configured subnet of your firewall's LAN interface. Two possible reasons are:
- DHCP Superscope
- Old devices in your network that have a different gateway/IP configuration, and you do not know the login credentials to change it
This is a valid reason to use virtual interfaces. Simply create a new virtual LAN interface with the needed IP configuration by heading to Network > Interface > Ethernet:
But please note that it is better to use VLANs to separate your broadcast domains!
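As an added example (not part of the original article), the script below takes a constructed device inventory and works out which devices sit outside the firewall's LAN subnet and which virtual LAN interface address (the gateway those devices expect, with their prefix length) would serve them. The LAN subnet, device list and tuple format are assumptions for illustration; it also catches the edge case where a device's configured gateway is not even inside its own subnet, which no virtual interface can fix.

```python
"""Find off-subnet LAN devices and propose the virtual LAN interfaces they need.

Added example with constructed data; the inventory format (hostname, IP with
prefix length, configured gateway) is hypothetical.
"""
import ipaddress
from collections import defaultdict

# Constructed subnet of the firewall's LAN interface.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed inventory, e.g. gathered from an ARP table and device labels.
DEVICES = [
    ("pc-01", "192.168.1.20/24", "192.168.1.1"),
    ("printer-old", "10.0.0.50/24", "10.0.0.1"),
    ("plc-01", "10.0.0.60/24", "10.0.0.1"),
    ("camera-legacy", "172.16.5.9/24", "172.16.5.254"),
    ("sensor-x", "10.0.1.7/24", "10.0.0.1"),  # gateway outside its own /24
]


def off_subnet_devices(devices, lan=LAN_SUBNET):
    """Return the devices whose address is outside the LAN interface subnet."""
    return [d for d in devices if ipaddress.ip_interface(d[1]).ip not in lan]


def virtual_interfaces_needed(devices, lan=LAN_SUBNET):
    """Map each proposed virtual LAN interface (gateway/prefix) to the devices it serves.

    Devices whose configured gateway lies outside their own subnet are returned
    separately: they would never ARP for the gateway on that subnet, so adding a
    virtual interface does not help and the device itself needs fixing.
    """
    proposals = defaultdict(list)
    unreachable = []
    for name, addr, gw in off_subnet_devices(devices, lan):
        iface = ipaddress.ip_interface(addr)
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in iface.network:
            unreachable.append(name)
            continue
        # The virtual interface must carry exactly the gateway address the
        # device expects, with the same prefix length the device uses.
        vif = ipaddress.ip_interface(f"{gw_ip}/{iface.network.prefixlen}")
        proposals[str(vif)].append(name)
    return dict(proposals), unreachable


if __name__ == "__main__":
    proposals, unreachable = virtual_interfaces_needed(DEVICES)
    for vif, names in proposals.items():
        print(f"virtual LAN interface {vif} would serve: {', '.join(names)}")
    for name in unreachable:
        print(f"{name}: gateway not in its own subnet, virtual interface will not help")
```

Each proposed address is what you would enter under Network > Interface > Ethernet for the new virtual LAN interface. Treat the output as a stopgap inventory: once the legacy devices can be reconfigured, moving each group onto its own VLAN separates the broadcast domains properly, as the article notes.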