Urgent! Security Advisory Notification - Firmware Upgrade advise for optimal protection & VPN and GUI Stability Issues

Read Article
English Български Čeština Dansk Deutsch Español Suomi Français Magyar Italiano Nederlands Norsk Polski Română Русский Slovenčina svenska Türkçe

USG FLEX / ATP / VPN Series: Using Virtual Interfaces Interfaces icon

Avatar
  • Updated
Back to top

In this article, we would like to highlight a common customers misconfiguration or misunderstanding regarding virtual interfaces.

 

1. Wrong configuration

2. Using your additional public IPs right

3. When to actually use virtual interfaces?

 

 

1.  Wrong configuration

Many customers do believe that it is needed to configure a virtual WAN interface for each public IP their ISP assigned to them.

It is not needed to create a virtual interface to use it in your IPSec VPN phase 1 (IPsec gateway) or in your NAT/port forwarding rules.

If you configure a virtual interface to use it in your NAT rule or in your IPsec Gateway like this:

mceclip0.png

You did it wrong!

 

2.  Using your additional public IPs right

Let´s imagine you have a public subnet of 212.13.45.6/29, which means you have 6 public IPs you can use freely.

Using your desired public IP in your IPsec VPN Phase 1

Instead of using the option "Interface", please use "Domain name / IPv4" and type in the IP:

mceclip3.png

 

In order to use your desired public IP in your NAT rules, please use 1:1 NAT: Click here for the guide

mceclip2.png

If you are using a NAT load balancer (firewalls with firmware 5.x and above) , there is actually no way to do the misconfiguration and use a virtual WAN interface, as the load balancer asks you to type in your public IPs. In addition, the virtual WAN interface is not even choosable in the interface drop-down menu:

mceclip1.png

3. When to actually use virtual interfaces?

Now let´s look at two possible scenarios where it actually makes sense to use virtual interfaces.

real use case virtual LAN interface - one scenario is superscope or legacy devices where you can not change IP and gateway config

For some reason, you might be having devices in your network with different IP ranges out of the configured subnet of your firewalls LAN interface. Two reasons could be:

  • DHCP Superscope
  • Old devices in your network which have a different gateway / IP configuration and you do not know the login credentials to change it

This is a valid reason to use virtual interfaces. Simply create a new virtual LAN interface with the IP configuration needed by heading to Network > Interface > Ethernet:

blobid0.png

 

But please note that it is better to actually use VLANs to separate your broadcast domains!

Contact Us
Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request

Related articles

Comments

0 comments

Please sign in to leave a comment.