Configuring multiple networks behind the same interface.

Frequently Asked Questions
Post Reply
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Configuring multiple networks behind the same interface.

Post by Peter » 14 May 2013, 19:32

This FAQ applies to:
  • Clavister CorePlus / cOS Core all versions

I want to add a second network behind one of my interfaces. How can i achieve this?


Lets say you have the following base setup:
Dmz_IP =
Dmz_Network =
Now we want to add a second network behind the Dmz interface:
Dmz_IP_2 =
Dmz_Network_2 =
In order to get this working we only need to add one single route in the routing table that looks like this:
Route Dmz Dmz_Network_2 LocalIP=Dmz_IP_2
Local IP is very important to use here. Local IP does two things:

1. It ARP publishes the defined IP address on the selected interface.
2. It uses the defined IP address as sender when doing ARP queries towards this network.

Machines in the new network would reasonably want to use as it's default gateway, and this will work fine as we have ARP publised it using Local IP.

It also works in the other way around. When the Firewall wants to perform an ARP query towards e.g. it will use as sender IP for this ARP query. And since the source IP then will be part of the network, the client will respond without any problems.

What happens if Local IP is not used?

Lets assume that we forgot to set the Local IP on the route, then it would mean that when the Firewall performs an ARP query to find it will use the defined IP address on the Dmz interface ( as sender. The client will get very confused by this as it's a request from an IP address that is not part of it's own network, and will reject it.

Also unless we have manually ARP published on the Dmz interface, the clients will be unable to ARP query their "default gateway" and will be unable to reach anything past their local network.

To configure multiple IP addresses behind the same interface, see:viewtopic.php?f=18&t=5171&p=10741#p10741

Post Reply