how to route 2 wans with the same subnet
January 13, 2009 11:23 PM   Subscribe

Is there a firewall that will let me have two separate wan connections that are both on the same subnet/ have the same gateway?

I have a fortinet fortigate 60 that has two wan ports. We recently upgraded our wan connections to two fios lines, and would like to use them both. Only problem is that the fortigate does not allow us to have two connections that are on the same subnet.

line 1 = with a gateway of
line 2 = with a gateway of
( addresses changed to protect the innocent )

We are currently engaged in a 2 week epic battle with verizon to see if we can get one of the lines changed to a different subnet, but so far, they have managed to just change the ip address within the same subnet. three times. word.

I feel that I need to start planning for the possiblity that they may not be able to change the ip addess for us. So I figure we could look at other firewall solutions that might be able to do what we want.

1) is it possible to have two wan connections on one firewall that are in the same subnet? I know a bit about routing, but nowhere near enough to know how this would be possible.

2) If it is possible, any suggestions on firewalls that would work? ( I think I am more interested in linux based opensource firewalls, rather than dedicated firewalls, but if thats all you got, let me know anyways ).
posted by brent_h to Computers & Internet (6 answers total) 1 user marked this as a favorite
If you want two physical interfaces to share the same subnet, what you're usually looking for is some variety of port-channel or "bonded" interfaces. That makes the two circuits look like a single interface with only one IP address and gateway, i.e. Port1 has with as the gateway, where Port1 is a virtual interface made up of your line1 and line2. Your provider has to support the same aggregation protocol on their side, and the two circuits have to terminate on the same router in Verizon's network. No router is going to allow you to number two interfaces out of the same subnet, because it wouldn't know which one to use.

The Fortigate higher-end models support 802.3ad, a standard "link aggregation" protocol. However, it doesn't look like that support is available in the Fortigate 60 (I'm looking at this manual). However, look on page 117 of that manual and see if the configuration setting is available on your box.

I can't help you on which firewalls support it, but looking for 802.3ad, or possibly LACP, in the feature set would help. However, nothing will help unless Verizon can also set it up on their side, which may not be available with the FIOS service.
posted by five toed sloth at 12:01 AM on January 14, 2009

pfSense (based on FreeBSD) will do this out of the box with any number of WAN interfaces. I believe the caveat in multihoming on a subnet under FreeBSD is that all but one interface should have a subnet mask of, the remaining one having the "actual" mask.
posted by rhizome at 2:33 AM on January 14, 2009

Yeah, I was going to mention using some subnet mask voodoo to tell the firewall each IP is its own subnet. It may not work if the gateway is the same on both.

Another option would be to place a router between one of the wan ports and the fios box, that NATs that connection, changing the subnet that the firewall sees. The firewall would still have to be configured (somehow) to decide how to use the two wan connections.
posted by gjc at 7:40 AM on January 14, 2009

I was going to suggest what gjc suggested. Drop in another router in there and use the new gateway, at least until Verizon changes that IP for you.
posted by damn dirty ape at 8:19 AM on January 14, 2009

I predict that Verizon cannot change the IP address because they have dynamic load shifting. hehe I like how that sounds!
posted by ohshenandoah at 5:13 PM on January 14, 2009

Thanks for the responses everyone. I thought about dropping another router in place, but I have always had issues with double nating ( might have to do it anyways).

I too feel that they will not be able to get us a new ip, they keep telling us that there is no way that they can control what ips get assigned, they just make a request and the system does it. What is Dynamic Load Shifting?
posted by brent_h at 9:14 PM on January 14, 2009

« Older fish on a diet   |   How to get cigarette smoke smell out of my laptop? Newer »
This thread is closed to new comments.