02-16-2010 06:04 AM
Hello,
I have a PAN 4020 that will be replacing multiple firewalls. The internet side of the firewall has a /25 network. I have a corporate network that has an external interface of x.x.x.2/25 in the Internet zone and a guest wireless network that has an external address of x.x.x.3/25 in the Internet zone. The corporate network has an internal interface on the LAN zone. The guest wireless network has an internal interface in the guestwireless zone. The firewall will act as the default router for hosts on the guest wireless network. My question is: should I configure two virtual routers? Would having two external interfaces on the same network with separate virtual routers cause overlap issues? I don't want the guest wireless network to have the ability to route to other networks like my DMZ.
Thanks
Bane
02-16-2010 04:28 PM
Hello,
You could create two virtual routers, as you indicated. They would not communicate with each other and they could be in the same subnet if necessary, as long as you do not configure the same IP address on each router. Another option would be to point both the corporate and wireless users to the same gateway and use your security policies to control the traffic between zones. You may want to open a case with Support and send a diagram of your network so that they can help with your configuration.
02-17-2010 08:28 AM
So the configuration that worked best for me was to have both networks egress the same interface and use security zones and policy to control the traffic. One thing I did learn is that if you have a Cisco router on the same external segment, then turn off proxy ARP if you want to have two external interfaces. This prevents the router from putting incorrect ARP entries in the ARP table.
Bane
09-21-2011 07:47 AM
I think the simplest way, and what we did, was to create a separate network on another interface and use the same internet gateway for guest access. We only allowed the guest network to have controlled internet access and no access to anything else, through Security Policies etc.
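The single-gateway approach described in the replies above depends on rule order, so this added example (not part of the thread and not vendor code) models top-down, first-match zone policy and checks whether the guest zone can reach internal zones. The zone names Internet, LAN and guestwireless come from the thread; the DMZ zone name, the rule names and both rulebases are constructed assumptions.

```python
# Simplified model of zone-based, top-down, first-match policy evaluation.
# Zone names Internet, LAN and guestwireless come from the thread; the DMZ
# zone name and all rule names are assumptions made for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # source zones, or {"any"}
    dst: frozenset   # destination zones, or {"any"}
    action: str      # "allow" or "deny"

def rule(name, src, dst, action):
    return Rule(name, frozenset(src), frozenset(dst), action)

def evaluate(rules, src, dst):
    """Return (action, rule name) for traffic from zone src to zone dst."""
    for r in rules:
        if ({"any", src} & r.src) and ({"any", dst} & r.dst):
            return r.action, r.name
    # No rule matched: same-zone traffic is allowed, cross-zone is denied.
    return ("allow", "intrazone-default") if src == dst else ("deny", "interzone-default")

def guest_exposure(rules, guest="guestwireless", internal=("LAN", "DMZ")):
    """List internal zones the guest zone can reach, with the rule responsible."""
    found = []
    for zone in internal:
        action, name = evaluate(rules, guest, zone)
        if action == "allow":
            found.append((zone, name))
    return found

# Constructed rulebase: guests reach only the Internet zone.
ISOLATED = [
    rule("corp-out", {"LAN"}, {"Internet"}, "allow"),
    rule("guest-block-internal", {"guestwireless"}, {"LAN", "DMZ"}, "deny"),
    rule("guest-out", {"guestwireless"}, {"Internet"}, "allow"),
]
# Constructed mistake: a broad allow placed first shadows the deny below it.
LEAKY = [rule("guest-any", {"guestwireless"}, {"any"}, "allow")] + ISOLATED

if __name__ == "__main__":
    for label, rb in (("isolated", ISOLATED), ("leaky", LEAKY)):
        print(label, guest_exposure(rb) or "guest cannot reach internal zones")
```

Running the same check against an exported rulebase after each policy change catches a broad guest allow rule that has been placed above the deny.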