This technical guidance explains the purpose and correct use of Virtual Interfaces on Zyxel’s USG FLEX, ATP and related VPN security appliances. It helps network engineers decide when and why to employ virtual interfaces versus traditional interface assignments or VLANs.
What a Virtual Interface Is
A Virtual Interface lets the firewall assign an additional IP address to an existing physical network port — whether on WAN or LAN — to support specific network services or scenarios.
The main rule is:
Create a Virtual Interface only when needed for specific services or network requirements.
Otherwise, use direct IP assignment (for WAN) or VLAN segmentation (for LAN).
Virtual Interfaces on WAN
When a Virtual Interface is Required
A Virtual Interface on the WAN is required when the firewall is the endpoint for a service on an additional public IP address. Examples include:
IPSec VPN Gateway (Phase 1)
L2TP / SSL VPN
Other services where traffic terminates on the firewall
In these scenarios, the Virtual Interface is created on the WAN with the additional public IP and bound to the service.
When a Virtual Interface is Not Required
A Virtual Interface is not required on WAN if the traffic simply passes through the firewall without terminating on it, such as:
NAT (including 1:1 NAT)
Port Forwarding / Virtual Server
In these cases, you can directly specify the public IP in the NAT rule or port forwarding configuration.
Virtual Interfaces on LAN
When a Virtual Interface is Required
A Virtual Interface on LAN is required when you need:
Multiple subnets on the same physical LAN port without a VLAN
To connect devices with fixed IP addresses outside the main LAN subnet that cannot be reconfigured
A temporary or simplified additional gateway for LAN devices
When a Virtual Interface is Not Required
You do not need a Virtual Interface on the LAN if:
You can separate networks using VLANs (recommended for proper segmentation)
All LAN devices are in the same subnet and only one gateway IP is required
Best Practices
WAN: Create a Virtual Interface only if the firewall is the service endpoint (VPN, firewall-hosted services). Please do not use it for NAT-only scenarios.
LAN: Prefer VLAN for network segmentation; use LAN Virtual Interfaces only when VLANs are not possible or practical.
Keep configurations minimal — each Virtual Interface adds routing complexity.
Decision Flow – WAN
(Use the diagram for quick reference)
Yes – Firewall is the endpoint for the service → Use Virtual Interface (VPN, firewall services)
No – Firewall is only forwarding traffic → Do not use Virtual Interface (NAT, port forwarding)
Decision Flow – LAN
(Use the diagram for quick reference)
Yes – Additional subnet or IP required on LAN → Use Virtual Interface (unless VLAN is preferred)
No – Only one subnet or VLAN separation possible → Do not use Virtual Interface
Some Practice Examples
Example 1 – Using Virtual LAN Interface for Legacy Devices or Superscope
This example applies if you are using a DHCP Superscope or have legacy devices whose IP and gateway configuration cannot be changed.
In these situations, devices on your network may have IP addresses outside the subnet configured on your firewall’s LAN interface, for example when:
DHCP Superscope is used to provide multiple IP ranges on the same physical LAN.
Old or inaccessible devices that have a different gateway/IP configuration and cannot be reconfigured due to missing credentials.
Such cases are a valid reason to use a Virtual LAN Interface. Create a new Virtual LAN Interface with the required IP configuration by navigating to: Network > Interface > Ethernet
Example 2 – Hosting Multiple VPN Gateways on Different Public IPs (WAN)
You have multiple public IP addresses and need to host separate IPSec VPN gateways for different clients.
Create a Virtual Interface on WAN for each additional public IP.
Bind each VPN gateway to the appropriate Virtual Interface to ensure traffic separation.
Example 3 – Migrating to a New Subnet without Reconfiguring All Devices (LAN)
When changing the LAN subnet, but some critical systems cannot be reconfigured immediately, you can:
Keep the old subnet active by creating a Virtual LAN Interface with the old IP range.
Gradually migrate devices to the new subnet without network downtime.
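As an added example (not Zyxel's own code or tooling), the following Python script audits the hosts seen on a LAN port against the interface's configured subnet, as in Example 1 and Example 3 above: it lists the hosts that fall outside it, proposes the smallest subnet and a free gateway address for a Virtual LAN Interface, and flags overlap with subnets already assigned to other interfaces. All interface subnets and host addresses in it are constructed sample values.

```python
"""Audit a LAN port for hosts outside its configured subnet and plan a
Virtual LAN Interface to reach them. Added example, not Zyxel code; all
addresses below are constructed sample values."""
import ipaddress


def stray_hosts(lan_subnet, observed_hosts):
    """Return, sorted, the observed hosts that are not inside lan_subnet."""
    net = ipaddress.ip_network(lan_subnet, strict=False)
    return sorted(h for h in map(ipaddress.ip_address, observed_hosts) if h not in net)


def covering_subnet(addrs):
    """Smallest single subnet that contains every address in addrs."""
    addrs = list(addrs)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
        if all(a in net for a in addrs):
            return net


def plan_virtual_interface(lan_subnet, other_subnets, observed_hosts):
    """Decide whether a Virtual LAN Interface is justified and what it needs.

    Returns the stray hosts, the proposed subnet and gateway IP, and any
    existing interface subnet the proposal would overlap. Overlapping subnets
    on different interfaces make routing ambiguous, so a non-empty 'conflicts'
    list means the proposal must be changed before it is applied.
    """
    strays = stray_hosts(lan_subnet, observed_hosts)
    if not strays:
        return {"needed": False, "strays": [], "subnet": None,
                "gateway": None, "conflicts": []}
    net = covering_subnet(strays)
    used = set(strays)
    # First usable address not taken by a legacy host becomes the gateway IP.
    gateway = next((h for h in net.hosts() if h not in used), None)
    existing = [ipaddress.ip_network(s, strict=False) for s in [lan_subnet, *other_subnets]]
    return {
        "needed": True,
        "strays": [str(h) for h in strays],
        "subnet": str(net),
        "gateway": str(gateway) if gateway is not None else None,
        "conflicts": [str(e) for e in existing if e.overlaps(net)],
    }


if __name__ == "__main__":
    # Constructed sample: lan1 is 192.168.1.0/24; three legacy devices still
    # use 10.0.5.x and cannot be reconfigured (Example 1 / Example 3).
    print(plan_virtual_interface("192.168.1.0/24", ["203.0.113.0/29", "192.168.10.0/24"],
                                 ["192.168.1.20", "192.168.1.21", "10.0.5.7", "10.0.5.40", "10.0.5.200"]))
```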
Example 4 – Separating Test and Production Traffic (WAN)
You have one WAN link but need to isolate production and testing VPN traffic:
Assign a dedicated public IP for testing via a Virtual WAN Interface.
Bind the test VPN to this interface while keeping production traffic on the main WAN IP.
Example 5 – Providing Internet to a Temporary Network Segment (LAN)
During an event or project, you need to provide internet access to a group of devices with a dedicated IP range:
Create a Virtual LAN Interface with the event/project subnet.
Apply specific firewall and bandwidth rules to that subnet without affecting the main LAN.