1659 Views, 0 Helpful, 4 Replies

ASA 5516 - Multiple WAN connection (4 WAN)

randyinfante21 (Level 1)

Hi Folks

I wonder if the ASA 5516 can handle 4x WAN connections? Yes, I believe the 5516 can handle dual WAN for primary and backup connections. But what if you have 4x WAN connections?

Regards

Randy. 

4 Replies

GUSTAVI (Level 1)

I have the same problem with a Firepower 2100.

Can someone help me please?

Milos_Jovanovic (VIP Alumni)

Could you please explain in more detail what you expect to achieve with 4 WAN connections? Is it the case that only certain traffic is routed over each link? Or are they also redundant to each other?

If you are using a certain link for certain traffic, you can consider each link an independent one: you'll assign each link its own security zone and route certain traffic towards it.

If they also provide redundancy, you can assign multiple interfaces to the same security zone. This way you can apply certain rules to the same zone (e.g. a NAT rule will be from Inside to Outside, while the Outside zone will actually contain interfaces WAN1-WAN4). You can find more info about zones here.

Not sure if it answers your question.

BR,

Milos

GUSTAVI (Level 1)

Thank you very much for the reply.
Detailed information:
We currently have 2 routers before the firewall.

The first one only does NAT towards the public IPs. At first they were assigned IPs in the same subnet; now we have changed them to different subnets, as follows: 172.16.1.1; 172.16.3.1; 172.16.4.1 - 172.16.9.1, with 172.16.3.2 being the gateway.

We want to remove the second one, but at the moment it has another NAT that redirects all the traffic arriving from the WAN interface of the firewall (172.16.2.2) towards the gateway 172.16.2.1.

Everything that enters or leaves the firewall does so through the WAN interface (172.16.2.2), and the static route has 172.16.2.1 as its gateway.

We have created, on another interface, the 8 subnets, one for each NAT towards its public IP; all the traffic tries to go out through the 172.16.2.1 gateway.

Summarizing, my questions are:

Can I separate the traffic of each public IP so that they can be accessed by different services, one for the Internet, another for Exchange mail, another for VPN, for example?

If so, should I modify the gateway of the static route?

Again, I appreciate your help.

Milos_Jovanovic (VIP Alumni)

Hi @GUSTAVI,

The main purpose of having multiple interfaces is (in most cases) to provide redundancy (e.g. to have 2 Internet links) and/or to separate services (e.g. an Internet link for browsing and publishing services and a WAN link to reach stores). I personally don't see the benefit of trying to separate public services across multiple links, for several reasons:

  • The main one is routing: at the end of the day, people still need to reach your services over the Internet link. Assuming that you have one provider, they will route your public IP scope over one link anyway.
  • The previous point was about inbound traffic. For outbound traffic, you'll normally have one default route, so your outbound traffic will always leave over one single link. If you want to route certain traffic over certain links, you would need to introduce PBR (policy-based routing), which I personally don't like, especially on a FW.
  • By using multiple links this way, you are risking asymmetry in traffic, which a FW hates, and most likely you'll face issues with dropped traffic.
  • It brings additional complexity to the entire setup, and troubleshooting it would be a nightmare for anyone who didn't implement it.

You can still have multiple trusted segments published on their own public IPs. You just need to differentiate security services (such as NAT/PAT and ACLs) from routing. Your routing will most likely be unique on the FW (unless PBR is introduced), so you'll have one default GW. In case you need to use multiple links for the same purpose (e.g. the ISP is providing you with 2 links, with 2 different interlinks), I would advise using a security zone for this (you would create interfaces Outside1 and Outside2, but both would be members of the zone Outside, and your NAT rules would use Outside as the keyword).

BR,

Milos
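A worked ASA (routed mode) configuration of the design Milos recommends: one default gateway at a time, a tracked floating route on the second link for redundancy, and the published services handled by static NAT and an ACL rather than by routing. This is an added example, not a configuration from any post in this thread and not Cisco's own example; it uses tracked routes instead of the FTD security zones Milos mentions. The interface names, the RFC 5737 documentation addresses, both ISP gateways and the server hosts are assumed.

```cisco
! Assumed addressing: ISP1 on outside1 (203.0.113.0/29), ISP2 on outside2 (198.51.100.0/29)
interface GigabitEthernet1/1
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
! Reachability probe of the ISP1 gateway; when it fails, the ISP1 default route is withdrawn
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Exactly one default route is active: ISP1 (metric 1, tracked) or the floating ISP2 route (metric 254)
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT: one rule per outside interface, so clients use whichever link currently holds the default route
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE-NET interface
nat (inside,outside2) source dynamic INSIDE-NET interface
!
! Published services: each one gets its own public IP (assumed hosts) via static NAT on the link
! that the provider routes the public block over; routing stays untouched
object network MAIL-SERVER
 host 10.0.1.10
 nat (dmz,outside1) static 203.0.113.3
object network VPN-GW
 host 10.0.1.20
 nat (dmz,outside1) static 203.0.113.4
!
! Inbound ACL on the public link: only the published ports, matched on the real (untranslated) hosts
access-list OUTSIDE1-IN extended permit tcp any object MAIL-SERVER eq 25
access-list OUTSIDE1-IN extended permit tcp any object MAIL-SERVER eq 443
access-list OUTSIDE1-IN extended permit udp any object VPN-GW eq 500
access-list OUTSIDE1-IN extended permit udp any object VPN-GW eq 4500
access-list OUTSIDE1-IN extended deny ip any any log
access-group OUTSIDE1-IN in interface outside1
```

Verify the active path with `show route`, `show track 1` and `show sla monitor operational-state`, and trace a client flow with `packet-tracer input inside tcp 10.0.0.50 12345 203.0.113.100 443` before and after shutting `outside1`. Note the caveat Milos raises about inbound traffic: the static NATs live in ISP1's address block, so when ISP1 fails, outbound browsing moves to ISP2 but the mail and VPN services stay unreachable until the provider routes that block elsewhere; pointing those NATs at a second link would re-introduce the asymmetric return path he warns about.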
