Rob,
We do this for a large percentage of our customers without issue. We route public subnets
to customer specific firewalls which then translate those addresses to internal hosts:
Carrier routing:
* ip route 172.16.0.8/30 10.0.0.4

Carrier / Customer peering 10.0.0.0/29:
* Network address 10.0.0.0
* Carrier-virt 10.0.0.1
* Carrier-pri 10.0.0.2
* Carrier-sec 10.0.0.3
* FW-virt 10.0.0.4
* FW-pri 10.0.0.5
* FW-sec 10.0.0.6
* Broadcast 10.0.0.7

NATs:
* 172.16.0.8 == 192.168.0.20
* 172.16.0.9 == 192.168.2.19
* 172.16.0.10 == 192.168.23.12
* 172.16.0.11 == 192.168.7.11
This works as long as:
1. The IPs are being translated and are not on an interface.
2. There is a proper network between the endpoints, such as the peering network listed.
3. Both sides know the routes in play. In this case it's default for the firewall,
static on the carrier.
It works because without an interface on the firewall, there's no knowledge of the
network subnet at play. The routed subnet arrives at the firewall due to the route, and
return traffic is simply routed on the peering network via the default gateway.
-- Will
On 4/4/17 11:53 AM, Rob Janssen wrote:
Note it is a bit controversial to use the first (and
last) address of your subnet.
You may run into problems sometime. You have a /29 so you should use 6 addresses.
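The three conditions Will lists can be checked mechanically before a change is rolled out. The following is an added example, not part of the original thread: it uses Python's ipaddress module against the addresses Will posted; the function check_design and the constant names are my own.

```python
"""Sanity checks for the routed-subnet-plus-NAT design described in the thread.

Added example, not part of the original mail. The addresses are the ones Will
posted; the check function and constant names are assumptions of this example.
"""
import ipaddress

# Carrier side: the public /30 is statically routed to the firewall's virtual
# address on the carrier/customer peering network.
ROUTED_SUBNET = ipaddress.ip_network("172.16.0.8/30")
PEERING_NET = ipaddress.ip_network("10.0.0.0/29")
CARRIER_ROUTE_NEXT_HOP = ipaddress.ip_address("10.0.0.4")

# Every address actually configured on a firewall interface (virt, pri, sec).
FW_INTERFACE_ADDRS = [ipaddress.ip_address(a) for a in ("10.0.0.4", "10.0.0.5", "10.0.0.6")]

# Static NATs: public address -> internal host.
NATS = {
    "172.16.0.8": "192.168.0.20",
    "172.16.0.9": "192.168.2.19",
    "172.16.0.10": "192.168.23.12",
    "172.16.0.11": "192.168.7.11",
}


def check_design(routed, peering, next_hop, fw_addrs, nats):
    """Return a list of problems; an empty list means the three conditions hold."""
    problems = []
    # 1. The routed subnet must not be on any firewall interface; otherwise the
    #    firewall treats it as directly connected instead of translating it.
    for addr in fw_addrs:
        if addr in routed:
            problems.append(f"{addr} is configured on an interface inside {routed}")
    # 2. Carrier and firewall must share the peering network, and the next hop
    #    must be a usable host address there (not network/broadcast, per Rob's note).
    if next_hop not in peering:
        problems.append(f"next hop {next_hop} is not in peering network {peering}")
    elif next_hop in (peering.network_address, peering.broadcast_address):
        problems.append(f"next hop {next_hop} is the network/broadcast address of {peering}")
    if not any(addr in peering for addr in fw_addrs):
        problems.append("firewall has no address on the peering network")
    # 3. Every public NAT address must fall inside the routed subnet, or the
    #    carrier's static route never delivers that traffic to the firewall.
    for public in nats:
        if ipaddress.ip_address(public) not in routed:
            problems.append(f"NAT address {public} lies outside routed subnet {routed}")
    return problems


if __name__ == "__main__":
    print(check_design(ROUTED_SUBNET, PEERING_NET, CARRIER_ROUTE_NEXT_HOP, FW_INTERFACE_ADDRS, NATS))
```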