topic Dynamic IP on WAN interface. Managed on its local static… in Firewall and Security Management

Dynamic IP on WAN interface. Managed on its local static…

JackPrendergast — Wed, 26 May 2021 07:06:48 GMT

Hi,

Can anyone add some clarity over the proposed options and best practice over this scenario please?

I have 2 interfaces - WAN and LAN.

WAN is DHCP. LAN is Static.

The gateway is managed via its LAN address

NAT is ticked to hide all internal networks behind this gateway.

When that WAN IP changes, how does the topology in smart dashboard update? Also, what would happen to the NAT? Would it fail?

Note - I have NOT ticked DAIP gateway as the Main IP of the gateway object is the LAN address which is indeed static.

thank you.

Re: Dynamic IP on WAN interface. Managed on its local static…

G_W_Albrecht — Wed, 26 May 2021 07:14:37 GMT

How did you define the topology ? I would assume that your LAN IP is the external IP as all internal IPS are NATed behind it, and the WAN IP an internal interface. As you can not tick DAIP for your WAN IF, the IP change would never propagate anywhere, i think. So what in fact does happen in your scenario ?

Re: Dynamic IP on WAN interface. Managed on its local static…

JackPrendergast — Wed, 26 May 2021 10:11:24 GMT

Hi.

Topology is

Modem - CP - LAN Router - Users.

CP has eth1 attached to Modem.

eth1 has obtain ip automatically, with custom dhcp options configured in dhclient and recieves public IP from ISP.

DHCP for the LAN is done on the CP.

Local traffic via the LAN router routes to the CP and CP hides local traffic behind the public IP assigned to eth1.

eth2 attached to LAN router is static. Fixed 192.168.0.0/24 address

eth1, attached to ISP modem is dynamic (ISP wont give fixed IP)

Gateway is managed locally via eth2. DAIP is NOT enabled as gateway is managed on LAN via static IP.

So, the question is, when the public IP attached to eth1 changes, how do these changes apply to the rest of the process?

How can the topology in SC update automatically? Otherwise, traffic will stop and fail. Traffic will try be hide nat behind the old public IP as topology hasnt updated.

There must be a way for this?

Re: Dynamic IP on WAN interface. Managed on its local static…

JackPrendergast — Wed, 26 May 2021 10:18:46 GMT

Re: Dynamic IP on WAN interface. Managed on its local static…

PhoneBoy — Wed, 26 May 2021 14:59:03 GMT

Marking the gateway as DAIP is really only necessary if you manage the gateway via the interface that is dynamic.
Marking the gateway DAIP imposes some significant limitations: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk167473

Without checking that box, if WAN address actually changes, it would require a policy install (with config changes) to restore all functionality, most likely.