topic Re: Adding default gateway outside scope of interface in Firewall and Security Management

Adding default gateway outside scope of interface

Hugo_vd_Kooij — Thu, 07 Sep 2017 18:56:58 GMT

Gents,

I try to setup a lab gateway on my OVH server. But OVH has a rather odd setup.

External interface has a /32 netmask. For example: 137.1.2.3/32
You need to setup a host route to the router (137.1.2.254 in this example) based on the interface.
Then you need to setup the default gateway to the router.

The point is that step 1 and step 2 works on GAIA (R80.10 T421) but the 3rd step does give you no error but it will not actually setup the route.

set static-route 137.1.2.254/32 nexthop gateway logical eth1 priority 1 on
set static-route default nexthop gateway address 137.1.2.254 priority 1 on

Is there a trick to force GAIA to bring up the default gateway?

If I change the subnet mask to /24 it work but ...... OVH goes totally balistic if I configure it that way.

The other trick is to dump the default just on the interface eth1 and that will work as well

The next step is the wizard. It will not accept this netmask.

Did someone work this out with GAIA?

Can Someone from Check Point R&D get a little bit of budget to toy around on OVH and see if they can fix GAYA to work in such a setup?

Re: Adding default gateway outside scope of interface

PhoneBoy — Thu, 07 Sep 2017 20:26:49 GMT

Wouldn't a /32 subnet be a point-to-point interface?

In that case it would seem setting the default route to the interface in question is the correct way to configure this.

Re: Adding default gateway outside scope of interface

Hugo_vd_Kooij — Fri, 08 Sep 2017 07:30:28 GMT

The syntax is what I intend. But GAIA simply does not play ball here. It will not setup the default route to a host to which a route has been provided.

And the first time wizard is not even accepting this setting. So I have to work around that limitation too.

Re: Adding default gateway outside scope of interface

Norbert_Bohusch — Fri, 08 Sep 2017 10:51:39 GMT

Maybe information on sk92799 is helpful here.

So adding scopelocal might help! This helps in Scenarios where the default-gw is on different subnet than the interface IPs. Like in scenarios where cluster IP is in different subnet.

Re: Adding default gateway outside scope of interface

Hugo_vd_Kooij — Mon, 11 Sep 2017 07:48:12 GMT

I tried the scenario in my cloud lab but the routing entry will not stick.

The article does not list R80 and R80.10 and I noticed the indicated file (/etc/routed.conf) does not contain the suggested information.

I have put in a note with the SK to ask if this is a known issue with R80.

As of yet the ISP has not been making a fuss about the routing entry over the interface.

Pending the remark I made on th SK I may create a TAC ticket.

Re: Adding default gateway outside scope of interface

nsamsin — Fri, 20 Aug 2021 23:24:42 GMT

Srry for reviving this ancient topic, but I was wondering if (and how) you eventually managed to solve this particular OVH-lab challenge?