topic Re: Traffic cannot reach default gateway in Firewall and Security Management

Traffic cannot reach default gateway

m2kujawa — Mon, 16 Nov 2020 07:55:38 GMT

Hello,

I've got the following lab environment.

Security Gateway with two interfaces

eth0 (external) - 192.168.10.6 on 192.168.10.0/24 subnet with default gateway at 192.168.10.254

eth1 (internal) - 10.0.0.1 on 10.0.0.0/24 subnet

Security Management Server that sits on an internal network with IP address of 10.0.0.2

and Windows 10 host that also sits on an internal network with IP address of 10.0.0.3.

Problem is that devices on the internal network are not able to break out from local subnet (10.0.0.0/24).

Devices on the internal network use SG (10.0.0.1) as their default gateway, but traffic is not being passed to the default gateway of SG (192.168.10.254).

I am able to ping 192.168.10.254 and break out to the Internet from SG, and the policy that's currently applied only has one statement that allows traffic from all sources going to all destinations for all services.

Hope this makes sense. Please let me know if you need any additional information.

Any advice will be much appreciated 🙂

Re: Traffic cannot reach default gateway

_Val_ — Mon, 16 Nov 2020 13:12:30 GMT

What do you use for the lab? physical, virtual? what is the version in use? Do you have at least one accept rule for your internal traffic? NAT? How do you know you cannot "break out of internal network"? Traces on the FW? anything else?

Re: Traffic cannot reach default gateway

m2kujawa — Mon, 16 Nov 2020 14:32:55 GMT

Hi Val, thanks for the quick reply.

It's a virtual lab on VMware Workstation 16, and it's Gaia R80.10.

There is only one rule in place that allows all traffic going from all sources to all destinations for all services.

The firewall has a bridged connection to the physical NIC and the external interface has an IP address from my home subnet (192.168.10.0/24). There is no NAT.

The firewall has a default gateway in the routing table, and I'm able to ping Google's DNS server directly from the firewall (see below).

MKUJ-CP-SG> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive

S 0.0.0.0/0 via 192.168.10.254, eth0, cost 0, age 24387
C 10.0.0.0/24 is directly connected, eth1
C 127.0.0.0/8 is directly connected, lo
C 192.168.10.0/24 is directly connected, eth0

MKUJ-CP-SG> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=27.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=29.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=28.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=29.5 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 27.360/28.845/29.583/0.896 ms

However, when I do a traceroute from my Windows 10 VM, which sits behind a firewall, I can see that packet gets to the internal interface and doesn't get forwarded further.

C:\Users\Michal>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.0.0.1
2 * * * Request timed out.

This traffic shouldn't be blocked by any rule since there is only one rule allowing all access. And since destination is outside of my local network I would expect next hop to be my firewall's default gateway (192.168.10.254).

Re: Traffic cannot reach default gateway

_Val_ — Mon, 16 Nov 2020 15:19:53 GMT

>>There is no NAT

That is your problem then.

Traffic is most probably being forwarded out by the FW, but without NAT, it cannot be returned properly.

I suggest you look into our Check Point for Beginners series, we explain the full lab settings there, including required policy, tracing, etc. Also, we even have virtual labs there, with video guidance.

Re: Traffic cannot reach default gateway

m2kujawa — Mon, 16 Nov 2020 19:43:00 GMT

You pointed me in the right direction, and honestly, I should've known better 🙂

The problem wasn't with NAT but with the missing route pointing to the subnet that sits behind the firewall (10.0.0.0/24), traffic was able to exit my lab network but couldn't find its way back.

The solution was to either add a static route on my Windows host directly or on the default gateway and point all traffic destined for my lab subnet back to the firewall.

Thanks a lot for your help.