https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86561#M17364 When your ISP is indeed routing the IP of int 2 to your int 1 then indeed you should be able to use it like this and tcpdump should show you the IP of int 2. Thu, 28 May 2020 08:17:14 GMT Maarten_Sjouw 2020-05-28T08:17:14Z https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86550#M17356 <P>Hi, I am trying to figure out what exactly means when set link selection and all consequences for choosing one interface or another one.</P><P>As far I have read on Internet, link selection determines the interface used for incoming/outgoing traffic, and also helps to determine the best route. I can understand this but I still have tons of questions regarding link selection:</P><P>- What happen if I have two interfaces with public IP (lets call these interfaces 1 and 2), and I have just a default route to reach Internet through interface 1. What happens if I set the interface 2 IP as link selection?</P><P>- Will my device try to reach the peer using default route through interface 1 or will my device try to reach the peer through interface 2 (even if I have not a route for that)?</P><P>- If the checkpoint device uses interface 1 to send traffic, which IP would use the firewall as source address for generated packets? Interface 1 or interface 2 IP address?</P><P>Can you please help me with these doubts?</P><P>Thanks!</P> Thu, 28 May 2020 05:15:21 GMT https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86550#M17356 Gusa2727 2020-05-28T05:15:21Z https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86558#M17361 1 When you set int 2 to be the source you should make sure to set a route for the peer to use int 2 as it will use the int 2 IP on the outgoing packets and if you do not set a route it will send the traffic out int 1 according the routes and it will return on int 2. Thu, 28 May 2020 07:57:34 GMT https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86558#M17361 Maarten_Sjouw 2020-05-28T07:57:34Z https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86559#M17362 <P>Thank you for the answer but, what if the interface 2 is configured but actually it does not have connectivity. Then the ISP router has a static route which send the traffic destined to Interface 2 public subnet, through the interface 1. In this case, the traffic would go in/out through interface 1 but, if I run a tcpdump, which source IP should I see leaving the firewall? The Interface 2 IP (which is set in the link selection) or interface 1 IP?</P><P>I suppose that I should see interface 2 IP but I just need to confirm this. I am havin issues with a NAT and I would like to ensure this behavior before modifying the NAT. Thanks!</P> Thu, 28 May 2020 08:04:08 GMT https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86559#M17362 Gusa2727 2020-05-28T08:04:08Z https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86561#M17364 When your ISP is indeed routing the IP of int 2 to your int 1 then indeed you should be able to use it like this and tcpdump should show you the IP of int 2. Thu, 28 May 2020 08:17:14 GMT https://community.checkpoint.com/t5/General-Topics/Questions-about-VPN-link-selection-and-source-Peer-address/m-p/86561#M17364 Maarten_Sjouw 2020-05-28T08:17:14Z