topic Re: SMB Default gateway in Spark Firewall (SMB)

SMB Default gateway

Moudar — Sat, 22 Jun 2024 20:49:34 GMT

netstat -r shows this:

Gateway-ID-7FB7C2DC> netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default ua-113-13-192- 0.0.0.0 UG 0 0 0 WAN 90.254.144.124 * 255.255.255.255 UH 0 0 0 vpnt10 192.168.3.0 * 255.255.255.0 U 0 0 0 LAN1 192.168.4.10 * 255.255.255.255 UH 0 0 0 vpnt10 113.113.192.0 * 255.255.224.0 U 0 0 0 WAN

I need 90.254.144.124 to be my default gateway, I don't know how to configure that! I used, add static route and, set static route and this is what I got:

show static-routes table id disabled destination source service ipv4-address monitored-server-1monitored-server-2monitored-server-3monitoring-mode interface logical metric priority comment 1 false 90.254.144.124 off 102 0 2 false 90.254.144.124/32 off vpnt10 vpnt10 10 0

My SMB is connected to a central office via a VTI and the central office external IP needs to be the default gateway of SMB. SMB IP is dynamic, the 113.113.* IP is the dynamic IP of my SMB

Still when I do i traceroute I don't see my central office IP, it shows directly the default gateway of my dynamic IP (my ISP router)

The community is configured like this:

any ideas!

Re: SMB Default gateway

Chris_Atkinson — Sun, 23 Jun 2024 03:32:03 GMT

You probably want to do a couple of things here

1. Ensure the VPN peer IP (and any break glass IP etc) is routed/reachable outside the tunnel.

2. Configure your default route e.g.

add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z

3. If you still encounter problems try disabling the default use of the Internet connection as the default gateway. As I recall this is controlled via:

set internet-connection "<name>" route-traffic-through-default-gateway {true | false}

Re: SMB Default gateway

Moudar — Sun, 23 Jun 2024 13:23:15 GMT

add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z, you need to add a metric between 101-200, giving 101 to this command is rejected

"Could not set static route metric: the metric of a default route must be unique, and cannot be same as of an existing internet connection priority "

I get that message even if internet connection route-traffic-through-default-gateway is disabled?!

adding priority example 102 then the command is accepted but the gateway looses internet connection

Deleting the internet connection and adding new one, It seems to be not allowed to add a default gateway to an internet connection when it is type "DHCP"

so what should be done here?

Do I need to configure the DDNS to be able to set the default gateway as needed?

Re: SMB Default gateway

the_rock — Sun, 23 Jun 2024 23:47:42 GMT

If you type ? mark at the end of that command, should give you options available.

Re: SMB Default gateway

PhoneBoy — Mon, 24 Jun 2024 19:19:17 GMT

If your WAN IP is DHCP, then, yes, it will control the default route by design.
You can create multiple more specific routes that point to the VTI.
For example:

add static-route destination 0.0.0.0/1 nexthop gateway ipv4-address W.X.Y.Z
add static-route destination 128.0.0.0/1 nexthop gateway ipv4-address W.X.Y.Z

Re: SMB Default gateway

Moudar — Tue, 25 Jun 2024 10:55:07 GMT

0.0.0.0/1 seems to work fine beside the default route to the ISP

I still got 2 problems:

SMS is unreachable on SMB! but still fetch policy works fine?!

The other problem is that my PC behind SMB does not get internet, it is connected to port 1 (192.168.3.1) on SMB. My PC has SMB as its default gateway, My PC is getting 192.168.3.2.

Re: SMB Default gateway

the_rock — Tue, 25 Jun 2024 12:10:02 GMT

Maybe do some basic captures to see why mgmt server is not reachable.

Andy

Re: SMB Default gateway

PhoneBoy — Tue, 25 Jun 2024 15:40:21 GMT

By default, traffic related to SIC does not go over VPN.
This requires several changes to accomplish and is generally NOT recommended.

Based on your current routing configuration, it's probably trying to do that...and failing.
You might need to create a static route towards your SMS public IP that goes out your regular default route.

As far as other troubleshooting, I would suggest using fw monitor with the -F option to specify appropriate filters (to account for traffic in both directions): https://support.checkpoint.com/results/sk/sk30583
This will at least give us an idea of where we need to look next.

Re: SMB Default gateway

Chris_Atkinson — Wed, 26 Jun 2024 06:33:07 GMT

Sorry that I wasn't specific enough in my earlier reply and references to break glass subnets and such.
Management should also be routed outside the VPN and would need to be externally accessible via a NAT.

Re: SMB Default gateway

Moudar — Wed, 26 Jun 2024 18:41:22 GMT

Is there any way to "save config" on SMBs, or it does not need to manually save?

Re: SMB Default gateway

the_rock — Wed, 26 Jun 2024 18:45:09 GMT

There is not and no need either.

Andy

Re: SMB Default gateway

Moudar — Wed, 26 Jun 2024 19:08:20 GMT

this SMB device is working correctly now, but still on SMS shows red cross, I wonder why?

Re: SMB Default gateway

Lesley — Wed, 26 Jun 2024 20:28:06 GMT

would be hulpfull to share the full error message of the red cross.

Re: SMB Default gateway

Moudar — Wed, 26 Jun 2024 20:56:56 GMT

That is the problem: There is no error message but still red cross!

Re: SMB Default gateway

Chris_Atkinson — Thu, 27 Jun 2024 01:04:59 GMT

This is not uncommon for DAIP Spark gateways in my experience.

Will see if I can find the reference or SK that discusses it and share it here.

Why are DAIP gateways never really shown as connec... - Check Point CheckMates

Re: SMB Default gateway

the_rock — Thu, 27 Jun 2024 00:51:55 GMT

Maybe TAC can confirm, but it could be expected, since its DAIP.

Re: SMB Default gateway

Chris_Atkinson — Thu, 27 Jun 2024 01:13:24 GMT

Known Limitation: