https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225135#M11298 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/70231">@eliaskoudounas</a>&nbsp;</P> <P>The /31 mask is strange. It contains only network address and broadcast address. No usable IP (host) are in this subnet.</P> <TABLE class="cinfoT"> <TBODY> <TR> <TD>IP Address:</TD> <TD>10.0.1.0</TD> </TR> <TR> <TD>Network Address:</TD> <TD>10.0.1.0</TD> </TR> <TR> <TD>Usable Host IP Range:</TD> <TD>NA</TD> </TR> <TR> <TD>Broadcast Address:</TD> <TD>10.0.1.1</TD> </TR> <TR> <TD>Total Number of Hosts:</TD> <TD>2</TD> </TR> <TR> <TD><STRONG>Number of Usable Hosts:</STRONG></TD> <TD><STRONG>0</STRONG></TD> </TR> <TR> <TD>Subnet Mask:</TD> <TD>255.255.255.254</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Akos</P> Fri, 30 Aug 2024 13:28:39 GMT AkosBakos 2024-08-30T13:28:39Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225103#M11296 <P>Greetings,</P><P>I come across a problem on current installation with an SMB Device.More precise:</P><P><STRONG>Quantum Spark 1600 Appliance version R81.10.10 (996002945).</STRONG></P><P>There is two wan interface on on DMZ with IP x.x.x.x/28 and the other on the WAN interface with IP y.y.y.y.y/31.</P><P>The SD-WAN Functionality is active and traffic from internal client can be redirected based on policy protocols etc, and that's support some core functionality for the network(traffic shaping).</P><P>The problem is on NATting service outside the LAN.</P><P>While using the DMZ interface with gateway IP on the network x.x.x.x/28&nbsp; which include IPs provided by the ISP on the same range x.x.x.x/28 everything is working as expected.</P><P>When using the WAN interface with gateway IP is on this network y.y.y.y.y/31 the provided IPs from the other ISP is on another network z.z.z.z/30 and NAT rules doesn't seem to work despite giving the internal client the SD-SAN policy to use routes from the second interface y.y.y.y.y/31. Also i followed this guidance&nbsp;<A href="https://support.checkpoint.com/results/sk/sk114531" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk114531</A> to configure proxy arp for all the network with the according MAC address of the interfaces and nothing seems to work.</P><P>The only way that the NAT worked is only when&nbsp; a static rule on the routing table was created and configured with the next hop to be on the secondary interface here is an example.</P><TABLE cellspacing="0" cellpadding="0"><TBODY><TR><TD>Any</TD><TD>internal-client/32</TD><TD>Any</TD><TD><DIV class="">&nbsp;</DIV>Secondary (WAN)</TD><TD>0</TD><TD>Static(PBR)</TD><TD>60</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Have anyone had any similar situation on an SMB appliance, the problem is that this solution is not fitting when you need to configure many internal servers and need to add static routing for each one.</P><P>&nbsp;</P> Fri, 30 Aug 2024 09:09:47 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225103#M11296 eliaskoudounas 2024-08-30T09:09:47Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225135#M11298 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/70231">@eliaskoudounas</a>&nbsp;</P> <P>The /31 mask is strange. It contains only network address and broadcast address. No usable IP (host) are in this subnet.</P> <TABLE class="cinfoT"> <TBODY> <TR> <TD>IP Address:</TD> <TD>10.0.1.0</TD> </TR> <TR> <TD>Network Address:</TD> <TD>10.0.1.0</TD> </TR> <TR> <TD>Usable Host IP Range:</TD> <TD>NA</TD> </TR> <TR> <TD>Broadcast Address:</TD> <TD>10.0.1.1</TD> </TR> <TR> <TD>Total Number of Hosts:</TD> <TD>2</TD> </TR> <TR> <TD><STRONG>Number of Usable Hosts:</STRONG></TD> <TD><STRONG>0</STRONG></TD> </TR> <TR> <TD>Subnet Mask:</TD> <TD>255.255.255.254</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Akos</P> Fri, 30 Aug 2024 13:28:39 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225135#M11298 AkosBakos 2024-08-30T13:28:39Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225413#M11323 <P>Hello,</P><P>Thank you for you time.</P><P>The ISP provide me with this network on our example will be something like that</P><TABLE><TBODY><TR><TD width="197.967px" height="24px">IP Address:</TD><TD width="123.7px" height="24px">172.132.125.32</TD></TR><TR><TD width="197.967px" height="24px">Network Address:</TD><TD width="123.7px" height="24px">172.28.125.32/31</TD></TR><TR><TD width="197.967px" height="24px">Usable Host IP Range:</TD><TD width="123.7px" height="24px">172.132.125.32</TD></TR><TR><TD width="197.967px" height="24px">Broadcast Address:</TD><TD width="123.7px" height="24px">172.132.125.33</TD></TR><TR><TD width="197.967px" height="24px">Total Number of Hosts:</TD><TD width="123.7px" height="24px">2</TD></TR><TR><TD width="197.967px" height="24px"><STRONG>Number of Usable Hosts:</STRONG></TD><TD width="123.7px" height="24px"><STRONG>1</STRONG></TD></TR><TR><TD width="197.967px" height="24px">Subnet Mask:</TD><TD width="123.7px" height="24px">255.255.255.254</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>The second ISP internet connection is currently active and working, thus routing internal traffic and nat is also accessible when i enable the static route</P> Tue, 03 Sep 2024 07:54:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CGNAT-Is-not-working-on-secondary-WAN-interface/m-p/225413#M11323 eliaskoudounas 2024-09-03T07:54:24Z