https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/242344#M12147 <P>Hi guys,&nbsp;</P><P>&nbsp;</P><P>I was having issues with a ClusterXL set-up and wanted to know if there is a solution.&nbsp;</P><P>&nbsp;</P><P>So here is what currently is correctly working (non-clusterXL):&nbsp;</P><P>- device: 1575 appliance, R81.10.15_996003919 (.10 build doesn't support loopback yet via GUI)</P><P>- firewallrules to allow BGP</P><P>- single WAN interface has a /31 public IP from the provider.&nbsp;</P><P>- loopback interface with /28 from provider that is advertised on BGP back to peer on WAN.</P><P>- a dorment (not connected) second WAN connection on different carrier with /31 public IP in same BGP set-up.</P><P>&nbsp;</P><P>Last week we wanted to add a second firewall. This stopped working even BEFORE the member device was added.</P><P>Here is what we did:</P><P>- reset WAN interfaces to DHCP to bypass subnet restrictions on the HA wizard (seems it needs at least 3 usable IPs on all interfaces without DHCP, even if you are not going to use it. Else the wizard won't finish).</P><P>- set first device as primary cluster member with only LAN/internal interfaces in HA mode</P><P>- readded WAN interface /31 set-up (this is non-HA)</P><P>Now the problem is that "BGP peer is not reachable" (/var/log/routed). Even though only internal networks are now HA.</P><P>It seems that the non-HA interface is no longer used for advertising the BGP route. Mind you, the default gateway is still there and ANY other traffic is passed. Just not training data for the BGP.</P><P>When you Delete the cluster configuration it magically starts working again.</P><P>&nbsp;</P><P>&nbsp;</P><P>Second (less important for now) thing is that we have 2 /31 lines. So my thoughts were to add both to both firewalls (non-HA ofcourse) and leave one disconnected on the devices so that the firewall only uses one and the active firewall advertises on the connected one. This since the HA set-up needs at least 3 usable IP-adresses for the HA.</P><P>- second device:&nbsp;1575 appliance, R81.10.15_996003919 (.10 build doesn't support loopback yet)</P><P>- loopback interface with /28 from provider that is advertised on BGP back to peer on WAN.</P><P>- firewall rules to allow SYNC traffic</P><P>- add as member to the cluster group</P><P>- WAN interface has a /31 public IP from the primary line&nbsp;</P><P>- DMZ interface has a /31 public IP from other line.</P><P>&nbsp;</P> Wed, 26 Feb 2025 08:15:44 GMT bjbakker1984 2025-02-26T08:15:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/242344#M12147 <P>Hi guys,&nbsp;</P><P>&nbsp;</P><P>I was having issues with a ClusterXL set-up and wanted to know if there is a solution.&nbsp;</P><P>&nbsp;</P><P>So here is what currently is correctly working (non-clusterXL):&nbsp;</P><P>- device: 1575 appliance, R81.10.15_996003919 (.10 build doesn't support loopback yet via GUI)</P><P>- firewallrules to allow BGP</P><P>- single WAN interface has a /31 public IP from the provider.&nbsp;</P><P>- loopback interface with /28 from provider that is advertised on BGP back to peer on WAN.</P><P>- a dorment (not connected) second WAN connection on different carrier with /31 public IP in same BGP set-up.</P><P>&nbsp;</P><P>Last week we wanted to add a second firewall. This stopped working even BEFORE the member device was added.</P><P>Here is what we did:</P><P>- reset WAN interfaces to DHCP to bypass subnet restrictions on the HA wizard (seems it needs at least 3 usable IPs on all interfaces without DHCP, even if you are not going to use it. Else the wizard won't finish).</P><P>- set first device as primary cluster member with only LAN/internal interfaces in HA mode</P><P>- readded WAN interface /31 set-up (this is non-HA)</P><P>Now the problem is that "BGP peer is not reachable" (/var/log/routed). Even though only internal networks are now HA.</P><P>It seems that the non-HA interface is no longer used for advertising the BGP route. Mind you, the default gateway is still there and ANY other traffic is passed. Just not training data for the BGP.</P><P>When you Delete the cluster configuration it magically starts working again.</P><P>&nbsp;</P><P>&nbsp;</P><P>Second (less important for now) thing is that we have 2 /31 lines. So my thoughts were to add both to both firewalls (non-HA ofcourse) and leave one disconnected on the devices so that the firewall only uses one and the active firewall advertises on the connected one. This since the HA set-up needs at least 3 usable IP-adresses for the HA.</P><P>- second device:&nbsp;1575 appliance, R81.10.15_996003919 (.10 build doesn't support loopback yet)</P><P>- loopback interface with /28 from provider that is advertised on BGP back to peer on WAN.</P><P>- firewall rules to allow SYNC traffic</P><P>- add as member to the cluster group</P><P>- WAN interface has a /31 public IP from the primary line&nbsp;</P><P>- DMZ interface has a /31 public IP from other line.</P><P>&nbsp;</P> Wed, 26 Feb 2025 08:15:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/242344#M12147 bjbakker1984 2025-02-26T08:15:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/242453#M12148 <P>Hi,<BR />R81.10.15 does not yet support loopback in cluster mode. This functionality is currently planned for Q2.<BR />As for the 3 usable IP addresses for the HA - this is no longer correct. You can use private IPs for the physical interfaces on each gateway and routable IP as VIP. See&nbsp;<A href="https://protect.checkpoint.com/v2/r02/___https:/sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Configuring-High-Availability.htm?tocpath=Managing%20the%20Device%7CConfiguring%20High%20Availability%7C_____10%23Single_Routable_IP_Cluster___.YzJlOmNwYWxsOmM6bzpjZjI2MGMzNWFkOGE0YWNjNzQ5OTk5MjExZjcxOWJmMjo3OjlhOTI6NDAyMjM2NWMwZDI1ZGE5OGI0NWMzM2E2YWRjY2ZiM2MwNjRkMTlhYjJiNjcxMzljOWMxMmI4MGQ4N2ZlMmQ1NTpoOlQ6Tg" target="_blank">https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Configuring-High-Availability.htm?tocpath=Managing%20the%20Device%7CConfiguring%20High%20Availability%7C_____10#Single_Routable_IP_Cluster</A></P> <P>Thanks.</P> Wed, 26 Feb 2025 16:57:04 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/242453#M12148 sigal 2025-02-26T16:57:04Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/243155#M12172 <P>Hi Sigal,&nbsp;</P><P>&nbsp;</P><P>Thanks for the reply and advise. I will go testing this when the next opportunity presents itself.</P><P>&nbsp;</P><P>Regards.</P> Thu, 06 Mar 2025 10:36:03 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Advertise-dual-WAN-via-BGP-in-ClusterXL/m-p/243155#M12172 bjbakker1984 2025-03-06T10:36:03Z