https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254121#M12986 <P>Hello everyone,</P><P>We have nearly 20 Checkpoint appliances at our branches. We currently have an existing PPPoE connection used for both Internet access and a Site-to-Site VPN to our DC, HO.&nbsp;</P><P>I'm planning to set up a backup 4G Internet link for SMB appliances at our branch offices. This is intended to ensure continuous Internet and VPN connectivity for staff in case the primary PPPoE link goes down.</P><P>I would like to ask:<BR />Is it possible to establish a Site-to-Site VPN over this 4G interface?</P><P>The 4G connection uses CGNAT, so no public IP is available on the branch side. I'm currently unsure whether Check Point SMB appliances support dial-up VPN mode (where the branch initiates VPN without needing a static public IP).</P><P>Does anyone know something about this, please help me.</P><P>Thanks &amp; Best regards.</P> Mon, 28 Jul 2025 15:53:27 GMT Mk_83 2025-07-28T15:53:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254121#M12986 <P>Hello everyone,</P><P>We have nearly 20 Checkpoint appliances at our branches. We currently have an existing PPPoE connection used for both Internet access and a Site-to-Site VPN to our DC, HO.&nbsp;</P><P>I'm planning to set up a backup 4G Internet link for SMB appliances at our branch offices. This is intended to ensure continuous Internet and VPN connectivity for staff in case the primary PPPoE link goes down.</P><P>I would like to ask:<BR />Is it possible to establish a Site-to-Site VPN over this 4G interface?</P><P>The 4G connection uses CGNAT, so no public IP is available on the branch side. I'm currently unsure whether Check Point SMB appliances support dial-up VPN mode (where the branch initiates VPN without needing a static public IP).</P><P>Does anyone know something about this, please help me.</P><P>Thanks &amp; Best regards.</P> Mon, 28 Jul 2025 15:53:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254121#M12986 Mk_83 2025-07-28T15:53:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254138#M12987 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/106488">@Mk_83</a>&nbsp;How about your DC ? Are there running gateways with a none dynamic public IP address ?</P> <P>It‘s normally not a problem with site to site VPN via 4G, 5G, LTE ….. to a central gateway. NAT done by the mobile networks providers are too no problems. IPSEC connection will be using NAT-T and the connection has to be initiate from the branch site to the central DC.</P> <P>Monitoring of the state of the branch appliances does not work (the small green sign of the firewall object in SmartConsole). The monitoring connection is initiated from the SMS to the branch appliance and this will fail because of the NAT in the providers network.</P> <P>The branch gateway objects must be defined with dynamic external IP. We are running environments with integrated LTE in the appliance and others with external LTE routers, both are working fine.</P> Mon, 28 Jul 2025 20:22:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254138#M12987 Wolfgang 2025-07-28T20:22:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254164#M12988 <P>Many thanks for your response.</P><P>Yes, Our DC gateway (Sophos) already have public IP (pppoe).</P><P>We were add the branch gateways to Smart-1 Cloud (connect through pppoe internet link), and set up VPN S2S to DC using that link. This works well since both sides have public IP addresses.</P><P>Do you have any documentation or best practices regarding configuring a VPN tunnel from a 4G/LTE/5G (non-public IP) to a DC gateway with a public IP, could you please share it with me?</P><P><SPAN>Thanks &amp; Best Regards.</SPAN></P><P>&nbsp;</P> Tue, 29 Jul 2025 07:45:41 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254164#M12988 Mk_83 2025-07-29T07:45:41Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254165#M12989 <P><A href="https://support.checkpoint.com/results/sk/sk167473" target="_blank" rel="noopener"><SPAN>sk167473: FAQ for Security Gateways with Dynamically Assigned IP Address (<STRONG>DAIP</STRONG>)</SPAN></A></P> Tue, 29 Jul 2025 07:50:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-over-4G-Internet-for-Quantum-Spark-Appliances/m-p/254165#M12989 G_W_Albrecht 2025-07-29T07:50:09Z