topic Re: SMB Gateway with a WAN Connection but 2 Default Gateways in Spark Firewall (SMB)

SMB Gateway with a WAN Connection but 2 Default Gateways

Soroosh — Fri, 10 Oct 2025 08:05:55 GMT

Hi mates,

I recently had a case with one WAN connection and one IP address, but two default gateways for HA on a 1535 gateway.
I need to configure the gateway so that, if the primary default gateway fails, it automatically sends traffic to the secondary default gateway. This will ensure redundancy for the internet connection.

My problem is that I don't know how to do it.
First, it is not possible to define two default gateways for a WAN connection.
2. It is not possible to prevent the gateway from creating the default gateway automatically, even with the "Route traffic through this connection by default" option disabled under ISP redundancy in the advanced tab of the internet connection settings.
3. It seems that I have to create two default routes, but, as I described in the last point, I cannot create the primary default route because the gateway created it automatically, and it is not editable. Also, the secondary route that I created stays inactive.
4. According to this scenario, connection monitoring should be deactivated (apparently) and monitoring should be set on the route. However, this is also not possible for the automatically created default route, and the secondary default route that I created returned an error: "Could not set static route: The next-hop IP address of the monitored route must be on the local LAN subnet." For monitoring VPN or GRE tunnels, select them in the virtual tunnel's hop field." It doesn't matter if I set the IP address of the standard gateway of the ISP or any other IP address, such as a Google DNS IP address.

What could be the solution in this case?

Thanks in Advance
Regards
Soroosh

Re: SMB Gateway with a WAN Connection but 2 Default Gateways

Chris_Atkinson — Fri, 10 Oct 2025 12:04:48 GMT

Could you please share the firmware version/build used and perhaps a diagram including the relevant IP addresses / netmask details?

Re: SMB Gateway with a WAN Connection but 2 Default Gateways

PhoneBoy — Fri, 10 Oct 2025 20:30:26 GMT

You can't monitor an external IP, only an IP on the same subnet as the WAN.
That usually means the WAN's default route.

Re: SMB Gateway with a WAN Connection but 2 Default Gateways

the_rock — Sun, 12 Oct 2025 22:45:41 GMT

I would agree with what Phoneboy had said, but, if you want to be sure, you can double check with TAC.

Andy

Re: SMB Gateway with a WAN Connection but 2 Default Gateways

Soroosh — Mon, 13 Oct 2025 07:50:23 GMT

Firmware vewrsion is RR81.10.17_996004721
I have attached the diagram. I'm not sure if I am allowed to expose the IP addresses, so I have replaced the first three octets with x, and yes, it is /24. 🙂

Re: SMB Gateway with a WAN Connection but 2 Default Gateways

Soroosh — Mon, 13 Oct 2025 07:53:49 GMT

The problem is that it doesn't accept the IP address of the default gateway either. It shows the same error. Also, I cannot modify/delete/deactivate the automatically created default route.

Re: SMB Gateway with a WAN Connection but 2 Default Gateways

Soroosh — Fri, 31 Oct 2025 12:00:41 GMT

TAC Answer:
1. System-Defined Routes Are Not Editable
"You cannot edit, delete, enable, and disable routes created by the operating system for directly attached networks or by dynamic routing protocols."

https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Configuring-Routing-Table.htm

2. Default Route Failover Is Tied to Interface Status
If the WAN interface goes down, the default route becomes inactive, and traffic is routed according to other active routes.
The system does not support two default gateways for a single WAN interface.

3. ISP Redundancy Feature
Designed for multiple WAN interfaces (e.g., WAN1, WAN2), not for two gateways on one interface.
"Route traffic through this connection by default" only applies to the selected WAN interface.

4. Static Route Monitoring Limitations
Monitored static routes require the next-hop to be on a local subnet.
You cannot use an external IP as the next-hop for route monitoring.

5. Cluster/HA Solutions
True HA with automatic failover between gateways is supported via cluster configuration (ClusterXL or Quantum Spark cluster), but this requires two appliances and typically two WAN interfaces.

Please check admin guide to configure High Availability:
https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Configuring-High-Availability.htm

ISP Redundancy:
https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Configuring-Internet-Connectivity.htm?Highlight=ISP%20Redundancy

So, I had to set 2 IPs on the WAN Port, and sat the Primary DG for one and the secondary for another.
with this method I could find a solution for this case. And it seems it works.