topic Re: Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN in Spark Firewall (SMB)

Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Dr_Steve_Brule — Fri, 02 Sep 2022 13:27:32 GMT

Hi all,

I have a couple of SMB 1500 devices setup for various home users. We set these devices up with the ability to sit on their private network at home so the appliance is setup as a DAIP gateway with a private DHCP address from their home network on the WAN interface of the SMB (did this to make it easy on the end use so they can just plug in the device at home and flexibility to move the device around).

Once they get plugged in, IPSEC VPN is configured and it will create a tunnel to the main site and have connectivity.

One limitation I found on the appliance itself - I'd like to send services such as DNS, NTP, ICMP from the appliance itself down the tunnel using the LAN IP of the appliance instead of the WAN IP. Currently, those requests are trying to be sent down the tunnel using the WAN IP which could be any private IP on the home user's network. I don't want to define the user's home networks as part of the encryption domain so if there is some kind of workaround to use the SMB's LAN IP to send those requests, that'd be great. Any ideas on this?

Re: Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Chris_Atkinson — Fri, 02 Sep 2022 16:10:49 GMT

In Advanced Settings search for "source" and you should find applicable options to assist i.e.

"Use internal IP address for encrypted connections from local gateway"

Re: Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

CaseyB — Fri, 02 Sep 2022 16:49:22 GMT

Is there something similar for the 1430s? Searching for similar terms in Advanced Settings is telling me no.

Re: Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Dr_Steve_Brule — Fri, 02 Sep 2022 18:34:43 GMT

Forgot to mention - this is a centrally managed gateway. Per https://community.checkpoint.com/t5/SMB-Gateways-Spark/R80-20-15-Locally-Managed-Advanced-Settings/td-p/10621 it looks like "VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway" is a valid option for locally managed SMBs. Hoping there may be something in GUIDBEdit for centrally managed...

Re: Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Dr_Steve_Brule — Fri, 02 Sep 2022 18:35:57 GMT

CaseyB - See my reply to Chris above. Mine is centrally managed...may be a difference between centrally and locally managed gateways...

Re: Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Dr_Steve_Brule — Fri, 02 Sep 2022 18:55:41 GMT

Found it - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk119415&partition=Advanced&product=Quantum

Centrally Managed Solution:

Firmware R77.20.80 and higher (SMB-4577) adds the same functionality for Centrally Managed Devices.

In order to enable the feature a kernel parameter should be used - fw ctl set int fw_enc_conns_use_internal 1