topic Re: Is it possible to configure public address on port with /31 mask in Spark Firewall (SMB)

Is it possible to configure public address on port with /31 mask

Siljo — Thu, 16 Nov 2023 12:12:17 GMT

I am trying to configure public address with /31 mask on interface of CP 1550 (V-80) appliance.
Running SW is Version: R81.10.08 (996001608)
In command line it looks as it should be possible but at the end it is not working.
This is printout of commands I am using.

Electo> set interface LAN4 ipv4-address 1.2.3.255 mask-length 255.255.255.254
Could not set interface mask-length: Value is not a valid number
Could not set interface mask-length: Value is too low. The minimum value allowed is 1
Could not set interface mask-length: Value is too high. The maximum value allowed is 32
Could not set interface mask-length: Value is not a valid number
Could not set interface mask-length: Value is too low. The minimum value allowed is 1
Could not set interface mask-length: Value is too high. The maximum value allowed is 32
Electo>
Electo> set interface LAN4 ipv4-address 1.2.3.255 mask-length 31
Could not set interface subnet-mask: Invalid subnet mask
Electo>

At the end, is it possible to configure it or not?
Thanks

Re: Is it possible to configure public address on port with /31 mask

Chris_Atkinson — Thu, 16 Nov 2023 12:44:42 GMT

It should work in R80.20.30 and higher, if not please raise a support case with TAC to investigate further.

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 13:14:52 GMT

I had seen people do this before and it did work.

Just tried bogus IP in the lab and it took it

Andy

CP-STANDALONE-backup> set interface eth3 ipv4-address 9.10.11.19 mask-length 31
CP-STANDALONE-backup> save config

Re: Is it possible to configure public address on port with /31 mask

Siljo — Thu, 16 Nov 2023 14:09:16 GMT

which appliance did you used?

I have 1550, and it is refusing to accept command.

Re: Is it possible to configure public address on port with /31 mask

Chris_Atkinson — Thu, 16 Nov 2023 14:10:43 GMT

Looks like a full GAiA appliance.

As above if it does not work for you please contact support https://help.checkpoint.com

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 14:13:41 GMT

I used eve-ng standalone config lab. I dont sadly have any smb appliance to test, but let me spin one up quick on demo point and will check.

Give me 10-15 mins.

Andy

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 14:31:41 GMT

Appears to be some sort of limitation. I tried, but exact same issue. Maybe TAC case would help here, speciailly based on below thread...

Kind regards,

Andy

https://community.checkpoint.com/t5/SMB-Gateways-Spark/WAN-interface-on-1590-with-31-Subnet-Mask/td-p/116709

Re: Is it possible to configure public address on port with /31 mask

Siljo — Thu, 16 Nov 2023 14:38:33 GMT

Thanks for check and quick answer.

It seems that next stop is TAC

Mario

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 14:43:55 GMT

No worries. Yes, I would agree, thats your best bet at this point.

Andy

P.S. I will keep trying to see if there is any way around it, but so far, just keeps saying its invalid subnet mask...if I get anywhere, will update you.

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 15:17:00 GMT

Im 100% positive this has nothing to do with the version at all, as its same on few different codes. Just working on some Palo Alto stuff right now, but will get back to this soon.

Kind regards,

Andy

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 17:01:42 GMT

No luck as of yet, but here is something Im not really grasping, if you will. Maybe someone from CP can clarify...Im not subnetting expert by any means, but if you think about it logically, /31 is essentially 2 hosts, which neither one can be used, as one is network and other is broadcast IP, so in that case, how come it works on regular Gaia, but not on smb?

Maybe below would explain it?

https://support.checkpoint.com/results/sk/sk91020

Kind regards,

Andy

Re: Is it possible to configure public address on port with /31 mask

Siljo — Thu, 16 Nov 2023 18:30:50 GMT

Indeed /31 has only 2 IP addresses inside, but it is used for point to point links for small ISP-s to not waste 50% of address space.

Some vendors support /31 subneting, but CP on SMB-s unfortunately is not one of them.

Maybe in some next SW release.

Anyhow thanks for your help.

Mario

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 18:34:11 GMT

Yes, exactly.

Cheers,

Andy

Re: Is it possible to configure public address on port with /31 mask

Bob_Zimmerman — Thu, 16 Nov 2023 19:32:06 GMT

The high address in a network block is reserved for broadcast. What a lot of people seem to miss is this is also the reason the low address in a network block is reserved. Before IP broadcast was standardized in RFC 919 in late 1984, some vendors had introduced their own implementation of broadcast using the low address. It's still commonly reserved today to avoid conflicting with implementations from the 80s (like old mainframes which tend to be business-critical to big companies). Thus, a /31 network could be considered to contain two broadcast addresses. Broadcast actually means "everyone in this network except me", so two broadcast addresses could uniquely identify two hosts.

RFC 3021 standardized use of 31-bit IPv4 network blocks in late 2000.

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 19:43:44 GMT

I still dont see the logic as to why /31 works on regular Gaia and not on embedded version. Maybe someone from CP can clarify the reason, unless its internal info only...

Andy

Re: Is it possible to configure public address on port with /31 mask

Bob_Zimmerman — Thu, 16 Nov 2023 20:51:26 GMT

It'll be a bug in the configuration validation logic. The part which takes "set interface eth1 ipv4-address 10.20.30.40 mask-length purple" and tells you "Purple isn't a valid netmask, dummy!"

The Linux network stack has supported 31-bit netmasks since somewhere in 2.5, so it's very unlikely to be something lower level. You can almost certainly use ifconfig to set the interface to a 31-bit mask by hand (ifconfig eth5 10.20.30.40 net mask 255.255.255.254), it just won't survive reboot thanks to clish.

Re: Is it possible to configure public address on port with /31 mask

the_rock — Thu, 16 Nov 2023 21:37:43 GMT

Agree, thats true. Anyway, would like to see if there is an official CP answer to all this : - )

Andy

Re: Is it possible to configure public address on port with /31 mask

PhoneBoy — Thu, 16 Nov 2023 22:16:49 GMT

Seems like this has happened before: https://community.checkpoint.com/t5/SMB-Gateways-Spark/WAN-interface-on-1590-with-31-Subnet-Mask/m-p/116709#M5105
Please consult with the TAC: https://help.checkpoint.com

Re: Is it possible to configure public address on port with /31 mask

Siljo — Mon, 20 Nov 2023 13:53:28 GMT

Finally it works.

All the time I was trying to configure /31 on local network port.

This is not working, configuration is not accepted by SMB.

But when same port is configured as Internet connection from GUI then SMB accepts /31 network for that port.

Problem solved 😉

Anyhow many thanks for help.

Mario

Re: Is it possible to configure public address on port with /31 mask

the_rock — Mon, 20 Nov 2023 13:55:53 GMT

Learned something new today, though I rarely work on SMB appliances, thats good to know.

Thanks mate ✅

Andy