Ivory

Problem with Internet Router installation

Hi All


We had an issue last week with a new internet router installation. In our current setup, we have two L2 connections off a switch, which consist of their Checkpoint FW and the current legacy internet router. What we did to introduce the new internet router was plug it into a different port on the same switch with the same IP as the legacy internet connection while unplugging the legacy connection (which is the default gateway of the Checkpoint firewall).

Once this was in place and the legacy connection was disabled, some of the traffic which routes over the Checkpoint recovered (notably the public IP space which was over the L2 connection, along with their VPN, which routes through the Checkpoint); however, the internet traffic which traverses the default gateway outbound did not. I can see the correct ARP entries on the Checkpoint as well as on the routing/switching. The new INET router has connectivity, but traffic is not forwarded for internet connections, with the exception of the local VPN (which is situated like a DMZ).

Once we rolled back, the connectivity reverted immediately without any issues. 

Any ideas on this? It was a strange one that left us scratching our heads.


Many thanks

4 Replies
Admin

Did you verify packets were leaving the gateway on the correct interface with tcpdump or similar?
Ivory

We didn't at the time, but the fact that the DMZ was working would suggest that, at the very least, that traffic was leaving the default GW. I plan on having another crack at it with tcpdump; however, I was hoping that there was something obvious that I overlooked.

We were constantly getting errors like the following: 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0);Blocking request as configured in engine settings of Firewall'

However, I thought that this was what it was saying: a connectivity issue rather than DNS. Despite this, I couldn't ping 8.8.8.8 or by IP from the inside.

This sounds like the provider is not advertising the connection network between router and firewall into the internet from the new router.
Regards, Maarten
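The two replies above point at two different failure modes, and a capture on the gateway's external interface separates them: if the ICMP echo requests from the inside never appear on that interface, the gateway is not forwarding them (routing, anti-spoofing or policy); if they appear but no reply comes back, the problem is upstream or on the return path, which is what the "provider is not advertising the link network" hypothesis would look like. The script below is an added example, not something posted in this thread or part of any Check Point tooling: it classifies `tcpdump -nn` output into those cases. The interface name `eth1`, the target `8.8.8.8`, the source address `203.0.113.10` in the sample lines, and the use of `timeout` for the live run are all assumptions; the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a tcpdump capture taken on the
# gateway's external interface while an inside host pings a public address.
# EXT_IF and TARGET are assumed defaults; override them in the environment.
EXT_IF="${EXT_IF:-eth1}"
TARGET="${TARGET:-8.8.8.8}"

# classify_capture reads `tcpdump -nn` lines on stdin and prints one word:
#   no-egress : no echo request to $TARGET seen leaving the interface
#               (gateway is not forwarding: routing, anti-spoofing, policy)
#   no-reply  : requests left, but no echo reply came back
#               (upstream / return path, e.g. link subnet not routed back)
#   ok        : request and reply both seen
# index() is used instead of a regex so the dots in the address match literally.
classify_capture() {
    awk -v target="$TARGET" '
        index($0, "> " target ": ICMP echo request") { req++ }
        index($0, "IP " target " > ") && index($0, "ICMP echo reply") { rep++ }
        END {
            if (req == 0)      print "no-egress"
            else if (rep == 0) print "no-reply"
            else               print "ok"
        }'
}

# Constructed sample: the capture you would see when the packet leaves the
# gateway but nothing returns (the "provider not routing it back" case).
sample_no_reply() {
    cat <<'EOF'
10:15:01.000001 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:15:02.000001 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
EOF
}

# live_check runs the real capture on the gateway (needs root) for 15 seconds
# while someone on the inside pings $TARGET; `timeout` is assumed to be present.
live_check() {
    timeout 15 tcpdump -nni "$EXT_IF" -l icmp and host "$TARGET" 2>/dev/null \
        | classify_capture
}

if [ "${1:-}" = "live" ]; then
    live_check
else
    sample_no_reply | classify_capture
fi
```

Run it with `live` on the gateway (`EXT_IF=eth1 sh egress_check.sh live`) while pinging from an inside host; without an argument it classifies the constructed sample. A `no-egress` result is worth following up on the gateway with `fw ctl zdebug + drop`, which shows drops with their reason, before looking at the new router at all.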
Ivory

Unfortunately, that wasn't the case. Both subnets worked - one went through the CP FW and the other via the new router to another device in the other public subnet. 😞

Thanks for your reply