oli139405
Explorer

VSX design help

Hi CheckMates,

1. Architecture

  • Platform: R81.20 VSX cluster (two appliances).
  • Upstream edge: Cisco CSR owned by the carrier.
  • Public block: public_IP/26. The carrier will send the whole /26 to one next-hop; they do not want to create a second sub-interface / VLAN.
  • Management: out-of-band eth0 on a physical switch → Smart MDSM.

2. Two design options

  Our proposal vs. customer request

  CSR↔VSX hand-off
    • Our proposal: two VLANs
      – VLAN 100 → VR (routes /26 to VS1-VSn)
      – VLAN 101 → VS0 (/32 for admin VPN)
    • Customer request: one VLAN only
      – VR owns the whole /26, including the /32 for admin VPN

  Admin remote-access
    • Our proposal: terminates on VS0 over VLAN 101
    • Customer request: has to terminate on VS0, but through the VR over the same VLAN

  Status
    • Our proposal: works fine
    • Customer request: warp link created between VR and VS0, but traffic never reaches VS0; cannot pick VS0 as next-hop for the /32 route

The two diagrams are attached for clarity.

3. What we have tested

  • Created VR → assigned the /26 to its external interface.
  • Added VS1…VS6, each gets a /32 (or /29) from the /26 — those routes are built automatically via warp links, OK.
  • Added a warp link to connect VS0 to the VR (unnumbered).
  • Tried to add a static host route <VS0-public>/32 → VS0 inside the VR.
    Problem: VS0 never appears in the drop-down list; CLI (set static-route) complains it is an “invalid next hop”.
  • Result: admin VPN can’t establish, SmartConsole can’t reach VS0.

4. Questions for the community

  1. Is there a supported way to make VS0 reachable through the same VR, without asking the carrier for a second VLAN?
  2. If not, can each Virtual System expose its own “management interface” that SmartConsole could use directly (so the admin VPN could land on the customer’s VS instead of VS0)?
  3. Any hidden trick (e.g. numbered warp, PBR, loopback) that would let me route that single /32 back to VS0 while the rest of the /26 stays in the VR?

5. Why we hesitate

  • Check Point docs say only VS0 should communicate with the Management Server, and that traffic must not traverse another VS.
  • The customer is pushing hard to keep one interconnect on the CSR.

Has anyone solved a similar “single /26 – need admin VPN on VS0” constraint before?
Appreciate any pointers, even if the answer is “you really do need the second VLAN”.

Thanks!

Attachments: VSX.png, VSX1.png

0 Kudos
2 Replies
PhoneBoy
Admin

Not sure this is possible in Legacy VSX.
VSnext (available in R82+) might support this since the routing is configured directly in Gaia OS versus in SmartConsole.

0 Kudos
emmap
MVP Gold CHKP

There is no need to have network connectivity between VS0 and the member VSs in order to manage them in legacy VSX; all network comms between the VSs and the management servers go to/from the VS0 IP address, which seems to be on Eth0 in your diagram. With that said, what is the problem you are trying to solve here?

0 Kudos