Add 2 IP in the same WAN internet connection interface
Hi Guys,
I am configuring an SMB 1590 device. I have a class of 8 public IPs that I can use from the ISP, and I want to add 2 public IPs to the same WAN internet connection interface, but I get the error "IP address is in the subnet of an existing network".
Can someone please help with this issue?
Hey,
What would be the reason you want to do that?
If you want to use the 2nd IP for NAT-ing traffic from certain users, it does not need to be defined on the box, as long as it's routed properly.
Thank you,
PS: not sure if an SMB differs too much from a 15600 GW, but for us it is working fine.
In this case, it’s no different between SMB and non-SMB.
Hey
I'm getting to the point. So it is not possible to add two public IPs to the same interface?
I'm using the CHP firewall as a router in my case. The optic fiber is connected directly to the appliance.
What do you recommend?
Thanks
No, it's not possible.
What is it you are trying to do that you think adding a second WAN IP would be the solution for?
I hate it when I get half answers, but still I'll ask again like others did 😁 ..
From a certain perspective we all use CKP as a router, but with extra features 🤣
So again, what would be the reason you want to do that? Why do you want to get 2 IPs or 10 IPs on the WAN interface?!?!?!
Thank you,
OK. I will try to describe the situation.
From the ISP I've got a public IP range, f.e.: 172.16.189.0/29 (172.16.189.1-6).
ISP GW for me is: 172.16.189.1
Public IPs for me: 172.16.189.2-6 (5 Public IPs) with GW 172.16.189.1
Now, I have multiple VLANs or LANs for easy understanding: LAN1 - 192.169.190.1/24 - Management Network, LAN2 - 192.168.191.1/24 - Production LAN, 192.168.192.1/24 - Guests Network, 192.168.193.1/24 - DMZ.
And I want to translate all these networks to different Public IPs like this:
192.168.190.0/24 -> 172.16.189.2
192.168.191.0/24 -> 172.16.189.3
192.168.192.0/24 -> 172.16.189.4
192.168.193.0/24 -> 172.16.189.5
So not just one server or host, or one by one, but the whole network I want to hide behind a different public IP.
How to do that?
I've created NAT rules; they translate correctly, but SPARK does not react on any IP other than the one specified on the WAN interface.
I'm not able to create an ALIAS from the same WAN network to tell SPARK "this is also your IP address".
So, what now?
You need to create proxy ARPs for the relevant IPs manually.
See: https://support.checkpoint.com/results/sk/sk114531
No 🙂
There is an easy solution.
You have to create another NAT rule where Original destination is your required WAN IP.
So, f.e.:
1. Original Source: 192.168.191.0/24, Original Destination: Any, Original Service: Any, Translated Source: 172.16.189.3, Translated Destination: Original, Translated Service: Original
2. Original Source: Any, Original Destination: 172.16.189.3, Original Service: Any, Translated Source: Original, Translated Destination: Original, Translated Service: Original
The 1st rule is about NAT from LAN to Internet, so all traffic from network 192.168.191.0/24 is NATed (masqueraded) to the 172.16.189.3 IP 🙂 You have to check "Hide multiple sources behind translated source address" and also "Serve as an ARP Proxy for the original destination's IP address".
The 2nd rule will assign another IP from the WAN network to the WAN interface and will send all traffic to this address to the right destination.
That's all 🙂
Now you can repeat it for every IP assigned to you by the ISP and you can use all public IPs as you want 🙂
Hi Marek, may I ask you about the second NAT rule? Why is it not like below? Could you please explain?
Is it because, once traffic reaches the first rule, a session is stored inside a NAT table, and once it receives communication from an external source it looks in the NAT table for the destination? Thanks
2. Original Source: Any, Original Destination: 172.16.189.3, Original Service: Any, Translated Source: Original, Translated Destination: 192.168.191.0/24, Translated Service: Original
Hello,
It works for NEW incoming connections as well. 🙂 So I want to use it also for other networks on my LAN.
So then I'm able to create NAT to any device I want in my LAN, not just for devices inside 192.168.191.0/24 🙂
You can use the 2nd WAN IP for multiple LANs; you will create just a rule of type 1 (1st rule) and do not have to create another of the 2nd type 🙂
But how does incoming traffic (not initiated from the internal network) know where to go, when the rule is like below?
The original destination is 172.16.189.3 and it is translated to 172.16.189.3. Do I need any additional routing or something?
1. Original Source: 192.168.191.0/24, Original Destination: Any, Original Service: Any, Translated Source: 172.16.189.3, Translated Destination: Original, Translated Service: Original
2. Original Source: Any, Original Destination: 172.16.189.3, Original Service: Any, Translated Source: Original, Translated Destination: Original, Translated Service: Original
OK. There are 2 situations:
1. Hiding outgoing traffic from the LAN behind another WAN IP (one of the IPs assigned by the ISP)
- When a packet goes out, the router builds a NAT table entry, and the returning packet (related/established) follows the info stored in the NAT table, so the router knows where to send this returning packet.
2. Using another of the ISP IPs in NAT for inbound services (f.e. web server, mail server)
- Now, an incoming packet is checked against the NAT rules to see if there is some redirection for it. If not, the packet is dropped. If yes, the packet is forwarded according to the rule it belongs to.
Hello,
I would like to set up multiple IP addresses from the internal network in the same way. I won't have any device/server in the internal network that should be accessible from the outside. Therefore, all communication into the network must be initiated from the internal side.
For this reason, I thought that only the first rule from the following would suffice:
- Original Source: 192.168.191.0/24, Original Destination: Any, Original Service: Any, Translated Source: 172.16.189.3, Translated Destination: Original, Translated Service: Original
- Original Source: Any, Original Destination: 172.16.189.3, Original Service: Any, Translated Source: Original, Translated Destination: Original, Translated Service: Original
However, when I set up only the first NAT rule, the communication did not work until I set up the second NAT rule, then access to the internet started working. I have read through it multiple times and do not understand why it doesn't work with just one NAT rule.
As I understand it, and according to what you wrote, a device from the internal network (192.168.191.0/24) starts communication to the internet, NAT translates it to the second public IP (172.16.189.3), then when a response comes back to the second public IP (172.16.189.3) on the Check Point, it checks the NAT table, and the message should return to the correct recipient.
This should be the end, but still, the communication did not happen until we had the second NAT rule, even though we do not have any device in the network to which new communication from the internet should reach?
Hello,
Put simply ... it looks like the 2nd rule tells the router "Hey, this is also my public IP" 🙂
I was investigating this before, and this was the reason why I put it here to help all the others 🙂 so they do not waste time.
The 1st rule works; the packet goes out with the new (specified) public IP address. However, Check Point drops all packets sent to that IP (I did sniff that communication). So then I added the 2nd rule, and it looks like Check Point then knows that the packet belongs to it 🙂
So yes, just the 1st rule is not enough; both have to be present to make an Internet connection via another public IP from the ISP.
Marek
Okay, I understand a bit more now. So with the second rule I say to my GW "hey, this is also my public IP". But when a connection is initiated from the outside, I also need another rule to tell my GW to what private IP it should translate the incoming connection. Am I right?
Thanks
Exactly 🙂
When a connection is initiated from outside, you need a NAT forward rule 🙂
Okay, so for example I would change NAT rule no. 2 and would edit the translated destination to my desired private IP.
Thank you, I understand it now.
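The exchange above (Marek's two rules, the two situations he describes for returning versus new inbound packets, and the final edit of rule 2 into a forward rule) can be followed step by step in a small simulation. This is an added example written for this thread, not Check Point code: it is a deliberately simplified model in which a rule whose Original Destination is a WAN IP makes the gateway treat that IP as its own (the "this is also my public IP" effect reported above), and the rule fields, packet model and addresses 198.51.100.7 / 203.0.113.9 / 192.168.193.20 are assumptions chosen for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified model of the thread's NAT behaviour (added example, not Check Point's implementation).


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NatRule:
    orig_src: str   # CIDR network or "Any"
    orig_dst: str   # IP address or "Any"
    xlate_src: str  # IP address or "Original"
    xlate_dst: str  # IP address or "Original"


def _matches(field_value: str, ip: str) -> bool:
    """'Any' matches everything; otherwise the address must fall inside the network/host."""
    if field_value == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field_value, strict=False)


class Gateway:
    def __init__(self, wan_ip: str):
        self.rules: List[NatRule] = []
        self.owned = {wan_ip}  # WAN IPs the gateway answers for (its own interface IP to start with)
        # connection table: (public_ip, public_port) -> (private_ip, private_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 10000

    def add_rule(self, rule: NatRule) -> None:
        self.rules.append(rule)
        # Assumption taken from the thread: a rule whose Original Destination is a WAN IP
        # makes the gateway claim that IP ("hey, this is also my public IP").
        if rule.orig_dst != "Any":
            self.owned.add(rule.orig_dst)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN: the first matching hide rule rewrites the source and records state."""
        for r in self.rules:
            if r.xlate_src != "Original" and _matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst):
                pub_port = self._next_port
                self._next_port += 1
                self.table[(r.xlate_src, pub_port)] = (pkt.src, pkt.sport)
                return Packet(r.xlate_src, pkt.dst, pub_port, pkt.dport)
        return None  # no hide rule matched; not needed for this demonstration

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """WAN -> LAN: returns (verdict, translated packet or None)."""
        if pkt.dst not in self.owned:
            return ("dropped: not a gateway address", None)
        # Situation 1: reply to a hide-NATed connection, found in the connection table
        entry = self.table.get((pkt.dst, pkt.dport))
        if entry is not None:
            priv_ip, priv_port = entry
            return ("established", Packet(pkt.src, priv_ip, pkt.sport, priv_port))
        # Situation 2: new connection; only a forward rule with a translated destination accepts it
        for r in self.rules:
            if r.xlate_dst != "Original" and _matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst):
                return ("forwarded", Packet(pkt.src, r.xlate_dst, pkt.sport, pkt.dport))
        return ("dropped: no forward rule", None)


def scenario() -> dict:
    """Walks through the three configurations discussed in the thread and collects the verdicts."""
    results = {}
    gw = Gateway("172.16.189.2")
    # Rule 1 only: hide 192.168.191.0/24 behind the second public IP
    gw.add_rule(NatRule("192.168.191.0/24", "Any", "172.16.189.3", "Original"))
    out = gw.outbound(Packet("192.168.191.10", "198.51.100.7", 40000, 443))
    results["out_src"] = out.src
    reply = Packet("198.51.100.7", out.src, 443, out.sport)
    results["rule1_only"] = gw.inbound(reply)[0]          # reply is lost: IP not claimed
    # Rule 2 added: Any -> 172.16.189.3, everything Original
    gw.add_rule(NatRule("Any", "172.16.189.3", "Original", "Original"))
    verdict, pkt = gw.inbound(reply)
    results["with_rule2"] = (verdict, pkt.dst, pkt.dport)  # reply now reaches the LAN host
    results["new_inbound"] = gw.inbound(Packet("203.0.113.9", "172.16.189.3", 5555, 443))[0]
    # Rule 2 edited into a forward rule with a private translated destination
    gw.rules[1] = NatRule("Any", "172.16.189.3", "Original", "192.168.193.20")
    verdict, pkt = gw.inbound(Packet("203.0.113.9", "172.16.189.3", 5555, 443))
    results["forward"] = (verdict, pkt.dst)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model shows why rule 1 alone leaves the LAN without internet access: the hide translation itself works, but the gateway does not consider the second public IP its own, so the reply never enters the connection-table lookup. With rule 2 the reply is matched as established, while a brand-new inbound connection is still dropped until rule 2 carries a real translated destination.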
Is it a locally or centrally managed GW?
It sounds like the 2nd NAT rule generates proxy ARP for this public IP, which the first rule doesn't do automatically.
You can verify it by running tcpdump on the interface facing the ISP, for example: tcpdump -nnei WAN | grep 172.16.189.3
Without the 2nd NAT rule you will see lots of "who has 172.16.189.3 tell x.x.x.x" (the router). With the 2nd NAT rule you will still see the same "who has" once in a while, but you will also see a reply from the GW: "172.16.189.3 is at <mac-address of the GW>".
There are procedures to add proxy ARP manually.
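The tcpdump check described in the post above can be turned into a small script that summarises ARP traffic per IP and flags the public IPs that are being asked for but never answered, which is the symptom of missing proxy ARP. This is an added example for this thread, not a Check Point tool. The capture lines are constructed in the format tcpdump prints with -e and -nn (the MAC addresses and timestamps are invented), and they reproduce the two states the post describes: 172.16.189.2 answered by the gateway, 172.16.189.3 asked for repeatedly with no reply.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Added example: detect unanswered ARP requests for the extra public IPs in a tcpdump capture.

# tcpdump -nnei output for ARP: "... Request who-has <ip> tell <ip>, ..." and "... Reply <ip> is-at <mac>, ..."
ARP_RE = re.compile(
    r"(?:Request who-has (?P<req_ip>[\d.]+) tell (?P<asker>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17}))"
)

# Constructed sample capture (not a real capture): the ISP router (00:aa:bb:00:00:01) keeps asking
# for 172.16.189.3 and gets no answer, while 172.16.189.2 is answered by the gateway MAC.
SAMPLE_CAPTURE = """\
10:01:02.100 00:aa:bb:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.3 tell 172.16.189.1, length 46
10:01:03.100 00:aa:bb:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.3 tell 172.16.189.1, length 46
10:01:04.100 00:aa:bb:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.2 tell 172.16.189.1, length 46
10:01:04.101 00:cc:dd:00:00:02 > 00:aa:bb:00:00:01, ethertype ARP (0x0806), length 42: Reply 172.16.189.2 is-at 00:cc:dd:00:00:02, length 28
10:01:05.100 00:aa:bb:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.3 tell 172.16.189.1, length 46
"""


def arp_summary(lines: Iterable[str]) -> Dict[str, dict]:
    """Count ARP requests and replies per IP and collect the MACs that claimed each IP."""
    stats: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "replies": 0, "macs": set()})
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue  # not an ARP line (or a format we do not parse)
        if m.group("req_ip"):
            stats[m.group("req_ip")]["requests"] += 1
        else:
            entry = stats[m.group("rep_ip")]
            entry["replies"] += 1
            entry["macs"].add(m.group("mac"))
    return dict(stats)


def unanswered(lines: Iterable[str], watch_ips: Iterable[str]) -> List[str]:
    """Return the watched IPs that were asked for at least once but never answered."""
    stats = arp_summary(list(lines))
    return sorted(
        ip for ip in watch_ips
        if ip in stats and stats[ip]["requests"] > 0 and stats[ip]["replies"] == 0
    )


if __name__ == "__main__":
    # Public IPs from the thread that the gateway is expected to answer for
    public_ips = ["172.16.189.2", "172.16.189.3", "172.16.189.4", "172.16.189.5"]
    for ip, s in sorted(arp_summary(SAMPLE_CAPTURE.splitlines()).items()):
        print(f"{ip}: {s['requests']} requests, {s['replies']} replies, claimed by {sorted(s['macs']) or '-'}")
    print("missing proxy ARP for:", unanswered(SAMPLE_CAPTURE.splitlines(), public_ips))
```

Run it against a real capture by piping tcpdump -nnei on the WAN interface into the script's standard input (replacing the embedded sample), and watch the MAC reported in the replies: every public IP should be claimed by the gateway's own WAN MAC, and a second MAC answering for the same IP would point to an address conflict on the ISP segment.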
