Siljo
Participant

Is it possible to configure public address on port with /31 mask

I am trying to configure a public address with a /31 mask on an interface of a CP 1550 (V-80) appliance.
The running SW is Version: R81.10.08 (996001608)
On the command line it looks as if it should be possible, but in the end it is not working.
This is the printout of the commands I am using.

Electo> set interface LAN4 ipv4-address 1.2.3.255 mask-length 255.255.255.254
Could not set interface mask-length: Value is not a valid number
Could not set interface mask-length: Value is too low. The minimum value allowed is 1
Could not set interface mask-length: Value is too high. The maximum value allowed is 32
Could not set interface mask-length: Value is not a valid number
Could not set interface mask-length: Value is too low. The minimum value allowed is 1
Could not set interface mask-length: Value is too high. The maximum value allowed is 32
Electo>
Electo> set interface LAN4 ipv4-address 1.2.3.255 mask-length 31
Could not set interface subnet-mask: Invalid subnet mask
Electo>

In the end, is it possible to configure it or not?
Thanks

0 Kudos
Chris_Atkinson
Employee

It should work in R80.20.30 and higher; if not, please raise a support case with TAC to investigate further.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

I had seen people do this before and it did work. 

Just tried bogus IP in the lab and it took it

Andy

 

CP-STANDALONE-backup> set interface eth3 ipv4-address 9.10.11.19 mask-length 31
CP-STANDALONE-backup> save config

0 Kudos
Siljo
Participant

Which appliance did you use?

I have a 1550, and it is refusing to accept the command.

0 Kudos
Chris_Atkinson
Employee

Looks like a full GAiA appliance.

As above, if it does not work for you, please contact support: https://help.checkpoint.com

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

I used an eve-ng standalone config lab. Sadly, I don't have any SMB appliance to test, but let me spin one up quickly on demo point and I will check.

Give me 10-15 mins.

Andy

0 Kudos
the_rock
Legend

Appears to be some sort of limitation. I tried, but got the exact same issue. Maybe a TAC case would help here, especially based on the thread below...

Kind regards,

Andy

 

https://community.checkpoint.com/t5/SMB-Gateways-Spark/WAN-interface-on-1590-with-31-Subnet-Mask/td-...

0 Kudos
Siljo
Participant

Thanks for checking and for the quick answer.

It seems that the next stop is TAC.

BR

Mario

0 Kudos
the_rock
Legend

No worries. Yes, I would agree, that's your best bet at this point.

Andy

P.S. I will keep trying to see if there is any way around it, but so far, it just keeps saying it's an invalid subnet mask... If I get anywhere, I will update you.

(1)
the_rock
Legend

I'm 100% positive this has nothing to do with the version at all, as it's the same on a few different codes. Just working on some Palo Alto stuff right now, but will get back to this soon.

Kind regards,

Andy

0 Kudos
the_rock
Legend

No luck as of yet, but here is something I'm not really grasping, if you will. Maybe someone from CP can clarify... I'm not a subnetting expert by any means, but if you think about it logically, /31 is essentially 2 hosts, neither of which can be used, as one is the network and the other is the broadcast IP, so in that case, how come it works on regular Gaia, but not on SMB?

Maybe below would explain it?

https://support.checkpoint.com/results/sk/sk91020

Kind regards,

Andy

0 Kudos
Siljo
Participant

Indeed, /31 has only 2 IP addresses inside, but it is used for point-to-point links so that small ISPs do not waste 50% of the address space.

Some vendors support /31 subnetting, but CP on SMBs unfortunately is not one of them.

Maybe in some next SW release.

Anyhow thanks for your help.

BR

Mario

 

0 Kudos
the_rock
Legend

Yes, exactly.

Cheers,

Andy

0 Kudos
Bob_Zimmerman
Mentor

The high address in a network block is reserved for broadcast. What a lot of people seem to miss is this is also the reason the low address in a network block is reserved. Before IP broadcast was standardized in RFC 919 in late 1984, some vendors had introduced their own implementation of broadcast using the low address. It's still commonly reserved today to avoid conflicting with implementations from the 80s (like old mainframes which tend to be business-critical to big companies). Thus, a /31 network could be considered to contain two broadcast addresses. Broadcast actually means "everyone in this network except me", so two broadcast addresses could uniquely identify two hosts.

RFC 3021 standardized use of 31-bit IPv4 network blocks in late 2000.

0 Kudos
the_rock
Legend

I still don't see the logic as to why /31 works on regular Gaia and not on the embedded version. Maybe someone from CP can clarify the reason, unless it's internal info only...

Andy

0 Kudos
Bob_Zimmerman
Mentor

It'll be a bug in the configuration validation logic. The part which takes "set interface eth1 ipv4-address 10.20.30.40 mask-length purple" and tells you "Purple isn't a valid netmask, dummy!"

The Linux network stack has supported 31-bit netmasks since somewhere in 2.5, so it's very unlikely to be something lower level. You can almost certainly use ifconfig to set the interface to a 31-bit mask by hand (ifconfig eth5 10.20.30.40 netmask 255.255.255.254), it just won't survive reboot thanks to clish.

0 Kudos
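
Added illustration (not part of the thread and not Check Point's code): the sketch below contrasts a hypothetical strict validator, which reserves the lowest and highest address of every block, with one that follows RFC 3021, using the two addresses tried in the thread. The function names and the strict rule are assumptions; the thread does not show what the SMB validator actually checks.

```python
import ipaddress

def parse_mask_length(value: str) -> int:
    """Accept only a decimal prefix length 1..32 (the range the clish errors quote)."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError("Value is not a valid number")
    n = int(value)
    if not 1 <= n <= 32:
        raise ValueError("mask-length must be between 1 and 32")
    return n

def _edges(addr: str, prefix: int):
    """Return (interface IP, lowest address, highest address) of the block."""
    iface = ipaddress.IPv4Interface(f"{addr}/{prefix}")
    net = iface.network
    return iface.ip, net.network_address, net.broadcast_address

def validate_legacy(addr: str, prefix: int):
    """Hypothetical strict rule: lowest and highest address are never assignable.
    Under this rule a /31 has no usable address at all."""
    ip, low, high = _edges(addr, prefix)
    if prefix < 32 and ip in (low, high):
        return False, "address is the network or broadcast address"
    return True, "ok"

def validate_rfc3021(addr: str, prefix: int):
    """RFC 3021 rule: in a /31 both addresses are host addresses."""
    ip, low, high = _edges(addr, prefix)
    if prefix >= 31:
        return True, "ok"
    if ip == low:
        return False, "address is the network address"
    if ip == high:
        return False, "address is the broadcast address"
    return True, "ok"

def p2p_peer(addr: str) -> str:
    """The other end of a /31 link differs only in the last bit."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) ^ 1))

if __name__ == "__main__":
    # Addresses taken from the thread; the /24 case is a constructed contrast.
    for addr, mask in [("1.2.3.255", "31"), ("9.10.11.19", "31"), ("1.2.3.255", "24")]:
        n = parse_mask_length(mask)
        print(f"{addr}/{n}", validate_legacy(addr, n), validate_rfc3021(addr, n))
```
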
the_rock
Legend

Agree, that's true. Anyway, would like to see if there is an official CP answer to all this :-)

Andy

0 Kudos
PhoneBoy
Admin
0 Kudos
Siljo
Participant

Finally it works.

All this time I was trying to configure /31 on a local network port.

This is not working; the configuration is not accepted by the SMB.

But when the same port is configured as an Internet connection from the GUI, the SMB accepts a /31 network for that port.

Problem solved 😉

Anyhow many thanks for help.

Br

Mario

(1)
the_rock
Legend

Learned something new today. Though I rarely work on SMB appliances, that's good to know.

Thanks mate

Andy

0 Kudos
PhoneBoy
Admin

That kind of makes sense since you only typically use a /31 on an Internet-facing device.

0 Kudos
