This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Siljo
Participant
‎2023-11-16 04:12 AM
Jump to solution

Is it possible to configure public address on port with /31 mask

I am trying to configure public address with /31 mask on interface of CP 1550 (V-80) appliance.
Running SW is Version: R81.10.08 (996001608)
In command line it looks as it should be possible but at the end it is not working.
This is printout of commands I am using.

Electo> set interface LAN4 ipv4-address 1.2.3.255 mask-length 255.255.255.254
Could not set interface mask-length: Value is not a valid number
Could not set interface mask-length: Value is too low. The minimum value allowed is 1
Could not set interface mask-length: Value is too high. The maximum value allowed is 32
Could not set interface mask-length: Value is not a valid number
Could not set interface mask-length: Value is too low. The minimum value allowed is 1
Could not set interface mask-length: Value is too high. The maximum value allowed is 32
Electo>
Electo> set interface LAN4 ipv4-address 1.2.3.255 mask-length 31
Could not set interface subnet-mask: Invalid subnet mask
Electo>

At the end, is it possible to configure it or not?
Thanks

0 Kudos
1 Solution

Accepted Solutions
Siljo
Participant
‎2023-11-20 05:52 AM
In response to PhoneBoy
Jump to solution

Finally it works.

All the time I was trying to configure /31 on local network port.

This is not working, configuration is not accepted by SMB.

But when same port is configured as Internet connection from GUI then SMB accepts /31 network for that port.

Problem solved 😉

Anyhow many thanks for help.

Br

Mario

View solution in original post

(1)
20 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-11-16 04:44 AM
Jump to solution

It should work in R80.20.30 and higher, if not please raise a support case with TAC to investigate further.

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 05:14 AM
Jump to solution

I had seen people do this before and it did work. 

Just tried bogus IP in the lab and it took it

Andy

 

CP-STANDALONE-backup> set interface eth3 ipv4-address 9.10.11.19 mask-length 31
CP-STANDALONE-backup> save config

Best,
Andy
0 Kudos
Siljo
Participant
‎2023-11-16 06:09 AM
In response to the_rock
Jump to solution

which appliance did you used?

I have 1550, and it is refusing to accept command.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-11-16 06:10 AM
In response to Siljo
Jump to solution

Looks like a full GAiA appliance.

As above if it does not work for you please contact support https://help.checkpoint.com

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 06:13 AM
In response to Siljo
Jump to solution

I used eve-ng standalone config lab. I dont sadly have any smb appliance to test, but let me spin one up quick on demo point and will check.

Give me 10-15 mins.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 06:31 AM
In response to Siljo
Jump to solution

Appears to be some sort of limitation. I tried, but exact same issue. Maybe TAC case would help here, speciailly based on below thread...

Kind regards,

Andy

 

https://community.checkpoint.com/t5/SMB-Gateways-Spark/WAN-interface-on-1590-with-31-Subnet-Mask/td-...

Best,
Andy
0 Kudos
Siljo
Participant
‎2023-11-16 06:38 AM
In response to the_rock
Jump to solution

Thanks for check and quick answer.

It seems that next stop is TAC

BR

Mario

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 06:43 AM
In response to Siljo
Jump to solution

No worries. Yes, I would agree, thats your best bet at this point.

Andy

P.S. I will keep trying to see if there is any way around it, but so far, just keeps saying its invalid subnet mask...if I get anywhere, will update you.

Best,
Andy
(1)
the_rock
MVP Gold
MVP Gold
‎2023-11-16 07:17 AM
In response to Siljo
Jump to solution

Im 100% positive this has nothing to do with the version at all, as its same on few different codes. Just working on some Palo Alto stuff right now, but will get back to this soon.

Kind regards,

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 09:01 AM
In response to Siljo
Jump to solution

No luck as of yet, but here is something Im not really grasping, if you will. Maybe someone from CP can clarify...Im not subnetting expert by any means, but if you think about it logically, /31 is essentially 2 hosts, which neither one can be used, as one is network and other is broadcast IP, so in that case, how come it works on regular Gaia, but not on smb?

Maybe below would explain it?

https://support.checkpoint.com/results/sk/sk91020

Kind regards,

Andy

Best,
Andy
0 Kudos
Siljo
Participant
‎2023-11-16 10:30 AM
In response to the_rock
Jump to solution

Indeed /31 has only 2 IP addresses inside, but it is used for point to point links for small ISP-s to not waste 50% of address space.

Some vendors support /31 subneting, but CP on SMB-s unfortunately is not one of them.

Maybe in some next SW release.

Anyhow thanks for your help.

BR

Mario

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 10:34 AM
In response to Siljo
Jump to solution

Yes, exactly.

Cheers,

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-11-16 11:32 AM
In response to the_rock
Jump to solution

The high address in a network block is reserved for broadcast. What a lot of people seem to miss is this is also the reason the low address in a network block is reserved. Before IP broadcast was standardized in RFC 919 in late 1984, some vendors had introduced their own implementation of broadcast using the low address. It's still commonly reserved today to avoid conflicting with implementations from the 80s (like old mainframes which tend to be business-critical to big companies). Thus, a /31 network could be considered to contain two broadcast addresses. Broadcast actually means "everyone in this network except me", so two broadcast addresses could uniquely identify two hosts.

RFC 3021 standardized use of 31-bit IPv4 network blocks in late 2000.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 11:43 AM
In response to Bob_Zimmerman
Jump to solution

I still dont see the logic as to why /31 works on regular Gaia and not on embedded version. Maybe someone from CP can clarify the reason, unless its internal info only...

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-11-16 12:51 PM
In response to the_rock
Jump to solution

It'll be a bug in the configuration validation logic. The part which takes "set interface eth1 ipv4-address 10.20.30.40 mask-length purple" and tells you "Purple isn't a valid netmask, dummy!"

The Linux network stack has supported 31-bit netmasks since somewhere in 2.5, so it's very unlikely to be something lower level. You can almost certainly use ifconfig to set the interface to a 31-bit mask by hand (ifconfig eth5 10.20.30.40 net mask 255.255.255.254), it just won't survive reboot thanks to clish.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-11-16 01:37 PM
In response to Bob_Zimmerman
Jump to solution

Agree, thats true. Anyway, would like to see if there is an official CP answer to all this : - )

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-16 02:16 PM
Jump to solution

Seems like this has happened before: https://community.checkpoint.com/t5/SMB-Gateways-Spark/WAN-interface-on-1590-with-31-Subnet-Mask/m-p... 
Please consult with the TAC: https://help.checkpoint.com 

0 Kudos
Siljo
Participant
‎2023-11-20 05:52 AM
In response to PhoneBoy
Jump to solution

Finally it works.

All the time I was trying to configure /31 on local network port.

This is not working, configuration is not accepted by SMB.

But when same port is configured as Internet connection from GUI then SMB accepts /31 network for that port.

Problem solved 😉

Anyhow many thanks for help.

Br

Mario

(1)
the_rock
MVP Gold
MVP Gold
‎2023-11-20 05:55 AM
In response to Siljo
Jump to solution

Learned something new today, though I rarely work on SMB appliances, thats good to know.

Thanks mate

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-20 03:16 PM
In response to Siljo
Jump to solution

That kind of makes sense since you only typically use a /31 on an Internet-facing device.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events