SMB Default gateway

Moudar

Hi

netstat -r shows this:

Gateway-ID-7FB7C2DC> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         ua-113-13-192- 0.0.0.0         UG        0 0          0 WAN
90.254.144.124  *               255.255.255.255 UH        0 0          0 vpnt10
192.168.3.0     *               255.255.255.0   U         0 0          0 LAN1
192.168.4.10    *               255.255.255.255 UH        0 0          0 vpnt10
113.113.192.0   *               255.255.224.0   U         0 0          0 WAN

I need 90.254.144.124 to be my default gateway, I don't know how to configure that! I used, add static route and, set static route and this is what I got:

show static-routes table
id   disabled   destination          source               service   ipv4-address     monitored-server-1monitored-server-2monitored-server-3monitoring-mode  interface   logical          metric    priority   comment
1    false                                                          90.254.144.124                                                      off                                           102       0
2    false      90.254.144.124/32                                                                                                       off              vpnt10      vpnt10           10        0

My SMB is connected to a central office via a VTI and the central office external IP needs to be the default gateway of SMB. SMB IP is dynamic, the 113.113.* IP is the dynamic IP of my SMB

Still when I do i traceroute I don't see my central office IP, it shows directly the default gateway of my dynamic IP (my ISP router)

The community is configured like this:

any ideas!

Chris_Atkinson

You probably want to do a couple of things here

1. Ensure the VPN peer IP (and any break glass IP etc) is routed/reachable outside the tunnel.

2. Configure your default route e.g.

add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z

3. If you still encounter problems try disabling the default use of the Internet connection as the default gateway. As I recall this is controlled via:

set internet-connection "<name>" route-traffic-through-default-gateway {true | false}

CCSM R77/R80/ELITE

Moudar

add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z, you need to add a metric between 101-200, giving 101 to this command is rejected

"Could not set static route metric: the metric of a default route must be unique, and cannot be same as of an existing internet connection priority "

I get that message even if internet connection route-traffic-through-default-gateway is disabled?!

adding priority example 102 then the command is accepted but the gateway looses internet connection

Deleting the internet connection and adding new one, It seems to be not allowed to add a default gateway to an internet connection when it is type "DHCP"

so what should be done here?

Do I need to configure the DDNS to be able to set the default gateway as needed?

the_rock

If you type ? mark at the end of that command, should give you options available.

PhoneBoy

If your WAN IP is DHCP, then, yes, it will control the default route by design.
You can create multiple more specific routes that point to the VTI.
For example:

add static-route destination 0.0.0.0/1 nexthop gateway ipv4-address W.X.Y.Z
add static-route destination 128.0.0.0/1 nexthop gateway ipv4-address W.X.Y.Z

Moudar

0.0.0.0/1 seems to work fine beside the default route to the ISP

I still got 2 problems:

SMS is unreachable on SMB! but still fetch policy works fine?!

+

The other problem is that my PC behind SMB does not get internet, it is connected to port 1 (192.168.3.1) on SMB. My PC has SMB as its default gateway, My PC is getting 192.168.3.2.

the_rock

Maybe do some basic captures to see why mgmt server is not reachable.

Andy

PhoneBoy

By default, traffic related to SIC does not go over VPN.
This requires several changes to accomplish and is generally NOT recommended.

Based on your current routing configuration, it's probably trying to do that...and failing.
You might need to create a static route towards your SMS public IP that goes out your regular default route.

As far as other troubleshooting, I would suggest using fw monitor with the -F option to specify appropriate filters (to account for traffic in both directions): https://support.checkpoint.com/results/sk/sk30583
This will at least give us an idea of where we need to look next.

Chris_Atkinson

Sorry that I wasn't specific enough in my earlier reply and references to break glass subnets and such.
Management should also be routed outside the VPN and would need to be externally accessible via a NAT.

CCSM R77/R80/ELITE

Moudar

Is there any way to "save config" on SMBs, or it does not need to manually save?

the_rock

There is not and no need either.

Andy

Moudar

this SMB device is working correctly now, but still on SMS shows red cross, I wonder why?

Lesley

would be hulpfull to share the full error message of the red cross.

-------
If you like this post please give a thumbs up(kudo)! 🙂

Moudar

That is the problem: There is no error message but still red cross!

Chris_Atkinson

This is not uncommon for DAIP Spark gateways in my experience.

Will see if I can find the reference or SK that discusses it and share it here.

Why are DAIP gateways never really shown as connec... - Check Point CheckMates

CCSM R77/R80/ELITE

the_rock

Maybe TAC can confirm, but it could be expected, since its DAIP.

Chris_Atkinson

Known Limitation:

CCSM R77/R80/ELITE

Are you a member of CheckMates?

SMB Default gateway