Hi
netstat -r shows this:
Gateway-ID-7FB7C2DC> netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default ua-113-13-192- 0.0.0.0 UG 0 0 0 WAN
90.254.144.124 * 255.255.255.255 UH 0 0 0 vpnt10
192.168.3.0 * 255.255.255.0 U 0 0 0 LAN1
192.168.4.10 * 255.255.255.255 UH 0 0 0 vpnt10
113.113.192.0 * 255.255.224.0 U 0 0 0 WAN
I need 90.254.144.124 to be my default gateway, but I don't know how to configure that! I used add static route and set static route, and this is what I got:
show static-routes table
id disabled destination source service ipv4-address monitored-server-1 monitored-server-2 monitored-server-3 monitoring-mode interface logical metric priority comment
1 false 90.254.144.124 off 102 0
2 false 90.254.144.124/32 off vpnt10 vpnt10 10 0
My SMB is connected to a central office via a VTI, and the central office external IP needs to be the default gateway of the SMB. The SMB IP is dynamic; the 113.113.* IP is the dynamic IP of my SMB.
Still, when I do a traceroute I don't see my central office IP; it shows directly the default gateway of my dynamic IP (my ISP router).
The community is configured like this:
Any ideas?
You probably want to do a couple of things here:
1. Ensure the VPN peer IP (and any break glass IP etc) is routed/reachable outside the tunnel.
2. Configure your default route e.g.
add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z
3. If you still encounter problems try disabling the default use of the Internet connection as the default gateway. As I recall this is controlled via:
For add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z, you need to add a metric between 101 and 200; giving 101 to this command is rejected:
"Could not set static route metric: the metric of a default route must be unique, and cannot be same as of an existing internet connection priority "
I get that message even if internet connection route-traffic-through-default-gateway is disabled?!
Adding priority 102, for example, makes the command accepted, but then the gateway loses its internet connection.
Deleting the internet connection and adding a new one: it seems not to be allowed to add a default gateway to an internet connection when its type is "DHCP".
So what should be done here?
Do I need to configure the DDNS to be able to set the default gateway as needed?
If you type a ? mark at the end of that command, it should give you the options available.
If your WAN IP is DHCP, then, yes, it will control the default route by design.
You can create multiple more specific routes that point to the VTI.
For example:
0.0.0.0/1 seems to work fine alongside the default route to the ISP.
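As an added illustration of the two pieces of advice above (route the VPN peer and the management server outside the tunnel; override a DHCP-controlled default route with more specific routes to the VTI), this is a small longest-prefix-match simulation, not code from the thread or from Check Point. It assumes 128.0.0.0/1 as the companion to the 0.0.0.0/1 route mentioned above, and the SMS public IP and ISP gateway are constructed placeholders.

```python
# Added example: longest-prefix-match lookup over a routing table modelled on the
# thread, showing why two /1 routes to the VTI win over the DHCP-installed default
# while /32 host routes for the VPN peer and the SMS still leave via the WAN.
import ipaddress

# 90.254.144.124 is the central-office peer from the thread; 203.0.113.10 is a
# constructed SMS public IP (RFC 5737 TEST-NET-3). 128.0.0.0/1 is assumed as the
# second half needed to cover all of IPv4 alongside 0.0.0.0/1.
ROUTES = [
    ("0.0.0.0/0", "WAN (ISP gateway, installed by DHCP)"),
    ("0.0.0.0/1", "vpnt10"),
    ("128.0.0.0/1", "vpnt10"),
    ("90.254.144.124/32", "WAN"),   # VPN peer must stay reachable outside the tunnel
    ("203.0.113.10/32", "WAN"),     # constructed SMS public IP, routed outside the VPN
    ("192.168.3.0/24", "LAN1"),
    ("192.168.4.10/32", "vpnt10"),
]

def lookup(dst, routes=ROUTES):
    """Return the next hop for dst using longest prefix match (ties: first listed)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def halves_cover_ipv4(routes=ROUTES):
    """True if the /1 routes together cover all of IPv4, leaving nothing to the default."""
    halves = [ipaddress.ip_network(p) for p, _ in routes
              if ipaddress.ip_network(p).prefixlen == 1]
    return sum(n.num_addresses for n in halves) == 2 ** 32

if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.1.1", "90.254.144.124", "203.0.113.10", "192.168.3.2"):
        print(f"{dst:>16} -> {lookup(dst)}")
    print("/1 routes cover all of IPv4:", halves_cover_ipv4())
```

Internet-bound traffic is steered into the VTI by the /1 routes even though the default route still points at the ISP, which is why the SMB keeps its DHCP-managed default and the peer and SMS host routes must exist to avoid routing the tunnel endpoint into the tunnel.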
I still have 2 problems:
The SMS is unreachable from the SMB, but fetch policy still works fine?!
Plus, the other problem is that my PC behind the SMB does not get internet. It is connected to port 1 (192.168.3.1) on the SMB; my PC has the SMB as its default gateway and is getting 192.168.3.2.
Maybe do some basic captures to see why the mgmt server is not reachable.
Andy
By default, traffic related to SIC does not go over VPN.
This requires several changes to accomplish and is generally NOT recommended.
Based on your current routing configuration, it's probably trying to do that...and failing.
You might need to create a static route towards your SMS public IP that goes out your regular default route.
As far as other troubleshooting, I would suggest using fw monitor with the -F option to specify appropriate filters (to account for traffic in both directions): https://support.checkpoint.com/results/sk/sk30583
This will at least give us an idea of where we need to look next.
Sorry that I wasn't specific enough in my earlier reply and references to break glass subnets and such.
Management should also be routed outside the VPN and would need to be externally accessible via a NAT.
Is there any way to "save config" on SMBs, or does it not need to be saved manually?
There is not, and no need either.
Andy
This SMB device is working correctly now, but the SMS still shows a red cross. I wonder why?
It would be helpful to share the full error message of the red cross.
That is the problem: there is no error message, but still a red cross!
This is not uncommon for DAIP Spark gateways in my experience.
Will see if I can find the reference or SK that discusses it and share it here.
Why are DAIP gateways never really shown as connec... - Check Point CheckMates
Maybe TAC can confirm, but it could be expected, since it's DAIP.
Known Limitation: