Dr_Steve_Brule
Participant

Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Hi all,

I have a couple of SMB 1500 devices set up for various home users.  We set these devices up with the ability to sit on their private network at home, so the appliance is set up as a DAIP gateway with a private DHCP address from their home network on the WAN interface of the SMB (did this to make it easy on the end user so they can just plug in the device at home and have the flexibility to move the device around).

Once they get plugged in, IPSEC VPN is configured and it will create a tunnel to the main site and have connectivity.

One limitation I found on the appliance itself - I'd like to send services such as DNS, NTP, ICMP from the appliance itself down the tunnel using the LAN IP of the appliance instead of the WAN IP.  Currently, those requests are being sent down the tunnel using the WAN IP, which could be any private IP on the home user's network.  I don't want to define the user's home networks as part of the encryption domain, so if there is some kind of workaround to use the SMB's LAN IP to send those requests, that'd be great.  Any ideas on this?

0 Kudos

5 Replies
Chris_Atkinson
Employee

In Advanced Settings search for "source" and you should find applicable options to assist, i.e.

"Use internal IP address for encrypted connections from local gateway"

CCSM R77/R80/ELITE
0 Kudos
CaseyB
Advisor

Is there something similar for the 1430s? Searching for similar terms in Advanced Settings is telling me no.

0 Kudos
Dr_Steve_Brule
Participant

CaseyB - See my reply to Chris above.  Mine is centrally managed...may be a difference between centrally and locally managed gateways...

0 Kudos
Dr_Steve_Brule
Participant

Forgot to mention - this is a centrally managed gateway.  Per https://community.checkpoint.com/t5/SMB-Gateways-Spark/R80-20-15-Locally-Managed-Advanced-Settings/t... it looks like "VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway" is a valid option for locally managed SMBs.  Hoping there may be something in GUIDBEdit for centrally managed...

0 Kudos
Dr_Steve_Brule
Participant

Found it - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Centrally Managed Solution:

Firmware R77.20.80 and higher (SMB-4577) adds the same functionality for Centrally Managed Devices.

In order to enable the feature a kernel parameter should be used - fw ctl set int fw_enc_conns_use_internal 1
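
A small shell helper to apply the kernel parameter from the accepted solution and confirm the gateway reports it as set. This is an added example, not code from the thread or from Check Point; it assumes a Check Point gateway shell where the "fw ctl" command is available, uses the parameter name fw_enc_conns_use_internal quoted above, and assumes that "fw ctl get int" prints its result as "name = value" (the parsing function is written for that format). Whether a value set at runtime with "fw ctl set int" survives a reboot is not stated in the thread, so the script re-reads the value rather than trusting the set command and should be re-run after a reboot to confirm.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): apply the kernel
# parameter named in the accepted solution and verify the gateway reports it.
# Assumes a Check Point gateway shell where `fw ctl` exists; the parameter
# name fw_enc_conns_use_internal comes from the thread.

PARAM="fw_enc_conns_use_internal"

# Parse one line of `fw ctl get int <param>` output, assumed to look like
#   "fw_enc_conns_use_internal = 1"
# and print just the numeric value (prints nothing if the line does not match).
param_value() {
    printf '%s\n' "$1" | sed -n "s/^${PARAM}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p"
}

# Return 0 when the parsed value equals the expected value, 1 otherwise.
check_param() {
    [ "$(param_value "$1")" = "$2" ]
}

# Apply the runtime setting, then re-read it from the kernel instead of
# trusting the exit status of `fw ctl set int`. Runtime kernel settings are
# not guaranteed to survive a reboot; confirm the persistence mechanism for
# your firmware version and re-run this check after the next reboot.
apply_and_verify() {
    fw ctl set int "$PARAM" 1 || return 1
    out="$(fw ctl get int "$PARAM")"
    if check_param "$out" 1; then
        echo "OK: $out"
    else
        echo "FAILED to confirm $PARAM is 1, gateway reports: $out" >&2
        return 1
    fi
}

# Only touch the gateway when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_and_verify
fi
```

Run it with the "apply" argument on the gateway; without an argument it only defines the helpers, so the parsing and checking functions can be exercised safely off-box with constructed output lines.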
