I am reaching out to explore the possibility of configuring multiple public IP addresses on the WAN port of our device (SMB QUANTUM SPARK™ 1800 SECURITY GATEWAYS). Currently, we have a single public IP address (x.x.x.1) but our ISP has provided us with a range of x.x.x.1-5. I am curious to know if it's feasible to assign these additional IP addresses to our WAN interface, and what potential limitations or specific requirements might exist for such a setup.
Photo of how the configuration looks in the WebUI and which device we have.
Ideally, we're looking to segment our network so that one portion of our internal network utilizes one public IP address, while another portion uses a different public IP. The goal is to optimize and secure our network operations (Internal IP 192.168.1-100.0 for Public x.x.x.1 and 192.168.101-255.0 for Public x.x.x.2), in addition to enhancing management and control over our network traffic.
Could anyone provide insights on how we might achieve this configuration? I am interested in any specifications, steps, or recommendations that could assist us in implementing this functionality.
Thank you in advance for your help and guidance.
Is it centrally managed?
Basically, you don't configure it on the WAN interface for that; you only create NAT rules to hide specific internal ranges behind specific public IP addresses, and that should give you the result you are asking for.
You might need to configure proxy ARP for those new addresses behind the MAC address of your WAN interface.
https://support.checkpoint.com/results/sk/sk114531
Thank you @the_rock and @AmirArama.
We manage our device locally through the WebUI.
Does your advice still apply even though we have a locally managed device?
Additionally, I find myself a bit confused about the correct configuration for the WAN port address. Should it encompass a network range or be configured as a single WAN address?
I also want to ensure my understanding is correct regarding the setup of NAT rules for internet routing. My interpretation is that internal network A should be mapped to Public IP A1 and internal network B to Public IP B1, facilitating clear routing directions. Could you please provide further clarification or guidance on this matter?
I believe it would apply, but will let @AmirArama confirm. What do you mean by single wan address or range? It all depends how your provider assigned it...if range is say /29, then subnet would be 255.255.255.248.
Best,
Andy
I'm less experienced with the locally managed. However, the idea is the same for every networking device.
To be more specific, if the additional pool you received from the ISP is in the same subnet as the WAN interface IP, then as @the_rock mentioned you configure the WAN interface with the appropriate subnet that includes all the pool and configure the mentioned proxy ARP.
But if the additional pool is in a different subnet, then on the WAN interface you configure the point-to-point IP and subnet between your device and the ISP. And you don't need to configure proxy ARP. Instead, verify with your ISP that they route the additional pool towards your WAN IP as a next hop.
I'm not sure why you want to hide each subnet behind a different public IP, but it's up to you. The routing is irrelevant, only the one default route you have on your WAN interface, assuming you have only one ISP.
Totally agree with that. @winuser, as Amir mentioned, say if you had 2 ISP links, then obviously your DG for the 2nd link would be different, but no need to hide each subnet behind a different public IP.
Andy
That's it, exactly what @AmirArama said. For a regular Gaia fw, I believe you would just add an alias interface tied to an actual physical interface.
Best,
Andy
I have only 1 WAN port
OK. I will try to describe the situation.
From ISP I've got Public IP range f.e.: 172.16.189.0/29 (172.16.189.1-6).
ISP GW for me is: 172.16.189.1
Public IPs for me: 172.16.189.2-6 (5 Public IPs) with GW 172.16.189.1
Now, I have multiple VLANs or LANs for easy understanding: LAN1 - 192.169.190.0/24 - Management Network, LAN2 - 192.168.191.0/24 - Production LAN
And I want to translate all these networks to different Public IPs like this:
192.168.190.0/24 -> 172.16.189.2
192.168.191.0/24 -> 172.16.189.3
Thank you all for your time and advice @the_rock, @AmirArama. I have found another post where this issue was addressed using NAT rules. It's still unclear to me why two different NAT rules are necessary, but I think this post is solved. Thank you once again.
https://community.checkpoint.com/t5/SMB-Gateways-Spark/Add-2-IP-in-the-same-WAN-internet-connection-...
For sure, NAT will always be a solution for anything source or dst translated.
Best,
Andy
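Added example, not part of the thread and not Check Point configuration syntax: a small Python planner that applies the same-subnet versus different-subnet rule from the replies to the /29 addressing posted above, giving one hide-NAT rule per internal network and what makes each public address reachable. The function name, the `reach` labels and the choice of 172.16.189.2/29 as the WAN interface address are assumptions for illustration.

```python
import ipaddress

def plan_hide_nat(wan_if, isp_gw, mappings):
    """Plan one hide-NAT rule per internal network and say what, if anything,
    must make the chosen public address reachable on the WAN side."""
    wan = ipaddress.ip_interface(wan_if)
    gw = ipaddress.ip_address(isp_gw)
    if gw not in wan.network:
        raise ValueError(f"gateway {gw} is outside WAN subnet {wan.network}")
    # Addresses on the WAN subnet that can never be used as a hide address.
    reserved = {wan.network.network_address, wan.network.broadcast_address, gw}
    plan, seen = [], []
    for internal, public in mappings:
        net = ipaddress.ip_network(internal)
        pub = ipaddress.ip_address(public)
        # Overlapping sources would make it ambiguous which rule applies.
        if any(net.overlaps(other) for other in seen):
            raise ValueError(f"{net} overlaps another source network")
        seen.append(net)
        if pub in reserved:
            raise ValueError(f"{pub} is the network, broadcast or ISP gateway address")
        if pub == wan.ip:
            reach = "own-address"   # interface already answers ARP for it
        elif pub in wan.network:
            reach = "proxy-arp"     # same subnet: answer ARP with the WAN MAC
        else:
            reach = "isp-route"     # other subnet: ISP routes it to the WAN IP
        plan.append({"source": str(net), "hide_behind": str(pub), "reach": reach})
    return plan

# Constructed input based on the addressing posted in the thread.
SAMPLE = [("192.168.190.0/24", "172.16.189.2"),
          ("192.168.191.0/24", "172.16.189.3")]

if __name__ == "__main__":
    # Assumption: the WAN interface itself is configured as 172.16.189.2/29.
    for rule in plan_hide_nat("172.16.189.2/29", "172.16.189.1", SAMPLE):
        print(rule)
```

Each planned entry corresponds to one source-NAT rule, which is why two internal networks hidden behind two different public addresses need two rules.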