
Traffic cannot reach default gateway



I've got the following lab environment.

Security Gateway with two interfaces

eth0 (external) - on subnet with default gateway at

eth1 (internal) - on subnet

Security Management Server that sits on an internal network with IP address of

and Windows 10 host that also sits on an internal network with IP address of


The problem is that devices on the internal network are not able to break out from the local subnet (

Devices on the internal network use SG ( as their default gateway, but traffic is not being passed to the default gateway of SG (

I am able to ping and break out to the Internet from SG, and the policy that's currently applied only has one statement that allows traffic from all sources going to all destinations for all services.


Hope this makes sense. Please let me know if you need any additional information.

Any advice will be much appreciated 🙂

4 Replies

What do you use for the lab? Physical, virtual? What is the version in use? Do you have at least one accept rule for your internal traffic? NAT? How do you know you cannot "break out of internal network"? Traces on the FW? Anything else?


Hi Val, thanks for the quick reply.

It's a virtual lab on VMware Workstation 16, and it's Gaia R80.10.

There is only one rule in place that allows all traffic going from all sources to all destinations for all services.

The firewall has a bridged connection to the physical NIC and the external interface has an IP address from my home subnet ( There is no NAT.

The firewall has a default gateway in the routing table, and I'm able to ping Google's DNS server directly from the firewall (see below).


MKUJ-CP-SG> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive

S via, eth0, cost 0, age 24387
C is directly connected, eth1
C is directly connected, lo
C is directly connected, eth0


MKUJ-CP-SG> ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=116 time=27.3 ms
64 bytes from icmp_seq=2 ttl=116 time=29.4 ms
64 bytes from icmp_seq=3 ttl=116 time=28.9 ms
64 bytes from icmp_seq=4 ttl=116 time=29.5 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 27.360/28.845/29.583/0.896 ms


However, when I do a traceroute from my Windows 10 VM, which sits behind the firewall, I can see that the packet gets to the internal interface and doesn't get forwarded further.


C:\Users\Michal>tracert -d

Tracing route to over a maximum of 30 hops

1 <1 ms <1 ms <1 ms
2 * * * Request timed out.


This traffic shouldn't be blocked by any rule since there is only one rule allowing all access. And since the destination is outside of my local network, I would expect the next hop to be my firewall's default gateway (


>>There is no NAT

That is your problem then.

Traffic is most probably being forwarded out by the FW, but without NAT, it cannot be returned properly. 

I suggest you look into our Check Point for Beginners series, we explain the full lab settings there, including required policy, tracing, etc. Also, we even have virtual labs there, with video guidance. 


You pointed me in the right direction, and honestly, I should've known better 🙂

The problem wasn't with NAT but with the missing route pointing to the subnet that sits behind the firewall (; traffic was able to exit my lab network but couldn't find its way back.


The solution was to either add a static route on my Windows host directly or on the default gateway and point all traffic destined for my lab subnet back to the firewall.

Thanks a lot for your help.

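The two diagnoses in this thread (Val's "without NAT it cannot be returned properly" and the actual fix, a missing return route on the home gateway) are both about the reply path, and a longest-prefix-match trace makes the difference visible. The script below is an added example, not code from the thread or from Check Point; every address in it is constructed (RFC 1918 ranges) and stands in for the ones the post elides, and the node names (win10, sg, home_gw) are assumptions. It traces the forward path to an Internet address, then shows where the home gateway sends the reply in three situations: no NAT and no return route (the reply leaves via the WAN and is lost), after the static route from the final post is added, and with hide NAT behind the SG's external address (the reply lands on a directly connected address, so no extra route is needed).

```python
"""Forward/return path trace for the lab in the thread (added example).

Constructed addresses (RFC 1918), assumed for illustration only:
  lab subnet behind the firewall   10.10.10.0/24, Windows 10 host 10.10.10.20
  SG internal interface eth1       10.10.10.1
  SG external interface eth0       192.168.1.50
  home subnet / default gateway    192.168.1.0/24 / 192.168.1.1
"""
import ipaddress

LAB = ipaddress.ip_network("10.10.10.0/24")
HOME = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WIN10, SG_ETH1, SG_ETH0, HOME_GW = "10.10.10.20", "10.10.10.1", "192.168.1.50", "192.168.1.1"


def route_lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop, iface), ...].
    next_hop None means the prefix is directly connected on iface."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return None if best is None else (best[1], best[2])


def build_lab(return_route=False):
    """Routing tables of the three lab nodes. 'isp' is a placeholder next hop
    for anything beyond the home gateway's WAN side."""
    nodes = {
        "win10": {"addrs": {WIN10},
                  "routes": [(LAB, None, "eth0"), (ANY, SG_ETH1, "eth0")]},
        "sg": {"addrs": {SG_ETH1, SG_ETH0},
               "routes": [(LAB, None, "eth1"), (HOME, None, "eth0"), (ANY, HOME_GW, "eth0")]},
        "home_gw": {"addrs": {HOME_GW},
                    "routes": [(HOME, None, "lan"), (ANY, "isp", "wan")]},
    }
    if return_route:
        # The fix from the thread: tell the home gateway the lab subnet is behind the SG.
        nodes["home_gw"]["routes"].insert(0, (LAB, SG_ETH0, "lan"))
    return nodes


def owner(nodes, ip):
    """Lab node that owns this address, or None if it is outside the lab."""
    for name, node in nodes.items():
        if ip in node["addrs"]:
            return name
    return None


def trace(nodes, start, dst, max_hops=8):
    """Hop-by-hop path of a packet to dst, starting at node `start`. The last
    element is 'delivered', 'upstream' (left via the home gateway's WAN, i.e.
    lost for a private destination), 'no-route' or 'unreachable'."""
    path, node = [], start
    for _ in range(max_hops):
        path.append(node)
        if dst in nodes[node]["addrs"]:
            return path + ["delivered"]
        hit = route_lookup(nodes[node]["routes"], dst)
        if hit is None:
            return path + ["no-route"]
        next_hop, _iface = hit
        if next_hop is not None and owner(nodes, next_hop) is None:
            return path + ["upstream"]
        next_node = owner(nodes, dst) if next_hop is None else owner(nodes, next_hop)
        if next_node is None:
            return path + ["unreachable"]  # connected subnet, but no such host
        node = next_node
    return path + ["loop"]


if __name__ == "__main__":
    lab = build_lab()
    print("forward, win10 -> 8.8.8.8      :", trace(lab, "win10", "8.8.8.8"))
    # The reply re-enters at the home gateway addressed to the packet's source.
    print("reply, no NAT, no return route :", trace(lab, "home_gw", WIN10))
    print("reply, static route added      :", trace(build_lab(True), "home_gw", WIN10))
    print("reply, hide NAT behind SG eth0 :", trace(lab, "home_gw", SG_ETH0))
```

With the constructed addresses above, the static route from the final post would be `route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.50` on the Windows host, or `ip route add 10.10.10.0/24 via 192.168.1.50` on a Linux home gateway; the trace shows why either one, or hide NAT on the SG, turns the "upstream" result into "delivered".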


