This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Amir_Arama
Advisor
‎2018-08-22 06:07 AM

Weird Networking configuration Question

Hi,

it might be dummy question, just thinking out loud, maybe someone knows a way of making this work.

I have a FW with Lan interface (let's say eth0) with address: 192.168.1.254/16 (note the subnet)

this network includes servers, PCs, Printers etc.. now i'm required to do segmentation inside this network.

i want to keep this address range (not use 172.16./10.x.x.x.).

i thought of how can i accomplish this step at a time, without taking down the whole network to maintanance.

my quesion is as follows:

if i will create new interface (eth2) with address 192.168.2.254/24 and i will move some servers to this network.

1. is it supported to create interface with address that included/conflicted with other interface?

2.i need that the PCs and other Servers/devices still located on 192.168.0.0/16 network to keep communicating with the servers moved to 192.168.2.0/24 network. so i think how it might work is that FW should know to reply to arp request to servers on 192.168.2.0, and to respond on behalf (proxy arp) and then move the packet to 192.168.2.0 int, and packets to 192.168.0.0 expect from 192.168.2.0 will go to the 192.168.0.0/16 int. and also on the opposite direction that arp request to 192.168.3.0 for example from within 192.168.2.0 will respond by the fw and let the communication occur.

is anyone knows a way to make this happen ?

thanks

0 Kudos
3 Replies
Amir_Arama
Advisor
‎2018-08-22 07:27 AM

ok i can see that gaia not allow to configure this right on the interface config. it says that the address conflicts with destination network of interface (the original class b int)

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-08-22 10:49 AM

the only way to do these type of things is by using a layer 3 device in between the GW and the new network, so on eth2 you use a network 100.64.64.0/29 and connect that interface to a router/layer-3 switch.

Then you story remains the same, create proxy arps for each used IP in the 192.168.2/24 on eth0.

It also depends on the part on the /16 really being used, if only the bottom half of the /16 is used you can change the eth0 interface to a /17 and then add a new range in the top half. If 3/4 of the /16 is used you set a primary IP of 192.168.0.0/17 and add an alias for 192.168.128.0/18, then you have the top quarter available.

Regards, Maarten
0 Kudos
Amir_Arama
Advisor
‎2018-08-22 11:48 PM
In response to Maarten_Sjouw

Yeah, those are the conclusions i also came up with yesterday.

Thank you!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top