Static routing conflict with selective DNAT/SNAT o...

perfect4situa

Hi everyone,
I’m working with a centrally managed Check Point Spark appliance running R81.10.17 (latest build) in a multi‑ISP environment.
I need to configure manual DNAT/SNAT for specific services using a secondary public IP from a secondary ISP, while ensuring that:

Only traffic toward the Internet is NATted
Internal traffic or traffic toward other routed networks is not NATted
Outbound traffic for a specific internal host uses the secondary ISP only

✅Goal

For a specific internal host:

Translate it to a specific secondary public IP (SNAT)
Allow external services to reach it via DNAT
Force this traffic to use the secondary ISP via a dedicated static route when going to internet
Avoid affecting any other traffic or internal routed networks

⚠️Problem

To make outbound traffic use the secondary ISP, I created a static route on the firewall such as:

Destination: Any  
Gateway: Secondary ISP gateway

However, when the route uses destination = Any, another issue appears:

✅Traffic toward the Internet correctly uses the secondary ISP
❌BUT traffic coming from devices reachable via other static routes
(e.g., internal routed networks or specific internal subnets)
is also sent out to the Internet instead of being forwarded to the correct internal interface.

It looks like the Any → secondary ISP route overrides more specific static routes, even though normally specific routes should take precedence.

❓Question

Is it correct to fix this using route weights/metrics, or is there a better technique?

I’m trying to understand whether I should:

Adjust route priority / metric / weight
Or if Spark appliances require a different approach for multi‑ISP selective routing when manual NAT is involved

➜ Additional details

NAT is configured manually (and also with hide‑all networks flag enabled)
The public IP used for DNAT/SNAT is not the interface IP but another public IP belonging to the same ISP subnet
Manual NAT itself works
The routing is what breaks internal‑to‑internal flows
I want to ensure:
- Only Internet flows use the secondary ISP
- Internal routed networks keep following their static routes
- DNAT/SNAT is applied only when traffic matches the specific host/service

✅What I’m asking the community

How do you correctly force only Internet traffic for a specific host to use a secondary ISP without breaking other static routes?
Should route metrics be modified, or is policy‑based routing (PBR) required?
Are there recommended best practices for multi‑ISP selective NAT and routing on Spark appliances?

Any suggestions, experiences, or best‑practice examples would be greatly appreciated.

Thanks in advance!

PhoneBoy

How do you have the relevant routes configured?

perfect4situa

Route for Internet:

Internet Route

Route for LAN:

LAN Route

NAT Configuration

DNAT

Original Source:      Any
Original Destination: <Secondary Public IP>
Service:              <Service Group>

Translated Source:    Original
Translated Destination: 172.20.15.3
Translated Service:   Original

SNAT

Original Source:      172.20.15.3
Original Destination: Any
Service:              Any

Translated Source:    <Secondary Public IP>
Translated Destination: Original
Translated Service:   Original

PhoneBoy

Maybe create a single route with source 172.20.15.3, destination 172.18.9.0/24 and secondary WAN as the next hop?
To be clear, this would be in addition to the routes you already have.

perfect4situa

I think I’m close to the solution, but I’m not sure this is the correct or optimal approach.
I changed my setup, the route to the WAN has destination any and a specific source host, while the static route to the internal LAN has a specific destination network and source any. This causes the WAN route to be evaluated first, even with a higher metric (10) than the LAN static route (metric 0).

To work around this, I added an additional static route to the internal LAN with priority 0, which correctly overrides the WAN route. However, this would require creating extra static routes for every internal network that already has a global static route (source any). I also had to adjust the SNAT so that the destination is only the external zone instead of any.

Is this configuration considered correct, or is there a better way to handle this scenario?

PhoneBoy

Do the routes look like the one I suggested?
That might be the only way to do it, though perhaps you could do it with fewer routes through supernetting.

perfect4situa

Thanks for the suggestion.
In my setup, the static routes are slightly different from the ones you described. Below is the configuration that actually works for me. I also integrated the required supernetting to avoid routing conflicts and to make sure the correct egress interface is selected when DNAT/SNAT is applied.

(In the screenshot the source IP is 172.20.15.245, but you can assume it is 172.20.15.3.)

As you can see, I kept the original WAN route (third row) with destination ANY. However, in addition to the “ANY to internal network” route, I also need a dedicated route for the specific source IP. This route has a higher priority than the WAN route (first and second row), otherwise the traffic would incorrectly follow the WAN path.

PhoneBoy

Looks alright to me.
More specific routes are always going to take priority.

perfect4situa

I agree with your explanation. However, my initial assumption was that a route with a more specific destination and source set to any would take precedence over a route with source any and a single destination. That misunderstanding was actually the root cause of my issue.

I also have a couple of additional questions related to this scenario:

Can both DNAT rules be active at the same time (i.e. accept incoming connections on both ISP links)?
If so, will the return traffic always follow the same public IP/interface that was used for the incoming connection, or will it go out via the primary ISP or according to the static route configuration?
What is the correct configuration for NAT loopback (hairpin NAT) in this type of multi-ISP setup?

For these questions, would it be better to open a new post, or can they be addressed within this thread?

Thanks in advance for any clarification.

PhoneBoy

In theory, you can have both DNAT rules in place as we require a similar configuration for ISP Redundancy on non-Spark gateways.
Not sure the configuration would be different for Hairpin NAT, assuming the use case is internal hosts trying to reach an external address (based on WAN address).

perfect4situa

I believe the issue with multiple DNAT rules is that only one outbound ISP can be effectively used at a time.

How can the gateway be configured to ensure that return traffic originating from a secondary ISP is routed back through the same secondary ISP, in order to avoid asymmetric routing?

At the moment, it does not seem possible to filter routing decisions based on source or destination, and even the route configuration follows predefined precedence rules that do not align with the NAT rules.

PhoneBoy

This might be SecureXL related...see if the behavior changes with fwaccel off.

Are you a member of CheckMates?