SAM_X
Explorer

Add 2 IP in the same WAN internet connection interface

Hi Guys,

I am configuring an SMB 1590 device. I have a class of 8 public IPs that I can use from the ISP, and I want to add 2 public IPs to the same WAN internet connection interface, but I get the error "IP address is in the subnet of an existing network".

Can someone Please help on this issue?


0 Kudos
18 Replies
Sorin_Gogean
Advisor

Hey,


What would be the reason you want to do that?

If you want to use the 2nd IP for NAT-ing traffic from certain users, it is not needed to be defined on the box, as long as it's routed properly.

Thank you,

PS: not sure if an SMB differs too much from a 15600 GW, but for us it is working fine.

0 Kudos
PhoneBoy
Admin

In this case, it’s no different between SMB and non-SMB.

0 Kudos
SAM_X
Explorer

Hey

I'm getting to the point. So it is not possible to add two public IPs to the same interface?

I'm using the chp firewall as a router in my case. The optic fiber is connected directly to the appliance.

What do you recommend?

Thanks

0 Kudos
PhoneBoy
Admin

No, it's not possible.
What is it you are trying to do that you think adding a second WAN IP would be the solution for?

0 Kudos
Sorin_Gogean
Advisor

I hate it when I get half answers, but still I'll ask again like others did 😁 ..

From certain perspective we all use CKP as a router but with extra features 🤣

So again, what would be the reason you want to do that? Why do you want to get 2 IPs or 10 IPs on the WAN interface?!

Thank you,

0 Kudos
marekzima
Participant

OK. I will try to describe the situation.
From the ISP I've got a public IP range, e.g.: 172.16.189.0/29 (172.16.189.1-6).
The ISP GW for me is: 172.16.189.1
Public IPs for me: 172.16.189.2-6 (5 public IPs) with GW 172.16.189.1

Now, I have multiple VLANs or LANs for easy understanding: LAN1 - 192.169.190.1/24 - Management Network, LAN2 - 192.168.191.1/24 - Production LAN, 192.168.192.1/24 - Guests Network, 192.168.193.1/24 - DMZ.

And I want to translate all these networks to different Public IPs like this:
192.168.190.0/24 -> 172.16.189.2
192.168.191.0/24 -> 172.16.189.3
192.168.192.0/24 -> 172.16.189.4
192.168.193.0/24 -> 172.16.189.5

So not just one server or host, one by one, but the whole network I want to hide behind a different public IP.

How to do that?

I've created NAT rules; they translate correctly, but the SPARK does not react to any IP other than the one specified on the WAN interface.
I'm not able to create an ALIAS from the same WAN network to tell the SPARK "this is also your IP address".

So, what now?

0 Kudos
PhoneBoy
Admin

You need to create proxy ARPs for the relevant IPs manually.
See: https://support.checkpoint.com/results/sk/sk114531 

0 Kudos
marekzima
Participant

No 🙂
There is an easy solution.
You have to create another NAT rule where Original destination is your required WAN IP.
So, e.g.:

No.  Original Source    Original Destination  Original Service  Translated Source  Translated Destination  Translated Service
1.   192.168.191.0/24   Any                   Any               172.16.189.3       Original                Original
2.   Any                172.16.189.3          Any               Original           Original                Original

The 1st rule is about NAT from LAN to Internet, so all traffic from network 192.168.191.0/24 is NATed (masqueraded) to the IP 172.16.189.3 🙂 You have to check "Hide multiple sources behind translated source address" and also "Serve as an ARP Proxy for the original destination's IP address".

The 2nd rule will assign another IP from the WAN network to the WAN interface and will send all traffic to this address to the right destination.

That's all 🙂

Now you can repeat it for every IP assigned to you by the ISP, and you can use all public IPs as you want 🙂

0 Kudos
adamec
Contributor

Hi Marek, may I ask you about the second NAT rule? Why is it not like below? Could you please explain?

Is it because, once traffic reaches the first rule, a session is stored inside a NAT table, and once it receives communication from an external source it looks in the NAT table for the destination? Thanks

No.  Original Source    Original Destination  Original Service  Translated Source  Translated Destination  Translated Service

2.   Any                172.16.189.3          Any               Original           192.168.191.0/24        Original

0 Kudos
marekzima
Participant

Hello,

It works for NEW incoming connections as well. 🙂 So, I want to use it also for other networks on my LAN.

So, then I'm able to create NAT to any device I want in my LAN, not just for devices inside 192.168.191.0/24 🙂

You can use the 2nd WAN IP for multiple LANs; you will create just rules of type 1 (1st rule) and do not have to create another of the 2nd type 🙂

0 Kudos
adamec
Contributor

But how does incoming traffic know where to go (not initiated from the internal network) when the rule is like below?

The original destination is 172.16.189.3 and it is translated to 172.16.189.3; do I need any additional routing or something?

No.  Original Source    Original Destination  Original Service  Translated Source  Translated Destination  Translated Service
1.   192.168.191.0/24   Any                   Any               172.16.189.3       Original                Original
2.   Any                172.16.189.3          Any               Original           Original                Original

0 Kudos
marekzima
Participant

OK. There are 2 situations:

1. Hide outgoing traffic from the LAN behind another IP of the WAN (IPs assigned by the ISP)
- When a packet goes out, the router builds a NAT table entry, and the returning packet (related/established) follows the stored info in the NAT table, so the router knows where to send this returning packet.

2. Using another of the IPs in NAT (e.g. web server, mail server)
Now, the incoming packet takes a look at the NAT rules to see if there is some redirection for it. If not, the packet is dropped. If yes, the packet is forwarded according to the rule it belongs to.

0 Kudos
winuser
Contributor

Hello,

I would like to set up multiple IP addresses from the internal network in the same way. I won't have any device/server in the internal network that should be accessible from the outside. Therefore, all communication into the network must be initiated from the internal side.

For this reason, I thought that only the first rule from the following would suffice:

  1. Original Source: 192.168.191.0/24, Original Destination: Any, Original Service: Any, Translated Source: 172.16.189.3, Translated Destination: Original, Translated Service: Original
  2. Original Source: Any, Original Destination: 172.16.189.3, Original Service: Any, Translated Source: Original, Translated Destination: Original, Translated Service: Original

However, when I set up only the first NAT rule, the communication did not work until I set up the second NAT rule; then access to the internet started working. I have read through it multiple times and do not understand why it doesn't work with just one NAT rule.

As I understand it, and according to what you wrote, a device from the internal network (192.168.191.0/24) starts communication to the internet, NAT translates it to the second public IP (172.16.189.3), then when a response comes back to the second public IP (172.16.189.3) on the Check Point, it checks the NAT table, and the message should return to the correct recipient.

That should be the end of it, but still, the communication did not happen until we had the second NAT rule, even though we do not have any device in the network that new communication from the internet should reach.

0 Kudos
marekzima
Participant

Hello,

Put simply ... it looks like the 2nd rule tells the router "Hey, this is also my public IP" 🙂

I was investigating this before, and this was the reason why I put it here, to help all others 🙂 and not waste time.

The 1st rule works: the packet goes out with the new (specified) public IP address. However, the Check Point drops all packets to that IP (I did sniff that communication). So, then I added the 2nd rule, and it looks like the Check Point then knows that the packet belongs to it 🙂

So yes, just the 1st rule is not enough; both are needed to make an Internet connection via another public IP from the ISP.

Marek
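To make the behaviour described in this post and in the earlier "2 situations" post concrete, here is a small Python model I added for illustration. It is not Check Point code and does not reproduce the appliance's real connection table; it encodes the thread's observation as a modelling assumption: a rule whose Original Destination is a public IP (rule type 2) makes the gateway treat that IP as its own, so returning hide-NAT packets are accepted, while rule 1 alone leaves them dropped. It also shows the forward rule adamec asked about (rule 2 with a private Translated Destination) admitting a new inbound connection. Addresses are the thread's own example values plus constructed TEST-NET hosts (203.0.113.80, 198.51.100.7).

```python
"""Toy model of hide NAT, the 'this is also my IP' rule, and a forward rule.

Added example, not Check Point code. Rule semantics follow the thread's NAT
table columns: None means "Any" in the Original columns and "Original" in
the Translated columns.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    orig_src: Optional[IPv4Network] = None   # None = Any
    orig_dst: Optional[IPv4Address] = None   # None = Any
    xlate_src: Optional[IPv4Address] = None  # None = Original
    xlate_dst: Optional[IPv4Address] = None  # None = Original


class Gateway:
    def __init__(self, wan_ip: str, rules: List[NatRule]):
        self.rules = list(rules)
        self.owned = {ip_address(wan_ip)}  # the interface's configured IP
        # Modelling assumption taken from the thread: a rule with a public IP
        # as Original Destination makes the gateway claim that IP (proxy ARP),
        # whatever its Translated Destination is.
        for r in self.rules:
            if r.orig_dst is not None:
                self.owned.add(r.orig_dst)
        # Hide-NAT connection table: (public ip, nat port) -> original packet
        self.conn: Dict[Tuple[IPv4Address, int], Packet] = {}
        self._ports = count(10000)

    def outbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """LAN -> Internet: apply the first matching hide rule (rule type 1)."""
        for r in self.rules:
            if (r.orig_src is not None and ip_address(pkt.src) in r.orig_src
                    and r.xlate_src is not None):
                nat_port = next(self._ports)  # many LAN hosts share one public IP
                self.conn[(r.xlate_src, nat_port)] = pkt
                return "hide", Packet(str(r.xlate_src), pkt.dst, nat_port, pkt.dport)
        return "no-nat", pkt

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Internet -> WAN: decide what happens to an arriving packet."""
        dst = ip_address(pkt.dst)
        # 1. Not an IP the gateway answers for: the rule-1-only symptom.
        if dst not in self.owned:
            return "drop-not-local", None
        # 2. Reply to an existing hide-NAT connection: un-translate it.
        orig = self.conn.get((dst, pkt.dport))
        if orig is not None and orig.dst == pkt.src and orig.dport == pkt.sport:
            return "reply", Packet(pkt.src, orig.src, pkt.sport, orig.sport)
        # 3. New inbound connection: needs a forward rule with a private
        #    Translated Destination.
        for r in self.rules:
            if r.orig_dst == dst and r.xlate_dst is not None:
                return "forward", Packet(pkt.src, str(r.xlate_dst), pkt.sport, pkt.dport)
        # 4. No rule for this new connection: dropped, as the thread states.
        return "drop-no-rule", None


LAN = ip_network("192.168.191.0/24")
PUBLIC = ip_address("172.16.189.3")
HIDE_RULE = NatRule(orig_src=LAN, xlate_src=PUBLIC)                         # rule 1
LOCAL_RULE = NatRule(orig_dst=PUBLIC)                                        # rule 2 as posted
FORWARD_RULE = NatRule(orig_dst=PUBLIC, xlate_dst=ip_address("192.168.191.10"))  # adamec's variant


def scenario(rules: List[NatRule]):
    """One LAN host opens a connection, the reply comes back, then an
    unrelated outside host tries a new connection to the public IP."""
    gw = Gateway("172.16.189.2", rules)
    out_state, out = gw.outbound(Packet("192.168.191.50", "203.0.113.80", 40000, 443))
    reply = Packet(out.dst, out.src, out.dport, out.sport)
    in_state, back = gw.inbound(reply)
    new_state, fwd = gw.inbound(Packet("198.51.100.7", "172.16.189.3", 51515, 443))
    return out_state, in_state, back, new_state, fwd


if __name__ == "__main__":
    print("rule 1 only:      ", scenario([HIDE_RULE]))
    print("rules 1 + 2:      ", scenario([HIDE_RULE, LOCAL_RULE]))
    print("rules 1 + forward:", scenario([HIDE_RULE, FORWARD_RULE]))
```

With rule 1 alone the reply is dropped before the connection table is even consulted, which matches what winuser saw; with rule 2 the reply is un-translated back to 192.168.191.50, while a new inbound connection is still dropped; only the forward variant admits it to the private host.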

adamec
Contributor

Okay, I understand a bit more now. So with the second rule I tell my GW "hey, this is also my public IP". But when a connection is initiated from the outside, I also need another rule to tell my GW what private IP it should translate the incoming connection to. Am I right?

Thanks

0 Kudos
marekzima
Participant

Exactly 🙂

When a connection is initiated from outside, you need a NAT forward rule 🙂

0 Kudos
adamec
Contributor

Okay, so for example I would change NAT rule no. 2 and edit the translated destination to my desired private IP.

Thank you, I understand it now.

0 Kudos
AmirArama
Employee

Is it a locally or centrally managed GW?

It sounds like the 2nd NAT rule generates proxy ARP for this public IP, which the first rule doesn't do automatically.

You can verify it by running tcpdump on the interface facing the ISP, for example: tcpdump -nnei WAN | grep 172.16.189.3
Without the 2nd NAT rule, you will see lots of "who has 172.16.189.3 tell x.x.x.x (router)"; with the 2nd NAT rule, you will see the same "who has" once in a while, but you will also see a reply from the GW: "172.16.189.3 is at mac-address (GW)".

There are procedures to add proxy ARP manually.

0 Kudos
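The tcpdump check above is easy to eyeball on a quiet link but tedious on a busy one, so here is an added Python helper (not from the thread and not a Check Point tool) that summarises a saved capture: it counts ARP requests and replies for the secondary public IP and reports whether anyone answers. It parses the line layout tcpdump -nnei actually prints for ARP ("Request who-has A tell B" and "Reply A is-at MAC"; the post paraphrases these without hyphens). The two sample captures are constructed; the MAC addresses and timestamps are made up.

```python
"""Summarise ARP requests/replies for an IP from tcpdump -nnei output.

Added example, not Check Point code. Feed it the saved text of
`tcpdump -nnei WAN arp` (or any -nnei capture; non-ARP lines are ignored).
"""
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable

# tcpdump -nnei ARP lines look like (constructed, matching tcpdump's format):
#   <ts> <src-mac> > <dst-mac>, ethertype ARP (0x0806), length 42: Request who-has A tell B, length 28
#   <ts> <src-mac> > <dst-mac>, ethertype ARP (0x0806), length 42: Reply A is-at <mac>, length 28
REQUEST_RE = re.compile(r"Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")
REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def arp_summary(lines: Iterable[str]) -> Dict[str, dict]:
    """Per target IP: number of requests, number of replies, and the MACs that replied."""
    summary = defaultdict(lambda: {"requests": 0, "replies": 0, "answered_by": set()})
    for line in lines:
        if "ethertype ARP" not in line:
            continue
        m = REQUEST_RE.search(line)
        if m:
            summary[m.group(1)]["requests"] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            summary[m.group(1)]["replies"] += 1
            summary[m.group(1)]["answered_by"].add(m.group(2).lower())
    return dict(summary)


def proxy_arp_status(lines: Iterable[str], ip: str) -> str:
    """Classify what the capture says about who answers ARP for `ip`."""
    s = arp_summary(lines).get(ip)
    if s is None:
        return "no-arp-seen"
    if s["requests"] and not s["replies"]:
        return "unanswered"   # the rule-1-only symptom: the ISP router keeps asking
    if len(s["answered_by"]) > 1:
        return "conflict"     # more than one MAC claims the IP: worth investigating
    return "answered"


# Constructed captures. aa:bb:cc:dd:ee:01 plays the ISP router, aa:bb:cc:dd:ee:02 the gateway.
WITHOUT_RULE2 = [
    "10:00:01.000000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.16.189.3 tell 172.16.189.1, length 28",
    "10:00:02.000000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.16.189.3 tell 172.16.189.1, length 28",
    "10:00:03.000000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.16.189.3 tell 172.16.189.1, length 28",
]
WITH_RULE2 = [
    "10:05:01.000000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.16.189.3 tell 172.16.189.1, length 28",
    "10:05:01.000300 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), length 42: Reply 172.16.189.3 is-at aa:bb:cc:dd:ee:02, length 28",
    "10:05:01.000500 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:02, ethertype IPv4 (0x0800), length 74: 203.0.113.80.443 > 172.16.189.3.10000: Flags [S.], length 0",
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python arp_check.py capture.txt 172.16.189.3
        with open(sys.argv[1]) as fh:
            print(proxy_arp_status(fh, sys.argv[2]))
    else:
        print("without rule 2:", proxy_arp_status(WITHOUT_RULE2, "172.16.189.3"))
        print("with rule 2:   ", proxy_arp_status(WITH_RULE2, "172.16.189.3"))
```

The "conflict" outcome is the one to watch for after adding manual proxy ARP entries on several boxes: two devices answering for the same public IP produces exactly the intermittent reachability that is hard to diagnose from the NAT rulebase alone.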