The PhoneBoy Blog


FireWall-1 FAQ: FireWall-1 with Internet via (R)RAS Connection

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet, and people are still clicking on them.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


WARNING: Check Point does not recommend or support this configuration. Neither do I, for that matter. Proceed at your own risk.

It does work, assuming the following is true:

  • If NT 4.0 SP3 or higher is installed, build 3045 or higher of FireWall-1 must be installed
  • If SP1 is installed, FireWall-1 2.1c or higher should work fine.

  • The following registry entry must be set:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasArp\DisableOtherSrcPackets

    Type is DWORD, value is 0

  • If one of your subnets is on the same logical IP subnet as your service provider, you need to set the following registry entry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\IPCP\PriorityBasedOnSubNetwork

    Type is DWORD, value is 1

Other than these issues, everything that you would normally have to do to set up an NT system to run FireWall-1 needs to be done. This includes (but is not limited to) turning on "IP Routing" in the TCP/IP Properties, configuring the interfaces, and configuring the routing.

Known issues with this configuration:

  • Any IPSEC-based encryption will probably not work (basically, anything but FWZ). FWZ seems to work okay, however.
  • Licensing: Either license your firewall to the internal IP address, or do not start FireWall-1 until after RAS has connected you to the Internet; otherwise FireWall-1 will complain that the license is invalid and will not start correctly.
