topic Re: Different subnets on the same interface in General Topics

Different subnets on the same interface

myrdin — Sun, 27 Nov 2016 22:25:11 GMT

Hi,

my ISP has assigned me with a /30 for the p2p connection and it is routing a /24 public subnet towards that /30. Meaning the WAN interface in the Palo will have to respond to many different ips on two different subnets. I haven't found any Kb that describe this scenario. Also please consider we are migrating from another devicewhich is perfectly working fine with this configuration, this in case we want to start pointing fingers to the ISP. No, it is definitely the Palo. Also for the sake of the conversation i am running a p3020 with 7.1

- outbound traffic works (a machine inside the LAN can go out to the internet and uses one of the /24 addresses using the NAT rule i have configured).

- Inbound traffic (published services) do not work at all, it seems that the Palo never answer with an ARP to tell the other device that it "has" those ips.

- tried using loopbacks, or to add the additional subnet in the interface configuratio, i have zero traffic hitting the interface (no ARP sent)

Digging around i found two solutions, didnt manage to test them thou:

- forcing a GARP within the CLI (this is an horrible solution, and i would need to do this everytime i restart the Palo?)

- Add a fake route in the virtual router. Add a route to the /24 with next hop None, so that the Palo installs a route and start accepting the traffic. This is still a horrible workaround.

I am wondering how you guys do it,

thanks!

Re: Different subnets on the same interface

santonic — Mon, 28 Nov 2016 07:25:52 GMT

I have absolutely no issues with the same scenario on PA. Everything is working normally.

On the interface I have mutliple IPs, for example:

- 1.1.1.1/30 (connected network for routing)

- 2.2.2.x/24 (one IP from routed network)

- 2.2.2.y/32, 2.2.2.z/32, 2.2.2.c/32...... (other IPs from routed network)

I can use all IPs from SNAT, DNAT... No problems at all.

Grautitious ARP will be needed only right after from switching cables from previous device to PA. No fake routes are needed.

Re: Different subnets on the same interface

reaper — Mon, 28 Nov 2016 10:02:38 GMT

The GARP command from CLI is purely there for testing or temporary need to do so

if you add the second subnet to the itnerface and commit, the firewall will start responding to ARP requests for any IP that's configured in a proper inbound NAT policy (untrust to untrust , any to <externalIP>, translate to <internal IP>)

Re: Different subnets on the same interface

myrdin — Mon, 28 Nov 2016 21:33:36 GMT

mmm thanks, so you have to add all the IPs one by one? I mean if i have 200 addresses in use on the /24, do i have to add them to the interface?

thanks

Re: Different subnets on the same interface

santonic — Tue, 29 Nov 2016 07:09:16 GMT

In some cases yes; if you want to use one of those address for PA management you have to add it to interface.

But in general no. If you use an addres in NAT rule it should be enough.

Re: Different subnets on the same interface

reaper — Tue, 29 Nov 2016 10:39:17 GMT

u only need to add the ones you want the firewall to take ownership of

adding a subnet range to your interface only binds the one IP to that interface, granting 'ownership' to the firewall and making it respond to arp requests (eg 10.0.0.1/24 only has the firewall respond for .1, the rest is just 'the subnet' it belongs to)

if you provide additional ip addresses for it to use, by creating NAT rules for example (or loopback interfaces), the firewall will start taking ownership for those

at one point you will need to define most of the IP addresses in a NAT policy anyway, as you don't want/need the firewall responding for an IP address that's not being used in policy.

P.S. you don't necessarily need to define them one by one, you can also create a many-to-many policy that blankets the whole public subnet to an internal subnet, but I would recommend creating a policy per IP

Re: Different subnets on the same interface

myrdin — Tue, 29 Nov 2016 21:39:53 GMT

Allright thanks very much guys. So this is what i am going to do:

- have the /30 configured in the WAN interface

- add also the /24 on the same WAN interface, with no /32 ip specified

- NAT rules are already there.

- use the GARP once i switch the cable to force the ISP device to update its own MAC table.

does this sound right?

thanks heaps

Re: Different subnets on the same interface

santonic — Wed, 30 Nov 2016 09:19:21 GMT

Yep, should be ok. Install policy also does a gratitious ARP so you can do that instead.

Re: Different subnets on the same interface

reaper — Wed, 30 Nov 2016 09:26:30 GMT

perfect

Re: Different subnets on the same interface

myrdin — Sun, 04 Dec 2016 23:34:29 GMT

Hi guys thanks for all your help, turns out it was the ISP device that for some reason was working with the previous device and not with the Palo for unknown reasons. We bypassed that ISP router completely and boom everything started working straight away.

Re: Different subnets on the same interface

reaper — Tue, 06 Dec 2016 11:26:02 GMT

they may have configured static ARP entries for your previous device 🙂