topic Re: Carve public Subnet without involving Vendor in General Topics

Carve public Subnet without involving Vendor

junior_r — Fri, 02 Nov 2018 22:34:54 GMT

Anyway to accomplish following without modifying routes at the router?

I have a subnet 1.1.1.0/24

1.1.1.1/24 PAN ETH1 Need to route 1.1.1.50 from ETH1 -> ETH3 as it sits behind ETH3. I need ETH1 to reply back to router when it says arp who has for 1.1.1.50

Re: Carve public Subnet without involving Vendor

gwesson — Fri, 02 Nov 2018 22:55:39 GMT

Just to be sure, you're saying:

server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router

And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?

If that's correct, there are two ways I can think of offhand:

1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here:

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools

2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces/configure-virtual-wires

Re: Carve public Subnet without involving Vendor

junior_r — Fri, 02 Nov 2018 23:16:17 GMT

@gwesson wrote:
Just to be sure, you're saying:
server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router
And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?

If that's correct, there are two ways I can think of offhand:
1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools

2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces/configure-virtual-wires

(1.1.1.50) [e1/4]FW 2[e1/7] 10.10.10.11/24 <----> [e1/3]PAN[e1/7] 10.10.10.10/24 <---> [e1/3]PAN[e1/1] <---> Router

Two Firewalls PAN and FW2

If i do a destination NAT on 1.1.1.50 to internal IP would the packet even make its way to ETH3? I cannot modify any IPs behind e1/3

Re: Carve public Subnet without involving Vendor

pulukas — Sat, 03 Nov 2018 16:03:57 GMT

It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces. This would not be possible to commit on the PAN.

The nat options above are to use an internal subnet on the server side and then nat/proxy arp to connect the ip.

Your other option if you need to keep that public ip on the server is to put two physical interfaces into that external facing subnet and zone with one for the upstream connection and the other for the server.

For this you would move the layer 3 address to a vlan interface and the configure two layer 2 interfaces associated with that vlan.

Here then the server is directly attached to that subnet and your policy controls are then untrust to untrust policies since the server will also be in that same zone.

Re: Carve public Subnet without involving Vendor

junior_r — Sun, 04 Nov 2018 00:15:44 GMT

@pulukas in this setup would the server send arp-reply to arp request from the circut?

Re: Carve public Subnet without involving Vendor

pulukas — Sun, 04 Nov 2018 13:14:18 GMT

Yes, in that configuration the server and the external interface will be in the same vlan and broadcast domain so they will respond to arp requests normally.

Re: Carve public Subnet without involving Vendor

JW6224 — Wed, 07 Nov 2018 14:18:24 GMT

@pulukas wrote:
It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces. This would not be possible to commit on the PAN.

@pulukas- I don't know if this is @junior_r's best solution, but in the scenario you describe, wouldn't that be possible if you had the L3 interfaces configured as part of two seperate vrouters, with routing between?

Just to be clear for anyone else reading this - I'm not at all saying this is a great idea. Even if it commits, the complexity would make this only a solution for a very few, niche setups.

Re: Carve public Subnet without involving Vendor

pulukas — Tue, 13 Nov 2018 01:18:35 GMT

You can't route the same subnet between two virtual routers.

Both will see the subnet as local.

So if you have two interfaces with the same subnet in different VR you would be using NAT to get them to communicate. And at that point you can go ahead and do the same thing back in the main VR to start with.

Typically I see this request for a server with the same public address as the untrust of the firewall from voice or other applications that don't want any nat applied to their sessions.