topic Re: Is topology like this possible? in General Topics

Is topology like this possible?

Netstaff — Mon, 23 Dec 2019 10:31:59 GMT

Hello!

I have an idea for my test lab, in conditions without physical switch and with very limited number of ports. I need my server behind firewall to receive IP from ISP DHCP and also I need my firewall to have an outside L3 interface also receiving IP from that DHCP, and use it to NAT all devices from port 2. It would all be easy with many ports and a switch, is there solutions without them? Topology is just for reference, where yellow switch is hypothetical virtual switch inside firewall, I don't know which way is the right way is to do this. (blue devices in topology are not under my control)

Re: Is topology like this possible?

BPry — Mon, 23 Dec 2019 14:51:46 GMT

@Netstaff,

The feature that you are looking for is called DHCP-Relay.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFXCA0

Re: Is topology like this possible?

Netstaff — Mon, 23 Dec 2019 18:23:53 GMT

Hello. Getting an address is just half the story. All devices need to have the ability to communicate with each other. I don't exactly understand, how will it be. And I can't test it until Friday... So sorry, this is absolutely hypothetical situation, this is not useful at all, and if you don't want to have some fun, don't waste your time.

So let's imagine a situation:

1. all addresses are /24

2. Port 1 is layer 3 port gets 192.168.0.2 from DHCP

3. The server gets 192.168.0.3 from DHCP relay

Now the server needs to communicate with ISP, but it's only connected to port 3

4. Port 3 also needs to be in the same subnet with the server, so... it gets IP from DHCP relay and gets address 192.168.0.4

At this point wouldn't virtual router detect that 192.168.0.0/24 network is accessible from 2 different interfaces and start to panic?

Re: Is topology like this possible?

BPry — Mon, 23 Dec 2019 19:08:47 GMT

@Netstaff,

You didn't say that you wanted the solution completely built out for you, so I didn't. The answer to your original question is absolutely, you would achieve this by doing the following.

Leave ethernet1/1 as you already have it configured.
Configure ethernet1/3 as a layer3 interface, create a new zone for your server, and setup DHCP-Relay so that the servers DHCP requests are relayed to the ISP.
You'll need to create a DHCP reservation for your Server or be constantly updating the following if the server refreshes it's IP address.
On your route table you simply need to define a route to your server, hypothetically lets call it 192.168.0.4/32, so that a more defined route is installed. Traffic, like any routing table, will take the more defined route.
Configure the proper security rulebase entries so that traffic is allowed/denied as required.

- You don't necessarily need to configure ethernet1/3 as layer3, but since ethernet1/2 is layer3 already it helps keep a unified configuration.

Re: Is topology like this possible?

Netstaff — Mon, 23 Dec 2019 19:34:02 GMT

"or be constantly updating the following"

By using which method?

Re: Is topology like this possible?

BPry — Mon, 23 Dec 2019 19:38:39 GMT

@Netstaff,

Any method you use to configure the firewall (API, CLI, or GUI). You can't use an FQDN in your static-routes so the firewall isn't able to do this for you. I would personally recommend the reservation; if you can't do that you'll probably want to create a script on the server that monitors what IP address it currently has, and when it changes you can use the API to update the route statement that you created to the new IP address and commit the change.

Re: Is topology like this possible?

Netstaff — Mon, 23 Dec 2019 19:46:33 GMT

Manually? With Script? I'm sorry I did not give an accurate description of the problem. I knew that there are a thousand unnecessary difficult ways to do it, I would have preferred to ask if there is elegant technology especially for this. Like if Palo Alto could connect it's virtual routers to the virtual switch with virtual interfaces and monitored interface traffic.

Re: Is topology like this possible?

BPry — Mon, 23 Dec 2019 19:51:52 GMT

@Netstaff,

Ideally you would monitor the IP on the server, updating it when necessary, with a script running directly on that server instead of doing it manually.

"Like if Palo Alto could connect it's virtual routers to the virtual switch with virtual interfaces and monitored interface traffic."

The firewall is capable of providing routed interfaces, that's it. The firewall was never designed to act like a switch.

Re: Is topology like this possible?

Netstaff — Fri, 27 Dec 2019 11:00:22 GMT

I think I found the solution: ports 1 and 1 - L2 together, port 2 attached virtual router also to be attached as VLAN interface with DHCP client. Not sure if it works, going to test later. Just posting if somebody interested.

Just tested it and it works great with port 1 and 2 as L2 interfaces and L3 inteface vlan attached to same bridge.