https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331801#M83964 <P>If i read your issue correctly you have:</P><P>&nbsp;</P><P>a desktop computer with 2 network cards plugged in, one in range 192.168.100 and one in 192.168.130</P><P>your firewall also has 2 connected interfaces, one in 192.168.100 and one in 192.168.130</P><P>&nbsp;</P><P>your desktop is connected with both interfaces in the same broadcast domain to the firewall on the interface with ip 192.168.100</P><P>the firewall is connected to a different broadcast domain on the 192.168.130 interface</P><P>&nbsp;</P><P>i don't think there is a (layer3) solution to this issue as your host will always prefer the locally connected subnet over a remotely routed one so it will look for ARP rather than route</P><P>&nbsp;</P><P>you could consider switching your firewall to two layer2 interfaces, and setting up routed vlan interfaces in each subnet</P><P>that way both broadcast domains will see eachother and a default gateway will remain available for routing</P><P>&nbsp;</P> Fri, 05 Jun 2020 07:08:30 GMT reaper 2020-06-05T07:08:30Z https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331691#M83954 <P>Hi</P><P>&nbsp;</P><P>I have a network with IP addresses in the range of 192.168.100 and 192.168.130 on two singular network cards on the same machine on the local network. Port 4 on the firewall is plugged into another device with the .130 range IP. &nbsp; Port 1 on the firewall is plugged into the local network. I can’t contact the other device from the machine.&nbsp;<BR /><BR /></P><P>Any idea how I can achieve this?</P><P>&nbsp;</P> Thu, 04 Jun 2020 20:12:33 GMT https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331691#M83954 jeff.noseworthy1 2020-06-04T20:12:33Z https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331725#M83959 <P>Hello,</P><P>I think your enviroment like this;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="upelister_0-1591308547499.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26036iF0285F9AB0054A4C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="upelister_0-1591308547499.png" alt="upelister_0-1591308547499.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>To Check-</P><OL><LI>İnterface types should be L3 and ip address assigned.</LI><LI>Same default router shoul be used.<OL><LI>Else you must crate a routing entry for each subnet in each VR.</LI></OL></LI><LI>You can put them in different zone or same zone up to you.<OL><LI>İf different zone, you have to create a rule.</LI><LI>İf same zone Default allow rule will allow traffic.</LI><LI>İf there is clean up rule before default rules, a permit rule must be created even if they are in same zone.</LI><LI>İf there is an allow rule logging should be enabled.</LI></OL></LI><LI>Link States must be Green not red or greyed out.</LI><LI>Assingnin a ping enabled management profile to interface’s good for trouble shooting.</LI><LI>ON cli you can check arp entry’s to verify hosts are connected properly.<OL><LI>)&gt; show arp ethernet1/1 or )&gt; show arp ethernet1/4</LI></OL></LI><LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="upelister_1-1591308547505.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26035i568684771B647807/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="upelister_1-1591308547505.png" alt="upelister_1-1591308547505.png" /></span><P>&nbsp;</P></LI><LI>If you are using VM Palo Alto, “promiscous mode” has to be enabled all interface’s. İn ESX.</LI><LI>For 100.0 network host can ping to its gateway.</LI><LI>For 130.0 network host can ping to its gateway.</LI><LI>Trace route can be helpful.</LI></OL><P>Have a nice and healty day.</P> Thu, 04 Jun 2020 22:10:20 GMT https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331725#M83959 upelister 2020-06-04T22:10:20Z https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331801#M83964 <P>If i read your issue correctly you have:</P><P>&nbsp;</P><P>a desktop computer with 2 network cards plugged in, one in range 192.168.100 and one in 192.168.130</P><P>your firewall also has 2 connected interfaces, one in 192.168.100 and one in 192.168.130</P><P>&nbsp;</P><P>your desktop is connected with both interfaces in the same broadcast domain to the firewall on the interface with ip 192.168.100</P><P>the firewall is connected to a different broadcast domain on the 192.168.130 interface</P><P>&nbsp;</P><P>i don't think there is a (layer3) solution to this issue as your host will always prefer the locally connected subnet over a remotely routed one so it will look for ARP rather than route</P><P>&nbsp;</P><P>you could consider switching your firewall to two layer2 interfaces, and setting up routed vlan interfaces in each subnet</P><P>that way both broadcast domains will see eachother and a default gateway will remain available for routing</P><P>&nbsp;</P> Fri, 05 Jun 2020 07:08:30 GMT https://live.paloaltonetworks.com/t5/general-topics/vlan-entry/m-p/331801#M83964 reaper 2020-06-05T07:08:30Z