Different subnets on the same interface


L2 Linker

Hi,

My ISP has assigned me a /30 for the p2p connection and it is routing a /24 public subnet towards that /30. Meaning the WAN interface in the Palo will have to respond to many different IPs on two different subnets. I haven't found any KB that describes this scenario. Also please consider we are migrating from another device which is working perfectly fine with this configuration, in case we want to start pointing fingers at the ISP. No, it is definitely the Palo. Also for the sake of the conversation I am running a PA-3020 with 7.1.

- Outbound traffic works (a machine inside the LAN can go out to the internet and uses one of the /24 addresses using the NAT rule I have configured).

- Inbound traffic (published services) does not work at all; it seems that the Palo never answers with an ARP to tell the other device that it "has" those IPs.

- Tried using loopbacks, or adding the additional subnet in the interface configuration; I have zero traffic hitting the interface (no ARP sent).

Digging around I found two solutions, but didn't manage to test them:

- Forcing a GARP within the CLI (this is a horrible solution, and I would need to do this every time I restart the Palo?)

- Add a fake route in the virtual router: a route to the /24 with next hop None, so that the Palo installs a route and starts accepting the traffic. This is still a horrible workaround.

I am wondering how you guys do it.

Thanks!


Accepted Solutions

L6 Presenter

I have absolutely no issues with the same scenario on PA. Everything is working normally.

On the interface I have multiple IPs, for example:

- 1.1.1.1/30 (connected network for routing)

- 2.2.2.x/24 (one IP from routed network)

- 2.2.2.y/32, 2.2.2.z/32, 2.2.2.c/32... (other IPs from routed network)

I can use all IPs for SNAT, DNAT... No problems at all.

Gratuitous ARP will be needed only right after switching cables from the previous device to the PA. No fake routes are needed.


Cyber Elite

The GARP command from the CLI is purely there for testing or a temporary need to do so.

If you add the second subnet to the interface and commit, the firewall will start responding to ARP requests for any IP that's configured in a proper inbound NAT policy (untrust to untrust, any to <externalIP>, translate to <internal IP>).

[attached screenshot: 2016-11-28_11-02-13.png]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Mmm, thanks, so you have to add all the IPs one by one? I mean if I have 200 addresses in use on the /24, do I have to add them to the interface?

Thanks

In some cases yes; if you want to use one of those addresses for PA management you have to add it to the interface.

But in general no. If you use an address in a NAT rule it should be enough.

You only need to add the ones you want the firewall to take ownership of.

Adding a subnet range to your interface only binds the one IP to that interface, granting 'ownership' to the firewall and making it respond to ARP requests (e.g. 10.0.0.1/24 only has the firewall respond for .1; the rest is just 'the subnet' it belongs to).

If you provide additional IP addresses for it to use, by creating NAT rules for example (or loopback interfaces), the firewall will start taking ownership of those.

At one point you will need to define most of the IP addresses in a NAT policy anyway, as you don't want/need the firewall responding for an IP address that's not being used in policy.

P.S. You don't necessarily need to define them one by one; you can also create a many-to-many policy that blankets the whole public subnet to an internal subnet, but I would recommend creating a policy per IP.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
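The ownership rule Tom lays out above (an interface entry claims only its own host address, never the whole subnet; loopbacks and inbound NAT destinations claim theirs) as an added Python model that is not from the thread or from PAN-OS itself; the `WanConfig`/`NatRule` types, the RFC 5737 documentation addresses and the rules are constructed for illustration. Given the list of public IPs that published services actually use, it reports the ones nothing in the config claims, which is exactly the set the firewall will never answer ARP for (the original poster's inbound symptom).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    destination: str  # pre-translation public destination: a host, /32 or a CIDR range


@dataclass
class WanConfig:
    interface_ips: list  # entries on the WAN interface, e.g. "203.0.113.2/30"
    loopback_ips: list   # loopback interface addresses
    nat_rules: list      # inbound (untrust to untrust) NAT rules


def owned_addresses(cfg: WanConfig) -> set:
    """Addresses the firewall treats as its own and will answer ARP for."""
    owned = set()
    # An entry like 198.51.100.1/24 claims only .1; the /24 is just the subnet it belongs to.
    for entry in cfg.interface_ips + cfg.loopback_ips:
        owned.add(ipaddress.ip_interface(entry).ip)
    for rule in cfg.nat_rules:
        net = ipaddress.ip_network(rule.destination, strict=False)
        # A many-to-many rule claims every usable host of its destination range;
        # a single host or /32 claims just that one address.
        owned.update(net.hosts() if net.num_addresses > 2 else net)
    return owned


def unclaimed(cfg: WanConfig, in_use) -> list:
    """Public IPs that services rely on but no interface, loopback or NAT rule claims."""
    owned = owned_addresses(cfg)
    missing = sorted(ip for ip in map(ipaddress.ip_address, in_use) if ip not in owned)
    return [str(ip) for ip in missing]


# Constructed, hypothetical configuration (not the poster's real addresses).
CONSTRUCTED = WanConfig(
    interface_ips=["203.0.113.2/30", "198.51.100.1/24"],
    loopback_ips=["198.51.100.7/32"],
    nat_rules=[NatRule("web", "198.51.100.10"),
               NatRule("mail", "198.51.100.11/32"),
               NatRule("dmz-block", "198.51.100.64/29")],
)
SERVICES_IN_USE = ["198.51.100.1", "198.51.100.7", "198.51.100.10", "198.51.100.11",
                   "198.51.100.65", "198.51.100.70", "198.51.100.200"]

if __name__ == "__main__":
    print("no ARP reply will be sent for:", unclaimed(CONSTRUCTED, SERVICES_IN_USE))
```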

Alright, thanks very much guys. So this is what I am going to do:

- have the /30 configured on the WAN interface

- also add the /24 on the same WAN interface, with no /32 IP specified

- NAT rules are already there

- use the GARP once I switch the cable, to force the ISP device to update its own MAC table

Does this sound right?

Thanks heaps

 

Yep, should be OK. Install policy also does a gratuitous ARP, so you can do that instead.

Perfect

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi guys, thanks for all your help. Turns out it was the ISP device that for some reason was working with the previous device and not with the Palo, for unknown reasons. We bypassed that ISP router completely and boom, everything started working straight away.

 

They may have configured static ARP entries for your previous device 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization