My ISP has assigned me a /30 for the p2p connection and it is routing a /24 public subnet towards that /30. Meaning the WAN interface in the Palo will have to respond to many different IPs on two different subnets. I haven't found any KB that describes this scenario. Also please consider we are migrating from another device which is working perfectly fine with this configuration, in case we want to start pointing fingers at the ISP. No, it is definitely the Palo. Also, for the sake of the conversation, I am running a PA-3020 with 7.1.
- Outbound traffic works (a machine inside the LAN can go out to the internet and uses one of the /24 addresses via the NAT rule I have configured).
- Inbound traffic (published services) does not work at all; it seems that the Palo never answers with an ARP to tell the other device that it "has" those IPs.
- I tried using loopbacks, or adding the additional subnet in the interface configuration; I have zero traffic hitting the interface (no ARP sent).
Digging around I found two solutions, though I didn't manage to test them:
- Forcing a GARP from the CLI (this is a horrible solution, and would I need to do this every time I restart the Palo?)
- Add a fake route in the virtual router: a route to the /24 with next hop None, so that the Palo installs a route and starts accepting the traffic. This is still a horrible workaround.
I am wondering how you guys do it.
I have absolutely no issues with the same scenario on PA. Everything is working normally.
On the interface I have multiple IPs, for example:
- 18.104.22.168/30 (connected network for routing)
- 2.2.2.x/24 (one IP from routed network)
- 2.2.2.y/32, 2.2.2.z/32, 2.2.2.c/32...... (other IPs from routed network)
I can use all IPs for SNAT, DNAT... No problems at all.
Gratuitous ARP will be needed only right after switching cables from the previous device to the PA. No fake routes are needed.
The GARP command in the CLI is purely there for testing or a temporary need to do so.
If you add the second subnet to the interface and commit, the firewall will start responding to ARP requests for any IP that's configured in a proper inbound NAT policy (untrust to untrust, any to <externalIP>, translate to <internal IP>).
Mmm, thanks, so you have to add all the IPs one by one? I mean if I have 200 addresses in use on the /24, do I have to add them to the interface?
In some cases yes; if you want to use one of those addresses for PA management you have to add it to the interface.
But in general no. If you use an address in a NAT rule it should be enough.
You only need to add the ones you want the firewall to take ownership of.
Adding a subnet range to your interface only binds the one IP to that interface, granting 'ownership' to the firewall and making it respond to ARP requests (e.g. 10.0.0.1/24 only has the firewall respond for .1; the rest is just 'the subnet' it belongs to).
If you provide additional IP addresses for it to use, by creating NAT rules for example (or loopback interfaces), the firewall will start taking ownership of those.
At one point you will need to define most of the IP addresses in a NAT policy anyway, as you don't want/need the firewall responding for an IP address that's not being used in policy.
P.S. You don't necessarily need to define them one by one; you can also create a many-to-many policy that blankets the whole public subnet to an internal subnet, but I would recommend creating a policy per IP.
All right, thanks very much guys. So this is what I am going to do:
- have the /30 configured in the WAN interface
- also add the /24 on the same WAN interface, with no /32 IP specified
- NAT rules are already there.
- use the GARP once I switch the cable to force the ISP device to update its own MAC table.
Does this sound right?
Hi guys, thanks for all your help. Turns out it was the ISP device that for some reason was working with the previous device and not with the Palo, for unknown reasons. We bypassed that ISP router completely and boom, everything started working straight away.
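The plan above, written out as PAN-OS set-format CLI. This is an added worked example, not configuration posted in the thread or taken from Palo Alto's documentation. All names and addresses are assumptions for illustration: the WAN interface is ethernet1/1 in zone "untrust", the LAN server sits behind zone "trust", the ISP p2p link is 203.0.113.0/30 (ISP side .1, firewall .2), the routed block is 198.51.100.0/24 and the published server is 10.0.0.10. Check the exact keywords against the CLI reference for your PAN-OS release before pasting.

```text
# Assumed names/addresses, not from the thread: WAN = ethernet1/1 (zone untrust),
# ISP p2p /30 = 203.0.113.0/30, routed block = 198.51.100.0/24, web server = 10.0.0.10

# 1. The /30 plus one address from the routed /24 on the same WAN interface.
#    The /24 entry makes the firewall "own" only 198.51.100.1; the rest of the
#    block reaches the firewall purely because the ISP routes it to 203.0.113.2.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.1/24
set zone untrust network layer3 ethernet1/1
set network virtual-router default interface ethernet1/1
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1

# 2. Inbound DNAT, one rule per published IP, zones untrust -> untrust (pre-NAT zone).
#    Every destination address used in such a rule is one the firewall will answer ARP for,
#    so no /32 or loopback is needed for 198.51.100.10.
set rulebase nat rules web-in from untrust to untrust source any destination 198.51.100.10 service service-http destination-translation translated-address 10.0.0.10

# 3. Outbound SNAT from a different address of the /24, again without binding it anywhere else.
set rulebase nat rules lan-out from trust to untrust source 10.0.0.0/24 destination any service any source-translation dynamic-ip-and-port translated-address 198.51.100.2

# 4. Security policy still has to permit the inbound flow: it matches the pre-NAT
#    destination address but the post-NAT destination zone (trust).
set rulebase security rules allow-web-in from untrust to trust source any destination 198.51.100.10 application web-browsing service application-default action allow

commit

# 5. Operational mode, once, right after moving the cable: gratuitous ARP so the
#    ISP router replaces the old device's MAC for this address in its ARP cache.
test arp gratuitous ip 198.51.100.10 interface ethernet1/1
```

Two points worth keeping in mind with this layout: the firewall only answers ARP for addresses it owns (the interface IPs plus those used in NAT rules), so an address in the /24 that appears in no NAT rule will simply be dropped by the upstream router's ARP resolution, which is the intended least-exposure behaviour; and the gratuitous ARP is a one-off cache fix for the migration, not something a reboot requires, because after a commit the firewall answers normal ARP requests for those addresses on its own.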