Palo Alto at Home

Not applicable

My current setup at home consists of a comcast modem - PA-200 - linksys wireless router. For this setup, I have the PA in vwire connected to the modem and my wireless router is performing DHCP.

Last night I attempted to change my setup and took down my network for a couple of hours. :smileyhappy: I'd like to set up my wireless router as an access point, and configure the PA-200 as a DHCP server. I'm having trouble figuring out how I would create zones and virtual routers to route between the networks.


Below is a diagram on how I imagine it would be set up. I just don't have the experience with PA yet to accomplish it.


[Attached diagram: Home.jpg]


Any ideas how I could accomplish this? Thanks!


All Replies
Not applicable

If this is the wrong area for a post like this, please point me in the right direction. Thanks!

L7 Applicator

Hi Michael:

So, a few quick tips for you:

1.) in the GUI, go to Network / Virtual Routers, and place all 3 interfaces into the _same_ virtual router.  You only need 1 virtual router for the entire deployment.  You don't want to break up the PA200 into "multiple" routers each with their own routing table, their own interfaces, etc.  If you're using static IPs from your ISP, be sure to add a static route in the virtual router that points to your ISP's router.  If you're using DHCP from your ISP then this will be done automatically. 

2.) in the GUI, go to Network / Interfaces and set all 3 interfaces to layer-3 mode.

3.) assign an IP address to each interface

4.) place each interface into their respective zones

5.) under Network / DHCP Server, create 2 DHCP servers, one on E1/2 for your internal network, and one on E1/3 for your wireless network.  You can use private address ranges like:

     192.168.1.0/24 for wired network

     192.168.2.0/24 for wireless network

6.) go to Policies / Security and create a basic security policy that says:

      permit all from int to isp

      permit all from wap to isp

      deny all from isp to int & wap

7.) go to Policies / NAT and create a basic NAT policy that says:

      if the src zone is int or wap and the dst zone is isp, then translate the source to the ISP interface address

Also, you'll want to disable the DHCP server on your wireless AP if it has one, and plug the PA200 E1/3 into one of the LAN-side ports on your WAP.

Good luck.  PA200 is a nice box for a home network!


Not applicable

Awesome information! Thank you so much for your help. It seems like I was on the right track, I just wasn't sure about the VR configuration.

Do I put all interfaces into the VR? Should I create a route 0.0.0.0/0 pointing to my ISP? Does the PA know about all networks connected to it already?

Not applicable

When I click Add VR => General => Add => All Layer 3 interfaces?

Under Static Routes => Add => the form asks for: Name, Destination, Interface, Next Hop, IP Address.

Not exactly sure how this should look either. I tried looking in the Administrator's Guide 4.1, but it was unclear.

Thanks again!

L7 Applicator

Yes, all interfaces into the same VR

Yes, PA knows about all directly connected networks (incl int and wap)

You should add a static route 0.0.0.0/0 pointing to ISP only if you have a static IP address for your PA200's "isp" interface.

   - If your ISP assigns you an address through DHCP and you configure E1/1 to be a DHCP Client, then the static route pointing to the ISP will be handled automatically. 

Not applicable

Great! I am pulling my Layer 3 IP from DHCP off of the ISP cable modem. Just to be clear, I don't need to add a static route because my Layer 3 interface knows how to get out to the ISP?

L7 Applicator

Yep.  The checkbox "automatically create default..." does just that.
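The accepted answer gives the seven steps in GUI terms, and the exchange just above settles the default-route question (DHCP client on the ISP interface, no static route). The same configuration written out as PAN-OS `set` commands makes the interface/zone/virtual-router relationships explicit in one place. This is an added example written for this thread, not configuration posted by anyone in it. It assumes ethernet1/1 faces the ISP, ethernet1/2 the wired LAN and ethernet1/3 the wireless AP, uses the 192.168.1.0/24 and 192.168.2.0/24 ranges and the zone names int, wap and isp from the answer, and picks the DHCP pool boundaries itself; 192.0.2.53 is a placeholder for the ISP's DNS resolver and must be replaced. Lines beginning with # are annotations, not CLI input.

```text
# --- Steps 2 and 3: three layer-3 interfaces. E1/1 is a DHCP client and
#     installs its own default route (the "automatically create default
#     route" checkbox), so the virtual router needs no static 0.0.0.0/0.
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes
set network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/3 layer3 ip 192.168.2.1/24

# --- Step 1: a single virtual router holding all three interfaces.
#     Connected routes for 192.168.1.0/24 and 192.168.2.0/24 appear by
#     themselves once the interfaces are members.
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]

# --- Step 4: one zone per interface (names follow the accepted answer).
set zone isp network layer3 ethernet1/1
set zone int network layer3 ethernet1/2
set zone wap network layer3 ethernet1/3

# --- Step 5: DHCP server on each inside interface. The gateway option is
#     the firewall's own interface address; the DNS value is a placeholder.
set network dhcp interface ethernet1/2 server ip-pool 192.168.1.100-192.168.1.199
set network dhcp interface ethernet1/2 server option gateway 192.168.1.1
set network dhcp interface ethernet1/2 server option subnet-mask 255.255.255.0
set network dhcp interface ethernet1/2 server option dns primary 192.0.2.53
set network dhcp interface ethernet1/3 server ip-pool 192.168.2.100-192.168.2.199
set network dhcp interface ethernet1/3 server option gateway 192.168.2.1
set network dhcp interface ethernet1/3 server option subnet-mask 255.255.255.0
set network dhcp interface ethernet1/3 server option dns primary 192.0.2.53

# --- Step 6: security policy. Inbound from isp would already hit the
#     implicit interzone deny; the explicit rule makes those hits visible
#     in the traffic log.
set rulebase security rules int-to-isp from int to isp source any destination any application any service application-default action allow
set rulebase security rules wap-to-isp from wap to isp source any destination any application any service application-default action allow
set rulebase security rules isp-inbound-deny from isp to [ int wap ] source any destination any application any service any action deny log-end yes

# --- Step 7: source NAT (PAT) to the ISP interface address for both
#     inside zones.
set rulebase nat rules outbound-pat from [ int wap ] to isp source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

Two things worth checking after the commit. First, `show routing route` should list a 0.0.0.0/0 route learned from DHCP on ethernet1/1 alongside the two connected 192.168.x.0/24 routes; if the default route is missing, the LAN symptom described later in this thread (WAN gets an address, LAN cannot reach the internet) follows directly, and the DHCP-client and NAT lines above are the first places to look. Second, note that nothing permits int to wap or wap to int, so wired and wireless hosts are isolated from each other by the interzone default deny; that is a reasonable home-network posture, and any sharing between the two segments needs an explicit rule rather than a change to the default.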

Not applicable

This is great, I plan to have the same setup, but I'm having trouble figuring out DNS and gateway settings on the VR, interfaces and DHCP server.

Would you mind sharing your settings? My WAN(untrust) is getting a DHCP address from my ISP, but my LAN cannot access the internet.

Thanks!
