Palo Alto at Home


Not applicable

My current setup at home consists of a Comcast modem - PA-200 - Linksys wireless router. For this setup, I have the PA in vwire connected to the modem and my wireless router is performing DHCP.

Last night I attempted to change my setup and took down my network for a couple of hours. :) I'd like to set up my wireless router as an access point, and configure the PA-200 as a DHCP server. I'm having trouble figuring out how I would create zones and virtual routers to route between the networks.


Below is a diagram on how I imagine it would be set up. I just don't have the experience with PA yet to accomplish it.


Home.jpg


Any ideas how I could accomplish this? Thanks!

Accepted Solutions

L7 Applicator

Hi Michael:

So, a few quick tips for you:

1.) in the GUI, go to Network / Virtual Routers, and place all 3 interfaces into the _same_ virtual router.  You only need 1 virtual router for the entire deployment.  You don't want to break up the PA200 into "multiple" routers each with their own routing table, their own interfaces, etc.  If you're using static IPs from your ISP, be sure to add a static route in the virtual router that points to your ISP's router.  If you're using DHCP from your ISP then this will be done automatically. 

2.) in the GUI, go to Network / Interfaces and set all 3 interfaces to layer-3 mode.

3.) assign an IP address to each interface

4.) place each interface into their respective zones

5.) under Network / DHCP Server, create 2 DHCP servers, one on e 1/2 for your internal network, and one on 1/3 for your wireless network.  You can use private address ranges like:

     192.168.1.0/24 for wired network

     192.168.2.0/24 for wireless network

6.) go to Policies / Security and create a basic security policy that says:

      permit all from int to isp

      permit all from wap to isp

      deny all from isp to int & wap

7.) go to Policies / NAT and create a basic NAT policy that says:

      if the src zone is int or wap and the dst zone is isp, then translate the source to the ISP interface address

Also, you'll want to disable the DHCP server on your wireless AP if it has one, and plug the PA200 E1/3 into one of the LAN-side ports on your WAP.

Good luck.  PA200 is a nice box for a home network!


8 Replies

Not applicable

If this is the wrong area for a post like this, please point me in the right direction. Thanks!


Awesome information! Thank you so much for your help. It seems like I was on the right track, I just wasn't sure about the VR configuration.

Do I put all interfaces into the VR? Should I create a route 0.0.0.0/0 pointing to my ISP? Does the PA know about all networks connected to it already?

When I click Add VR => General => Add => All Layer 3 interfaces?

Under Static Routes => Add => Name, Destination, Interface, Next Hop, IP Address

Not exactly sure how this should look either. I tried looking on the administrator guide 4.1, but it was unclear.

Thanks again!

Yes, all interfaces into the same VR

Yes, PA knows about all directly connected networks (incl int and wap)

You should add a static route 0.0.0.0/0 pointing to ISP only if you have a static IP address for your PA200's "isp" interface.

   - If your ISP assigns you an address through DHCP and you configure E1/1 to be a DHCP Client, then the static route pointing to the ISP will be handled automatically. 

Great! I am pulling my Layer 3 IP from DHCP off of the ISP cable modem. Just to be clear, I don't need to add a static route because my Layer 3 interface knows how to get out to the ISP?

Yep.  The checkbox "automatically create default..." does just that.

This is great, I plan to have the same setup, but I'm having trouble figuring out DNS and gateway settings on the VR, interfaces and DHCP server.

Would you mind sharing your settings? My WAN (untrust) is getting a DHCP address from my ISP, but my LAN cannot access the internet.

Thanks!
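A short set of PAN-OS operational commands for narrowing down "WAN has an address but the LAN cannot reach the internet", added here as an example and not taken from any reply in the thread. The zone names int/isp and interfaces ethernet1/1 and ethernet1/2 match the accepted solution; the client address 192.168.1.50 and the test destination 8.8.8.8 are assumptions. Lines beginning with `#` are annotations, not CLI input.

```text
# 1. Does the ISP interface hold a lease, and did a default route get installed?
show dhcp client state all
show interface ethernet1/1
show routing route
test routing fib-lookup virtual-router default ip 8.8.8.8

# 2. Did the LAN client get a lease with the firewall as its gateway and a DNS server?
show dhcp server lease interface ethernet1/2

# 3. Would a client's HTTPS flow hit an allow rule, and would it be NATed?
test security-policy-match from int to isp source 192.168.1.50 destination 8.8.8.8 protocol 6 destination-port 443
test nat-policy-match from int to isp source 192.168.1.50 destination 8.8.8.8 protocol 6 destination-port 443

# 4. Is a session actually being built and translated for that client?
show session all filter source 192.168.1.50
```

Work through the checks in order: if step 1 shows no default route, the "automatically create default route" option on the DHCP client is off; if step 2 shows leases without a DNS option, clients can reach addresses but not names, which looks like "no internet" from a browser; if step 3 reports no matching NAT rule, the outbound source translation is missing or its zones do not match.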
