08-18-2012 09:48 AM
My current setup at home consists of a Comcast modem - PA-200 - Linksys wireless router. For this setup, I have the PA in vwire connected to the modem and my wireless router is performing DHCP.
Last night I attempted to change my setup and took down my network for a couple of hours. I'd like to set up my wireless router as an access point, and configure the PA-200 as a DHCP server. I'm having trouble figuring out how I would create zones and virtual routers to route between the networks.
Below is a diagram on how I imagine it would be set up. I just don't have the experience with PA yet to accomplish it.
Any ideas how I could accomplish this? Thanks!
08-18-2012 10:31 AM
Hi Michael:
So, a few quick tips for you:
1.) in the GUI, go to Network / Virtual Routers, and place all 3 interfaces into the _same_ virtual router. You only need 1 virtual router for the entire deployment. You don't want to break up the PA200 into "multiple" routers each with their own routing table, their own interfaces, etc. If you're using static IPs from your ISP, be sure to add a static route in the virtual router that points to your ISP's router. If you're using DHCP from your ISP then this will be done automatically.
2.) in the GUI, go to Network / Interfaces and set all 3 interfaces to layer-3 mode.
3.) assign an IP address to each interface
4.) place each interface into their respective zones
5.) under Network / DHCP Server, create 2 DHCP servers, one on e 1/2 for your internal network, and one on 1/3 for your wireless network. You can use private address ranges like:
192.168.1.0/24 for wired network
192.168.2.0/24 for wireless network
6.) go to Policies / Security and create a basic security policy that says:
permit all from int to isp
permit all from wap to isp
deny all from isp to int & wap
7.) go to Policies / NAT and create a basic NAT policy that says:
if the src zone is int or wap and the dst zone is isp, then translate the source to the ISP interface address
Also, you'll want to disable the DHCP server on your wireless AP if it has one, and plug the PA200 E1/3 into one of the LAN-side ports on your WAP.
Good luck. PA200 is a nice box for a home network!
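An added example, not part of the original post and not Palo Alto code: a small Python model of the three security rules and the NAT rule from steps 6 and 7, evaluated top-down with first match. The rule names, the sample hosts and the interface address 203.0.113.10 are constructed; the fall-through behaviour (intrazone allowed, interzone denied) is the PAN-OS implicit default.

```python
import ipaddress

# Zones and subnets from the answer above (int = e1/2 wired, wap = e1/3 wireless).
ZONES = {
    "int": ipaddress.ip_network("192.168.1.0/24"),
    "wap": ipaddress.ip_network("192.168.2.0/24"),
}
ISP_IF_ADDR = "203.0.113.10"  # constructed stand-in for the DHCP-assigned e1/1 address

# Step 6, evaluated top-down, first match wins: (name, from-zones, to-zones, action).
SECURITY_RULES = [
    ("int-to-isp", {"int"}, {"isp"}, "allow"),
    ("wap-to-isp", {"wap"}, {"isp"}, "allow"),
    ("isp-inbound", {"isp"}, {"int", "wap"}, "deny"),
]
# Step 7: source-translate to the ISP interface address: (from-zones, to-zones).
NAT_RULES = [({"int", "wap"}, {"isp"})]


def zone_of(addr):
    """Map an address to a zone; anything not directly connected leaves via isp."""
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONES.items():
        if ip in net:
            return zone
    return "isp"


def evaluate(src, dst):
    """Return the zone pair, matching rule, action and post-NAT source for a flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for name, frm, to, action in SECURITY_RULES:
        if src_zone in frm and dst_zone in to:
            break
    else:
        # No rule matched: implicit defaults allow intrazone, deny interzone.
        name = "implicit-default"
        action = "allow" if src_zone == dst_zone else "deny"
    nat_hit = any(src_zone in f and dst_zone in t for f, t in NAT_RULES)
    new_src = ISP_IF_ADDR if action == "allow" and nat_hit else src
    return {"from": src_zone, "to": dst_zone, "rule": name,
            "action": action, "source": new_src}


if __name__ == "__main__":
    for flow in [("192.168.1.20", "8.8.8.8"), ("192.168.2.30", "192.168.1.20"),
                 ("198.51.100.7", "192.168.1.20")]:
        print(flow, evaluate(*flow))
```

With only these three rules, traffic between the wired and wireless networks matches nothing and is dropped by the implicit interzone deny, so reaching a wired device from a wireless client would need its own rule.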
08-18-2012 09:54 AM
If this is the wrong area for a post like this, please point me in the right direction. Thanks!
08-18-2012 10:41 AM
Awesome information! Thank you so much for your help. It seems like I was on the right track, I just wasn't sure about the VR configuration.
Do I put all interfaces into the VR? Should I create a route 0.0.0.0/0 pointing to my ISP? Does the PA know about all networks connected to it already?
08-18-2012 10:49 AM
When I click add VR => General => Add => All Layer 3 interfaces?
Under Static Routes => Add =>
Name
Destination
Interface
Next Hop
Ip Address
Not exactly sure how this should look either. I tried looking on the administrator guide 4.1, but it was unclear.
Thanks again!
08-18-2012 10:50 AM
Yes, all interfaces into the same VR
Yes, PA knows about all directly connected networks (incl int and wap)
You should add a static route 0.0.0.0/0 pointing to ISP only if you have a static IP address for your PA200's "isp" interface.
- If your ISP assigns you an address through DHCP and you configure E1/1 to be a DHCP Client, then the static route pointing to the ISP will be handled automatically.
08-18-2012 10:54 AM
Great! I am pulling my Layer 3 IP from DHCP off of the ISP cable modem. Just to be clear, I don't need to add a static route because my Layer 3 interface knows how to get out to the ISP?
08-18-2012 01:09 PM
Yep. The checkbox "automatically create default..." does just that.
10-24-2013 01:05 PM
This is great, I plan to have the same setup, but I'm having trouble figuring out DNS and gateway settings on the VR, interfaces and DHCP server.
Would you mind sharing your settings? My WAN (untrust) is getting a DHCP address from my ISP, but my LAN cannot access the internet.
Thanks!