setting up multiple internet connections

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

setting up multiple internet connections

L2 Linker

Translator
 
 
 
 

 

Translator
 
 
 
 

Hi everyone. I have a PA-220 firewall. It is currently connected via interface 1/8 to an internet connection that I will soon have to discontinue, and which I will call GW1 here.
At the same time I activated a new internet connection that I will call GW2, connected to interface 1/7 of the firewall.
I would like to understand, before disconnecting the GW1 from the 1/8 interface, whether I have correctly performed all the configurations for the GW2 connection.
Via CLI, with the command "ping source ip_gw2 host 8.8.8.8 this cannot reach it.
If instead I try to execute the command "ping source ip_gw1 host 8.8.8.8 this responds correctly. Could it be a problem as a rule? Or is the firewall not able to support two different internet connections at the same time? thanks

14 REPLIES 14

L5 Sessionator

It can support multiple internet connections. 

Do you have routing set up to use GW2?

Can you ping the next hop on GW2 sourced from 1/7? If you don't have a route to go to the next hop on GW2, then a ping to 8s sourced from there won't work.

 

 

Translator
 
 
 
 

 

I created a second virtual router and assigned the 1/7 GW2 interface to it. In the statitc routes tab I entered the public IP provided by the ISP.

2_VR.JPG

L2 Linker

Translator
 
 
 
 

 

I'm starting to think that the interface used for the second ISP is configured correctly despite the ping problems.

But I wonder...why does the command "ping source ip_gw2 host 8.8.8.8" get no response (neither lost packets nor successful packets) while the command "ping source ip_gw2 host www.google.com" gets responses instead?

L2 Linker

Translator
 
 
 
 

 

I can also ping 8.8.4.4. While the ping towards 8.8.8.8 remains stationary:

gnesper_0-1714978123110.png

gnesper_1-1714978184944.png

 

 

That is odd. If you do a traceroute, does it even get to the first hop?

L2 Linker

Translator
 
 
 
 

 

consider that now I have both ISPs connected to the firewall.

Could you tell me the command to try traceroute with the second isp?

It's the same as ping, traceroute source x.x.x.x host 8.8.8.8

L2 Linker

Translator
 
 
 
 

gnesper_0-1715098516878.png

this is the result.

Please note that at the firewall I set 8.8.8.8 as the first DNS and 8.8.4.4 as the second DNS.

If I reverse it then I can ping 8.8.8.8 but no longer 8.8.4.4 🙂

Do you have the same results with the other ISP?

Cyber Elite
Cyber Elite

Hello,

What do the traffic logs show? Is icmp allowed out that interface? Is eth 1/7 in the proper zone?

Regards,

Translator
 
 
 
 

 

with the other ISP the traceroute and ping are OK:

gnesper_0-1715113644142.png

 

Translator
 
 
 
 

 

1/7 is in an untrust zone, similar to 1/8.
I think icmp is allowed since in the security policies in the application tab I set "any"

Cyber Elite
Cyber Elite

Hello,

On the new ISP interface, put in a specific route to something on the internet that is not required by the general users, ie you can use googles dns ip 8.8.8.8 if the other networks dont rely on it. Since its a specific route, it will take precedence over the 0.0.0.0/0 path.

 

Regards,

L2 Linker

Translator
 
 
 
 

 

guys I just discovered something...it seems that 1/8 is not able to ping the DNS set on the firewall (8.8.8.8 and 8.8.4.4 in fact). If I set only one DNS, for example 1.1.1.1, 1/8 magically starts to ping both 8.8.8.8 and 8.8.4.4. Obviously don't ping 1.1.1.1 anymore. Is this normal behavior?

  • 2465 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!