This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Two ISP connections - one primary / one guest network

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Two ISP connections - one primary / one guest network

Go to solution
cmateam
L3 Networker

‎01-16-2013 08:41 AM

Hello,

Today we have one interface designated as a WAN interface that manages our IPsec tunnels, GP Portal/Gateway, NAT for Websites, and business web browsing and needs.  We have a second internet connection that we use for a guest network that goes through a really old Sonicwall (Different IP range/provider from our main WAN (untrust) link).  I'm wanting to move the guest network to our PAN and setup a network zone, DHCP and hand off all the traffic to our wireless controller.

I'm seeing a lot of documentation on setting up dual ISPs for redundency, etc. This isn't quite what I am looking for.  I just want to setup another untrust to trust configuration with it's own VR to pass client traffic to and from the internet.  Is that as simple as my configuration needs to be or am I missing something?  Thanks.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
AmeriNet-TK
L1 Bithead
In response to cmateam

‎01-17-2013 12:57 PM

Hello, you are essentially correct.  There are several ways to do this, but in keeping as close to your proposed solution here is what I would suggest-

Create two new zones, untrust-b and trust-b, create an L3 interface for each zone with an IP address (I would use the Sonicwall's LAN and Sonicwall WAN IP).  Create new virtual router, put both interfaces in that VR, config default gateway in that VR pointing to same Default gateway as sonicwall had) Create security policy to allow inbound and outbound traffic, create NAT rules, configure DHCP on new trust L3 interface.

Move cables from Sonicwall LAN and WAN interfaces to your newly configured PA trust and untrust interfaces, Commit.

two-ISP.bmp

View solution in original post

0 Likes Likes
8 REPLIES 8

Go to solution
mbutt
L5 Sessionator

‎01-16-2013 10:10 AM

Hi,

If i understand your question correctly. You are trying to move your guest network traffic to PAN.

In order to do that you can create a policy based forwarding and make sure you put in the source address range in the policy.

So only traffic that goes through this link is the guest network.

Here is a document that explains how to configure policy based forwarding

https://live.paloaltonetworks.com/docs/DOC-3220

Hopefully this helps.

Thank you

Numan

0 Likes Likes

Go to solution
cmateam
L3 Networker
In response to mbutt

‎01-16-2013 10:35 AM

Not exactly. 

We have our Main WAN link as described above.  This is a service link provided a major internet provider and is a /26 network.The Guest network is a local ISP that is providing a /28.  Currently we have the PAN handling our main WAN link, the /26.  We have a really old Sonicwall that is handling the local ISP of /28. The /28 (guest network) is vlanned and separated from our corporate network and there is no access from either network into the other.

What I am trying to accomplish is to keep these both networks separated but managed on the same firewall.  Traffic from either the corporate LAN or guest network will never merge.

I'm thinking that all I should have to is setup another virtual router, a untrust interface, trust interface, and network zone.

Is this correct?  How can I clarify more?

0 Likes Likes

Go to solution
AmeriNet-TK
L1 Bithead
In response to cmateam

‎01-17-2013 12:57 PM

Hello, you are essentially correct.  There are several ways to do this, but in keeping as close to your proposed solution here is what I would suggest-

Create two new zones, untrust-b and trust-b, create an L3 interface for each zone with an IP address (I would use the Sonicwall's LAN and Sonicwall WAN IP).  Create new virtual router, put both interfaces in that VR, config default gateway in that VR pointing to same Default gateway as sonicwall had) Create security policy to allow inbound and outbound traffic, create NAT rules, configure DHCP on new trust L3 interface.

Move cables from Sonicwall LAN and WAN interfaces to your newly configured PA trust and untrust interfaces, Commit.

two-ISP.bmp

0 Likes Likes

Go to solution
cmateam
L3 Networker
In response to AmeriNet-TK

‎01-17-2013 01:02 PM

Wow!  Thank you!  Yes this is exactly what I am trying to accomplish!  Thank you for confirming this.  This is what I had in mind, and thought it was as simple as this but in wanting to confirm, I could not find much information. Thanks!  I'll give it a shot.

0 Likes Likes

Go to solution
cmateam
L3 Networker
In response to AmeriNet-TK

‎01-17-2013 01:12 PM

Just out of curious - what are the other ways?

0 Likes Likes

Go to solution
AmeriNet-TK
L1 Bithead
In response to cmateam

‎01-17-2013 01:29 PM

You are welcome.

You have VLANs so you can use sub interfaces rather than using a physical interface, you can do PBF to direct traffic from the guest LAN to their ISP, now with version 5.0.1 you can direct traffic recieved on one interface (ISP) to return traffic to that same ISP, before you could not do that.

If you have the physical interfaces the dual VR route is fine.

Good luck.

Go to solution
cmateam
L3 Networker
In response to AmeriNet-TK

‎01-17-2013 01:32 PM

Ah - very cool.  That may be what I need in the next year (network switch upgrade and move to vlans) and for another project here soon at another location.  This is good to know for 5.0.x as I am still working with 4.1.  Thanks again.

0 Likes Likes

Go to solution
LCMember1888
L0 Member
In response to AmeriNet-TK

‎07-09-2020 12:35 AM

Can I do this without virtual system?

0 Likes Likes
  • 1 accepted solution
  • 9283 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks