PA-415 Multiple interfaces into one VLAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-415 Multiple interfaces into one VLAN

L2 Linker

Hello ALl,

I am hoping somebody can help with my configuration as I seem to be stumbling and hitting a brick wall the whole week.

 

The firewall is a PA-415 running SW 11.0.0

Ethernet 1/1 is set as a WAN interface.

Ethernet 1/2 = no configuration

Ethernet 1/3 = no configuration

Ethernet 1/4 = 192.168.4.1 / 24 [Set as default LAN, layer 3]

Ethernet 1/5 = no configuration

Ethernet 1/6 to Ethernet 1/9 = VLAN.100, 172.16.15.1/24

 

When I connect a test laptop to Ethernet 1/4, I am provided with a DHCP IP address from the firewall and can route outbound traffic.

 

If I connect any test laptop into Ethernet 1/6 -> Ethernet 1/9 I am provided with an DHCP IP address from 172.16.15.15, but I can not route any outbound traffic through WAN ethernet 1/1. I tried tracert and there are no hops to ethernet 1/1. There is no traffic logs either from 172.16.15.x/24

 

From the web interface I can see the DHCP table showing an IP address allocation to the correct LAN test laptop. There are default NAT and Security Firewall rules in place, as Ethernet 1/4 routes outbound traffic correctly. My assumption from my diagnostics would be the VLAN tag of 100 is not carried through and routed to the next hop to the wan interface.  I cant find a support or a knowledge base article on configuring ports on the router a separate LAN with a VLAN Tag. 

 

The reason for using Ethernet 1/6 to Ethernet 1/9 is because these are PoE ports and I need everything connected into the PA-415. Has anybody got product notes, KB articles or ideas how I can run route the VLAN traffic through WAN interface ethernet 1/1?

 

Thank you

From jatin patel

 

1 accepted solution

Accepted Solutions

L4 Transporter

Hi there,

Good to hear. Please mark this thread as Solved.

Regarding DHCP on the WAN interface, why not statically assign it and set up an address reservation within the DHCP address scope on the device which is serving the DHCP requests? This will mitigate the commit problem you are seeing and also ensure that you do not get any duplicate addresses on the WAN.

 

cheers,

Seb.

View solution in original post

35 REPLIES 35

L4 Transporter

Hi there,

Can you confirm what security zones you have configured? Which interfaces are in which zones? Since inter-zone flows are denied by default you may need a explicitly rule to permit VLAN100 out of the WAN interface. 

Also, since you have NAT configured on the WAN interfaces does it permit 172.16.15.0/24 as a source address?

 

You mention the VLAN100 tag, are the devices connected to the PoE ports configured to receive VLAN tags, or do those ports send out the frames untagged? I suspect it is the latter.

 

cheers,

Seb.

Hello Seb,

Thank you for your reply,

The questions you posed are similiar to a few engineers that tried to fix this setup and even they couldnt understand why its failing, so i am hoping you can help me, 🙂

 

Security Zone:

Home Network = 172.16.15.x/24

Internet Uplink = WAN Interface Ethernet 1/1

Rule is Any address to any destination from any service. Default as possiable.

 

Interfaces and Zones:

Ethernet 1/1 = Internet Uplink - Layer 3

Ethernet 1/4 = Test Network Four - Layer 3

Ethernet 1/6 - 1/9 = Test Home network - Layer 2

 

Zones:

Home network - Layer 3 - Interface VLAN 100

Internet Uplink - Layer 3 - Ethernet 1/1

Test Home Network - Layer 2 - Ethernet ports with sub interfaces....used for testing to fix this issue.

Test Network Four - Layer 3 - Ethernet 1/4 - THIS WORKS.

 

VLAN 100 on the PoE ports. The ports have untagged set as TAG on the configuration. Only just did I add a sub interface with TAG as set to 100 for testing to see if that fixes the issues.

 

From Jatin

L4 Transporter

Hi there

one thing that appears to be missing from the above is a VLAN interface. You will need to assign this an ID that will match your VLAN object, then place this into 'test network four' security zone. Make sure that any security policy you have for this zone with a destination zone of 'internet uplink' now includes 172.16.15.0/24 as a source subnet (assuming you are not using 'any').

 

cheers,

Seb.

Hello Seb,

Thank you for the reply,

In my Zones for Home network, in the interface section I already have vlan.100 allocated. 

 

In interface, I have a second line that says vlan .100, with IP address in the 172.16.15.x, with VLAN interface as correct for ethernet 1/6 to ethernet 1/9. This VLAN 100 is linked to the DHCP server and issues correct DHCP addresses.

 

L4 Transporter

OK, sounds good. 

Any chance you can share screenshots of the security policy, and NAT setup?

 

cheers,

Seb.

Hello Seb,

Thank you, ill take some screen shots and send over a word document.

From Jatin

Hello Seb,

Thank you for the message, I have been through the security rule and NAT rule on the PA-415 firewall and taken a few screen shots to show you. Kindly note the 192.168.4.x network works correctly as an individual port, but since I have created the VLAN with 4 x ports no routing is taken place from the 172.x.x.x address through to the WAN interface.

Can you review the screen shots and provide your feedback please.

Thanks

L4 Transporter

Hi there,

Two things that are worth confirming:

  • Is the gateway IP for the 'Home network' (172.16.15.0/24) correctly configured as the VLAN100 interface IP? Is the netmask correct?
  • Can you create a management profile with 'ping' allowed and attach it to the VLAN100 interface. Can you confirm that devices in VLAN100 can now ping the local gateway address?

cheers,

Seb.

Hello Seb,

Thank you for checking the screenshots and for sending me your feedback.

The gateway IP address is set to 172.16.15.1/24 which DHCP starts from 172.16.15.14/24 255.255.255.0. The VLAN group is linked to the VLAN interface of VLAN ID 100.

The Managment interface is on a 192.168.1.x subnet. This was my original setup, I can change this to a 172.16.15.x subnet.

From a managment profile, ill create the new setup and allow ping and test connection to the VLAN interface 100 and the IP address gateway.

Is there a way I can send you a backup of the configuration, or a zoom call or a teams call.

From jatin

 

 

L4 Transporter

Hi there,

If you like, create a named snapshot and export it. You should be able to send it as an attachement in a private message on this forum if you like.

If I find the solution I'll share it via this post.

 

cheers,

Seb.

Hello Seb, thank you for the message,

I powered down the firewall last night and looks like their may be an issue on the unit as per the red warning lights. See screen shot. I cant get ping or access the web interface. I think I may have to reset the whole unit, which means ill loose my configuration on the firewall.

Regarding the issue on the VLAN, have you replicated my issues or built a similiar type of network or have a document I can follow?

 

L4 Transporter

OK, so I made this topology, Layer3 WAN interface, Eth1/4-7 Layer2 interfaces, VLAN100 SVI.

seb_rupik_0-1689088045637.png

Here's the config...

Interface config:

 

set network interface ethernet ethernet1/1 layer3 ip 10.0.0.2/30
set network interface vlan units vlan.100 ip 172.16.15.1/24
set network interface vlan units vlan.100 comment "Home Network"

set network vlan home_network virtual-interface interface vlan.100
set network vlan home_network interface [ ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ]

set network virtual-router default interface [ vlan.100 ethernet1/1 ]

 

 

Routing:

set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default enable yes
set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default source 10.0.0.2/30
set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default destination 10.0.0.1
set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default interval 3
set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default count 5
set network virtual-router default routing-table ip static-route default path-monitor enable yes
set network virtual-router default routing-table ip static-route default path-monitor failure-condition any
set network virtual-router default routing-table ip static-route default path-monitor hold-time 2
set network virtual-router default routing-table ip static-route default nexthop ip-address 10.0.0.1
set network virtual-router default routing-table ip static-route default bfd profile None
set network virtual-router default routing-table ip static-route default interface ethernet1/1
set network virtual-router default routing-table ip static-route default metric 10
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0

 

DHCP config:

 

set network dhcp interface vlan.100 server option dns primary 1.1.1.1
set network dhcp interface vlan.100 server option lease unlimited
set network dhcp interface vlan.100 server option gateway 172.16.15.1
set network dhcp interface vlan.100 server option subnet-mask 255.255.255.0
set network dhcp interface vlan.100 server ip-pool 172.16.15.14-172.16.15.254
set network dhcp interface vlan.100 server mode enabled

 

Security zone setup:

 

set zone home_network network layer3 vlan.100
set zone internet_uplink network layer3 ethernet1/1
set zone home_network_l2 network layer2 [ ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ]

 

Security poilcy:

 

set rulebase security rules home_network-outbound to internet_uplink
set rulebase security rules home_network-outbound from home_network
set rulebase security rules home_network-outbound source 172.16.15.0/24
set rulebase security rules home_network-outbound destination any
set rulebase security rules home_network-outbound source-user any
set rulebase security rules home_network-outbound category any
set rulebase security rules home_network-outbound application any
set rulebase security rules home_network-outbound service application-default
set rulebase security rules home_network-outbound source-hip any
set rulebase security rules home_network-outbound destination-hip any
set rulebase security rules home_network-outbound action allow

 

NAT policy:

 

set rulebase nat rules home_network_nat source-translation dynamic-ip-and-port translated-address 10.0.0.2
set rulebase nat rules home_network_nat to internet_uplink
set rulebase nat rules home_network_nat from home_network
set rulebase nat rules home_network_nat source any
set rulebase nat rules home_network_nat destination any
set rulebase nat rules home_network_nat service any

 

 

VPC2 and VPC3 successfully ping VPC host out on the WAN:

seb_rupik_1-1689088231933.png

 

VPC3 and also ping VPC2 on the VLAN:

seb_rupik_2-1689088284243.png

 

...obviously change the WAN Eth1/1 IP and all references to suit your own topology.

 

cheers,

Seb.

Hello Seb,

Thank you for your assistanc and helpfull points, I have just rebuilt the configuration using the notes provided. 

Question:
Previously I had a static route, to force all traffic destinated to the wan IP address has to route through WAN Internet ethernet 1/1. In your configuration I noticed there is mention. May I ask why is that.

 

Also, ill test the new configuration in the morning when i had back to my test lab office.

From Jatin

  • 1 accepted solution
  • 10551 Views
  • 35 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!