07-07-2023 02:44 AM
Hello All,
I am hoping somebody can help with my configuration as I seem to be stumbling and hitting a brick wall the whole week.
The firewall is a PA-415 running SW 11.0.0
Ethernet 1/1 is set as a WAN interface.
Ethernet 1/2 = no configuration
Ethernet 1/3 = no configuration
Ethernet 1/4 = 192.168.4.1/24 [Set as default LAN, layer 3]
Ethernet 1/5 = no configuration
Ethernet 1/6 to Ethernet 1/9 = VLAN.100, 172.16.15.1/24
When I connect a test laptop to Ethernet 1/4, I am provided with a DHCP IP address from the firewall and can route outbound traffic.
If I connect any test laptop into Ethernet 1/6 -> Ethernet 1/9 I am provided with a DHCP IP address from 172.16.15.15, but I cannot route any outbound traffic through WAN ethernet 1/1. I tried tracert and there are no hops to ethernet 1/1. There are no traffic logs either from 172.16.15.x/24.
From the web interface I can see the DHCP table showing an IP address allocation to the correct LAN test laptop. There are default NAT and Security Firewall rules in place, as Ethernet 1/4 routes outbound traffic correctly. My assumption from my diagnostics would be that the VLAN tag of 100 is not carried through and routed to the next hop to the WAN interface. I can't find a support or a knowledge base article on configuring ports on the router as a separate LAN with a VLAN tag.
The reason for using Ethernet 1/6 to Ethernet 1/9 is because these are PoE ports and I need everything connected into the PA-415. Has anybody got product notes, KB articles or ideas on how I can route the VLAN traffic through WAN interface ethernet 1/1?
Thank you
From jatin patel
07-12-2023 01:34 AM
Good spot. Since I was only trying to reach that VPC host which was on the other end of the connected WAN subnet, I forgot to add a default route. I'll add it to the post above for the sake of completion.
cheers,
Seb.
07-12-2023 01:38 AM
Hello Seb,
Hi, just a short note this time. I saw this yesterday evening, and tried again this morning; the error message is confusing. All the IP addresses are standard /24, so not sure where and how this rule has occurred.
Any thoughts?
07-12-2023 02:30 AM
hmmm, what is the output of:
show running nat-policy
...also what is the SKU of the firewall you are configuring?
07-12-2023 02:38 AM
I think I see what you have done.... in the NAT rule, make sure the 'translated address' does not include a CIDR, instead have just the interface IP: 10.0.0.2
cheers,
Seb.
07-12-2023 03:06 AM
Hello Seb,
Thank you for the message. After investigation, strange one here: if the DHCP server has the options enabled with the subnet mask, this setting conflicts with the objects if you have a /24 prefix.
I have fixed it: the DHCP server issues out IP addresses correctly, but the NAT rule was not aware of the subnet mask. So I deleted the NAT rule, then edited the objects with the / prefix and the commit passed.
Yes, you're right, there seems to be an issue when using the object instead of the manual entry.
I find the web interface sensitive when using objects or manual entries.
Once I sort out this IP address and it's passed, I'll figure out a way to test the connections.
07-12-2023 03:13 AM
Hi Seb,
Here are the steps I had to do to fix the issue.
-> Remove the NAT rule.
-> Change the prefix in the objects to no prefix.
-> Run the commit; all passes with warnings about the IP address reading as /32.
-> Add /24 to the static IP address and run commit; all passes and no warnings.
-> Reconfigure the NAT rule using objects. If you use Translated Interface you will have an error message for the IP address schema; if you use Interface interface with the updated IP prefix, the commit will pass.
07-12-2023 04:07 AM
Hello Seb,
So it seems, I am back to the same problem with the VLAN interface not routing outbound through the wan interface.
I don't know whether I need to have sub-interfaces to carry the VLAN tags through ethernet 1/1. Previously I had a test port in layer 3 to check internet connectivity, but here I have not done that. I've left it at default, as ports 6 to 9 with VLAN 100, which should be able to route out through ethernet 1/1.
This screenshot shows anything on the 172.16.15.0/24 is allowed to route through ethernet 1/1 from VLAN 100.
On the security rules, I even added in the WAN interface to force the traffic. So anything on VLAN 17 on the 172.16.15.0/24 network is allowed through the WAN interface.
So it seems I can't add the zone because of the conflict in layer 2 and layer 3. I'm not sure if it's a routing issue or an interface issue.
From Jatin
07-12-2023 04:27 AM
Can you do me a favour and share the running config as you have it currently. From the CLI run these commands and copy the output:
set cli pager off
set cli config-output-format set
configure
show
cheers,
Seb.
07-12-2023 02:07 PM - edited 07-12-2023 02:09 PM
07-12-2023 03:37 PM
From the diagram I have multiple layer 2 and layer 3 switches with small PoE switches.
The aim is to remove the Draytek router, PoE switch and layer 3 switch and use the PA-415 as a combination for all three.
You can see from the Draytek router it's on a full flat LAN, the 192.168.1.0/24 network.
I need the same configuration on the Palo Alto PA-415 using ethernet 1/1 as the WAN route to the Virgin Media router and ethernet ports 6 to 9 on a LAN network. At the moment I have set the LAN test network of 172.16.15.0/24 for testing purposes. At the moment ethernet ports 1/6 to ethernet 1/9 all received a DHCP IP address on 172.16.15.0/24, but there is no outbound route through ethernet 1/1.
My configuration on the PA-415 is as follows:
Ethernet 1/1 : 192.168.1.111
Management IP : 192.168.1.210
VLAN 100 set on Ethernet 1/6 to 1/9
VLAN 100 IP interface 172.16.15.1/24
VLAN 100 DHCP server from 172.16.15.14 with pool size of 50.
Static Route, NAT and Security rule to send all traffic through ethernet 1/1
My assumption is because ethernet 1/1 is layer 3 and ethernet 1/6 to 1/9 are set to layer 2, I think we need a sub interface on ethernet 1/1 to route VLAN 100. When I configure a single port, for example ethernet 1/4 with ethernet address of 10.0.0.0/24 I can route outbound traffic through ethernet 1/1 because this is set to layer 3. But with an additional VLAN there is no routing into ethernet 1/1 from ethernet 1/6, 1/7, 1/8 or 1/9.
Any ideas?
From jatin
07-12-2023 04:48 PM
Hello Seb,
Out of curiosity I have also read this web sense and created sub-interfaces with VLAN tag 100. I added in a NAT and security rule. Still no luck.
07-13-2023 05:30 AM
Hi there,
Looks like an issue with your security policy: for the rule 'Home_Network_Internet_Uplink' the destination zone should be set to 'WAN_internet' and the destination address should be set to 'any'.
Let us know if that works.
cheers,
Seb.
07-13-2023 05:38 AM
Hello Seb,
Thank you for the message. I hope the CLI command output and the Visio diagram were clear for you.
I tried a similar configuration to what you suggested before; when I specify a destination zone I am presented with the layer 3 issue:
Do you want to jump on a Zoom call or a Teams call? I am free now till 14:45 GMT.
From jatin
07-13-2023 05:49 AM
...in which case set the source zone as 'Home-Network'.
cheers,
Seb.
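An added example, not code from this thread or from Palo Alto Networks: a small Python lint over a constructed, simplified model of the PA-415 config that checks the three things this thread fixed, namely the missing default route, the CIDR in the NAT translated address (the steps post above) and the outbound security rule's destination zone and address (Seb's last two replies). The config dictionary, the rule and zone names and the 192.168.1.1 next hop are assumptions for illustration.

```python
import copy
import ipaddress

# Constructed, simplified model of the PA-415 setup in this thread (an illustrative assumption,
# not PAN-OS's data model). Three of the thread's mistakes are baked in: no default route,
# a CIDR in the NAT translated address, and a security rule that never reaches the WAN zone.
BROKEN = {
    "interfaces": {"ethernet1/1": "192.168.1.111/24", "vlan.100": "172.16.15.1/24"},
    "zones": {"WAN_internet": ["ethernet1/1"], "Home-Network": ["vlan.100"]},
    "static_routes": [],
    "nat_rules": [{"name": "Home_NAT", "from": "Home-Network", "to": "WAN_internet",
                   "translated_address": "192.168.1.111/24"}],
    "security_rules": [{"name": "Home_Network_Internet_Uplink", "from": "Home-Network",
                        "to": "Home-Network", "destination": "172.16.15.0/24"}],
}

def lint(cfg):
    """Return one finding string per pitfall; an empty list means the config is clean."""
    findings = []
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in cfg["interfaces"].items()}
    zone_of = {i: z for z, members in cfg["zones"].items() for i in members}
    # 1. A default route must exist and its next hop must sit on the egress interface's subnet.
    default = next((r for r in cfg["static_routes"] if r["destination"] == "0.0.0.0/0"), None)
    wan_zone = zone_of[default["interface"]] if default else None
    if default is None:
        findings.append("routing: no 0.0.0.0/0 static route, so VLAN traffic has no way out")
    elif ipaddress.ip_address(default["nexthop"]) not in ifaces[default["interface"]].network:
        findings.append(f"routing: nexthop {default['nexthop']} is not on {default['interface']}'s subnet")
    # 2. The NAT translated address is a bare interface IP in the 'to' zone, never a CIDR.
    for r in cfg["nat_rules"]:
        ta = r["translated_address"]
        if "/" in ta:
            findings.append(f"nat {r['name']}: translated address {ta} carries a prefix; use the interface IP")
        elif ipaddress.ip_address(ta) not in {i.ip for n, i in ifaces.items() if zone_of.get(n) == r["to"]}:
            findings.append(f"nat {r['name']}: {ta} is not an interface IP in zone {r['to']}")
    # 3. The outbound security rule runs LAN zone -> WAN zone with destination 'any'.
    for r in cfg["security_rules"]:
        if r["to"] != wan_zone or r["destination"] != "any":
            findings.append(f"security {r['name']}: destination zone must be the WAN zone, destination 'any'")
    return findings

def fixed_config():
    """BROKEN with the thread's three corrections applied (the next hop 192.168.1.1 is a constructed value)."""
    cfg = copy.deepcopy(BROKEN)
    cfg["static_routes"] = [{"destination": "0.0.0.0/0", "nexthop": "192.168.1.1", "interface": "ethernet1/1"}]
    cfg["nat_rules"][0]["translated_address"] = "192.168.1.111"
    cfg["security_rules"][0].update({"to": "WAN_internet", "destination": "any"})
    return cfg
```

Running `lint(BROKEN)` reports all three problems in order, and `lint(fixed_config())` returns an empty list.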
07-13-2023 06:07 AM
Hello Seb,
Well, that's gone and done it now... :-) FIXED IT...
C:\Users\jatin.patel>ping www.google.co.uk
Pinging www.google.co.uk [172.217.16.227] with 32 bytes of data:
Reply from 172.217.16.227: bytes=32 time=18ms TTL=55
Reply from 172.217.16.227: bytes=32 time=16ms TTL=55
Reply from 172.217.16.227: bytes=32 time=14ms TTL=55
Reply from 172.217.16.227: bytes=32 time=14ms TTL=55
Ping statistics for 172.217.16.227:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 18ms, Average = 15ms
C:\Users\jatin.patel>ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Default Switch (Ethernet)):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::da8d:1e18:47dd:ae39%43
IPv4 Address. . . . . . . . . . . : 172.17.80.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::f88d:3c30:b817:20a2%16
IPv4 Address. . . . . . . . . . . : 172.16.15.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.15.100
ooooo looks like the internet and address space is working now and routing correctly... now for the dreaded bit... I wonder, once I remove the DrayTek router and modify the LAN side to 192.168.1.1 to match my home network, and change the WAN to DHCP client, whether everything will work. As before, if you change ethernet 1/1 to DHCP, the commit throws out a complaint message.