PA-415 Multiple interfaces into one VLAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-415 Multiple interfaces into one VLAN

L2 Linker

Hello ALl,

I am hoping somebody can help with my configuration as I seem to be stumbling and hitting a brick wall the whole week.

 

The firewall is a PA-415 running SW 11.0.0

Ethernet 1/1 is set as a WAN interface.

Ethernet 1/2 = no configuration

Ethernet 1/3 = no configuration

Ethernet 1/4 = 192.168.4.1 / 24 [Set as default LAN, layer 3]

Ethernet 1/5 = no configuration

Ethernet 1/6 to Ethernet 1/9 = VLAN.100, 172.16.15.1/24

 

When I connect a test laptop to Ethernet 1/4, I am provided with a DHCP IP address from the firewall and can route outbound traffic.

 

If I connect any test laptop into Ethernet 1/6 -> Ethernet 1/9 I am provided with an DHCP IP address from 172.16.15.15, but I can not route any outbound traffic through WAN ethernet 1/1. I tried tracert and there are no hops to ethernet 1/1. There is no traffic logs either from 172.16.15.x/24

 

From the web interface I can see the DHCP table showing an IP address allocation to the correct LAN test laptop. There are default NAT and Security Firewall rules in place, as Ethernet 1/4 routes outbound traffic correctly. My assumption from my diagnostics would be the VLAN tag of 100 is not carried through and routed to the next hop to the wan interface.  I cant find a support or a knowledge base article on configuring ports on the router a separate LAN with a VLAN Tag. 

 

The reason for using Ethernet 1/6 to Ethernet 1/9 is because these are PoE ports and I need everything connected into the PA-415. Has anybody got product notes, KB articles or ideas how I can run route the VLAN traffic through WAN interface ethernet 1/1?

 

Thank you

From jatin patel

 

35 REPLIES 35

L4 Transporter

Good spot. since I was only trying to reach that VPC host which was on the other end of the connect WAN subnet I forgot to add a default route. I'll add it to the post above for the sake of completion.

 

cheers,

Seb.

Hello Seb,

Hi, just a short note this time, I saw this yesterday evening, and tried again this morning, the error message is confusing. All the IP address are standard /24, so not sure where and how this rule has occured. 

Any thoughts.

 

jatin_2023_0-1689151003622.png

 

 

L4 Transporter

hmmm, what is the output of:

show running nat-policy

 

...also what is the SKU of the firewall you are configuring?

L4 Transporter

I think I see what you have done.... in the NAT rule, make sure the 'translated address' does not include a CIDR, instead have just the interface IP: 10.0.0.2

 

cheers,

Seb.

Hello Seb,

Thank you for the message, after investigation, Strange one here, if the DHCP server has the options enabled with the subnet mask, this setting conflicts with the objects if you have a prefix / 24.

i have fixed it, the DHCP server issues out IP addresses correctly, but the NAT rule was not aware of the subnet mask. So I deleted the NAT rule, then edited the objects with the / prefix and the commit passed. 

Yes your right, there seems to be an issue when using the object instead of the manual entry.

I find the web interface sensitive when using objects of manual entries.

Once I sort out this IP address and its passed, i'll figure a way to test the connections.

 

Hi Seb, 

Here is the steps I have to do to fix the issue.

-> Remove the NAT rule,

-> Change the prefix in the objects to no prefix.

-> Run the commit and all passes with warnings about IP address reading has /32.

-> Add /24 to the static IP address and run commit, all passes and no warnings.

-> Reconfigure the NAT rule using objects and if you use Translated Interface you will have error message for IP address schema, if you use Interface interface with updated IP Prefix, the commit will pass.

L2 Linker

Hello Seb,

So it seems, I am back to the same problem with the VLAN interface not routing outbound through the wan interface. 

I dont know whether I need to have sub interfaces to carry the VLAN tags through ethernet 1/1. Previously I had a test port in layer 3 to check internet connectivity, but here I not done that. Ive left it default as ports 6 to 9 with VLAN 100, should be able to route out through ethernet 1/1.

 

This screen shot shows anything on the 172,16.15.0/24 is allowed route through ethernet 1/1 from vlan 100

jatin_2023_0-1689159611021.png

On the security rules, I even added in the wan interface to force the traffic. so anything on VLAN 17 on the 172.16.15.0.24 network is allowed through the wan interface.

jatin_2023_1-1689159972680.png

So it seems I cant add the zone because of the conflict in layer 2 and layer 3. Im not sure if its a routing issue or a interface issue.

From Jatin

 

 

L4 Transporter

Can you do me a favour and a share the running config as you have it currently. from the CLI run these commands and copy the output:

 

set cli pager off

set cli config-output-format set

configure

show

 

cheers,

Seb.

L2 Linker

Hello Seb,

Thank you for the message, please find my current working configuration. Im going to produce a diagram to prove my setup.

From jatin

L2 Linker

From the diagram I have multiple Layer 2 and layer 3 switches with a small PoE switches.
The aim is to remove the Draytek router, PoE switch and Layer 3 switch and use the PA-415 as a combination for all three.

You can see from the Draytek router its on a full flat LAN network 192.168.1.0/24 network

I need the same configuration on the Palo Alto PA-415 using ethernet 1.1 as the wan route to the virgin media router and the ethernet port 6 to 9 on a LAN network. At the moment I have set the LAN test network of 172.16.15.0/24 for testing purposes. At the moment ethernet ports 1/6 to ethernet 1/9 all recevied an DHCP IP address on a 172.16.15.0/24, but there no outbound route through ethernet 1/1.

My configuration on the PA-415 is as follows:
Ethernet 1/1 : 192.168.1.111
Managment IP : 192.168.1.210
VLAN 100 set on Ethernet 1/6 to 1/9
VLAN 100 IP interface 172.16.15.1/24
VLAN 100 DHCP server from 172.16.15.14 with pool size of 50.
Static Route, NAT and Security rule to send all traffic through ethernet 1/1

My assumption is because ethernet 1/1 is layer 3 and ethernet 1/6 to 1/9 are set to layer 2, I think we need a sub interface on ethernet 1/1 to route VLAN 100. When I configure a single port, for example ethernet 1/4 with ethernet address of 10.0.0.0/24 I can route outbound traffic through ethernet 1/1 because this is set to layer 3. But with an additional VLAN there is no routing into ethernet 1/1 from ethernet 1/6, 1/7, 1/8 or 1/9.

Any ideas?

From jatin

 

Hello Seb,

Out of curiosity I have also read this web sense and created sub-interfaces with VLAN tag 100. I added in a NAT and security rule. Still no luck.

Layer 2 Interfaces with VLANs (paloaltonetworks.com)

L4 Transporter

Hi there,

Looks like an issue with your security policy, for the rule 'Home_Network_Internet_Uplink' the destination zone should be set to 'WAN_internet' and the destination address should be set to 'any' .

 

Let us know if that works.

 

cheers,

Seb.

L2 Linker

Hello Seb,

Thank you for the message, I hope the CLI command output and the visio diagram was clear for you.

I tried a similiar configuration to what you suggested before, when I specify a destination zone I am presentated with the layer 3 issue:

 

jatin_2023_0-1689251859332.png

Do you want to jump on a zoom call or a teams call, as I am free now till 14:45 GMT.

 

From jatin

L4 Transporter

...in which case set the source zone as 'Home-Network' .

 

cheers,

Seb.

L2 Linker

hello Seb,

Well thats gone and done it now.....:-) FIXED IT...

 

C:\Users\jatin.patel>ping www.google.co.uk

Pinging www.google.co.uk [172.217.16.227] with 32 bytes of data:
Reply from 172.217.16.227: bytes=32 time=18ms TTL=55
Reply from 172.217.16.227: bytes=32 time=16ms TTL=55
Reply from 172.217.16.227: bytes=32 time=14ms TTL=55
Reply from 172.217.16.227: bytes=32 time=14ms TTL=55

Ping statistics for 172.217.16.227:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 18ms, Average = 15ms

C:\Users\jatin.patel>ipconfig

 

C:\Users\jatin.patel>ipconfig

Windows IP Configuration


Ethernet adapter vEthernet (Default Switch (Ethernet)):

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::da8d:1e18:47dd:ae39%43
IPv4 Address. . . . . . . . . . . : 172.17.80.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::f88d:3c30:b817:20a2%16
IPv4 Address. . . . . . . . . . . : 172.16.15.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.15.100

 

ooooo looks like the internet and address space is working now and routing correctly...now for the dreaded bit....I wonder once I remove the DrayTek route and modify the LAN side to 192.168.1.1 to match my home network, and change the WAN to DHCP client whether everything will work. As before if you change the ethernet 1/1 to DHCP, the commit throws out a complaint message.

  • 10373 Views
  • 35 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!