PA-415 Multiple interfaces into one VLAN


L2 Linker

Hello All,

I am hoping somebody can help with my configuration as I seem to be stumbling and hitting a brick wall the whole week.

 

The firewall is a PA-415 running SW 11.0.0

Ethernet 1/1 is set as a WAN interface.

Ethernet 1/2 = no configuration

Ethernet 1/3 = no configuration

Ethernet 1/4 = 192.168.4.1 / 24 [Set as default LAN, layer 3]

Ethernet 1/5 = no configuration

Ethernet 1/6 to Ethernet 1/9 = VLAN.100, 172.16.15.1/24

 

When I connect a test laptop to Ethernet 1/4, I am provided with a DHCP IP address from the firewall and can route outbound traffic.

 

If I connect any test laptop into Ethernet 1/6 -> Ethernet 1/9 I am provided with a DHCP IP address from 172.16.15.15, but I cannot route any outbound traffic through WAN ethernet 1/1. I tried tracert and there are no hops to ethernet 1/1. There are no traffic logs either from 172.16.15.x/24.

 

From the web interface I can see the DHCP table showing an IP address allocation to the correct LAN test laptop. There are default NAT and security firewall rules in place, as Ethernet 1/4 routes outbound traffic correctly. My assumption from my diagnostics would be that the VLAN tag of 100 is not carried through and routed to the next hop to the WAN interface. I can't find a support or knowledge base article on configuring ports on the router as a separate LAN with a VLAN tag.

 

The reason for using Ethernet 1/6 to Ethernet 1/9 is because these are PoE ports and I need everything connected into the PA-415. Has anybody got product notes, KB articles or ideas on how I can route the VLAN traffic through WAN interface ethernet 1/1?

 

Thank you

From Jatin Patel
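The setup described in the post, written out as PAN-OS `set` commands. This is an added example, not configuration from the original thread or from Palo Alto Networks; the zone names (WAN, LAN, VLAN100-L2, VLAN100), the VLAN object name, the virtual router name `default`, the DHCP pool and the DNS address are all assumptions, and the `#` lines are reading notes to drop before pasting into configure mode. The four PoE ports become Layer 2 members of one VLAN object, so the firewall switches frames between them itself; the Layer 3 `vlan.100` interface is the routed gateway for that VLAN. The detail the thread later turned on (the accepted reply mentions changing the zone on the NAT rule) is in the last step: the VLAN interface's zone has to be listed as a source zone on the outbound NAT and security rules, not only the zone of ethernet1/4.

```panos
# Added example, not from the original thread. Names and addresses are assumptions.
# 1. Switch ports: ethernet1/6-1/9 as Layer 2 members of a single VLAN object.
set network interface ethernet ethernet1/6 layer2
set network interface ethernet ethernet1/7 layer2
set network interface ethernet ethernet1/8 layer2
set network interface ethernet ethernet1/9 layer2
set network vlan VLAN100 interface [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ]

# 2. Routed gateway for the VLAN: a Layer 3 VLAN interface bound to the VLAN object
#    and added to the same virtual router as the WAN and LAN interfaces.
set network interface vlan units vlan.100 ip 172.16.15.1/24
set network vlan VLAN100 virtual-interface interface vlan.100
set network virtual-router default interface vlan.100

# 3. Zones: the switch ports go in a layer2 zone, the VLAN interface in a layer3 zone.
set zone VLAN100-L2 network layer2 [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ]
set zone VLAN100 network layer3 vlan.100
set zone LAN network layer3 ethernet1/4
set zone WAN network layer3 ethernet1/1

# 4. DHCP server on the VLAN interface (pool and resolver are assumed values).
set network dhcp interface vlan.100 server mode enabled
set network dhcp interface vlan.100 server ip-pool 172.16.15.10-172.16.15.200
set network dhcp interface vlan.100 server option gateway 172.16.15.1
set network dhcp interface vlan.100 server option subnet-mask 255.255.255.0
set network dhcp interface vlan.100 server option dns primary 1.1.1.1

# 5. Outbound NAT and security policy: VLAN100 must appear as a source zone next to LAN,
#    otherwise hosts behind vlan.100 fall through to the predefined interzone deny.
set rulebase nat rules Outbound-NAT from [ LAN VLAN100 ] to WAN source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase security rules Outbound-Allow from [ LAN VLAN100 ] to WAN source any destination any application any service application-default action allow
```

Two checks worth running after the commit: `test nat-policy-match from VLAN100 to WAN source 172.16.15.50 destination 203.0.113.1 protocol 6 destination-port 443` and the matching `test security-policy-match`, which show which rule (if any) a flow from the VLAN zone hits. The absence of traffic logs the post describes is consistent with a zone mismatch, because the predefined interzone-default deny rule does not log unless you override its log settings.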

 


L4 Transporter

Hi there,

Good to hear. Please mark this thread as Solved.

Regarding DHCP on the WAN interface, why not statically assign it and set up an address reservation within the DHCP address scope on the device which is serving the DHCP requests? This will mitigate the commit problem you are seeing and also ensure that you do not get any duplicate addresses on the WAN.

 

cheers,

Seb.

L2 Linker

Hello Seb,

Thank you for the message,

Normally I always set up DHCP IP reservations on my network from the LAN side. I think and hope I can change the Virgin Media router into a modem, after which I should be presented with an external-facing IP address.

I'll try this later on tonight.

One question: I don't have a WAN block rule, so I have set up a rule from zone wan-internet for source any and destination, to block all inbound WAN traffic. This locked me out; I guess I forgot to allow myself in from the WAN interface and MGMT profile. For an inbound WAN block rule, what's recommended to block all inbound traffic?

 

From Jatin

 

L4 Transporter

By default there is a default inter-zone policy that denies flows between two security zones. This will cover your use case.

It sounds like you need to set up a Management Profile allowing SSH and HTTPS, and attach it to the WAN interface. For added security, configure a permitted IP list for the management profile and limit it to subnets that exist within your network outside of the WAN interface.

 

cheers,

Seb.
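An interface management profile of the kind Seb describes, as an added example that is not from the thread. The first profile is the open form: the web UI and SSH answer to anything that can reach the ethernet1/1 address. The second keeps the same services but restricts them with `permitted-ip`, which is what makes exposing management on a WAN-facing interface tolerable. The profile names and the permitted subnet (assumed to be the upstream LAN the firewall's WAN port currently sits on) are assumptions, and the `#` lines are reading notes to drop before pasting.

```panos
# Added example, not from the original thread. Names and the permitted subnet are assumptions.
# Weak: management services reachable from any source that can reach the WAN interface.
set network profiles interface-management-profile WAN-Mgmt-Open https yes
set network profiles interface-management-profile WAN-Mgmt-Open ssh yes

# Hardened: same services, limited to one trusted source network.
set network profiles interface-management-profile WAN-Mgmt https yes
set network profiles interface-management-profile WAN-Mgmt ssh yes
set network profiles interface-management-profile WAN-Mgmt permitted-ip 192.168.0.0/24

# Attach the restricted profile to the WAN interface; an interface takes one profile,
# so this replaces any open profile previously bound to ethernet1/1.
set network interface ethernet ethernet1/1 layer3 interface-management-profile WAN-Mgmt
```

Keep plain HTTP and Telnet off such a profile, and once the firewall is in its final place on the internet side, narrow `permitted-ip` to the specific administration host or remove the profile from the WAN interface altogether and manage the device from the LAN or the MGT port instead.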

L2 Linker

Hello Seb,

Thanks, I fixed the WAN IP MGMT and WAN BLOCK rule by setting up HTTP and HTTPS access to the WAN port. Retested and I can access everything, and I even configured the rule for the VLAN home network.

 

I noticed none of my security licenses were working, so I downloaded the licenses from the support site and uploaded them all from scratch and individually. Question: if the firewall is already authenticated and registered, why don't the licenses and updates update automatically after a reset?

 

Reran the commit and Anti-Spyware output a database error; I'll show you that next time.

 

I started to add further security settings such as DDoS protection and managed to lock myself out again, #DoughnutMoment. There is DDoS protection in two sections of the web interface, so I'm not sure which one has blocked my access to the web interface. Tomorrow morning I'll double-check the DDoS settings and update you.

 

From the URL filtering I noticed I can't enable SafeSearch; do I need to create a separate profile?

For WildFire, I noticed the database was not activated; now I'm hoping that with the manual licenses this should update automatically.

For DHCP reservations or static IP addresses that are already on my network, I saw there is a reservation table. Question: once I plug the PA-415 into my network officially, where are the DHCP and ARP tables, as I couldn't see how to add the static IP addresses automatically onto an ARP or DHCP table so I don't have to enter them manually from my old router?

Question: or is there a way I can upload a fixed DHCP reservation table to the PA-415 to save me the time and effort?

 

From Jatin

L4 Transporter

Hi there,

Regarding the reset, the license information is held in the configuration, so you will need to reapply the licenses in that scenario.

 

On the PA if you are using the DHCP service you can add reservations in each scope, the CLI format looks like:

set network dhcp interface ethernet1/1 server reserved 192.168.1.200 mac aa:bb:cc:dd:ee:ff
set network dhcp interface ethernet1/1 server reserved 192.168.1.200 description server_001

 

...obviously change the interface and subnet information to suit your environment.

 

Can I suggest that to make this thread useful to community members that you make it solved and create new posts to cover any additional questions as I think we are drifting away from the core question about Layer2 switch interfaces and VLANs. 🙂

 

cheers,

Seb.

L2 Linker

Hey Seb,

Thank you very much for your help on this very long and detailed issue. I have selected Accept as Solution on the last part, when I had to change the zone on the NAT rule.

-> I have also swapped out the WAN side to the Virgin Media router, amended the static route and all is working.

-> I have left the draytel connection into the Mgmt of the PA-415 for now to ensure everything is okay.

-> The VLAN interface with DHCP server is working as expected on the test machine, and DNS and internet are working.

-> My sub-interface and VLAN on the zone are still okay. I am not going to delete my sub-interface in case it goes wrong, but I'm sure that's needed.

[screenshot attached: jatin_2023_0-1689331020515.png]

 

-> I am starting to see a small percentage of threat logs on the PA-415, so I will monitor this.

All in all I think we are good to go on the Layer 2 with VLAN segregation.

Most blessed of your time and patience on this question and response.

From Jatin Patel

  • 10376 Views
  • 35 replies
  • 1 Likes