About Falk-Schneider

Hello,   I'm having trouble setting this up correctly.   We have eth1/2 where a PPPoE Connection is available that we use for Internet Traffic from our guest wifi. We also have eth1/14 where our main Connection is running. We have a GP Configuration which allows external Users to connect to via an external IP Address which is then NATted to the internal IP, which works great from anywhere BUT the PPPoE on the eth1/2 interface from the palo.   Due to an ISP switch from our main provider I moved all the external services to new ip addresses. Everything is working fine from external and internal, just the NATting from the guest net on eth1/2 does not. Before the ISP switch on the old external GP IP this worked.   The Setup from internal guest net:   1. Connect Notebook to guest wifi going out via PPPoE on eth1/2 using Google DNS 8.8.8.8 to resolve our FQDN for the GP Adress - it resolves to the new IP 2. Have a destination NAT rule from source guest and WAN zone to destination WAN pointing to eth1/14 where the new ISP connection is which translates the public GP IP to the internal IP 3. The NAT policy gets hit and i see traffic coming from the public IP of the PPPoE connection to our external GP IP which does not get blocked because its allowed by a corresponding security rule but the a ping just times out 4. The traffic I see has source eth1/14 and I see the NAT source IP as the public IP from the PPPoE connection from eth1/2 There is no traffic blocking at this stage, it's all allowed.       The NAT Session data looks like this (eth1/12) is a DMZ zone where the GP Portal is located. I had to censor a few things, I hope it's still understandable.   Session 848193 c2s flow: source: 212.110.XXX.XX [WAN] dst: 93.159.XXX.XXX proto: 1 sport: 8720 dport: 11 state: INIT type: FLOW src user: unknown dst user: unknown s2c flow: source: 192.168.50.1 [XX-Client-VPN] dst: 212.110.XXX.XX proto: 1 sport: 11 dport: 8720 state: INIT type: FLOW src user: unknown dst user: unknown start time : Wed Oct 26 13:22:37 2022 timeout : 6 sec total byte count(c2s) : 98 total byte count(s2c) : 0 layer7 packet count(c2s) : 1 layer7 packet count(s2c) : 0 vsys : vsys1 application : ping rule : From-Any-To-GlobalProtect service timeout override(index) : False session to be logged at end : True session in session ager : False session updated by HA peer : False address/port translation : source + destination nat-rule : XXX - GlobalProtect NAT Policy(vsys1) layer7 processing : enabled URL filtering enabled : True URL category : any session via syn-cookies : False session terminated on host : True session traverses tunnel : False session terminate tunnel : False captive portal session : False ingress interface : ethernet1/14 egress interface : ethernet1/12 session QoS rule : N/A (class 4) tracker stage firewall : Aged out end-reason : aged-out         We still have the old ISP on eth1/1 and we have the same NAT rule in place as for eth1/14 just the external IP of the GP is different. With this IP the traffic goes directly from the Guest Zone to the Zone where the GP Portal is located and I do not understand why. So with the old IP the same Setup works, but I dont understand why it's not going over the WAN connection?   Here is the NAT session to the old external IP:   Session 970134 c2s flow: source: 10.0.106.220 [XX-Guest] dst: 195.37.XX.XXX proto: 1 sport: 11536 dport: 22 state: INIT type: FLOW src user: unknown dst user: unknown s2c flow: source: 192.168.50.1 [XX-Client-VPN] dst: 10.0.106.220 proto: 1 sport: 22 dport: 11536 state: INIT type: FLOW src user: unknown dst user: unknown start time : Wed Oct 26 13:24:24 2022 timeout : 6 sec total byte count(c2s) : 98 total byte count(s2c) : 98 layer7 packet count(c2s) : 1 layer7 packet count(s2c) : 1 vsys : vsys1 application : ping rule : From-Any-To-GlobalProtect service timeout override(index) : False session to be logged at end : True session in session ager : False session updated by HA peer : False address/port translation : source + destination nat-rule : GlobalProtect NAT Policy(vsys1) layer7 processing : enabled URL filtering enabled : True URL category : any session via syn-cookies : False session terminated on host : True session traverses tunnel : False session terminate tunnel : False captive portal session : False ingress interface : ethernet1/11 egress interface : ethernet1/12 session QoS rule : N/A (class 4) tracker stage firewall : Aged out end-reason : aged-out   As you can see it directly uses eth1/11 as ingress (which is the guest net) and goes directly to eth1/12 and I don't understand why, can anyone help me out? ... View more