Palo Alto Networks Knowledgebase: Getting Started: Firewall as a PPPoE or DHCP Client
Created On 09/25/18 19:02 PM - Last Updated 07/18/19 20:11 PM
When setting up a firewall in a smaller office or in an off-the-grid location, the local ISP may only be able to connect you through a cable or DSL modem, which requires your external interface to be configured as a DHCP client or a PPPoE client.
Tip: If your ISP supports it, try to obtain a connection in 'bridge' mode so the external IP address is served directly to your external interface rather than to the DSL or cable modem. This ensures NAT is only done on the firewall.
Configuring the Untrust interface as client
The first step in getting your firewall connected is to configure the external interface so it can receive DHCP parameters, or set up PPPoE negotiation, and connect to the ISP.
In the Interfaces tab, the interface needs to be set to Layer3 mode. If you have not performed this step yet and your interfaces are still configured in Virtual Wire mode, first read this article: Getting Started: Layer 3, NAT, and DHCP
Make sure the interface is assigned to a Virtual Router and a Zone.
If the ISP provides normal DHCP services, select 'DHCP Client' from the IPv4 tab (note: the firewall does not currently support IPv6 DHCP Client mode).
Ensure DHCP Client mode is enabled.
Select the option to automatically create a default route from the DHCP parameters received from the ISP. If this option is not checked, a default route needs to be added manually in the Virtual Router.
If the ISP requires PPPoE authentication, select the PPPoE radio button, make sure 'enable' is selected, and provide the username and password your ISP issued for your connection.
Select the Advanced tab to enter additional connection parameters.
The authentication protocol can be set to PAP, CHAP or auto.
If the ISP provided a static IP address or subnet, it needs to be configured here. If the ISP assigns an IP address dynamically, this field should be set to 'None'.
Enable the automatic default route to receive this information from the PPPoE peer. If this option is left unselected, a manual default route needs to be created in the Virtual Router.
If the ISP requires it, an Access Concentrator and a Service string can be added to the PPPoE configuration. The PPPoE endpoint can also be set to a passive state, in which case the client waits for the Access Concentrator to send the first frame.
Once the desired method has been selected, click OK and Commit the configuration. Once the commit has completed, the 'Show PPPoE/DHCP Client Runtime Info' links will start working and will provide feedback on the current status of the interface.
The DHCP client status will include Renew and Release buttons; the PPPoE client status has a Connect or Disconnect button.
DHCP or PPPoE inheritance on the local subnet
The information received from the ISP's DHCP or PPPoE server can in turn be used to populate the clients on the local network with DNS, WINS, NIS, NTP, POP3, SMTP and DNS suffix settings by enabling inheritance. This way, users can be assigned region-specific DNS servers, for example, which can improve responsiveness.
When configuring the LAN interface, make sure it is assigned to the same Virtual Router as the Untrust interface, and assign it an appropriate zone:
Assign an IP address and subnet mask to the interface.
Next, create a new DHCP profile and assign an IP pool in the interface's subnet.
In the Options tab, inheritance can be enabled:
Your clients will now receive the same DNS settings as distributed by the ISP.
Since the Untrust interface does not have a static IP address, any outbound NAT rules simply need to be set to the interface address (the interface name only) in Source Translation.
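The CLI equivalent of the steps above, as an added example that is not part of the original article. It assumes ethernet1/1 is the Untrust (ISP-facing) interface, ethernet1/2 is the LAN interface, the virtual router is 'default' and the zones are 'untrust' and 'trust'; the addresses and credentials are placeholders, and the set-command paths are given from memory as an assumption, so confirm them with tab completion on your PAN-OS version.

```text
# Added example (not from the original article); names and addresses are placeholders.
configure

# --- Option A: Untrust interface as DHCP client ---
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
# Take the default route from the DHCP offer; otherwise add one manually in the virtual router
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes
set network interface ethernet ethernet1/1 layer3 dhcp-client default-route-metric 10

# --- Option B: Untrust interface as PPPoE client (use instead of option A) ---
set network interface ethernet ethernet1/1 layer3 pppoe enable yes
set network interface ethernet ethernet1/1 layer3 pppoe username ISP-USERNAME
set network interface ethernet ethernet1/1 layer3 pppoe password ISP-PASSWORD
set network interface ethernet ethernet1/1 layer3 pppoe authentication auto
set network interface ethernet ethernet1/1 layer3 pppoe create-default-route yes
# Only when the ISP assigned a static address; omit it for dynamic assignment ('None' in the GUI)
set network interface ethernet ethernet1/1 layer3 pppoe static-address 203.0.113.10/32
# Only when the ISP requires an Access Concentrator / Service string or a passive client
set network interface ethernet ethernet1/1 layer3 pppoe access-concentrator AC-NAME
set network interface ethernet ethernet1/1 layer3 pppoe service SERVICE-NAME
set network interface ethernet ethernet1/1 layer3 pppoe passive enable yes

# --- Both interfaces in the same virtual router, each in its own zone ---
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2

# --- LAN interface and DHCP server with inheritance from the Untrust interface ---
set network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24
set network dhcp interface ethernet1/2 server mode enabled
set network dhcp interface ethernet1/2 server ip-pool 192.168.1.100-192.168.1.200
set network dhcp interface ethernet1/2 server option gateway 192.168.1.1
set network dhcp interface ethernet1/2 server option subnet-mask 255.255.255.0
# DNS, NTP, DNS suffix etc. are copied from what the ISP hands to ethernet1/1
set network dhcp interface ethernet1/2 server option inheritance source ethernet1/1

# --- Outbound NAT: Untrust has no static IP, so translate to the interface address ---
set rulebase nat rules outbound-nat from trust to untrust source any destination any service any
set rulebase nat rules outbound-nat source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
exit

# --- Verify after the commit (operational mode) ---
show dhcp client state all
show pppoe interface ethernet1/1
show log system subtype equal pppoe direction equal backwards
```

Apply only one of options A and B on the same interface; the two client modes are mutually exclusive.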
In the system logs, subtype 'dhcp' returns both DHCP server and DHCP client information, and subtype 'pppoe' returns PPPoE connectivity logs. The same logs can be retrieved with the following command from the CLI:
> show log system subtype equal dhcp direction equal backwards