Palo Alto Networks Knowledgebase: Getting Started: Firewall as a PPPoE or DHCP Client

Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
Resolution

When setting up a firewall in a smaller office or in an off-the-grid location, the local ISP may only be able to connect you through a cable or DSL modem, which requires your external interface to be configured as a DHCP client or PPPoE client.

Tip: If your ISP supports it, try to obtain a connection in 'bridge' mode so the external IP address is served directly to your external interface rather than to the DSL or cable modem. This ensures NAT is only done on the firewall.

Configuring the Untrust interface as client

The first step to get your firewall connected is to configure the external interface so it is able to receive DHCP parameters or set up PPPoE negotiations and connect to the ISP.

In the Interfaces tab, the interface needs to be set to Layer3 mode. If you have not seen this step and your interfaces are still configured in Virtual Wire mode, first take a look at this article: Getting Started: Layer 3, NAT, and DHCP

Make sure the interface is assigned to a Virtual Router and a Zone.


If the ISP provides normal DHCP services:

  1. Select 'DHCP Client' from the IPv4 tab (note: the firewall does not currently support IPv6 DHCP Client mode).
  2. Ensure DHCP Client mode is enabled.
  3. Elect to automatically create a default route from the DHCP parameters received from the ISP. If this option is not checked, a default route needs to be added manually in the Virtual Router.

If the ISP requires PPPoE authentication, select the PPPoE radio button, make sure 'enable' is selected and provide the username and password your ISP provided for your connection.

Select the Advanced tab to enter additional connection parameters.

  1. The authentication protocol can be set to PAP, CHAP or auto.
  2. If the ISP was able to provide a static IP address or subnet, it needs to be configured here. If the ISP assigns an IP dynamically, this field should be set to 'None'.
  3. Enable the automatic default route to receive this information from the PPPoE peer. If this option is left unselected, a manual default route needs to be created in the Virtual Router.
  4. If required by the ISP, an Access Concentrator and Service string can be added to the PPPoE configuration. The PPPoE endpoint can also be set to a passive state, in which case the client waits for the Access Concentrator to send the first frame.

Once the desired method has been selected, click OK and Commit the configuration. Once the commit has completed, the 'Show PPPoE/DHCP Client Runtime Info' links will start working and will provide feedback on the current status of the interface.

The DHCP client status will include Renew and Release buttons; the PPPoE client status has a Connect or Disconnect button.
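The same Untrust-side configuration can be done from the PAN-OS CLI. The commands below are an added example, not part of the original article; they assume ethernet1/1 is the external interface, the virtual router is named "default" and the zone "untrust", and the ISP credentials, static address, Access Concentrator and Service names are placeholders. The keyword names are written from memory of the PAN-OS configuration tree and should be confirmed with tab completion on the release you are running.

```text
# Added example (not from the original article). Assumptions: ethernet1/1 is the
# Untrust interface, virtual router "default", zone "untrust"; ISP-USERNAME,
# ISP-PASSWORD, 203.0.113.10, AC-NAME and SERVICE-NAME are placeholders.
configure

# Common to both methods: Layer3 interface attached to a virtual router and a zone
set network interface ethernet ethernet1/1 layer3
set network virtual-router default interface ethernet1/1
set zone untrust network layer3 ethernet1/1

# Option A: DHCP client (IPv4 only) with an automatically created default route
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes
set network interface ethernet ethernet1/1 layer3 dhcp-client default-route-metric 10

# Option B: PPPoE client (configure this instead of option A on the same interface)
set network interface ethernet ethernet1/1 layer3 pppoe enable yes
set network interface ethernet ethernet1/1 layer3 pppoe username ISP-USERNAME
set network interface ethernet ethernet1/1 layer3 pppoe password ISP-PASSWORD
set network interface ethernet ethernet1/1 layer3 pppoe authentication auto
set network interface ethernet ethernet1/1 layer3 pppoe create-default-route yes
set network interface ethernet ethernet1/1 layer3 pppoe default-route-metric 10
# Only when the ISP requires them (static address, AC/service strings, passive mode):
set network interface ethernet ethernet1/1 layer3 pppoe static-address ip 203.0.113.10
set network interface ethernet ethernet1/1 layer3 pppoe access-concentrator AC-NAME
set network interface ethernet ethernet1/1 layer3 pppoe service SERVICE-NAME
set network interface ethernet ethernet1/1 layer3 pppoe passive enable yes

commit
exit

# Operational-mode checks: the CLI counterparts of the 'Runtime Info' links
show dhcp client state all
show pppoe interface all
show routing route
```

After the commit, `show routing route` should list a default route (0.0.0.0/0) learned from the DHCP lease or PPPoE session; if it is missing, either the automatic default route option was not enabled or the negotiation with the ISP has not completed, which the two client status commands will show.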

DHCP or PPPoE inheritance on the local subnet

The information received from the ISP DHCP or PPPoE server can in turn be used to populate the clients on the local network with DNS, WINS, NIS, NTP, POP3, SMTP and DNS suffix settings by enabling inheritance. This way users can, for example, be assigned region-specific DNS servers, which can improve responsiveness.

 

When configuring the LAN interface, make sure it is assigned to the same Virtual Router as the Untrust interface, and assign it an appropriate zone.

Assign an IP address and subnet mask to the interface.

Next, create a new DHCP profile and assign an IP Pool in the interface's subnet.

In the Options tab the inheritance can be enabled.

Your clients will now receive the same DNS settings as distributed by the ISP.

 

NAT

Since the Untrust interface does not have a static IP address, any outbound NAT rules simply need to be set to the interface name only (interface address) in Source Translation.
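The LAN-side DHCP server with inheritance and the interface-address NAT rule from the two sections above, as an added CLI example that is not part of the original article. It assumes ethernet1/2 is the LAN interface in zone "trust" with address 192.168.1.1/24, that ethernet1/1 is the Untrust DHCP or PPPoE client interface in zone "untrust", and that the virtual router is named "default"; the rule name and pool range are made up for the example, and the keyword names should be confirmed with tab completion on your release.

```text
# Added example (not from the original article). Assumptions: ethernet1/2 is the
# LAN interface (192.168.1.1/24, zone "trust"), ethernet1/1 the Untrust client
# interface (zone "untrust"), virtual router "default".
configure
set network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24
set network virtual-router default interface ethernet1/2
set zone trust network layer3 ethernet1/2

# DHCP server with a pool inside the interface subnet. DNS and NTP values are
# inherited from the lease or PPPoE session on ethernet1/1 instead of being typed in.
set network dhcp interface ethernet1/2 server ip-pool 192.168.1.100-192.168.1.200
set network dhcp interface ethernet1/2 server option gateway 192.168.1.1
set network dhcp interface ethernet1/2 server option subnet-mask 255.255.255.0
set network dhcp interface ethernet1/2 server option inheritance source ethernet1/1
set network dhcp interface ethernet1/2 server option dns primary inherited
set network dhcp interface ethernet1/2 server option dns secondary inherited
set network dhcp interface ethernet1/2 server option ntp primary inherited

# Source NAT keyed on the egress interface rather than a fixed address, so the
# rule keeps working when the ISP hands out a different address
set rulebase nat rules Outbound-NAT from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
exit

# Verify what the LAN clients are being told and which leases were handed out
show dhcp server settings interface ethernet1/2
show dhcp server lease interface ethernet1/2
```

If the inherited DNS entries show up empty in the server settings, check the Untrust client status first: inheritance can only pass on options that the ISP actually included in the lease or PPPoE session.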

Reviewing logs

In the system logs, the subtype 'dhcp' will return both DHCP server and DHCP client information; subtype 'pppoe' will return PPPoE connectivity logs.

Alternatively, use the following command from the CLI:

> show log system subtype equal dhcp direction equal backwards

Please feel free to comment below!

Reaper


