Wednesday, June 6, 2018

Palo Alto PPPoE with VLAN tag: a stupid setup, but it works!!

Palo Alto does not allow PPPoE on a Layer 3 sub-interface (PPPoE is only supported on a physical Layer 3 interface), but certain ISPs require the PPPoE session to run inside a VLAN tag.


Update (2018) from reaper


So I came up with this setup. Yes, it is stupid, but it works!



Basically, ethernet1/3 is set up as a Layer 3 interface running PPPoE.

Select Layer 3 as the interface type, then assign the virtual router and the security zone.

Go to the IPv4 tab, tick PPPoE, then fill in the credentials your ISP requires.


ethernet1/4
Set the interface type to Layer 2, create a VLAN object and assign it here; I left the security zone blank. Note that no security policy is evaluated on these Layer 2 interfaces: they only shuttle the PPPoE frames to the modem, and policy still applies at ethernet1/3 in its zone.


ethernet1/5: edit ethernet1/5, then at the bottom of the dialog create a sub-interface.


Configure the sub-interface with Tag (VLAN ID) 500, since the Malaysian ISP Unifi uses VLAN ID 500, and under VLAN select the VLAN object created earlier for ethernet1/4, so that both interfaces belong to the same VLAN.



P.S. The trick is that ethernet1/3 is looped back into ethernet1/4 with a patch cable: the untagged PPPoE frames leaving the Layer 3 interface enter the VLAN object on ethernet1/4 and are switched out of ethernet1/5.500 with tag 500 towards the modem. Without the VLAN object assigned to both ethernet1/4 and ethernet1/5.500, the packets never reached the modem (in my testing a laptop stood in for the modem).


Tadahhh...

My laptop received the PPPoE discovery broadcast packets tagged with VLAN ID 500.

It is a stupid setup, but it works, LOL.
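To confirm what the modem side actually sees, here is a small added example (my own code, not part of the original post and not a Palo Alto tool): it decodes the Ethernet II header, one optional 802.1Q tag and the PPPoE header, then counts discovery frames by whether they carry the tag the ISP expects. The frames are constructed in the script (the firewall MAC 00:11:22:33:44:55 is made up) and stand in for a Wireshark capture; the "untagged" and "wrong_vlan" buckets are the two failure modes of this setup, a missing VLAN object on one side and a sub-interface tag that does not match the ISP's VLAN.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_padi(src_mac: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Constructed sample: a minimal PADI (PPPoE discovery broadcast) from src_mac,
    wrapped in an 802.1Q tag when vlan_id is given. Stands in for a real capture."""
    # PPPoE header: ver/type 0x11, code 0x09 (PADI), session 0, payload length 4,
    # followed by a single empty Service-Name tag (type 0x0101, length 0).
    pppoe = struct.pack("!BBHH", 0x11, 0x09, 0x0000, 4) + struct.pack("!HH", 0x0101, 0)
    frame = BROADCAST + src_mac
    if vlan_id is not None:
        # TCI with PCP=0, DEI=0 and the 12-bit VLAN ID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY)
    return frame + pppoe


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II, one optional 802.1Q tag, and the PPPoE header if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    info: Dict[str, object] = {
        "dst": mac_str(dst), "src": mac_str(src), "vlan_id": vlan_id,
        "ethertype": ethertype, "pppoe_code": None,
    }
    if ethertype in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        if len(frame) < offset + 6:
            raise ValueError("truncated PPPoE header")
        _ver_type, code, _session, _length = struct.unpack("!BBHH", frame[offset:offset + 6])
        info["pppoe_code"] = PPPOE_CODES.get(code, f"0x{code:02x}")
    return info


def check_discovery(frames: List[bytes], expected_vlan: int) -> Dict[str, int]:
    """Count PPPoE discovery frames by whether they carry the tag the ISP expects.
    'untagged': the VLAN object is missing on one side, frames leave without a tag.
    'wrong_vlan': the sub-interface tag does not match the ISP's VLAN ID."""
    counts = {"ok": 0, "untagged": 0, "wrong_vlan": 0, "other": 0}
    for frame in frames:
        p = parse_frame(frame)
        if p["ethertype"] != ETHERTYPE_PPPOE_DISCOVERY:
            counts["other"] += 1
        elif p["vlan_id"] is None:
            counts["untagged"] += 1
        elif p["vlan_id"] != expected_vlan:
            counts["wrong_vlan"] += 1
        else:
            counts["ok"] += 1
    return counts


if __name__ == "__main__":
    fw_mac = bytes.fromhex("001122334455")  # constructed firewall MAC, not a real device
    capture = [build_padi(fw_mac, 500), build_padi(fw_mac), build_padi(fw_mac, 2)]
    for f in capture:
        print(parse_frame(f))
    print(check_discovery(capture, expected_vlan=500))
```

To run it over a real capture, pass the raw bytes of each packet (for example `bytes(pkt)` for each packet returned by scapy's `rdpcap`) to `check_discovery` with the ISP's VLAN ID. One caveat when the verdict is "untagged": some laptop NIC drivers strip 802.1Q tags before the capture ever sees them, so confirm with a capture setup that preserves tags before concluding that the firewall sent the frames untagged.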


Alternative setup if you have a spare switch with VLAN support: let the switch add the tag instead of the firewall.


Summary: PPPoE on a Layer 3 sub-interface is a very common requirement, so Palo Alto should just support it, okay!

6 comments:

  1. This is awesome, as I'm stuck with the same issue of getting it working with Unifi. Maybe a silly question, but does the laptop go into Eth 1/5 (with nothing plugged into Eth 1/4)?

  2. Finally figured out what you meant and managed to get this working too :-D Still trying to figure out how to get the other public IPs routing, though; right now only the ISP's default gateway is working.

    1. Hi, I've tried this also but have been unable to get it working for VLAN 2 on PAN-OS 8.1.16.

      Config used:

      Network -> Interfaces:
      Interface: 1/1 Type: Layer 3 IP: PPPoE VR: default Tag: Untagged VLAN: None Zone: untrust
      Interface: 1/3 Type: Layer 2 IP: none VR: none Tag: Untagged VLAN: 2 Zone: none
      Interface: 1/4 Type: Layer 2 IP: none VR: none Tag: Untagged VLAN: none Zone: none
      Interface: 1/4.2 Type: Layer 2 IP: none VR: none Tag: 2 VLAN: 2 Zone: none


      Network -> Interfaces -> VLAN:
      vlan.2: Assign Interface to: VLAN:2 VR: None : Zone: None


      Network cable connects 1/1 to 1/3.
      Laptop running Wireshark is connected to 1/4.
      PPPoE discover packets are captured but not tagged as VLAN 2.

      Can you please help?

      Regards,
      Raymond.

  3. Hi, I've tried this but have been unable to get it working for VLAN 2 on PAN-OS 8.1.16.

    Config used:

    Network -> Interfaces:
    Interface: 1/1 Type: Layer 3 IP: PPPoE VR: default Tag: Untagged VLAN: None Zone: untrust
    Interface: 1/3 Type: Layer 2 IP: none VR: none Tag: Untagged VLAN: 2 Zone: none
    Interface: 1/4 Type: Layer 2 IP: none VR: none Tag: Untagged VLAN: none Zone: none
    Interface: 1/4.2 Type: Layer 2 IP: none VR: none Tag: 2 VLAN: 2 Zone: none


    Network -> Interfaces -> VLAN:
    vlan.2: Assign Interface to: VLAN:2 VR: None : Zone: None


    Network cable connects 1/1 to 1/3.
    Laptop running Wireshark is connected to 1/4.
    PPPoE discover packets are captured but not tagged as VLAN 2.

    Can anyone please help?

    Regards,
    Raymond.

  4. I'm having the same issue since TMnet gave me a Zyxel router with a PA-220. Please change the router to a D-Link or Netis (dl4480v1), then configure the PA-220 as PPPoE or Static IP. It will work. Modem -> Router -> PA-220. The router functions like bridge mode and strips off VLAN 500.

  5. Internet goes to eth1/5, then eth1/3 cross-connects to eth1/1.
