PAN-OS - PPPoE on a VLAN Tagged Sub-Interface
About a year ago a new internet provider set up shop in The Netherlands (https://freedom.nl). Up until then I was a happy camper with cable internet.
I had my modem configured for bridged mode and had my PA-220 connected using a DHCP-enabled interface. Worked like a charm, solid as a rock. Freedom Internet announced their beta test, and partly because of their ethics and ideals I decided to switch. I was lucky and got a spot on one of their beta tests. I received a new modem and all worked straight out of the box. Awesome. Except for the fact that I was not able to connect my PA-220 without the modem. At the time, PAN-OS 9.1.x did not support PPPoE on a VLAN tagged sub-interface. Currently I’m running 10.0.x and it still doesn’t. Sad but true.
So what are my options here?
- Use the supplied modem and do double NAT.
- Use an extra device/VM to do the VLAN tagging.
Neither is my favorite solution. I want a single device to handle my internet connection. Keep it simple, stupid. The principle is pretty easy: we need a PPPoE-enabled interface in VLAN 6. One option is to use a device that supplies the VLAN tagging, a switch for example. Why not configure that switch within the PA-220?
Configure a security zone for layer 2 traffic:
Configure a layer 3 interface with PPPoE:
Create a VLAN; for my internet provider it needs to be VLAN 6:
Configure a layer 2 interface as an access port on your VLAN:
Configure a layer 2 interface with a subinterface:
Make sure the layer 2 subinterface is tagged VLAN 6:
Overview of interfaces:
Connect your PPPoE layer 3 interface to your layer 2 access interface using a short patch cable.
In my case I connected port ethernet1/4 and ethernet1/5 using a green patch cable.
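To see what the layer 2 VLAN inside the PA-220 does to the PPPoE traffic, here is an added example in Python (not from the original post): it builds an untagged PPPoE discovery frame, as a PPPoE client sends it, and applies the 802.1Q tag for VLAN 6 the way a tagged subinterface does on egress. The function names and the source MAC address are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
PPPOE_DISCOVERY = 0x8863   # EtherType, PPPoE discovery stage (PADI/PADO/PADR/PADS)
PPPOE_SESSION = 0x8864     # EtherType, PPPoE session stage
ISP_VLAN = 6               # VLAN ID the post's provider requires

def build_padi(src_mac):
    """Untagged PADI broadcast: ver/type 0x11, code 0x09, session 0."""
    tags = struct.pack("!HH", 0x0101, 0)  # empty Service-Name tag
    pppoe = struct.pack("!BBHH", 0x11, 0x09, 0, len(tags)) + tags
    return b"\xff" * 6 + src_mac + struct.pack("!H", PPPOE_DISCOVERY) + pppoe

def push_tag(frame, vid, pcp=0):
    """Egress on the tagged subinterface: insert TPID + TCI after the MACs."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def pop_tag(frame):
    """Ingress: return (vid, untagged frame); vid is None if no tag is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def describe(frame):
    """One-line summary, handy for checking a capture taken towards the ONT."""
    vid, inner = pop_tag(frame)
    (ethertype,) = struct.unpack("!H", inner[12:14])
    kinds = {PPPOE_DISCOVERY: "pppoe-discovery", PPPOE_SESSION: "pppoe-session"}
    return f"vlan={vid} type={kinds.get(ethertype, 'other')}"

if __name__ == "__main__":
    padi = build_padi(bytes.fromhex("020000000001"))  # constructed MAC address
    print(describe(padi))                       # frame on the patch cable
    print(describe(push_tag(padi, ISP_VLAN)))   # frame leaving towards the provider
```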
Connection details for my internet connection.
I used a ZTE ZXHN F3100 Media Converter to connect my optical network terminal (ONT) with interface ethernet1/4 on the PA-220.