PAN-OS - PPPoE on a VLAN Tagged Sub-Interface

About a year ago a new internet provider set up shop in the Netherlands (https://freedom.nl). Up until then I was a happy camper with cable internet.

I had my modem configured for bridged mode and had my PA-220 connected using a DHCP-enabled interface. Worked like a charm, solid as a rock. Freedom Internet announced their beta test, and partly because of their ethics and ideals I decided to switch. I was lucky and got a spot on one of their beta tests. I received a new modem and all worked straight out of the box. Awesome. Except for the fact I was not able to connect my PA-220 without the modem. At the time PAN-OS 9.1.x did not support PPPoE on a VLAN tagged sub-interface. Currently I’m running 10.0.x and it still doesn’t. Sad but true.

So what are my options here?

  • Use the supplied modem and do double NAT.
  • Use an extra device/VM to do the VLAN tagging.

Neither is my favorite solution. I want a single device to handle my internet connection. Keep it simple, stupid. So the principle is pretty easy. We need a PPPoE-enabled interface in VLAN 6. One option is to use a device that supplies the VLAN tagging. A switch, for example. Why not configure that switch within the PA-220?

Configure a security zone for layer 2 traffic:

Configure a layer 3 interface with PPPoE:

Configure PPPoE:

Create a VLAN; for my internet provider it needs to be VLAN 6:

Configure a layer 2 interface as an access port on your VLAN:

Configure a layer 2 interface with a subinterface:

Make sure the layer 2 subinterface is tagged VLAN 6:

Overview of interfaces:

Connect your PPPoE layer 3 interface to your layer 2 access interface using a short patch cable.

In my case I connected port ethernet1/4 and ethernet1/5 using a green patch cable.

Connected! Yay!

Connection details for my internet connection.

I used a ZTE ZXHN F3100 Media Converter to connect my optical network terminal (ONT) with interface ethernet1/4 on the PA-220.
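
The steps above written out as PAN-OS CLI `set` commands, as an added example that is not part of the original post. The interface placeholders, the object names `vlan6` and `l2-wan`, and the credentials are assumptions, and the command paths are written from memory of the PAN-OS configuration tree, so confirm each one with tab completion on your release before committing.

```text
# Annotation lines start with '#' and are not CLI input.
# Placeholders (not from the original post):
#   <PPPOE_IF>   layer 3 port that runs PPPoE
#   <ACCESS_IF>  layer 2 access port, patched to <PPPOE_IF> with the short cable
#   <ONT_IF>     layer 2 port facing the ONT / media converter
#   <ISP_USER>, <ISP_PASS>  PPPoE credentials from the provider
# The object names vlan6 and l2-wan are constructed for this example.

configure

# Layer 3 interface with PPPoE
set network interface ethernet <PPPOE_IF> layer3 pppoe enable yes
set network interface ethernet <PPPOE_IF> layer3 pppoe username <ISP_USER>
set network interface ethernet <PPPOE_IF> layer3 pppoe password <ISP_PASS>

# Layer 2 access port (untagged side of the internal "switch")
set network interface ethernet <ACCESS_IF> layer2

# Layer 2 port toward the ONT, with a subinterface tagged VLAN 6
set network interface ethernet <ONT_IF> layer2 units <ONT_IF>.6 tag 6

# VLAN object that bridges the untagged access port and the tagged subinterface
set network vlan vlan6 interface [ <ACCESS_IF> <ONT_IF>.6 ]

# Security zone for the layer 2 traffic
set zone l2-wan network layer2 [ <ACCESS_IF> <ONT_IF>.6 ]

# Not listed in the steps above: the PPPoE interface still needs its own
# layer 3 zone and a virtual router, like any other internet-facing interface.

commit
```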