Dual-Stack PPPoE on a Palo Alto Firewall

If you want to establish a dual-stack Internet connection (that is: IPv6 and IPv4) directly from your firewall over an xDSL line, you need several technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, PANW finally added those missing IPv6 pieces to their Strata firewalls. (I have been awaiting them since 2015!)

So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:

I’m using a PA-440 with PAN-OS 11.2.4-h2, connected through a DrayTek Vigor167 modem to the German ISP “Deutsche Telekom” on ethernet1/2. No VLAN configuration is needed on the firewall since the DSL modem already tags the traffic with VLAN 7 towards the ISP.

Side note: Unfortunately, we don’t have static IP addresses or static IPv6 subnets on most German residential ISPs. Hence, after every DSL reconnect or firewall reboot, we get new public IPv4/IPv6 addresses along with a new IPv6 prefix. 🤦

PPPoE for legacy IP

Quite straightforward: a Layer 3 interface of type PPPoE, with username & password added:

PPPoEv6 & DHCPv6-PD for IPv6

A few more options and submenus are involved for IPv6. Also note the quite good documentation from Palo Alto Networks itself.

  • Type “PPPoEv6 Client”, enable it, and tick “Apply IPv4 Parameters” since the same login should be used
  • followed by the address assignment: “Accept Router Advertised Route” together with Autoconfig enabled, since, in my case, the firewall gets its WAN IPv6 address through a Router Advertisement (SLAAC) from the ISP’s router rather than through stateful DHCPv6
  • still at the address assignment: enable DHCPv6, but only with the Prefix Delegation options, and give the pool a name, in my case: DTAG. Note that the DHCP prefix length is just a hint and is probably not honored by the ISP
  • and finally, the DNS support, at least for the DNS resolver; the search list from the ISP remains useless

For IPv4 client networks, you can now add (sub-)interfaces with RFC 1918 addresses together with an SNAT rule using the WAN interface. For IPv6 downstream interfaces, you have to configure “Inherited” networks that use a /64 prefix out of the one delegated by your ISP, as shown here. No NAT is needed. ✅

Commit ;)

Client Runtime Information

Through the GUI, you can look up various runtime information such as the PPPoE and PPPoEv6 IP addresses, the DHCPv6-PD prefix, the prefixes actually assigned to downstream interfaces, the (default) routes within the forwarding table of the logical router, as well as the relevant system logs:

Some basic show commands are these: (Always remember that you can find all CLI commands concerning a keyword such as “pppoe” with: find command keyword pppoe.)

A Little Wiresharking

This is what it looks like on the wire between the Palo and the modem, captured with a real network TAP, the ProfiShark 1G. You can see the whole PPPoE process with its sub-protocols PPP LCP, PPP PAP, PPP IPCP, and PPP IPV6CP 😂, followed by an RA from the ISP with the O-flag and a prefix option (packet no. 30, red arrows down below), the DAD message from the Palo (31), and the DHCPv6-PD process (35ff). This capture was taken at a later date, hence the IP addresses shown differ from the screenshots above. Never mind.
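To see why the address-assignment settings above (Autoconfig on, DHCPv6 for prefix delegation only) match what the ISP's router advertises, here is an added example, not from the original post, that decodes the RA flags and prefix option from a Router Advertisement as captured here and reports which client mode they call for. The sample RA is constructed in `build_ra` with the 2001:db8::/32 documentation prefix; the checksum is left at zero and not verified.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134                          # ICMPv6 type (RFC 4861)
OPT_PREFIX_INFO = 3                             # Prefix Information option (type 3, 32 bytes)
FLAG_M, FLAG_O = 0x80, 0x40                     # RA flags: Managed (stateful DHCPv6), Other config
PIO_L, PIO_A = 0x80, 0x40                       # prefix option flags: On-link, Autonomous (SLAAC)

@dataclass
class RouterAdvert:
    managed: bool         # M: addresses come from stateful DHCPv6
    other_config: bool    # O: DNS and other info come from (stateless) DHCPv6
    router_lifetime: int  # seconds; 0 means "do not use me as default router"
    prefixes: list = field(default_factory=list)  # (IPv6Network, on_link, autonomous)

def parse_ra(icmp6: bytes) -> RouterAdvert:
    """Parse an ICMPv6 Router Advertisement body (IPv6 header already stripped)."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)  # byte 4 is cur hop limit
    ra = RouterAdvert(bool(flags & FLAG_M), bool(flags & FLAG_O), lifetime)
    off = 16
    while off < len(icmp6):                                # walk the TLV options
        if off + 2 > len(icmp6): raise ValueError("truncated option header")
        otype, olen = icmp6[off], icmp6[off + 1] * 8       # length is in units of 8 bytes
        if olen == 0 or off + olen > len(icmp6): raise ValueError("bad option length")  # RFC 4861 4.6
        body = icmp6[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = body[0], body[1]                # then valid/preferred lifetimes, reserved
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra.prefixes.append((net, bool(pflags & PIO_L), bool(pflags & PIO_A)))
        off += olen                                        # unknown options are skipped, per RFC
    return ra

def wan_address_mode(ra: RouterAdvert) -> str:
    """Which client setting the RA asks for: stateful DHCPv6, SLAAC, or SLAAC plus stateless DHCPv6."""
    if ra.managed:
        return "stateful DHCPv6 (M flag)"
    if any(auto for _, _, auto in ra.prefixes):
        return "SLAAC + stateless DHCPv6 (O flag)" if ra.other_config else "SLAAC only"
    return "no address assignment advertised"

def build_ra(prefix: str, managed: bool = False, other: bool = True, lifetime: int = 1800) -> bytes:
    """Constructed sample RA with one prefix option (L and A set); checksum left 0."""
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, PIO_L | PIO_A, 2592000, 604800, 0)
    return hdr + pio + net.network_address.packed
```

An RA with the O-flag but no M-flag plus an A-flagged prefix, as in packet 30, yields "SLAAC + stateless DHCPv6 (O flag)"; a malformed option length raises instead of being silently skipped.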

That’s it. Happy networking. ;)

Soli Deo Gloria!

Photo by Jonny Gios on Unsplash.
