How to configure multiple vlans to go through a layer 3 firewall interface

Hi there,
I am currently in the process of breaking one big corporate vlan into 3 smaller ones and am having issues with internet connectivity in my lab.

I am using an HP Layer 3 core that will support the 3 corporate vlans as follows:

vlan 10: Building 1 - vlan-interface10 (current)
vlan 20: Building 2 - vlan-interface20 (future)
vlan 30: Building 3 - vlan-interface30 (future)

The core has a Palo Alto firewall off of a vlan 10 access port that all internet traffic currently passes through.
Its address is
The DHCP server is also on vlan 10 and has scopes for all 3 vlans (which are working).

All the LAN routing on the core is simple direct attach routes as everything comes back to the core's vlan-interfaces.

I can't seem to get vlan 20 or 30 to connect to the internet after adding a static next-hop route. VLAN 10 works fine.

If I am routing all internet traffic through will it get NATed properly going through a VLAN 10 access port to the firewall's LAN (trust) interface?

Another thing is that I can ping the firewall LAN interface from vlan 10 but not from the other vlans, but I'm not sure if that is just a security rule.

I've read about using sub-interfaces or using a physical interface on the Palo Alto for each vlan and putting them all in the same security zone.

Any ideas of how I should do this?

MIRSYS Commented:
You need to add routes to the firewall as well.
When the fw receives the 20 and 30 packets it doesn't know where to reply to.
Schuyler Dorsey Commented:
So if you are wanting the layer 3 interface of a vlan to be the PAN instead of your core router then you need to do sub-interfaces on the PAN and tag the sub-interfaces for those vlans. This approach would separate your 3 vlans by the firewall so they would have to go through the firewall to get to each other.

Do you want to separate your 3 segments by the firewall or just have 3 separate vlans?

Also, do you have IP routing enabled on your core switch?
Graycon (Author) Commented:
Right now my 3 vlans can ping each other (and hosts) through layer 3 routing using vlan-interfaces. Basically I am just hanging the firewall off of one of the layer 2 VLAN 10 access ports. The firewall port itself has an ip address in the same subnet as the vlan 10 network.

I was hoping that by adding the static default route to the core that directs all internet traffic to the firewall IP, it would work. No luck. All addresses coming from that firewall port out the external WAN port are supposed to be NATed, but because the source IP is in a different subnet than that firewall port's subnet, maybe it doesn't work.

I'd like to keep my core doing the routing between vlans, and I think the HP switches are enabled for routing already.
Also you would need to tell the firewall that vlans 20 and 30 are trusted ranges as well.
And the ping not working is probably a security rule, or because the fw does not know where to route to reply.
Schuyler Dorsey Commented:
As MIRSYS says, try these things:

1. In the virtual router of the PAN, add two more static routes. Example:
Destination next hop *switch vlan 10 ip*

2. Create a security rule which allows a ping from the internal zone TO the internal zone (same zone as an explicit deny causes it to block intra-zone traffic).

3. If you want to ping the internal interface of the PAN, it needs a mgmt profile which allows ping attached to the internal interface.
Graycon (Author) Commented:
Thanks guys, I'll give the static routes a try.
Bryant Schaper Commented:
A diagram may help too. We use a PAN for our network, and behind it we have probably 100 subnets; we use static routes as well to get back, and the internal router handles the next hop over learned BGP routes.
Akinsd (Network Administrator) Commented:
Check that all the addresses are included in the translations.
Some engineers use object-network for NAT translations, some use the interface, some use access list (though uncommon). If you are using object-network, confirm that the 20 and 30 networks are included. Interface includes everything going through it.

Confirm return routes exist on the firewall as mentioned above (by MIRSYS).
A route to 0 through should do the trick.

Run a tracert from a PC to the internet, e.g. to determine if the path is routed as desired.

Check NAT translations to confirm the addresses are translated correctly.
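The two failure modes the answers above point at (MIRSYS's missing return routes and Akinsd's NAT scope) can be seen in a small routing-table model. This is an added example, not configuration from the thread or from Palo Alto; the 10.x subnets, the core's VLAN 10 address and the firewall addresses are constructed placeholders.

```python
import ipaddress

# Constructed lab addressing (not from the original thread).
VLAN10 = ipaddress.ip_network("10.10.0.0/24")
VLAN20 = ipaddress.ip_network("10.20.0.0/24")
VLAN30 = ipaddress.ip_network("10.30.0.0/24")
CORE_VLAN10_IP = ipaddress.ip_address("10.10.0.1")   # core's vlan-interface10
ISP_GATEWAY = ipaddress.ip_address("203.0.113.1")    # firewall's untrust next hop
ANY = ipaddress.ip_network("0.0.0.0/0")

# Routing table entries: (prefix, egress zone/interface, next hop or None if connected)
def lookup(table, dst):
    """Longest-prefix match over the firewall's virtual-router table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, zone, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, zone, next_hop)
    return None if best is None else (best[1], best[2])

# Firewall table as the asker had it: only the connected trust subnet plus a default.
FW_ROUTES_BEFORE = [
    (VLAN10, "trust", None),
    (ANY, "untrust", ISP_GATEWAY),
]

# After the fix: return routes for VLAN 20 and 30 pointing at the core's VLAN 10 SVI.
FW_ROUTES_AFTER = FW_ROUTES_BEFORE + [
    (VLAN20, "trust", CORE_VLAN10_IP),
    (VLAN30, "trust", CORE_VLAN10_IP),
]

def reply_zone(table, client_ip):
    """Zone the firewall would use to send a reply back to an internal client.
    Without a return route the reply matches only the default and leaves via untrust."""
    hit = lookup(table, client_ip)
    return None if hit is None else hit[0]

def check_clients(table):
    """Reply zone for one constructed host in each of the three VLANs."""
    return {ip: reply_zone(table, ip) for ip in ("10.10.0.50", "10.20.0.50", "10.30.0.50")}

def nat_applies(nat_source_networks, client_ip):
    """Akinsd's check: does the source-NAT rule's source scope cover this client?
    A rule whose source is only the VLAN 10 object silently misses VLAN 20/30 hosts."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nat_source_networks)
```

Running check_clients on the two tables shows the VLAN 20 and 30 replies going out untrust before the static routes exist and trust afterwards, which is the asymmetric path MIRSYS describes.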
Graycon (Author) Commented:
Thanks guys. The static routes on the PAN worked!
This just solved my problem as well, thanks for the solutions!