Focus

Configure a PPPoE Client on a Subinterface

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Upgrade 5G Firmware

Configure an IPv6 PPPoE Client

Configure a PPPoE Client on a Subinterface

Configure a PPPoE Client on a subinterface to connect to your ISP using an 802.1Q VLAN tag.

Beginning with PAN-OS 11.0.1, you can configure a PPPoE (Point-to-Point Protocol over Ethernet) client on a Layer 3 subinterface when your ISP indicates that PPPoE over 802.1Q VLAN is the way in which to connect to its internet services. The firewall establishes a PPPoE connection to the ISP using an 802.1Q VLAN tag. The PPPoE client that you configure on the subinterface learns its IPv4 address from the ISP, along with other information such as the IP address of the server, DNS information, and MTU.

The subinterface supports an IPv4 address. You can configure a PPPOE client on either a physical interface or a subinterface, but not both at the same time. Only one PPPoE subinterface is supported on a physical interface. Before you begin configuring a PPPoE client, ask your ISP what VLAN tag to use for your connection. You must enter that tag when you configure the subinterface number and the Tag. The task below assumes you have already configured a Layer 3 Ethernet interface on the firewall with a security zone.

The following example topology has a PPPoE connection between the firewall and the access concentrator.

The firewall encapsulates northbound traffic (a PPPoE packet) from a host in an 802.1Q frame and sends it to the opposite end of the PPPoE link, on its way to the ISP network. Likewise, the firewall decapsulates the southbound traffic from the 802.1Q frame before sending the PPPoE packet to the host.

Configure a subinterface as a PPPoE client (termination point).
1. Select NetworkInterfacesEthernet and highlight a Layer 3 Ethernet interface.
2. Add Subinterface.
3. To the right of the Interface Name and dot, enter the subinterface number; use the VLAN tag number that your ISP provided. This subinterface number is for reference purposes; the VLAN tag ID is read from the Tag field.
4. Enter the Tag, which is the VLAN tag number that your ISP provided. The actual VLAN tag ID is read from this Tag field.
5. Select IPv4.
6. Select the Type of address as PPPoE.
7. Select General and Enable the subinterface.
8. Enter the Username for the authentication you will choose in the next step.
9. Enter the Password and Confirm Password.
Configure additional characteristics of the PPPoE subinterface.
1. Select Advanced.
2. Select the type of Authentication:
  None—(default) If you keep this setting, the firewall selects auto as the authentication protocol.
  CHAP—Firewall uses Challenge Handshake Authentication Protocol (CHAP).
  PAP—Firewall uses Password Authentication Protocol (PAP). PAP sends usernames and passwords in plain text, and is less secure than CHAP.
  auto—Firewall negotiates the authentication method (CHAP or PAP) with the PPPoE server.
3. To request that the PPPoE server assign a certain IPv4 address for the subinterface, specify a Static Address. (The PPPoE server may assign the requested address or a different address at its discretion.) Default is None.
4. To automatically create a default route that points to the default gateway that the PPPoE server provides, select automatically create default route pointing to peer.
5. Enter the Default Route Metric (priority level) of the PPPoE connection; range is 1 to 65,535; default is 10. A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100.
6. Enter the name of the Access Concentrator that your ISP provided, if any (string value of 0 to 255 characters). The firewall will connect with this Access Concentrator.
7. Enter the Service that your ISP provided, if any (string value of 0 to 255 characters).
8. If you want the PPPoE client (firewall) to wait for the PPPoE server to initiate a connection, select Passive. If Passive is not selected, the firewall is allowed to initiate a connection.
Click OK.
Commit the changes.
View information about the PPPoE client. The Local IP Address, Primary DNS, Secondary DNS, Primary WINS, Secondary WINS, Remote IP Address, Access Concentrator name, and AC MAC address were received from the PPPoE server.
1. Select NetworkInterfacesEthernet and in the row of the subinterface that you configured, select Dynamic-PPPoE.
  
  Alternatively, you can select the subinterface, IPv4, and Show PPPoE Client Runtime Info.
2. Close the window.