Juniper ex3300 layer 3 with pfsense

cooldude · Mar 14, 2017, 4:39 PM

I am trying to connect the juniper ex3300 with transit vlan to pfsense.

in ex3300 i have 4 vlan's
vlan 20 172.168.20.0/24 rvi:172.168.20.1
vlan 30 172.168.30.0/24 rvi:172.168.30.1
vlan 50 172.168.50.0/24 rvi:172.168.50.1
vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network
default route on juniper 0.0.0.0/0 192.168.30.1 this is pfsense interface IP

i have added static routes for vlan's 20,30,50 in pfsense via 192.168.30.1 as gateway
also added firewall rules to allow traffic from vlan's 20,30,50
But host on ex3300 can not ping 192.168.30.1 or get to internet. I can ping 192.168.30.2 from host.
Any help is appreciated..

johnpoz · Mar 14, 2017, 4:55 PM

huh??

default route on juniper 0.0.0.0/0 192.168.30.1 this is pfsense interface IP
vlan 30 172.168.30.0/24 rvi:172.168.30.1

to me this seems like your ex3300 ip is 172.168.30.1

This is a typo?
vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network

so on your ex3300 should have a IP in each vlan

"172.168.20.0/24"

So your wanting to use a public IP??

So your ex3300 should have IP in each vlan, pfsense would have an IP in the same network your doing for your transit..

So 192.168.30.1/24 on pfsense, 192.168.30.2 on your ex3300, its default gateway on the ex3300 would be 192.168.30.1

On pfsense your going to have to allow all the other subnets on this transit interface rules. And your also going to have to edit the outbound nat to nat those other networks if you want them to get to the internet.

you could need to create a gateway in pfsense to point to your 192.168.30.2 IP - not on the interface but in routing/gateways. You would then create routes on pfsense to use this gateway to get to your downstream networks.

cooldude · Mar 14, 2017, 5:10 PM

Yes i have RVI in each vlan for EX3300..
vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network this was a typo.

Yes i have created a gateway in pfsense along with static routes via the gateway.I may need to double check the ip address though.

I was not aware of public ip's.I will change the vlan ip's
Thanks

johnpoz · Mar 14, 2017, 7:41 PM

The rfc1918 that starts with 172 is 172.16/12 or 172.16-31.x.x

172.128 is owned by

NetRange: 172.128.0.0 - 172.191.255.255
CIDR: 172.128.0.0/10
Organization: AOL Inc. (AOLIN-1)

cooldude · Mar 15, 2017, 1:12 PM

So now i have updated both ex3300 and pfsense
in ex3300 i have 4 vlan's
vlan 20 10.1.20.0/24 rvi:10.1.20.1
vlan 30 10.1.30.0/24 rvi:10.1.30.1
vlan 50 10.1.50.0/24 rvi:10.1.50.1
vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network
default route on juniper 0.0.0.0/0 192.168.30.1 this is pfsense interface IP

I do have static routes in pfsense via 192.168.30.2 as gateway.
Also NAT is fine for vlan 20,30,50 to WAN.
But host on ex3300 can not ping 192.168.30.1 or get to internet. I can ping 192.168.30.2 from host.
Also can not ping 192.168.30.2 from pfsense.

johnpoz · Mar 15, 2017, 1:52 PM

"Also can not ping 192.168.30.2 from pfsense."

Well that is going to be a problem ;)

So again a typo??
vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network

That is not going to work if that is what you really have..

cooldude · Mar 15, 2017, 2:51 PM

Sorry typo again.
This is what i have.
vlan 2 192.168.30.0/24 rvi: 192.168.30.2

Do you think i have somthing wrong on juniper?

johnpoz · Mar 15, 2017, 3:31 PM

Well can your pfsense see the mac of this 192.168.30.2 IP in its arp table?

Going to be impossible to ping if you can not see the mac.. You sure you have this vlan tagged or untagged correctly?

So with a transit network to a downstream L3 switch. The connection on the switch for the uplink to pfsense could just be untagged and on the switch it would just be a access port in cisco terms. But the PVID/Native vlan would need to be this vlan 2 that your using as transit.

In pfsense this would just be on the interface it would not be a vlan interface.

cooldude · Mar 15, 2017, 6:48 PM

I will check the ARP table.
Right now transit network was on tagged vlan 2 on both juniper and esxi. I will reconfigure those to be untagged and try again
Thanks

johnpoz · Mar 15, 2017, 6:51 PM

"and esxi. "

You made no mention of this before - or if you did I missed it.

So how exactly do you have this connected. Pfsense is running on esxi I take it - where is the ex3300? What interface and vswitch is it connected too on esxi.

A drawing of your network would be most helpful.

cooldude · Mar 16, 2017, 1:25 PM

I have now updated the transit network to untagged. Now internet is working on hosts attached juniper but with only IP address. Looks like DNS forwarding is not happening..

johnpoz · Mar 16, 2017, 6:30 PM

pfsense out of the box does not use forwarding.. So you changed to using the forwarder? Or have unbound in forward mode - where are you forwarding?

Can pfsense lookup stuff? ie use the diag, dns lookup.

Can clients query pfsense dns for say pfsense fqdn? If using unbound and your coming from downstream networks you will most likely have to adjust the ACLs to allow for the downstream networks. If using the unbound auto rules it prob only added your local lan network to the ACL..