Netgate Discussion Forum
    Juniper to pfSense WAN

• johnpoz LAYER 8 Global Moderator

Does pfSense get an IP on its WAN? If pfSense cannot ping what it gets for its gateway from the upstream DHCP server, then it will think this gateway is down.

Allow the Juniper IP to be pinged if you want the gateway to show up, or set it to be considered always up.

      Not really getting the point of the juniper? Why not just put pfsense at the edge? That is where it is meant to go..

SSG-20 end of support is fast approaching, Jan 2020 I do believe.. Some models already no longer have support.

pfSense would be a great replacement for the SSG-20 and should be at the edge..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

• tomward16
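The gateway behaviour described in the post above (a gateway that does not answer the monitor's probes is marked down, unless monitoring is disabled so it is considered always up) can be modelled as a small decision function. This is an added example, not pfSense or dpinger code; the thresholds are an assumption mirroring the pfSense defaults I know of (latency 200/500 ms, packet loss 10%/20%), and the probe samples are constructed.

```python
"""Model of pfSense-style gateway monitoring (added example, not project code).

A probe sample is the RTT in milliseconds, or None when no reply came back.
The status rules are an assumption modelled on the pfSense defaults; the real
monitor daemon keeps a sliding window, this scores one fixed batch of probes.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Thresholds:
    latency_warn_ms: float = 200.0   # assumed default "latency low" threshold
    latency_down_ms: float = 500.0   # assumed default "latency high" threshold
    loss_warn_pct: float = 10.0      # assumed default "packet loss low" threshold
    loss_down_pct: float = 20.0      # assumed default "packet loss high" threshold


def summarize(samples: Sequence[Optional[float]]) -> Tuple[float, float]:
    """Return (average RTT in ms, packet loss in percent) for one batch of probes.

    Average RTT is +inf when nothing answered, so a fully filtered gateway
    trips the latency test as well as the loss test.
    """
    if not samples:
        raise ValueError("at least one probe sample is required")
    replies = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    avg_ms = sum(replies) / len(replies) if replies else float("inf")
    return avg_ms, loss_pct


def gateway_status(samples: Sequence[Optional[float]],
                   thresholds: Thresholds = Thresholds(),
                   monitoring_disabled: bool = False) -> str:
    """Classify a gateway as 'online', 'warning' or 'down'.

    monitoring_disabled models the "consider it always up" setting from the
    post: no probe result can ever mark the gateway down.
    """
    if monitoring_disabled:
        return "online"
    avg_ms, loss_pct = summarize(samples)
    if loss_pct >= thresholds.loss_down_pct or avg_ms >= thresholds.latency_down_ms:
        return "down"
    if loss_pct >= thresholds.loss_warn_pct or avg_ms >= thresholds.latency_warn_ms:
        return "warning"
    return "online"


# Constructed probe batches (not measurements from any real link).
ICMP_FILTERED = [None] * 10                      # upstream drops every echo request
HEALTHY = [12.0, 13.5, 11.8, 14.2, 12.6]         # normal replies
ONE_IN_TEN_LOST = [10.0] * 9 + [None]            # 10% loss
TWO_IN_TEN_LOST = [10.0] * 8 + [None, None]      # 20% loss

if __name__ == "__main__":
    for name, batch in [("filtered", ICMP_FILTERED), ("healthy", HEALTHY),
                        ("10% loss", ONE_IN_TEN_LOST), ("20% loss", TWO_IN_TEN_LOST)]:
        print(f"{name:>9}: {gateway_status(batch)}")
    print(f" filtered, monitoring disabled: {gateway_status(ICMP_FILTERED, monitoring_disabled=True)}")
```

The filtered case is the situation in the thread: every probe is lost, so the gateway is "down" even though forwarding through it would work. Disabling monitoring hides the problem rather than fixing it, so the failover logic of a multi-WAN setup can no longer detect a real outage on that path; letting the upstream answer the probes keeps failover meaningful.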

Thanks johnpoz. pfSense currently has a multi-WAN setup. On WAN1, which is set up as PPPoE, I get an external IP no problem. WAN2 is coming from the trusted port of the Juniper. The reason I have the Juniper is because I have been told I have to use it (long story!), as I've been told I need to have two firewalls (of different makes for extra security). So that aside, the Juniper connects to the router via the untrusted port (PPPoE); the trusted ports have a DHCP server running, and if I connect a laptop straight to that port I can see the internet. However, the WAN2 interface is set up as DHCP but doesn't seem to receive an IP, as it shows 0.0.0.0 with a green up arrow and the gateway sits at pending.

You mention allowing the Juniper to be pinged? Is this something I have to manually enable? If so, any clues as to where/how?!

        Sorry I know this is a trivial ask, but it's something I've been tasked to do despite shouting until I'm blue in the face that pfSense is more than capable of being the edge device.

        Many Thanks again

• johnpoz LAYER 8 Global Moderator

          @tomward16 said in Juniper to pfSense WAN:

          two firewalls (of different makes for extra security).

Utter NONSENSE!!! Who told you this? Your boss? Some consultant? It's NONSENSE!!!

An untrusted interface on a Juniper is not going to allow ping, unless you set it.


• tomward16

A class consultant.... OK, thanks for your help.

• johnpoz LAYER 8 Global Moderator

              He doesn't freaking have a clue to what he is talking about! Plain and simple..

You know what is a good idea: to use a firewall that is NOT end of life in a few months.. What are you going to do after Jan 2020? ;) Support for same day and even next day has already been discontinued on those SSG-20s.

edit: Clearly this guy has never actually worked in the field ;)
There has been an old-school thought that edge firewalls and internal firewalls should be from different vendors.. But in real life this is not going to happen... Many companies don't even use internal firewalls; they don't even ACL between segments on their internal L3 switches.. Why? Because they don't have staff sitting around doing nothing.. This sort of stuff takes time to manage.. And does it really get them any added security? More likely than not it's going to cost them time in lost productivity when something is done wrong, or time taken to spin up something.

Having 2 different ones only makes it more complex.. Now your IT staff needs to be proficient in both of these vendors' products; more than likely this leads to mistakes.. A does something this way and B does it differently, as an example.

Now you need to manage support contracts with 2 different vendors, now you need to manage updates on 2 different vendors.

Logs are probably not even in the same format - so more complexity in reading them.. Just makes no sense - and you're not even using 1 internal and the other internal.. You have them both on the edge in your explanation.


• bmeeks

                I agree with @johnpoz here. From your description you have a multi-WAN setup with one WAN edge being a Juniper device and you want to make the other WAN edge a pfSense device. This is not the model of "two firewalls from different vendors". In the setup you describe, if I get past either firewall I'm into the protected network. The theory behind having two firewalls from different vendors assumes they are in series. To do multi-WAN in that scenario you would need at least 4 firewalls where one WAN connection is say a series pair of Juniper then pfSense and the other WAN connection is a series pair of pfSense then Juniper.

• johnpoz LAYER 8 Global Moderator

                  @bmeeks said in Juniper to pfSense WAN:

                  two firewalls from different vendors assumes they are in series.

Which again is just BS.. if I forward port X through 1 and then through 2.. What does it matter?

There is so much BS on the internet it's not even funny - if you want to talk security, then let's talk security.. But stating you want to use 2 different firewalls because Billy Bob said that is what you "should" do is just BS!!!


• bmeeks @johnpoz

                    @johnpoz said in Juniper to pfSense WAN:

                    @bmeeks said in Juniper to pfSense WAN:

                    two firewalls from different vendors assumes they are in series.

Which again is just BS.. if I forward port X through 1 and then through 2.. What does it matter?

There is so much BS on the internet it's not even funny - if you want to talk security, then let's talk security.. But stating you want to use 2 different firewalls because Billy Bob said that is what you "should" do is just BS!!!

                    Yeah, I am agreeing with you. The original way this was explained to me way back was assuming there is a backdoor or zero-day type exploit out there for say firewall 1 but not yet for firewall 2. Two different vendor firewalls with different operating systems were assumed to not be vulnerable to the same zero-day. While technically true, in the real world that's way down the list of probability. Much more likely is a configuration thing like you stated whereby the actual configuration needed to make applications work across the firewall pair (port forwards, etc.) is where the real vulnerability exists. And that configuration can totally kill any theoretical advantage you thought you obtained by using two different firewalls.

• johnpoz LAYER 8 Global Moderator
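The two points bmeeks makes above (firewalls in series versus the multi-WAN layout in the question, and a port forward configured on both devices cancelling the theoretical benefit) can be made concrete with a small reachability model. This is an added example and a constructed model, not Juniper or pfSense code; the rulesets, the internal service list and the "bypassed hop" case (a firewall that has been defeated by an exploit or a misconfiguration and permits everything) are assumptions for illustration.

```python
"""Reachability model for "two firewalls from different vendors" (added example).

Each firewall is reduced to the set of (proto, port) services it permits
inbound from the WAN side. allow_all models a hop that has been bypassed,
i.e. the zero-day / backdoor scenario the thread discusses. All rulesets and
services below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

Service = Tuple[str, int]  # e.g. ("tcp", 443)


@dataclass(frozen=True)
class Ruleset:
    name: str
    allowed: FrozenSet[Service]
    allow_all: bool = False  # True: this hop has been bypassed and filters nothing

    def permits(self, svc: Service) -> bool:
        return self.allow_all or svc in self.allowed


def exposure_series(chain: Iterable[Ruleset], services: Iterable[Service]) -> Set[Service]:
    """Firewalls in series: a packet must be permitted by every hop.

    This is the topology the "different vendors" advice assumes.
    """
    chain = list(chain)
    return {s for s in services if all(fw.permits(s) for fw in chain)}


def exposure_parallel(paths: Iterable[Ruleset], services: Iterable[Service]) -> Set[Service]:
    """Independent WAN paths into the same LAN (the multi-WAN layout in the question):
    one permissive path is enough for the service to be reachable."""
    paths = list(paths)
    return {s for s in services if any(fw.permits(s) for fw in paths)}


# Constructed inventory of internal services an attacker could reach.
INTERNAL = [("tcp", 443), ("tcp", 22), ("udp", 500), ("tcp", 3389)]

# Constructed rulesets. The port forward for tcp/443 is configured on both
# devices because that is what it takes for the application to work through
# the pair; this is the "configuration kills the advantage" point.
JUNIPER = Ruleset("juniper", frozenset({("tcp", 443), ("tcp", 22)}))
PFSENSE = Ruleset("pfsense", frozenset({("tcp", 443), ("udp", 500)}))
JUNIPER_BYPASSED = Ruleset("juniper (bypassed)", frozenset(), allow_all=True)


def report() -> dict:
    """Collect the four cases the thread argues about, keyed by scenario name."""
    return {
        "series, both intact": exposure_series([JUNIPER, PFSENSE], INTERNAL),
        "parallel, both intact": exposure_parallel([JUNIPER, PFSENSE], INTERNAL),
        "series, juniper bypassed": exposure_series([JUNIPER_BYPASSED, PFSENSE], INTERNAL),
        "parallel, juniper bypassed": exposure_parallel([JUNIPER_BYPASSED, PFSENSE], INTERNAL),
    }


if __name__ == "__main__":
    for scenario, exposed in report().items():
        print(f"{scenario:28s}: {sorted(exposed)}")
```

Read the output top to bottom: in series, only the service forwarded through both devices is reachable, and if one hop is bypassed the exposure is exactly the other hop's ruleset, which is the entire benefit the "different vendors" argument buys. In the parallel multi-WAN layout from the question, the exposure is the union of both rulesets while both are intact, and a bypassed hop exposes everything, so the second vendor adds cost without adding containment.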

That's a pretty freaking costly setup for the possible issue with a backdoor or exploit.. Cost, man hours to maintain 2 systems. Since they are different, now you need people who are proficient in both.. What's the likelihood they make a mistake in the system they are not?

                      Where do you think the weakest link is... The code running on your firewall, or the user inside the sweet chewy center of your network?


• bmeeks

Yep! I put that theory into the category of an expensive consultant who feels obligated to tell you something esoteric so you feel better about what you paid him or her for their "expert" advice ... ☺ . It's one of those things where there is a very, very faint ring of truth in it to make it sound good in a meeting, but the cold reality is more like what you said. There are many more and larger holes within the inner network itself than exist in some edge firewall device (or devices).

BTW, I never subscribed to that advice personally. And thankfully my company never fell for it either, but it was mentioned a time or two by so-called "consultants" as a practice to examine. It was couched in the "zero-day" theory I described earlier.

• johnpoz LAYER 8 Global Moderator

Yeah, have heard it over the years as well - from the same sort of "consultants" that got paid way too much money for nothing of value ;)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.