Netgate Discussion Forum

    Connect PFSense to JuniperSRX

    • olivermv

      Hi,

      Thanks to @Lucky06480 for helping me out with my issue (topic: 118941.0).

      And now I am facing another issue connecting pfSense to a Juniper SRX550.
      Here is my current setup:
      See attached: Current_Diag.png
      The modem is directly connected to the Juniper and it works fine; however, I want traffic shaping and Squid, so I set up pfSense. Now I am having trouble connecting pfSense and the Juniper.

      This is what I want to build.
      See attached: Target_Diag.png

      pfSense works this way: Modem > PF > Laptop.
      I really don't know how to start. I think I need to change some settings on the Juniper (like NAT), idk.
      Please help.

      • muswellhillbilly

        I'm not sure if I have all the facts here, but why are you daisy-chaining two firewalls? Why not replace the Juniper with just the PFS?

        • olivermv

          The Juniper was purchased by the company and no one knows how the Juniper works or even the role of it.
          It appeared that the Juniper needs a purchased license to use UTM or the traffic shaping.
          So we decided to add pfSense to join the network.

          So do you think we need to remove the Juniper from the network?

          We had two Junipers connected to the modems.

          • muswellhillbilly

            If you're running a Juniper that nobody knows how to use, then I would think this is an obvious weak point in your security overall. Either educate yourselves in how to use the Juniper and make an informed decision about whether to keep it or not, or remove it altogether and substitute it for something you know something about. The PFS, perhaps, although make sure you are comfortable managing it before making it live. Keeping existing kit running after the last person who knew how it worked has left the company is a recipe for disaster.

            • divsys

              There might also be an argument for involving professional pfSense support.

              If budget allows (always a big if) it could add some design stability to your environment.

              At least they can tell you if you're on the right path…..

              -jfp

              • johnpoz LAYER 8 Global Moderator

                Threat management lic for Juniper is not cheap..  Lookup on CDW shows it going for like 11K for 3 years.

                I am with muswellhillbilly here.. This is a great statement
                "If you're running a Juniper that nobody knows how to use, then I would think this is an obvious weak point in your security overall. Either educate yourselves in how to use the Juniper and make an informed decision about whether to keep it or not, or remove it altogether and substitute it for something you know something about"

                I could not have said it better..

                While there are clearly some things that Juniper can do that pfSense can not..  You're going to pay for those somethings ;)  Do you need those somethings is the big question.  The SRX can be a bit tricky.  They are not as straightforward as, say, the ISGs or SSGs.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 25.07

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.