Juniper ex3300 layer 3 with pfsense
-
Yes, I have an RVI in each VLAN for the EX3300.
VLAN 2 192.169.30.0/24 RVI: 192.168.30.2. This is the transit network; this was a typo. Yes, I have created a gateway in pfSense along with static routes via the gateway. I may need to double check the IP address though.
I was not aware of the public IPs. I will change the VLAN IPs.
Thanks -
The RFC 1918 range that starts with 172 is 172.16/12, or 172.16-31.x.x.
172.128 is owned by:
NetRange: 172.128.0.0 - 172.191.255.255
CIDR: 172.128.0.0/10
Organization: AOL Inc. (AOLIN-1) -
So now I have updated both the EX3300 and pfSense.
In the EX3300 I have 4 VLANs:
VLAN 20 10.1.20.0/24 RVI: 10.1.20.1
VLAN 30 10.1.30.0/24 RVI: 10.1.30.1
VLAN 50 10.1.50.0/24 RVI: 10.1.50.1
VLAN 2 192.169.30.0/24 RVI: 192.168.30.2, this is the transit network
Default route on the Juniper: 0.0.0.0/0 via 192.168.30.1 (this is the pfSense interface IP). I do have static routes in pfSense via 192.168.30.2 as the gateway.
Also NAT is fine for VLANs 20, 30, 50 to WAN.
But hosts on the EX3300 cannot ping 192.168.30.1 or get to the internet. I can ping 192.168.30.2 from a host.
Also I cannot ping 192.168.30.2 from pfSense. -
"Also can not ping 192.168.30.2 from pfsense."
Well that is going to be a problem ;)
So again a typo??
"vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network"
That is not going to work if that is what you really have..
-
Sorry, typo again.
This is what I have:
VLAN 2 192.168.30.0/24 RVI: 192.168.30.2
Do you think I have something wrong on the Juniper?
-
Well, can your pfSense see the MAC of this 192.168.30.2 IP in its ARP table?
It is going to be impossible to ping if you cannot see the MAC. Are you sure you have this VLAN tagged or untagged correctly?
So with a transit network to a downstream L3 switch, the connection on the switch for the uplink to pfSense could just be untagged; on the switch it would just be an access port in Cisco terms. But the PVID/native VLAN would need to be this VLAN 2 that you're using as transit.
In pfSense this would just be on the interface; it would not be a VLAN interface.
-
I will check the ARP table.
Right now the transit network was on tagged VLAN 2 on both the Juniper and ESXi. I will reconfigure those to be untagged and try again.
Thanks -
"and esxi. "
You made no mention of this before, or if you did I missed it.
So how exactly do you have this connected? pfSense is running on ESXi, I take it; where is the EX3300? What interface and vSwitch is it connected to on ESXi?
A drawing of your network would be most helpful.
-
I have now updated the transit network to untagged. Now the internet is working on hosts attached to the Juniper, but only by IP address. Looks like DNS forwarding is not happening..
-
pfSense out of the box does not use forwarding.. So you changed to using the forwarder? Or have unbound in forward mode? Where are you forwarding to?
Can pfSense look up stuff? i.e. use the diag, DNS lookup.
Can clients query pfSense DNS for, say, the pfSense FQDN? If using unbound and you're coming from downstream networks, you will most likely have to adjust the ACLs to allow for the downstream networks. If using the unbound auto rules it prob only added your local LAN network to the ACL..
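As an added example (not from the thread and not pfSense's own code), the following Python models unbound's access-control ACL so you can see why a client on a routed VLAN behind the switch gets REFUSED while a client on a directly attached pfSense network is answered, and what the extra entries for the downstream networks look like. The matching rule (most specific netblock wins, anything unlisted is refused) follows unbound's documented behaviour; the "auto" ACL contents and the client addresses are constructed for the example.

```python
# Added example: a minimal model of unbound's access-control ACL.
# Assumption: most specific matching netblock wins; no match means refuse.
import ipaddress

# Constructed approximation of the auto-generated ACL: loopback plus the
# networks on pfSense's own interfaces (here the transit net from the thread).
ACL_AUTO = [
    ("127.0.0.0/8", "allow"),
    ("192.168.30.0/24", "allow"),   # transit network, directly on pfSense
]

# VLANs behind the EX3300 (from the thread); reached via a static route,
# so they are not on any pfSense interface and not in the auto ACL.
DOWNSTREAM = ["10.1.20.0/24", "10.1.30.0/24", "10.1.50.0/24"]


def unbound_action(acl, client_ip: str) -> str:
    """Return the action unbound would apply to a query from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for prefix, action in acl:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def with_downstream(acl, networks):
    """Extend an ACL with allow entries for each downstream network."""
    return list(acl) + [(n, "allow") for n in networks]


def render_acl(acl) -> str:
    """Render the ACL in unbound.conf syntax."""
    return "\n".join(f"access-control: {p} {a}" for p, a in acl)


if __name__ == "__main__":
    full = with_downstream(ACL_AUTO, DOWNSTREAM)
    for client in ("192.168.30.50", "10.1.20.5"):
        print(client, "auto:", unbound_action(ACL_AUTO, client),
              "with downstream:", unbound_action(full, client))
    print(render_acl(full))
```

In pfSense the same effect is achieved through the Access Lists tab of the DNS Resolver rather than by editing unbound.conf directly; the point of the model is that a host in 10.1.20.0/24 is refused until its network is listed, even though routing to it already works.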