Using PFSense behind Juniper edge firewalls



  • I'm trying to redesign our network to keep Juniper SRX firewalls as edge firewalls but move some servers that are currently in our core switch controlled zones into a PFSense firewall controlled zone. To that end i've set up a new PFSense box, set a WAN interface of our current servers network and set a LAN interface of a new VLAN (150). I've then added routes on our core switches and firewalls for VLAN 150 with next hop of the WAN interface on PFSense.
    This all seems to work fine and i've got a test server on the new VLAN behind PFSense.

    However, for anything that's a juniper firewall controlled zone, i can set rules on the wan interface rules and it will block them. But anything that is core switch controlled doesn't get stopped  by any firewall rules i create.

    Any help/suggestions here would be greatly appreciated…..


  • Rebel Alliance Global Moderator

    Please draw up your network if you want to discuss.

    If your going to use pfsense as a downstream firewall/router than it should be connected to your edge via a transit network.  It for sure should not have its wan leg in your current server network.



  • I've attached a pretty basic overview of what i'm hoping to achieve



  • Netgate

    Well, for starters you have created an asymmetric routing situation for the 192.168.50.0/24 subnet.

    Other than that, please provide specific examples of specific source addresses connecting to specific destinations that you say are not "controlled" or being blocked. From your description I can't tell what is or is not working.



  • I've got a server on the PFSense server network - 192.168.100.20 with gateway 192.168.100.1 (pfsense)
    Access to/from that from the Juniper controlled network 192.168.10.40 is working with firewall rules both on the Juniper and the PFSense boxes
    However, my machine is on the 192.168.20.0 network (192.168.20.27) and a server on the 192.168.50.0 network (192.168.50.150) are able to hit the server on the pfsense network (192.168.100.20) irrespective of any block/allow rules i place on pfsense
    I initially tried setting it up with just a dummy wan interface and multiple lans, which might be the way to go and removing the any lan rule, but any better solutions would be appreciated for what i'm trying to achieve (removing load off Junipers, whilst securing local networks)


  • Netgate

    Then it is not configured how you think it is.

    Post the pfSense WAN rules.


  • Rebel Alliance Global Moderator

    Also I take it your switch is layer 3? And routing?

    Or do you have these 192.168.20 and .50 networks on your juniper as layer 2 vlans?  And that link from your switch to juniper is trunk?

    Are you servers on 192.168.100 behind pfsense on a different switch or are you just vlan same physical switch your other devices are connected too.  Maybe you just have your layer 2 messed up?



  • I've set routes on the switches for 192.168.100.0/24 via 192.168.50.99, the servers on 192.168.100 behind pfsense are on separate switches with the vlan tagging set on the ESX hosts they're on, and a trunk on the core switches to those server switches

    I think you're right on messing up layer 2 as am getting intermittent behaviour on which networks i can access….

    I've tried added blocks from my machine on every interface but still had access to servers, i've also just added a rule based on firewall logs showing server access from 192.168.50.151 being blocked to access 192.168.100.20 on port 3389, add the easy rule: passed from firewall log view, but it still gets blocked....

    wan rules
    protocol source port destination port gateway
    ipv4 tcp * * This firewall 80 * Allow
    ipv4 ICMP any * * * * * Allow
    ipv4 192.168.20.27 * * * * Block    (My PC)
    ipv4 tcp/udp * * 192.168.100.20 3389 * Allow
    ipv4 FW_alias_DMZ * * * * Block
    ipv4 * * * * * Allow

    PFSense server rules

    ipv4 tcp 192.168.50.151 * 192.168.100.20 3389 * Allow - Easy rule passed from firewall log view (still fails)


  • Rebel Alliance Global Moderator

    So only thing on this esxi host tis your 192.168.100 network on its own switching environment?  Ie different physical switches than your L3 switch?

    "PFSense server rules
    ipv4 tcp      192.168.50.151  *        192.168.100.20  3389  *              Allow - Easy rule passed from firewall log view (still fails)"

    In what scenario would you every see on the lan side (pfsense server) traffic from 192.168.50??  And you created that from an easy rule?  So something was blocked?  Yeah you have a problem at layer 2 if you would ever see traffic from that network on the lan side.

    Draw up your physical connections..  From your statement that your lan side is on its own switches, it would seem impossible to have traffic on lan from wan network..



  • Sorry, our esxi hosts have a dozen or more networks on them, including the 192.168.50.0/24 server vlan.

    from a pfsense point of view i don't actually want it to have a wan interface as i want it to control internal specific vlans, and for the Junipers to control wan traffic. It's just in following setup instructions, other than setting a dummy wan interface, i thought putting this as our server vlan may be a viable way round it, but think this is actually causing the issue

    I might go back to setting a dummy wan interface with multiple lan interfaces, one of which will be the 192.168.50.0/24 (existing server network) and then the new pfsense server vlan (192.168.100.0/24) and have policies between these vlans to control access


  • Rebel Alliance Global Moderator

    A wan is going to be any interface that can be used to get to other networks.  You can nat or not nat to this wan connection.  As mentioned already you have an asymmetrical problem putting this "wan" network of pfsense where there are devices..

    If you want networks behind pfsense, and you want a "wan" network that will be used to get to networks not behind and directly attached to pfsense then this network should be a transit network..

    Thats fine if all of these networks all connected physically on the same switch, you just need to make sure you break that switch up correctly at layer 2 to provide isolation.

    Your going to run into asymmetrical problems as well if you just put all your networks behind pfsense on "lan" networks directly attached that use different gateway to get off their network other than pfsense.  You would have to do host routing on every single host, etc.

    Connect this pfsense to either your layer 3 or your edge with a transit network and correctly route..  Any network your going to put behind pfsense like this 192.168.100 should be isolated on their own layer 2 and use pfsense 192.168.100.x as their default gateway.