Netgate Discussion Forum

Juniper to pfSense WAN

Off-Topic & Non-Support Discussion | 12 Posts | 3 Posters | 1.5k Views
      tomward16

      Hi All,

      I'm trying to connect pfSense to a Juniper SSG20 firewall. The Juniper has the untrusted port acting as PPPoE for a BT hub. I then want to pass that traffic to the pfSense WAN to do the grunt of the work. The Juniper is purely to block all traffic apart from OpenVPN reaching the pfSense OpenVPN server. I've tried all sorts to get pfSense to connect its WAN port and receive internet, but I can't seem to figure out how to make it work! I have the Juniper trusted ports set up with a local IP and a DHCP server. I've then set up the pfSense WAN port to get an address via DHCP. However, the gateway still shows as offline.

      Am I going about this completely the wrong way? (I'm pretty new to all this and have ZERO juniper knowledge!)

      Hope someone can point me in the right direction.
      Many Thanks

        johnpoz (LAYER 8 Global Moderator)

        Does pfsense get an IP on its WAN? If pfsense cannot ping what it gets for its gateway from the upstream DHCP server, then it will think this gateway is down.

        Allow the juniper IP to be pinged if you want the gateway to show up, or set it to be considered always up.

        Not really getting the point of the juniper? Why not just put pfsense at the edge? That is where it is meant to go..

        SSG-20 end of support is fast approaching, Jan 2020 I do believe.. Some models already no longer have support.

        pfsense would be great replacement for the ssg-20 and should be at the edge..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

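As an added illustration of the gateway-monitoring behaviour johnpoz describes above (this is example code written for this page, not code from the thread or from pfSense itself): the gateway is judged purely on whether its monitor IP answers echo requests, so an upstream device that drops ICMP produces 100% loss and a "down" verdict even though traffic would forward fine. The latency and loss thresholds below are this example's own assumed values, and the three probe histories are constructed, not real measurements. The two remedies from the post both appear: a `force_up` flag models "consider this gateway always up", and feeding in probes from a different, pingable monitor target is just a different `probes` list.

```python
from statistics import mean
from typing import Optional, Sequence, Tuple

# Assumed thresholds. They mirror the kind of latency/loss limits a pfSense
# gateway can be configured with (System > Routing > Gateways, Advanced),
# but the exact values here are this example's own, not read from any install.
LATENCY_WARN_MS = 200.0
LATENCY_DOWN_MS = 500.0
LOSS_WARN_PCT = 10.0
LOSS_DOWN_PCT = 20.0

Probe = Optional[float]  # RTT in milliseconds, or None when no echo reply came back


def summarize(probes: Sequence[Probe]) -> Tuple[float, Optional[float]]:
    """Return (packet loss %, average RTT in ms or None if nothing answered)."""
    if not probes:
        raise ValueError("no probe results to evaluate")
    answered = [p for p in probes if p is not None]
    loss_pct = 100.0 * (len(probes) - len(answered)) / len(probes)
    avg_ms = mean(answered) if answered else None
    return loss_pct, avg_ms


def gateway_status(probes: Sequence[Probe], force_up: bool = False) -> Tuple[str, str]:
    """Classify a monitored gateway from its recent ICMP probe results.

    force_up models the 'consider this gateway always up' choice: the probes are
    ignored entirely, so a monitor IP that never answers still counts as online.
    """
    if force_up:
        return "online", "monitoring disabled, gateway forced up"
    loss_pct, avg_ms = summarize(probes)
    if avg_ms is None:
        # Every echo request went unanswered. This is exactly what an upstream
        # device that drops ICMP looks like from the monitoring side.
        return "down", "100% loss: monitor IP never replies (ICMP blocked upstream?)"
    if loss_pct >= LOSS_DOWN_PCT or avg_ms >= LATENCY_DOWN_MS:
        return "down", f"loss {loss_pct:.0f}%, avg RTT {avg_ms:.1f} ms"
    if loss_pct >= LOSS_WARN_PCT or avg_ms >= LATENCY_WARN_MS:
        return "warning", f"loss {loss_pct:.0f}%, avg RTT {avg_ms:.1f} ms"
    return "online", f"loss {loss_pct:.0f}%, avg RTT {avg_ms:.1f} ms"


# Constructed probe histories (ten pings each), not real measurements.
HEALTHY = [1.2, 1.0, 1.3, 1.1, 1.2, 1.0, 1.1, 1.3, 1.2, 1.1]
ICMP_BLOCKED = [None] * 10  # the upstream device never answers the echo requests
LOSSY = [1.2, None, 1.1, 1.3, 1.0, 1.2, None, 1.1, 1.3, 1.2]  # 2 of 10 lost

if __name__ == "__main__":
    for label, history in (("healthy", HEALTHY), ("icmp blocked", ICMP_BLOCKED), ("lossy", LOSSY)):
        print(f"{label:13s} -> {gateway_status(history)}")
    print(f"{'forced up':13s} -> {gateway_status(ICMP_BLOCKED, force_up=True)}")
```

The `ICMP_BLOCKED` case is the situation in the thread: the WAN may be perfectly usable, but because the verdict is driven only by echo replies, the gateway reports down until either the upstream device answers pings or monitoring is bypassed. Forcing a gateway up also means a genuine outage is no longer detected, which matters in a multi-WAN failover setup.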
          tomward16

          Thanks johnpoz. pfSense currently has a multi-WAN setup. On WAN1, which is set up as PPPoE, I get an external IP no problem. WAN2 is coming from the trusted port of the Juniper. The reason I have the Juniper is because I have been told I have to use it (long story!), as I've been told I need to have two firewalls (of different makes for extra security). So that aside, the Juniper connects to the router via the untrusted port (PPPoE); the trusted ports have a DHCP server running, and if I connect a laptop straight to that port I can see the internet. However, the WAN2 interface is set up as DHCP but doesn't seem to receive an IP, as it shows 0.0.0.0 with a green up arrow and the gateway sits at pending.

          You mention allowing the juniper to be pinged? Is this something I have to manually enable? If so, any clues as to where/how?!

          Sorry I know this is a trivial ask, but it's something I've been tasked to do despite shouting until I'm blue in the face that pfSense is more than capable of being the edge device.

          Many Thanks again

            johnpoz (LAYER 8 Global Moderator)

            @tomward16 said in Juniper to pfSense WAN:

            two firewalls (of different makes for extra security).

            Utter NONSENSE!!! Who told you this? Your boss? Some consultant? It's NONSENSE!!!

            An untrusted interface on juniper is not going to allow ping, unless you set it.


              tomward16

              A class consultant.... ok Thanks for your help.

                johnpoz (LAYER 8 Global Moderator)

                He doesn't freaking have a clue to what he is talking about! Plain and simple..

                You know what is a good idea? To use a firewall that is NOT end of life in a few months.. What are you going to do after Jan 2020? ;) Support for same day and even next day has already been discontinued on those ssg-20s

                edit: Clearly this guy has never actually worked in the field ;)
                There has been old school thought that edge firewall and internal firewalls should be different vendors.. But in real life this is not going to happen... Many companies don't even use internal firewalls. They don't even ACL between segments on their internal L3 switches.. Why? Because they don't have staff sitting around doing nothing.. This sort of stuff takes time to manage.. And does it really get them any added security? More likely than not it is going to cost them time in lost productivity when something is done wrong, or time taken to spin up something.

                Having 2 different ones only makes it more complex.. Now your IT staff needs to be proficient in both of these vendors' products; more than likely this leads to mistakes.. A does something this way and B does it differently, as an example.

                Now you need to manage support contracts with 2 different vendors, now you need to manage updates on 2 different vendors.

                Logs prob not even in the same format - so more complexity in reading them.. Just makes no sense - and you're not even using 1 internal and the other external.. You have them both on the edge in your explanation.


                  bmeeks

                  I agree with @johnpoz here. From your description you have a multi-WAN setup with one WAN edge being a Juniper device and you want to make the other WAN edge a pfSense device. This is not the model of "two firewalls from different vendors". In the setup you describe, if I get past either firewall I'm into the protected network. The theory behind having two firewalls from different vendors assumes they are in series. To do multi-WAN in that scenario you would need at least 4 firewalls where one WAN connection is say a series pair of Juniper then pfSense and the other WAN connection is a series pair of pfSense then Juniper.

                    johnpoz (LAYER 8 Global Moderator)

                    @bmeeks said in Juniper to pfSense WAN:

                    two firewalls from different vendors assumes they are in series.

                    Which again is just BS.. if I forward port X through 1 and then through 2.. What does it matter?

                    There is so much BS on the internet it's not even funny - if you want to talk security, then let's talk security.. But stating you want to use 2 different firewalls because billy bob said that is what you "should" do is just BS!!!


                      bmeeks @johnpoz

                      @johnpoz said in Juniper to pfSense WAN:

                      @bmeeks said in Juniper to pfSense WAN:

                      two firewalls from different vendors assumes they are in series.

                      Which again is just BS.. if I forward port X through 1 and then through 2.. What does it matter?

                      There is so much BS on the internet it's not even funny - if you want to talk security, then let's talk security.. But stating you want to use 2 different firewalls because billy bob said that is what you "should" do is just BS!!!

                      Yeah, I am agreeing with you. The original way this was explained to me way back was assuming there is a backdoor or zero-day type exploit out there for say firewall 1 but not yet for firewall 2. Two different vendor firewalls with different operating systems were assumed to not be vulnerable to the same zero-day. While technically true, in the real world that's way down the list of probability. Much more likely is a configuration thing like you stated whereby the actual configuration needed to make applications work across the firewall pair (port forwards, etc.) is where the real vulnerability exists. And that configuration can totally kill any theoretical advantage you thought you obtained by using two different firewalls.

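To make the series-versus-parallel distinction from bmeeks's two posts concrete, and johnpoz's point that a port forwarded through both devices is exposed no matter whose logo is on the box, here is an added Python model written for this page; it is not code from the thread, from pfSense or from Juniper. The service list and the two devices are constructed, and "compromised" simply means the device stops enforcing its policy (the zero-day or backdoor case bmeeks describes). It goes slightly beyond the thread by also computing the case where both devices fail.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

Service = Tuple[str, int]  # (protocol, port) as seen from the internet

# Constructed universe of services that exist behind the edge. Anything a
# device does not explicitly forward is assumed blocked by its default policy.
UNIVERSE: FrozenSet[Service] = frozenset({
    ("udp", 1194),   # OpenVPN
    ("tcp", 22),     # SSH
    ("tcp", 443),    # HTTPS
    ("tcp", 3389),   # RDP
})


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str
    allowed_inbound: FrozenSet[Service]

    def compromised(self) -> "Firewall":
        """Model a zero-day or backdoor: the device no longer enforces anything."""
        return Firewall(self.name, self.vendor, UNIVERSE)


def exposed_in_series(chain: Iterable[Firewall]) -> FrozenSet[Service]:
    """Internet -> fw1 -> fw2 -> inside: a service is reachable only if every
    device in the chain forwards it, so exposure is the intersection."""
    exposed = set(UNIVERSE)
    for fw in chain:
        exposed &= fw.allowed_inbound
    return frozenset(exposed)


def exposed_in_parallel(edges: Iterable[Firewall]) -> FrozenSet[Service]:
    """Two independent WAN edges into the same network (the multi-WAN layout
    in the thread): any one device's opening is an opening, so exposure is the union."""
    exposed = set()
    for fw in edges:
        exposed |= fw.allowed_inbound
    return frozenset(exposed)


# Hypothetical devices mirroring the thread: both forward only OpenVPN.
JUNIPER = Firewall("ssg20", "juniper", frozenset({("udp", 1194)}))
PFSENSE = Firewall("pfsense", "netgate", frozenset({("udp", 1194)}))

if __name__ == "__main__":
    print("series, both intact:     ", sorted(exposed_in_series([JUNIPER, PFSENSE])))
    print("series, juniper broken:  ", sorted(exposed_in_series([JUNIPER.compromised(), PFSENSE])))
    print("parallel, both intact:   ", sorted(exposed_in_parallel([JUNIPER, PFSENSE])))
    print("parallel, juniper broken:", sorted(exposed_in_parallel([JUNIPER.compromised(), PFSENSE])))
```

Two things fall out of the model. In series, the OpenVPN forward survives a compromise of either device, which is bmeeks's point that the configuration needed to make applications work is where the real exposure lives; vendor diversity only buys something for services neither device forwards. In parallel, which is the layout tomward16 actually has, a failure of either edge exposes every service, so there is no defence-in-depth benefit to pay the double-vendor operating cost for.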
                        johnpoz (LAYER 8 Global Moderator)

                        That's a pretty freaking costly setup for the possible issue with a backdoor or exploit.. Cost, man hours to maintain 2 systems. Since they are different, now you need people that are proficient in both.. What's the likelihood they make a mistake in the system they are not?

                        Where do you think the weakest link is... The code running on your firewall, or the user inside the sweet chewy center of your network?


                          bmeeks

                          Yep! I put that theory into the category of an expensive consultant who feels obligated to tell you something esoteric so you feel better about what you paid him or her for their "expert" advice ... ☺ . It's one of those things where there is a very, very faint ring of truth in it to make it sound good in a meeting, but the cold reality is more like what you said. There are many more and larger holes within the inner network itself than exist in some edge firewall device (or devices).

                          BTW, I never subscribed to that advice personally. And thankfully my company never fell for it either, but it was mentioned a time or two by so called "consultants" as a practice to examine. It was couched in the "zero-day" theory I described earlier.

                            johnpoz (LAYER 8 Global Moderator)

                            Yeah, have heard it over the years as well - from the same sort of "consultants" that got paid way too much money for nothing of value ;)


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.