Juniper ex3300 with pfsense

[acmcool]

I am trying to connect the juniper ex3300 with transit vlan to pfsense.

in ex3300 i have 4 vlan's
vlan 20 172.168.20.0/24 rvi:172.168.20.1
vlan 30 172.168.30.0/24 rvi:172.168.30.1
vlan 50 172.168.50.0/24 rvi:172.168.50.1
vlan 2 192.169.30.0/24 rvi: 192.168.30.2 this the transit network
default route on juniper 0.0.0.0/0 192.168.30.1 this is pfsense interface IP

i have added static routes for vlan's 20,30,50 in pfsense via 192.168.30.1 as gateway
also added firewall rules to allow traffic from vlan's 20,30,50
But host on ex3300 can not ping 192.168.30.1 or get to internet. I can ping 192.168.30.2 from host.
Any help is appreciated..

 

[Blinky 42]

Don't you want pfSense to have the next hop for 172.168.{20,30,50}.0/24 to be 192.168.30.2 (on the Juniper) not .1 which is the pfSense box itself?

 

[namike]

Agreed you should have static routes on our PFSense box pointing back to your "transit" network and the next hop should be the Juniper's IP address.

 

[fractal]

I never had to add static routes on PFSense boxes to go to directly connected networks. I did have to jump through hoops to get it to route anything other than the original LAN out the WAN. Their configuration has hidden rules for NAT that they enable by default so it is not obvious you need to add them for extra interfaces.

Do you have rules under Firewall -> NAT -> Outbound to NAT your 172 networks onto your WAN? I just remembered that the new version of pfSense no longer hides it but calls it "mode automatic". My older configuration got upgraded to "mode manual" but "hybrid" may allow the automatic rules to stay hidden when you add your rules for your 172 networks.

 

[namike]

They need to add the static routes on the PFSense box because their 172 networks are not directly connected, and thus not in the routing table on the PFSense box. If his VLANs/subnets were all interfaces/subinterfaces directly off the PFSense box (Router on a Stick), then they wouldn't need any additional routes on the PFSense box.

 

[acmcool]

So now i have updated both ex3300 and pfsense.
As i realised i was using public ip's in previous VLAN config...
in ex3300 i have 4 vlan's
vlan 20 10.1.20.0/24 rvi:10.1.20.1
vlan 30 10.1.30.0/24 rvi:10.1.30.1
vlan 50 10.1.50.0/24 rvi:10.1.50.1
vlan 2 192.168.30.0/24 rvi: 192.168.30.2 this the transit network
default route on juniper 0.0.0.0/0 192.168.30.1 this is pfsense interface IP

I do have static routes in pfsense via 192.168.30.2 as gateway.
Also NAT is fine for vlan 20,30,50 to WAN.
But host on ex3300 can not ping 192.168.30.1 or get to internet. I can ping 192.168.30.2 from host.
Also can not ping 192.168.30.2 from pfsense.

 

[acmcool]

They need to add the static routes on the PFSense box because their 172 networks are not directly connected, and thus not the routing table on the PFSense box. If his VLANs/subnets were all interfaces/subinterfaces directly off the PFSense box (Router on a Stick), then they wouldn't need any additional routes on the PFSense box.

Yes. Because i want to run switch in layer 3 mode

 

[namike]

Can you screenshot us your routing table from the ex3300 (show route) and also on the PFsense box?

I don't understand from PFSense why it cannot ping 30.2, because that is a directly connected network.

 

[acmcool]

This is resolved now...Had to change the transit network from tagged vlan to untagged vlan..