
Sorry for the maybe stupid question (and bad English), I'm a newbie in system administration, but the task is what it is.

We have this network scheme, simplified view:

ISP Gateway
   ||
Juniper SRX240H (our gateway)
   ||
D-Link DGS1210-48
   ||
pfSense

We have two IP addresses: 62.213.xxx.86/30 with ISP gateway 62.213.xxx.85, and 217.22.xxx.162/30 with ISP gateway 217.22.xxx.161.

On the Juniper interface ge-0/0/0.0 we have IP 217.22.xxx.162/30. All provider gateways are reachable from the Juniper, and all LAN clients can reach the internet through our gateway => ISP gateway.

But how can I give pfSense the second WAN IP address with internet access? If I create a WAN interface with IP 62.213.xxx.86/30 and default gateway 62.213.xxx.85, pfSense tells me "gateway is offline". LAN works perfectly, but WAN doesn't. I cannot ping the gateway 62.213.xxx.85 from pfSense. I can ping the Juniper gateway over LAN, but I cannot ping the Juniper gateway over WAN.

I think I need to set up a route, but where and how? On the Juniper, or on pfSense? Or maybe I need to set something up on a port on the D-Link?

I'm already confused by this, could you help me? Or give a tip on where I should look.

Andrew Schulman
Yan
  • If you are looking to set a public IP on the pfSense device, you should look into NAT. You should translate the public IP address 62.213.xxx.86 to the segment on the inside that the pfSense device has. – Hugo Garcia Jun 13 '18 at 19:54

1 Answer

You should configure destination NAT.

This example has the following requirements:

1. Traffic to destination 62.213.xxx.86 is translated to 192.168.1.100.
2. The real IP address and port numbers of the hosts are configured as the destination IP pool.
3. Proxy ARP must be configured for the device to respond to ARP for the addresses in the IP pool.

Security policies to permit traffic from the untrust zone to the trust zone must be created. Since destination NAT rule-sets are evaluated before a security policy, the addresses referred to in the security policy must be the real IP address of the end host.

[edit security]
set zones security-zone trust address-book address server-1 192.168.1.100/32
[edit security policies from-zone untrust to-zone trust]
set policy server-access match source-address any destination-address server-1 application any
set policy server-access then permit
[edit security nat destination]
set pool dst-nat-pool-pfsense address 192.168.1.100
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 62.213.xxx.86
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-pfsense
[edit security nat]
set proxy-arp interface ge-0/0/2.0 address 62.213.xxx.86

Also take a look at this: https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Hugo Garcia
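The three things the answer says a destination-NAT setup needs (a defined pool, proxy ARP for the public address, and a policy that names the real host) are easy to get out of sync when adapting a KB template. This added example, not from the answer's author or from Juniper, parses a list of Junos `set` commands and reports exactly those inconsistencies; the sample configuration is constructed, with the page's masked 62.213.xxx.86 kept as a placeholder.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the answer's config (not a real device dump).
# Note that rule r1 points at a pool that is never defined.
SAMPLE_CONFIG = """
set security zones security-zone trust address-book address server-1 192.168.1.100/32
set security policies from-zone untrust to-zone trust policy server-access match source-address any destination-address server-1 application any
set security policies from-zone untrust to-zone trust policy server-access then permit
set security nat destination pool dst-nat-pool-pfsense address 192.168.1.100
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-address 62.213.xxx.86
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/2.0 address 62.213.xxx.86
"""

def check_dnat_config(config: str) -> List[str]:
    """Return consistency problems found in Junos destination-NAT set commands.
    Checks that every pool a rule uses is defined, that the pool's real address
    is in an address book (so a policy can reference it), and that every public
    address a rule matches has a proxy-arp entry."""
    pools: Dict[str, str] = {}       # pool name -> real (inside) address
    rule_pools: Dict[str, str] = {}  # rule name -> pool it translates to
    rule_dst: Dict[str, str] = {}    # rule name -> public address it matches
    proxy_arp: Set[str] = set()      # public addresses the SRX answers ARP for
    book: Set[str] = set()           # address-book entries, prefix length stripped
    for line in config.splitlines():
        if m := re.match(r"set security nat destination pool (\S+) address (\S+)", line):
            pools[m[1]] = m[2]
        elif m := re.match(r"set security nat destination rule-set \S+ rule (\S+) match destination-address (\S+)", line):
            rule_dst[m[1]] = m[2]
        elif m := re.match(r"set security nat destination rule-set \S+ rule (\S+) then destination-nat pool (\S+)", line):
            rule_pools[m[1]] = m[2]
        elif m := re.match(r"set security nat proxy-arp interface \S+ address (\S+)", line):
            proxy_arp.add(m[1])
        elif m := re.match(r"set security zones security-zone \S+ address-book address \S+ (\S+)", line):
            book.add(m[1].split("/")[0])
    problems: List[str] = []
    for rule, pool in rule_pools.items():
        if pool not in pools:
            problems.append(f"rule {rule}: pool {pool} is not defined")
        elif pools[pool] not in book:
            problems.append(f"rule {rule}: real address {pools[pool]} missing from address book")
    for rule, dst in rule_dst.items():
        if dst not in proxy_arp:
            problems.append(f"rule {rule}: no proxy-arp for {dst}")
    return problems

if __name__ == "__main__":
    for problem in check_dnat_config(SAMPLE_CONFIG):
        print(problem)
```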