Special NAT-question



  • Hi community,

    I'm using pfSense V1.0.1 for web-filtering purposes. I can't use bridge mode (do not ask me why, the firewall becomes unresponsive), so I am forced to use NAT mode.
    At the moment my network "looks" like this:

    Netscreen5XP->WLAN AP->Clients{with pfSense in same subnet}

    As I already mentioned, the pfSense firewall is only used for filtering purposes. Atm, the WAN-IP is set to 192.168.2.200/32 and the LAN-IP is set to 192.168.2.100. I am using Squid for filtering, and I am able to connect to websites using the proxy IP 192.168.2.100. The problem I face is that the firewall does not use the WAN interface to connect to the internet; it uses the LAN interface, which makes it impossible to deny specific traffic.
    I think it is a NAT issue, but I don't know what to do now.

    The firewall log contains the following entries:

    Apr 28 22:09:27 WAN 192.168.2.22:138 192.168.2.255:138 UDP
    Apr 28 22:09:27 WAN 192.168.2.22:138 192.168.2.255:138 UDP
    Apr 28 22:10:18 WAN 192.168.2.76:138 192.168.2.255:138 UDP
    Apr 28 22:17:24 WAN 192.168.2.76:137 192.168.2.255:137 UDP

    The system-log contains the following entries:

    Apr 29 16:46:55 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 16:51:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 16:52:05 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 16:53:14 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 16:54:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 16:56:18 last message repeated 2 times
    Apr 29 16:56:43 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
    Apr 29 16:57:13 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 16:57:21 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 16:58:20 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 16:59:09 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
    Apr 29 16:59:29 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:00:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:02:10 last message repeated 2 times
    Apr 29 17:02:18 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 17:03:16 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:04:08 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:06:22 last message repeated 3 times
    Apr 29 17:07:39 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 17:11:00 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:12:31 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:12:46 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 17:13:33 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:14:51 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:16:34 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:16:45 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
    Apr 29 17:16:51 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:17:55 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 17:18:52 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:19:08 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
    Apr 29 17:21:44 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:23:19 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:25:31 last message repeated 2 times
    Apr 29 17:27:27 dnsmasq[44352]: exiting on receipt of SIGTERM
    Apr 29 17:27:27 check_reload_status: reloading filter
    Apr 29 17:27:28 dnsmasq[66498]: started, version 2.22 cachesize 150
    Apr 29 17:27:28 dnsmasq[66498]: read /etc/hosts - 4 addresses
    Apr 29 17:27:28 dnsmasq[66498]: reading /etc/resolv.conf
    Apr 29 17:27:28 dnsmasq[66498]: using nameserver 195.62.99.42#53
    Apr 29 17:28:08 check_reload_status: reloading filter
    Apr 29 17:29:45 last message repeated 2 times
    Apr 29 17:30:25 check_reload_status: reloading filter
    Apr 29 17:31:57 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:32:53 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:32:54 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:34:20 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 17:37:20 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:39:21 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
    Apr 29 17:39:28 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
    Apr 29 17:39:41 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1

    What can I do to make the firewall connect to the internet using the WAN-interface?
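The system-log excerpt above is the diagnostic signal in this thread, so here is an added example (not from the original post or from pfSense) that parses those kernel lines and summarises them the way a reviewer would: which interface pair the warnings point at, and whether each address answers from one stable MAC (two NICs on one segment) or from several (duplicate address or ARP spoofing). The sample log is a subset of the lines quoted in the post, with two unrelated lines kept so the parser has to skip them; the interpretation strings are this example's own wording, not pfSense output.

```python
import re
from collections import Counter, defaultdict

# FreeBSD kernel warning that pfSense forwards to the system log when an ARP
# reply for an address it has bound to one interface arrives on another one.
ARP_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d kernel: arp: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<expected>\w+) "
    r"but got reply from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<seen>\w+)$"
)
# syslogd's duplicate-suppression line; it always refers to the message just before it.
REPEAT_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d last message repeated (?P<n>\d+) times$"
)

# Subset of the system-log lines quoted in the post above (copied, not invented),
# plus two unrelated lines so the parser has to skip them.
SAMPLE_LOG = """\
Apr 29 16:46:55 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
Apr 29 16:51:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
Apr 29 16:52:05 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
Apr 29 16:53:14 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
Apr 29 16:54:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
Apr 29 16:56:18 last message repeated 2 times
Apr 29 16:56:43 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
Apr 29 17:27:27 dnsmasq[44352]: exiting on receipt of SIGTERM
Apr 29 17:27:27 check_reload_status: reloading filter
Apr 29 17:31:57 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
"""


def parse_arp_conflicts(lines):
    """Count wrong-interface ARP warnings keyed by (ip, mac, expected_if, seen_if).

    A 'last message repeated N times' line adds N to the preceding warning; any
    other line breaks that chain, so repeats of unrelated messages are ignored.
    """
    counts = Counter()
    last_key = None
    for raw in lines:
        line = raw.strip()
        m = ARP_RE.match(line)
        if m:
            last_key = (m["ip"], m["mac"], m["expected"], m["seen"])
            counts[last_key] += 1
            continue
        r = REPEAT_RE.match(line)
        if r and last_key is not None:
            counts[last_key] += int(r["n"])
            continue
        last_key = None
    return counts


def interface_pairs(counts):
    """Total warnings per (expected_if, seen_if) pair. One dominant pair with
    several hosts behind it means those two interfaces share a broadcast domain."""
    pairs = Counter()
    for (_ip, _mac, expected, seen), n in counts.items():
        pairs[(expected, seen)] += n
    return pairs


def macs_per_ip(counts):
    """Map each reported IP to the set of MACs that answered for it."""
    macs = defaultdict(set)
    for (ip, mac, _expected, _seen) in counts:
        macs[ip].add(mac)
    return dict(macs)


def diagnose(counts):
    """Return (finding, detail) tuples; 'shared-segment' is a wiring/topology
    problem, 'multiple-macs' is a duplicate address or ARP spoofing and needs
    a different response."""
    findings = []
    for (expected, seen), n in interface_pairs(counts).most_common():
        hosts = {ip for (ip, _m, e, s) in counts if (e, s) == (expected, seen)}
        findings.append((
            "shared-segment",
            f"{len(hosts)} host(s) bound to {expected} answered on {seen} "
            f"({n} warnings): {expected} and {seen} are most likely on the same L2 segment",
        ))
    for ip, macs in sorted(macs_per_ip(counts).items()):
        if len(macs) > 1:
            findings.append((
                "multiple-macs",
                f"{ip} answered from {len(macs)} different MACs {sorted(macs)}: "
                "duplicate address or ARP spoofing, not just a wiring issue",
            ))
    return findings


if __name__ == "__main__":
    for kind, detail in diagnose(parse_arp_conflicts(SAMPLE_LOG.splitlines())):
        print(f"[{kind}] {detail}")
```

Run against the quoted lines it reports a single `shared-segment` finding for le0/le1 and no `multiple-macs` finding: every host answers from one consistent MAC, which is what two NICs on the same segment look like, as opposed to an address conflict.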



  • Those ARP messages indicate some Layer 2 issues. This also might explain why bridging did not work for you. The bridge uses the Spanning Tree Protocol, so in case there is a loop it will shut down the bridge. I recommend investigating what's going on. You shouldn't see these messages.



  • So what am I supposed to do to get the firewall working? The firewall runs in a virtual machine (VMware Server).



  • Fix your network. It's not a pfsense issue. pfSense is just reporting it.



  • Honestly, I do not know where to start. This network configuration worked well for more than 2 years; I just switched from Astaro to pfSense because pfSense needs fewer resources.



  • Did you plug WAN and LAN into the same physical network?

    Atm, the WAN-IP is set to 192.168.2.200/32 and the LAN-IP is set to 192.168.2.100.

    192.168.2.200/32 is part of 192.168.2.0/24
    maybe that could be a problem too.

    Might you be able to put the pfSense between your Netscreen5XP and the WLAN AP?



  • @hex2bin:

    The firewall runs in a virtual machine (VMware Server).

    Might be a wrong VMware config as well.



  • Did you plug WAN and LAN into the same physical network?

    Yep, the firewall just acts as a web filter, so it is not a security problem.

    Might you be able to put the pfSense between your Netscreen5XP and the WLAN AP?

    That is the problem I face. The pfSense firewall runs under VMware Server, which is connected to the AP via WLAN. So the AP is necessary.



  • @hex2bin:

    Did you plug WAN and LAN into the same physical network?

    Yep, the firewall just acts as a web filter, so it is not a security problem.

    But it is a networking problem - your firewall can't have two interfaces on the same subnet, and it's never good to have both on the same broadcast domain.

    What do you mean by web filter? What are you wanting to accomplish?
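hex2bin's point that 192.168.2.200/32 is part of 192.168.2.0/24, and the reply above that a firewall can't have two interfaces on the same subnet, both come down to routing: the kernel sends a packet out of whichever interface has the longest connected prefix covering the next hop. The following is an added example (not from the original thread or from pfSense) that checks a set of interface addresses for overlap and shows which interface the default gateway would be reached through. The LAN mask is not stated in the post, so /24 is assumed; the Netscreen's address is not stated either, so 192.168.2.1 is assumed; the "separated" layout is an assumed corrected configuration, not one the thread prescribes.

```python
import ipaddress

# Addressing as described in the post. The LAN mask is an assumption (/24);
# the post only gives the address 192.168.2.100.
AS_POSTED = {"WAN": "192.168.2.200/32", "LAN": "192.168.2.100/24"}

# Assumed corrected layout for illustration: LAN on its own subnet, so the only
# connected route toward the upstream router is on WAN.
SEPARATED = {"WAN": "192.168.2.200/24", "LAN": "10.0.0.1/24"}

# The Netscreen's address is not given in the thread; this value is assumed.
ASSUMED_GATEWAY = "192.168.2.1"


def interface_overlap(ifaces):
    """Return sorted name pairs whose connected networks overlap, i.e. one
    network contains the other (a /32 inside a /24 counts)."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def egress_candidates(ifaces, dest):
    """Names of the interfaces whose connected network matches dest with the
    longest prefix; that is where the kernel will ARP for it. An empty list
    means dest is not directly reachable; more than one name means the choice
    is ambiguous and falls to route insertion order rather than to policy."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_interface(cidr).network.prefixlen, name)
               for name, cidr in ifaces.items()
               if addr in ipaddress.ip_interface(cidr).network]
    if not matches:
        return []
    best = max(prefixlen for prefixlen, _name in matches)
    return sorted(name for prefixlen, name in matches if prefixlen == best)


def explain(ifaces, gateway):
    """Human-readable findings for a given interface layout and gateway."""
    lines = []
    for a, b in interface_overlap(ifaces):
        lines.append(f"{a} ({ifaces[a]}) and {b} ({ifaces[b]}) overlap")
    via = egress_candidates(ifaces, gateway)
    if not via:
        lines.append(f"gateway {gateway} is on no connected network: default route unusable")
    elif len(via) == 1:
        lines.append(f"gateway {gateway} reached via {via[0]}")
    else:
        lines.append(f"gateway {gateway} reachable via {', '.join(via)}: ambiguous")
    return lines


if __name__ == "__main__":
    for label, layout in (("as posted", AS_POSTED), ("separated", SEPARATED)):
        print(f"== {label} ==")
        for line in explain(layout, ASSUMED_GATEWAY):
            print("  " + line)
```

With the posted addressing the WAN /32 has no connected route to anything but itself, so the only interface with a route to the gateway is LAN, which is exactly the "it uses the LAN interface" behaviour described in the first post. Giving WAN a /24 as well does not help: both interfaces then match and the outcome is ambiguous. Only distinct subnets make the egress unambiguous, which is why the replies keep pointing at the topology rather than at NAT rules; it also means the filtered clients have to sit behind the LAN interface, the placement hex2bin asked about.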

