Netgate Discussion Forum
    Special NAT-question

    9 Posts 4 Posters 3.5k Views
    • hex2bin

      Hi community,

      I'm using pfSense V1.0.1 for web-filtering purposes. I can't use bridge mode (do not ask me why, the firewall becomes unresponsive), so I am forced to use the NAT mode.
      At the moment my network "looks" like this:

      Netscreen5XP->WLAN AP->Clients{with pfSense in same subnet}

      As I already mentioned, the pfSense firewall is only used for filtering purposes. Atm, the WAN IP is set to 192.168.2.200/32 and the LAN IP is set to 192.168.2.100. I am using Squid for filtering, and I am able to connect to websites using the proxy IP 192.168.2.100. The problem I face is that the firewall does not use the WAN interface to connect to the internet; it uses the LAN interface, which makes it impossible to deny specific traffic.
      I think it is a NAT issue, but I don't know what to do now.

      The firewall log contains the following entries:

      Apr 28 22:09:27 WAN 192.168.2.22:138 192.168.2.255:138 UDP
      Apr 28 22:09:27 WAN 192.168.2.22:138 192.168.2.255:138 UDP
      Apr 28 22:10:18 WAN 192.168.2.76:138 192.168.2.255:138 UDP
      Apr 28 22:17:24 WAN 192.168.2.76:137 192.168.2.255:137 UDP

      The system-log contains the following entries:

      Apr 29 16:46:55 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 16:51:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 16:52:05 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 16:53:14 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 16:54:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 16:56:18 last message repeated 2 times
      Apr 29 16:56:43 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
      Apr 29 16:57:13 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 16:57:21 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 16:58:20 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 16:59:09 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
      Apr 29 16:59:29 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:00:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:02:10 last message repeated 2 times
      Apr 29 17:02:18 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 17:03:16 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:04:08 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:06:22 last message repeated 3 times
      Apr 29 17:07:39 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 17:11:00 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:12:31 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:12:46 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 17:13:33 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:14:51 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:16:34 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:16:45 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
      Apr 29 17:16:51 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:17:55 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 17:18:52 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:19:08 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1
      Apr 29 17:21:44 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:23:19 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:25:31 last message repeated 2 times
      Apr 29 17:27:27 dnsmasq[44352]: exiting on receipt of SIGTERM
      Apr 29 17:27:27 check_reload_status: reloading filter
      Apr 29 17:27:28 dnsmasq[66498]: started, version 2.22 cachesize 150
      Apr 29 17:27:28 dnsmasq[66498]: read /etc/hosts - 4 addresses
      Apr 29 17:27:28 dnsmasq[66498]: reading /etc/resolv.conf
      Apr 29 17:27:28 dnsmasq[66498]: using nameserver 195.62.99.42#53
      Apr 29 17:28:08 check_reload_status: reloading filter
      Apr 29 17:29:45 last message repeated 2 times
      Apr 29 17:30:25 check_reload_status: reloading filter
      Apr 29 17:31:57 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:32:53 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:32:54 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:34:20 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 17:37:20 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:39:21 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1
      Apr 29 17:39:28 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1
      Apr 29 17:39:41 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1

      What can I do to make the firewall connect to the internet using the WAN interface?

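The kernel lines above are the thing to look at, so here is an added example (not from the thread or from pfSense) that turns them into a finding: it parses the `arp: X is on le0 but got reply from MAC on le1` messages, folds syslog's "last message repeated N times" into the preceding ARP message only, and then reports when several hosts expected on one interface answer on another (the two interfaces share a broadcast domain) or when one IP answers from more than one MAC (an address conflict). The sample log is a constructed subset of the lines quoted in the post, with one unrelated dnsmasq line inserted so the repeat handling is exercised.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the kernel messages quoted in the post above,
# plus one unrelated dnsmasq line with its own "repeated" follow-up, so the
# parser has to attribute repeat counts to the right message.
SAMPLE_LOG = [
    "Apr 29 16:46:55 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1",
    "Apr 29 16:51:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1",
    "Apr 29 16:52:05 kernel: arp: 192.168.2.33 is on le0 but got reply from 00:0c:29:11:61:4b on le1",
    "Apr 29 16:54:17 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1",
    "Apr 29 16:56:18 last message repeated 2 times",
    "Apr 29 16:56:43 kernel: arp: 192.168.2.99 is on le0 but got reply from 00:10:db:36:b0:f2 on le1",
    "Apr 29 17:27:27 dnsmasq[44352]: exiting on receipt of SIGTERM",
    "Apr 29 17:29:45 last message repeated 2 times",
    "Apr 29 17:31:57 kernel: arp: 192.168.2.9 is on le0 but got reply from 00:0c:41:8a:ed:70 on le1",
]

TS = r"\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d"
ARP_RE = re.compile(
    TS + r" kernel: arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<expected>\S+)"
    r" but got reply from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<actual>\S+)$"
)
REPEAT_RE = re.compile(TS + r" last message repeated (?P<n>\d+) times$")


def count_arp_mismatches(lines):
    """Map (ip, expected_if, mac, actual_if) -> number of times the kernel
    reported it, folding 'last message repeated N times' into the preceding
    ARP message only (a repeat that follows an unrelated line is ignored)."""
    counts = defaultdict(int)
    last = None
    for raw in lines:
        line = raw.strip()
        m = ARP_RE.match(line)
        if m:
            last = (m["ip"], m["expected"], m["mac"], m["actual"])
            counts[last] += 1
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            counts[last] += int(r["n"])
            continue
        last = None  # any other message breaks the repeat chain
    return dict(counts)


def assess(counts, min_hosts=2):
    """Turn raw counts into findings: several hosts answering on the 'wrong'
    interface means the two interfaces share a broadcast domain; one IP
    answering from several MACs points at an address conflict."""
    pairs = defaultdict(lambda: {"hosts": set(), "total": 0})
    macs_per_ip = defaultdict(set)
    for (ip, expected, mac, actual), n in counts.items():
        pairs[(expected, actual)]["hosts"].add(ip)
        pairs[(expected, actual)]["total"] += n
        macs_per_ip[ip].add(mac)
    findings = []
    for (expected, actual), p in sorted(pairs.items()):
        if len(p["hosts"]) >= min_hosts:
            findings.append(
                f"{len(p['hosts'])} hosts expected on {expected} answered ARP on {actual} "
                f"({p['total']} replies): {expected} and {actual} share a broadcast domain"
            )
    for ip, macs in sorted(macs_per_ip.items()):
        if len(macs) > 1:
            findings.append(f"{ip} answered from {len(macs)} different MACs: possible address conflict")
    return findings


if __name__ == "__main__":
    for finding in assess(count_arp_mismatches(SAMPLE_LOG)):
        print(finding)
```

On the sample this yields a single finding: three hosts expected on le0 answered on le1, eight replies in total. A single stray message would be noise, which is why the check wants at least two distinct hosts before it reports a shared broadcast domain.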
      • hoba

        Those ARP messages indicate some Layer 2 issues. This also might explain why bridging did not work for you. The bridge uses the spanning tree protocol, so in case there is a loop it will shut down the bridge. I recommend investigating what's going on. You shouldn't see these messages.

        • hex2bin

          So what am I supposed to do to get the firewall working? The firewall runs in a virtual machine (VMware Server).

          • hoba

            Fix your network. It's not a pfSense issue. pfSense is just reporting it.

            • hex2bin

              Honestly, I do not know where to start. This network configuration worked well for more than 2 years; I just switched from Astaro to pfSense because pfSense needs fewer resources.

              • GruensFroeschli

                Did you plug WAN and LAN into the same physical network?

                Atm, the WAN-IP is set to 192.168.2.200/32 and the LAN-IP is set to 192.168.2.100.

                192.168.2.200/32 is part of 192.168.2.0/24
                maybe that could be a problem too.

                Might you be able to put the pfSense between your Netscreen5XP and the WLAN AP?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                • hoba

                  @hex2bin:

                  The firewall runs in a virtual machine (VMware Server).

                  Might be a wrong VMware config as well.

                  • hex2bin

                    Did you plug WAN and LAN into the same physical network?

                    Jepp, the firewall just acts as a web filter, so it is no security problem.

                    Might you be able to put the pfSense between your Netscreen5XP and the WLAN AP?

                    That is the problem I face. The pfSense firewall runs under VMware Server on a machine that is connected to the AP via WLAN. So the AP is necessary.

                    • cmb

                      @hex2bin:

                      Did you plug WAN and LAN into the same physical network?

                      Jepp, the firewall just acts as a web filter, so it is no security problem.

                      But it is a networking problem: your firewall can't have two interfaces on the same subnet, and it's never good to have both on the same broadcast domain.

                      What do you mean by web filter? What are you wanting to accomplish?

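To make cmb's point concrete, here is an added example (not from the thread or from pfSense) that checks a set of interface addresses for shared address space and shows where a packet leaves when two connected networks overlap. It uses Python's standard `ipaddress` module. The WAN address 192.168.2.200/32 is the one from the first post; the LAN prefix /24 is assumed (the post gives only 192.168.2.100, and GruensFroeschli's reply treats the network as 192.168.2.0/24), and the gateway address 192.168.2.1 is a constructed placeholder, since the thread never names the Netscreen's address.

```python
import ipaddress
from itertools import combinations

# Constructed from the first post: WAN 192.168.2.200/32 as stated, LAN /24 assumed.
POSTED_CONFIG = {"WAN": "192.168.2.200/32", "LAN": "192.168.2.100/24"}
# Constructed clean counterpart: each interface in its own network.
CLEAN_CONFIG = {"WAN": "10.0.0.2/30", "LAN": "192.168.2.1/24"}


def parse_interfaces(interfaces):
    """name -> ip_interface, from pfSense-style 'address/prefix' strings."""
    return {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}


def check_interface_overlap(interfaces):
    """Report every pair of interfaces whose connected networks overlap.
    A /32 on one interface that lies inside another interface's /24 counts,
    because the same hosts are then reachable on two interfaces."""
    parsed = parse_interfaces(interfaces)
    findings = []
    for (a, ia), (b, ib) in combinations(sorted(parsed.items()), 2):
        if ia.version != ib.version:
            continue
        if ia.network.overlaps(ib.network):
            findings.append(
                f"{a} {ia} and {b} {ib} share address space "
                f"({ia.network} overlaps {ib.network}); hosts in the overlap are "
                f"reachable on two interfaces, so ARP and routing become ambiguous"
            )
    return findings


def egress_interface(interfaces, destination):
    """Longest-prefix match over the connected networks only (no static or
    default routes): the interface whose network covers the destination with
    the most specific prefix wins. None means no connected network covers it."""
    dst = ipaddress.ip_address(destination)
    best = None
    for name, iface in parse_interfaces(interfaces).items():
        if dst.version == iface.version and dst in iface.network:
            if best is None or iface.network.prefixlen > best[1].network.prefixlen:
                best = (name, iface)
    return best[0] if best else None


if __name__ == "__main__":
    for finding in check_interface_overlap(POSTED_CONFIG):
        print(finding)
    # With a /32 on WAN, the only address reachable via WAN is WAN itself;
    # anything else in 192.168.2.0/24, an upstream gateway included, goes out LAN.
    print("gateway 192.168.2.1 (placeholder) leaves via", egress_interface(POSTED_CONFIG, "192.168.2.1"))
    print("clean config findings:", check_interface_overlap(CLEAN_CONFIG))
```

The routing half is the part worth keeping in mind: a /32 connected route covers exactly one address, so with the posted configuration every other host in 192.168.2.0/24 is reached through the LAN interface's connected route, which matches the symptom described in the first post.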
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.