Netgate Discussion Forum

    Multiple email servers behind pfsense

    NAT
    13 Posts 5 Posters 4.3k Views
    • dcol Banned

      I have two email servers I want to run behind pfsense. I have one WAN with multiple static IP's. 5 interface ports. One interface is dedicated to the LAN. One interface to wireless. One to WAN. I want to use the remaining two interface ports, one to each of the email servers each dedicated to its own static WAN IP.

      I have this running now with one email server using NAT and port forwarding the email ports to that NAT IP.
      Now I need to add another email server.

      Here is the question.
      Can I add another port forwarding rule with the new destination address and NAT IP with the same email ports as the other server? Both would use the same WAN interface. Or is there a better way to achieve this?

      • johnpoz LAYER 8 Global Moderator

        sure if you have multiple wan IPs you can forward the same port from different IPs to different servers.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • muswellhillbilly

          Alternately, if you don't have a spare external IP to play with, you can set up an MTA that sits between your firewall and your mail servers. The MTA can then route emails to either of your internal mail servers depending on the recipient domain. You only change the NAT on the firewall to point to the new box and the mail routing is handled by that machine to the target mail server. You would also have to add the MX record for the new domain to point to the same WAN IP, of course.

          • johnpoz LAYER 8 Global Moderator

            ^ but he stated he did have multiple IPs
            "I have one WAN with multiple static IP's"

            So yes just put one of your other IPs on your wan, and port forward from that IP to your 2nd server.

            • chpalmer

              So yes just put one of your other IPs on your wan, and port forward from that IP to your 2nd server.

              You're probably going to want to look up "VIP" for any other IP addresses you want to add to the WAN side.

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              • Derelict LAYER 8 Netgate

                It also sounds like you're wasting router ports. Make one of those ports a (real) DMZ and put your mail servers on a switch behind it.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • muswellhillbilly

                  @johnpoz:

                  ^ but he stated he did have multiple IPs
                  "I have one WAN with multiple static IP's"

                  So yes just put one of your other IPs on your wan, and port forward from that IP to your 2nd server.

                  I was proposing the single NAT to a domain-routing MTA as just another option. I also have a WAN with multiple IPs, but all of them are being used for other purposes. I didn't know if the OP had a similar issue, so suggested this as a possible plan B. Never hurts to have multiple options.

                  • Derelict LAYER 8 Netgate

                    You can use port 25 on the IP addresses for email servers and use them for other things.

                    A port forward will be effective before a 1:1 NAT on the same address, resulting in the port forward for port 25 going to a specific NAT/PAT and everything else going to the 1:1 NAT address.

                    • dcol Banned

                      Ok I will try with 2 port 25 port forwards, each to the different WAN IP. Thanks

                      • dcol Banned

                        Tried the 2 port forwarding rules and it does not work. Only the first rule passes to the port.
                        Is there any way to do this without using port forwarding? I simply want to run 2 email servers using all the email ports to 2 static IP's with one WAN port and one gateway. I have 4 static IP's assigned to me on one gateway and 5 external IP ports.

                        EXAMPLE:
                        gateway 96.97.98.113 - Assigned Static IPs: 96.97.98.114, 96.97.98.117, 96.97.98.124, 96.97.98.125
                        static IP 96.97.98.114 to LAN: 192.168.1.1/24
                        static IP 96.97.98.117 to Email server 1: ports 25,80,110,143,443 - 192.168.20.2 - Assigned VIP
                        static IP 96.97.98.124 to WLAN; 192.168.2.1/24
                        static IP 96.97.98.125 to Email server 2: ports 25,110,143 - 192.168.30.2 - Assigned VIP

                        I have 5 external ports connecting to: WAN, LAN, WLAN, Email 1, Email 2
                        WLAN, LAN, and Email server 1 have been working fine for quite a while. (Email server 1 using Port Forwarding)
                        Just want to add Email server 2

                        So why do I need port forwarding when I have all dedicated ports? What I really want to do is the following:
                        Direct all traffic from IP:
                        96.97.98.114 to/from LAN traffic on External port 1
                        96.97.98.117 to/from EMAIL 1 Server traffic on External port 2
                        96.97.98.124 to/from WLAN traffic on External port 3
                        96.97.98.125 to/from EMAIL 2 Server traffic on External port 4
                        External port 5 is on the WAN 96.97.98.113/28 and is assigned as the gateway

                        117 and 125 IP's are assigned as VIP's and using 1:1 NAT. All can access the internet via the gateway. And have rules for LAN access.
                        Maybe all I need is some WAN firewall rules to pass all the traffic from the VIP's to the actual server IP without any Port Forwarding?
                        Maybe even specific WAN rules to just pass the ports I need to those EMAIL servers.
                        Question is, do I need to setup any other things to just use WAN rules without using Port Forwarding?
                        Can I use a VIP to go to the specific IP via WAN rules only? Or are VIP's used only for NAT rules?

                        I hope I provided enough info to ask the question. IP's have been changed, in my examples, to protect the innocent.

                          • dcol Banned
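                        The setup the thread is circling around (one mail server per WAN VIP, the same service ports on each, with the 1:1 NAT VIPs the poster already has) written out as raw pf rules. This is an added example, not from the thread and not pfSense's generated ruleset: it assumes the WAN interface is em0 (an assumption) and uses the poster's own, already changed, addresses and ports. pfSense builds equivalent rules from the Virtual IPs, Port Forward and 1:1 NAT pages; the raw form just makes the matching logic visible.

```pf
# Added example, not from the thread or pfSense's own rules.debug.
# Assumption: WAN is em0. Addresses/ports are the poster's (anonymised) ones.
wan       = "em0"
mail1_vip = "96.97.98.117"   # VIP (IP Alias) that must exist on the WAN interface
mail2_vip = "96.97.98.125"   # second VIP, same WAN interface
mail1     = "192.168.20.2"   # Email server 1 behind its own router port
mail2     = "192.168.30.2"   # Email server 2 behind its own router port

# Port forwards: the same ports on two different WAN addresses, each sent to
# its own server. pf takes the first matching rdr, and the distinct destination
# address is what keeps the two rules from colliding. Leaving the port off the
# right-hand side keeps the original destination port.
rdr on $wan proto tcp from any to $mail1_vip port { 25, 80, 110, 143, 443 } -> $mail1
rdr on $wan proto tcp from any to $mail2_vip port { 25, 110, 143 }          -> $mail2

# 1:1 NAT for the same hosts (what the poster already has on 117 and 125).
# binat also gives each server its VIP as the source of its outbound traffic.
# The thread notes pfSense applies a port forward before a 1:1 NAT on the
# same address, so the rdr lines above still decide where port 25 goes.
binat on $wan from $mail1 to any -> $mail1_vip
binat on $wan from $mail2 to any -> $mail2_vip

# Filtering happens after translation: by the time the WAN rule is checked the
# destination is already the private address, so the pass rules name the
# internal host, not the VIP. Default-deny everything else arriving on WAN.
block in on $wan
pass in quick on $wan proto tcp from any to $mail1 port { 25, 80, 110, 143, 443 } flags S/SA keep state
pass in quick on $wan proto tcp from any to $mail2 port { 25, 110, 143 }          flags S/SA keep state
```

                        The two things that most often make "only the first rule passes" appear in this layout are a second forward whose destination is "WAN address" rather than the specific VIP (then both rules match the same address and the first wins), and a WAN firewall rule written against the VIP instead of the translated internal address. Checking those two fields on the second forward is the first diagnostic step, whichever way the rules were entered.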

                          Bump….Anyone?

                            • chpalmer

                            @dcol:

                            Bump….Anyone?

                            Did you set up any VIPs for your other static IP addresses?

                            You're probably going to want to look up "VIP" for any other IP addresses you want to add to the WAN side.

                              • Derelict LAYER 8 Netgate

                              Post screenshots of what you have done.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.