Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfBlockerNG blocking SMTP

    Scheduled Pinned Locked Moved pfBlockerNG
    configurationmultiwanmailsmtppfblockerng
    13 Posts 2 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Alek
      last edited by

      Hello there,

      I have a pfsense box with pfBlockerNG set up like that :

      default gateway x.x.x.13/29
      
      VIP x.x.x.14/29
      

      I'm trying to set up a mail server on my x.x.x.14 IP. I setup Outbound rule and NAT on all necessary port between my host and my VIP x.x.x.14.

      I find out that pfBlocker is blocking SMTP request on my VIP.

      Any idea how I can either :

      • exclude regex domain (outlook.protection.microsoft.com or .mailjet.com....) from pfBlockerNG

      • exclude my VIP from pfBlockerNG

      ?

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @Alek
        last edited by

        @alek

        What about : don't use feeds within pfBlockerNG that include your IPs § DNSBLs ?
        Or, white list them .

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        A 1 Reply Last reply Reply Quote 0
        • A
          Alek @Gertjan
          last edited by

          @gertjan
          It's Microsoft, Mailjet, Google...etc SMTP servers that are blocked.
          These IPs are in multiple feeds so seems a bit too much to disable all these feeds

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @Alek
            last edited by

            You can white list here :
            e2e60f9e-b765-46d7-9838-c6261510a100-image.png

            and whatever you list will be removed from all the lists.

            You are hosting a mail server : be very careful with what you block, because if you block them, they can start to block you, as "Microsoft, Mailjet, Google...etc SMTP" can also send you ligit mails ....

            I'm use myself a mail server (postfix), with a dozen or so domain names and as much IPv4 (and IPv6).
            No pfSense in front of it, and certainly not something like pfBlockerNG, as it isn't ment to be used like that ( IMHO ).

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            A 1 Reply Last reply Reply Quote 1
            • A
              Alek @Gertjan
              last edited by

              @gertjan
              My mail server is in my lab so behind my pfsense.
              That why i'm looking for a way to exluce my VIP from pfBlockerNG

              GertjanG 1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @Alek
                last edited by Gertjan

                @alek

                I understood.

                Why would you need a VIP ? What about a dedicated interface network for your mail server, NAT port 25 from WAN to the 'mail' interface, mail server IP port 25 and done.
                Exclude this mail server interface from any pfblockerng interference. This will also solve your issue (subject).

                Your WAN IP isn't an IP from some ISP, right ? As most, if not all, of them are known, and serious mail servers (the big ones) will not accept mail from servers "@home".

                As soon as you are able to send a mail, send one to gmail.
                Your mission : don't stop before you have 3 x ¨PASS". SPF+DKIM+DMARC isn't optional any more. I wonder if they will be strict with the PTR of your WAN IP ....

                edit :

                1971e6c3-6726-434b-a1db-dbf662f34d28-image.png

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                A 2 Replies Last reply Reply Quote 1
                • A
                  Alek @Gertjan
                  last edited by

                  @gertjan
                  Great idea, didn't think about that !
                  I've asked my ISP to fix my VIP on available ports.
                  I already have PTR on these VIP.
                  Thanks mate 👍

                  1 Reply Last reply Reply Quote 0
                  • A
                    Alek @Gertjan
                    last edited by

                    @gertjan
                    This solution brought me another problem ^^
                    Did you find a way to assign a dedicated interface ?
                    My ISP gave me multiple IPs but with only one WAN.
                    As you may know, it's impossible to assign another interface with the same gateway.

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @Alek
                      last edited by Gertjan

                      @alek said in pfBlockerNG blocking SMTP:

                      My ISP gave me multiple IPs but with only one WAN.

                      Ok, I get it, I think : you've created VIP using Firewall > Virtual IPs and multiple IP aliases to your WAN interface.

                      These IP+port 25 could be NATted to the right local IP+port 25 == mail server, right ?

                      Assigning an interface to a gateway is needed here (I think again).
                      You will have to map the mailserver's outgoing traffic through to VIP IP. (I keep on thinking ;))

                      Can say more, as I have never dealt with these multi IPs on WAN before.
                      I do use a lot of IPv4 addresses on the NIC of my mail server, :

                      root@ns311465:~# ifconfig
                      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 188.xxx.201.123  netmask 255.255.255.0  broadcast 188.xxx.201.255
                              inet6 2001:41d0:2:xxx::10  prefixlen 128  scopeid 0x0<global>
                              inet6 2001:41d0:2:xxxx::2  prefixlen 128  scopeid 0x0<global>
                              inet6 fe80::225:yyy:fe71:bf86  prefixlen 64  scopeid 0x20<link>
                              inet6 2001:41d0:2:xxxx::11  prefixlen 128  scopeid 0x0<global>
                              inet6 2001:41d0:2:xxxx::15  prefixlen 128  scopeid 0x0<global>
                              inet6 2001:41d0:2:xxxx::3  prefixlen 128  scopeid 0x0<global>
                              inet6 2001:41d0:2:xxxx::  prefixlen 64  scopeid 0x0<global>
                              inet6 2001:41d0:2:xxxx::20  prefixlen 128  scopeid 0x0<global>
                              inet6 2001:41d0:2:xxxx::1  prefixlen 128  scopeid 0x0<global>
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              RX packets 152768770  bytes 37714762815 (35.1 GiB)
                              RX errors 2  dropped 123638  overruns 0  frame 2
                              TX packets 201134377  bytes 186610834588 (173.7 GiB)
                              TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      
                      eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 46.xxx.79.38  netmask 255.255.255.255  broadcast 46.xxx.79.38
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      
                      eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 87.xxx.136.44  netmask 255.255.255.255  broadcast 87.xxx.136.44
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      
                      eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 5.xxx.43.182  netmask 255.255.255.255  broadcast 5.xxx.43.182
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      
                      eth0:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 87.xxx.174.106  netmask 255.255.255.255  broadcast 87.xxx.174.106
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      
                      eth0:4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 188.165.53.87  netmask 255.255.255.255  broadcast 188.165.53.87
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      
                      eth0:5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                              inet 217.xxxx.46.28  netmask 255.255.255.255  broadcast 217.xxx.46.28
                              ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                              device interrupt 16  memory 0xfbce0000-fbd00000
                      

                      My firewall (iptables) is close to empty - no NAT rules neither.
                      Works great for the last 15 years or so.
                      This is a dedicated bare bone server in a data centre.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      A 1 Reply Last reply Reply Quote 1
                      • A
                        Alek @Gertjan
                        last edited by

                        @gertjan
                        Yes I did it this way.
                        I got a port forward + outbound rule between one VIP to my local IP.
                        I didn't understand, you mean adding a new interface ? Because this is exactly what I'm trying to do but can't coz same gw.

                        GertjanG A 2 Replies Last reply Reply Quote 0
                        • GertjanG
                          Gertjan @Alek
                          last edited by

                          @alek said in pfBlockerNG blocking SMTP:

                          I didn't understand, you mean adding a new interface ? Because this is exactly what I'm trying to do but can't coz same gw

                          I thought it was like adding interfaces, but it isn't.
                          I've edited my post above to show you that I also add several IPv4 (and IPv6) to the same physical interface. That is a standard Debian based web mail server.

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          1 Reply Last reply Reply Quote 1
                          • A
                            Alek @Alek
                            last edited by

                            @alek
                            My bad, didn't get the whole text.
                            I guess the best way would be to have a dedicated pfsense box without pfblocker, assigned to one of my VIP and serving my mails servers. No ?

                            GertjanG 1 Reply Last reply Reply Quote 0
                            • GertjanG
                              Gertjan @Alek
                              last edited by

                              @alek said in pfBlockerNG blocking SMTP:

                              No ?

                              That's the easy / easier way.

                              Have a look at this list : Youtube Netgate everything you always wanted to know, and more.
                              There is a Muti WAN video. There is a video about VIP, Carps, etc.

                              The videos are old, but still very valid and very informative. It's a guy from Netgate talking about Netgate/pfSense.

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.