• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

pfBlockerNG blocking SMTP

pfBlockerNG
configuration multiwan mail smtp pfblockerng
2
13
2.4k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    Alek
    last edited by Apr 12, 2022, 7:48 AM

    Hello there,

    I have a pfsense box with pfBlockerNG set up like that :

    default gateway x.x.x.13/29
    
    VIP x.x.x.14/29
    

    I'm trying to set up a mail server on my x.x.x.14 IP. I setup Outbound rule and NAT on all necessary port between my host and my VIP x.x.x.14.

    I find out that pfBlocker is blocking SMTP request on my VIP.

    Any idea how I can either :

    • exclude regex domain (outlook.protection.microsoft.com or .mailjet.com....) from pfBlockerNG

    • exclude my VIP from pfBlockerNG

    ?

    G 1 Reply Last reply Apr 12, 2022, 8:19 AM Reply Quote 0
    • G
      Gertjan @Alek
      last edited by Apr 12, 2022, 8:19 AM

      @alek

      What about : don't use feeds within pfBlockerNG that include your IPs § DNSBLs ?
      Or, white list them .

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      A 1 Reply Last reply Apr 12, 2022, 8:23 AM Reply Quote 0
      • A
        Alek @Gertjan
        last edited by Apr 12, 2022, 8:23 AM

        @gertjan
        It's Microsoft, Mailjet, Google...etc SMTP servers that are blocked.
        These IPs are in multiple feeds so seems a bit too much to disable all these feeds

        G 1 Reply Last reply Apr 12, 2022, 8:43 AM Reply Quote 0
        • G
          Gertjan @Alek
          last edited by Apr 12, 2022, 8:43 AM

          You can white list here :
          login-to-view

          and whatever you list will be removed from all the lists.

          You are hosting a mail server : be very careful with what you block, because if you block them, they can start to block you, as "Microsoft, Mailjet, Google...etc SMTP" can also send you ligit mails ....

          I'm use myself a mail server (postfix), with a dozen or so domain names and as much IPv4 (and IPv6).
          No pfSense in front of it, and certainly not something like pfBlockerNG, as it isn't ment to be used like that ( IMHO ).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          A 1 Reply Last reply Apr 12, 2022, 8:51 AM Reply Quote 1
          • A
            Alek @Gertjan
            last edited by Apr 12, 2022, 8:51 AM

            @gertjan
            My mail server is in my lab so behind my pfsense.
            That why i'm looking for a way to exluce my VIP from pfBlockerNG

            G 1 Reply Last reply Apr 12, 2022, 1:02 PM Reply Quote 0
            • G
              Gertjan @Alek
              last edited by Gertjan Apr 12, 2022, 1:03 PM Apr 12, 2022, 1:02 PM

              @alek

              I understood.

              Why would you need a VIP ? What about a dedicated interface network for your mail server, NAT port 25 from WAN to the 'mail' interface, mail server IP port 25 and done.
              Exclude this mail server interface from any pfblockerng interference. This will also solve your issue (subject).

              Your WAN IP isn't an IP from some ISP, right ? As most, if not all, of them are known, and serious mail servers (the big ones) will not accept mail from servers "@home".

              As soon as you are able to send a mail, send one to gmail.
              Your mission : don't stop before you have 3 x ¨PASS". SPF+DKIM+DMARC isn't optional any more. I wonder if they will be strict with the PTR of your WAN IP ....

              edit :

              login-to-view

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              A 2 Replies Last reply Apr 13, 2022, 8:01 AM Reply Quote 1
              • A
                Alek @Gertjan
                last edited by Apr 13, 2022, 8:01 AM

                @gertjan
                Great idea, didn't think about that !
                I've asked my ISP to fix my VIP on available ports.
                I already have PTR on these VIP.
                Thanks mate 👍

                1 Reply Last reply Reply Quote 0
                • A
                  Alek @Gertjan
                  last edited by Apr 13, 2022, 12:20 PM

                  @gertjan
                  This solution brought me another problem ^^
                  Did you find a way to assign a dedicated interface ?
                  My ISP gave me multiple IPs but with only one WAN.
                  As you may know, it's impossible to assign another interface with the same gateway.

                  G 1 Reply Last reply Apr 13, 2022, 12:43 PM Reply Quote 0
                  • G
                    Gertjan @Alek
                    last edited by Gertjan Apr 13, 2022, 12:49 PM Apr 13, 2022, 12:43 PM

                    @alek said in pfBlockerNG blocking SMTP:

                    My ISP gave me multiple IPs but with only one WAN.

                    Ok, I get it, I think : you've created VIP using Firewall > Virtual IPs and multiple IP aliases to your WAN interface.

                    These IP+port 25 could be NATted to the right local IP+port 25 == mail server, right ?

                    Assigning an interface to a gateway is needed here (I think again).
                    You will have to map the mailserver's outgoing traffic through to VIP IP. (I keep on thinking ;))

                    Can say more, as I have never dealt with these multi IPs on WAN before.
                    I do use a lot of IPv4 addresses on the NIC of my mail server, :

                    root@ns311465:~# ifconfig
                    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 188.xxx.201.123  netmask 255.255.255.0  broadcast 188.xxx.201.255
                            inet6 2001:41d0:2:xxx::10  prefixlen 128  scopeid 0x0<global>
                            inet6 2001:41d0:2:xxxx::2  prefixlen 128  scopeid 0x0<global>
                            inet6 fe80::225:yyy:fe71:bf86  prefixlen 64  scopeid 0x20<link>
                            inet6 2001:41d0:2:xxxx::11  prefixlen 128  scopeid 0x0<global>
                            inet6 2001:41d0:2:xxxx::15  prefixlen 128  scopeid 0x0<global>
                            inet6 2001:41d0:2:xxxx::3  prefixlen 128  scopeid 0x0<global>
                            inet6 2001:41d0:2:xxxx::  prefixlen 64  scopeid 0x0<global>
                            inet6 2001:41d0:2:xxxx::20  prefixlen 128  scopeid 0x0<global>
                            inet6 2001:41d0:2:xxxx::1  prefixlen 128  scopeid 0x0<global>
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            RX packets 152768770  bytes 37714762815 (35.1 GiB)
                            RX errors 2  dropped 123638  overruns 0  frame 2
                            TX packets 201134377  bytes 186610834588 (173.7 GiB)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    
                    eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 46.xxx.79.38  netmask 255.255.255.255  broadcast 46.xxx.79.38
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    
                    eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 87.xxx.136.44  netmask 255.255.255.255  broadcast 87.xxx.136.44
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    
                    eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 5.xxx.43.182  netmask 255.255.255.255  broadcast 5.xxx.43.182
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    
                    eth0:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 87.xxx.174.106  netmask 255.255.255.255  broadcast 87.xxx.174.106
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    
                    eth0:4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 188.165.53.87  netmask 255.255.255.255  broadcast 188.165.53.87
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    
                    eth0:5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                            inet 217.xxxx.46.28  netmask 255.255.255.255  broadcast 217.xxx.46.28
                            ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
                            device interrupt 16  memory 0xfbce0000-fbd00000
                    

                    My firewall (iptables) is close to empty - no NAT rules neither.
                    Works great for the last 15 years or so.
                    This is a dedicated bare bone server in a data centre.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    A 1 Reply Last reply Apr 13, 2022, 12:47 PM Reply Quote 1
                    • A
                      Alek @Gertjan
                      last edited by Apr 13, 2022, 12:47 PM

                      @gertjan
                      Yes I did it this way.
                      I got a port forward + outbound rule between one VIP to my local IP.
                      I didn't understand, you mean adding a new interface ? Because this is exactly what I'm trying to do but can't coz same gw.

                      G A 2 Replies Last reply Apr 13, 2022, 12:52 PM Reply Quote 0
                      • G
                        Gertjan @Alek
                        last edited by Apr 13, 2022, 12:52 PM

                        @alek said in pfBlockerNG blocking SMTP:

                        I didn't understand, you mean adding a new interface ? Because this is exactly what I'm trying to do but can't coz same gw

                        I thought it was like adding interfaces, but it isn't.
                        I've edited my post above to show you that I also add several IPv4 (and IPv6) to the same physical interface. That is a standard Debian based web mail server.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 1
                        • A
                          Alek @Alek
                          last edited by Apr 13, 2022, 12:53 PM

                          @alek
                          My bad, didn't get the whole text.
                          I guess the best way would be to have a dedicated pfsense box without pfblocker, assigned to one of my VIP and serving my mails servers. No ?

                          G 1 Reply Last reply Apr 13, 2022, 1:41 PM Reply Quote 0
                          • G
                            Gertjan @Alek
                            last edited by Apr 13, 2022, 1:41 PM

                            @alek said in pfBlockerNG blocking SMTP:

                            No ?

                            That's the easy / easier way.

                            Have a look at this list : Youtube Netgate everything you always wanted to know, and more.
                            There is a Muti WAN video. There is a video about VIP, Carps, etc.

                            The videos are old, but still very valid and very informative. It's a guy from Netgate talking about Netgate/pfSense.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 1
                            10 out of 13
                            • First post
                              10/13
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.