Netgate Discussion Forum
    SMTP port forwarding from internal server

Category: NAT
22 Posts 3 Posters 4.2k Views
viragomann @lex.under.3182

@lex-under-3182
I think I got it.

My assumption was that you wanted to forward mail from any public IP first.
So you can limit the source in the outbound NAT rule to the client's IP then.

lex.under.3182

@viragomann @stephenw10

OK guys, I think the issue is somewhere on the other end of the firewall.
When I add these settings I do see requests in the logs, but the firewall is blocking them, so the first thought I have is to add a pass rule in the firewall like this
https://nimb.ws/WkY0AZ

Then when I telnet I do see that the firewall stops blocking it
https://nimb.ws/8ClMy0

And the connection times out, which probably means I cannot use 172.28.28.28 as my mail server host in the application settings. :(

        root@vault-test:~# telnet 172.28.28.28 587
        Trying 172.28.28.28...
        
        telnet: Unable to connect to remote host: Connection timed out
        
viragomann @lex.under.3182

@lex-under-3182
Strange, the rule should allow the packets.

Switch to the normal log view, so you can see the rule which blocks the traffic.

lex.under.3182 @viragomann

@viragomann Should I use port 587 under the translation area?
            https://nimb.ws/NWw75O

viragomann @lex.under.3182

@lex-under-3182
No, that's the source port. It should be dynamic (any).
Only the destination port is 587.

lex.under.3182 @viragomann

@viragomann The port for source is empty, as you can see in the last screenshot. Should "Translation" be empty as well? Hmm.
Doesn't that mean routing any traffic to any port at 172.28.28.28 from 192.168.0.136 to 85.13.135.13:587?

If I try to connect to 172.28.28.28:80, will it masquerade it to 85.13.135.13:587?

viragomann @lex.under.3182

                  @lex-under-3182
                  The translation port has to be empty. This is the source port in outgoing packets and should be automatically selected by pfSense.

stephenw10 Netgate Administrator

                    Yup, or check the 'static port' box to use the same source port the client is using. Either should work here though.

                    Steve

lex.under.3182

@stephenw10 @viragomann
OK guys, thank you for the help, but it looks like I am stuck with this... It still does not work. Maybe it is because of some settings in the hoster's NAT for the pfSense public IP that I do not control.

Although from pfSense I can telnet to the mail server.

                      /root: telnet 85.13.135.13 587
                      Trying 85.13.135.13...
                      Connected to dd52114.kasserver.com.
                      Escape character is '^]'.
                      220 dd52114.kasserver.com ESMTP
                      

From the client's server I cannot

                      # telnet 172.28.28.28 587
                      Trying 172.28.28.28...
                      telnet: Unable to connect to remote host: Connection timed out
                      

It is possible there are also some other settings in pfSense that I have not enabled and that prevent this from mapping correctly.

I cannot ask you for any further help. It is not ethical, I think :) You spent a lot of time helping me... I will try to remove everything and set it up again on Sunday, but I think the issue will still be there and I will have to add a second OpenVPN for this purpose. Connecting each server to a VPN to be able to send emails does not look like a very stable solution to me, but I am pretty sure this should work...

In any case, if somebody still finds an issue in my configs or has another solution, then please share.
Just to repeat, here is my outbound NAT config
https://nimb.ws/IRHqbn
This is the firewall rule for that NAT
https://nimb.ws/VPYBs3
System - Advanced - Firewall & NAT
https://nimb.ws/O8lYWH

By the way, I did an upgrade of pfSense to 2.6.0-RELEASE a few weeks ago. And also there are no Translation options in the System - Advanced - Firewall & NAT menu. But I doubt it could be the cause.

viragomann @lex.under.3182

@lex-under-3182
Is the port forwarding rule still in place? It is necessary as well.

Are the packets still blocked? If so, what's the responsible rule?

For troubleshooting, run a packet capture on the pfSense WAN interface, filtered for port 587. So you can clearly see what the packets do.

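The WAN packet capture suggested above is the quickest way to tell which of the three pieces (the port forward on LAN, the outbound NAT rule, the pass rule) is failing, or whether the block is upstream at the hoster. The script below is an added example, not something posted in the thread or shipped with pfSense: it triages a `tcpdump -nn` text capture of TCP/587 taken on the WAN interface and reports one of four outcomes. The capture lines are constructed for illustration using the addresses from the thread (client 192.168.0.136, mail server 85.13.135.13); the pfSense WAN address 203.0.113.10 and the interface name em0 are assumptions, since the thread never shows them.

```shell
#!/bin/sh
# Added example (not from the thread): triage a 'tcpdump -nn' capture of the
# TCP/587 traffic on the pfSense WAN interface. On pfSense the capture comes
# from Diagnostics > Packet Capture or, from a shell on the box:
#   tcpdump -nni em0 'tcp port 587'      # em0 = WAN here (assumption); adjust
# and the matching state entries (stephenw10's "check the states") from:
#   pfctl -ss | grep ':587'
# The WAN address 203.0.113.10 is a placeholder; the thread never shows it.

# classify_capture FILE WAN_IP -> prints one of
#   handshake-complete  : a SYN-ACK came back from the mail server; NAT and upstream path work
#   no-syn              : no SYN toward port 587 ever left WAN; the port forward, outbound NAT
#                         or pass rule is not matching the client's traffic
#   syn-not-translated  : a SYN left WAN still carrying the client's private source address;
#                         the outbound NAT rule did not match it
#   syn-no-reply        : SYNs leave with the WAN address and nothing returns; filtered upstream
#                         (e.g. the hoster's NAT) or by the mail server
classify_capture() {
    awk -v wan="$2" '
        # tcpdump -nn line: <ts> IP <src>.<sport> > <dst>.<dport>: Flags [..], ...
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            ns = split(src, s, /\./); nd = split(dst, d, /\./)
            sip = s[1] "." s[2] "." s[3] "." s[4]
            if ($7 == "[S]," && d[nd] == "587") {          # outbound SYN to the submission port
                syn++
                if (sip != wan) untranslated++
            }
            if ($7 == "[S.]," && s[ns] == "587") synack++   # SYN-ACK back from the server
        }
        END {
            if (synack > 0)            print "handshake-complete"
            else if (syn == 0)         print "no-syn"
            else if (untranslated > 0) print "syn-not-translated"
            else                       print "syn-no-reply"
        }' "$1"
}

# Constructed sample captures (not real output), one per outcome.
CAP_OK=$(mktemp)
cat > "$CAP_OK" <<'EOF'
10:00:00.000001 IP 203.0.113.10.51234 > 85.13.135.13.587: Flags [S], seq 100, win 65535, length 0
10:00:00.020001 IP 85.13.135.13.587 > 203.0.113.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
10:00:00.020101 IP 203.0.113.10.51234 > 85.13.135.13.587: Flags [.], ack 201, win 2058, length 0
EOF

CAP_NOREPLY=$(mktemp)
cat > "$CAP_NOREPLY" <<'EOF'
10:00:00.000001 IP 203.0.113.10.51235 > 85.13.135.13.587: Flags [S], seq 100, win 65535, length 0
10:00:01.000001 IP 203.0.113.10.51235 > 85.13.135.13.587: Flags [S], seq 100, win 65535, length 0
10:00:03.000001 IP 203.0.113.10.51235 > 85.13.135.13.587: Flags [S], seq 100, win 65535, length 0
EOF

CAP_UNTRANSLATED=$(mktemp)
cat > "$CAP_UNTRANSLATED" <<'EOF'
10:00:00.000001 IP 192.168.0.136.51236 > 85.13.135.13.587: Flags [S], seq 100, win 65535, length 0
EOF

CAP_NOSYN=$(mktemp)
cat > "$CAP_NOSYN" <<'EOF'
10:00:00.000001 IP 203.0.113.10.40000 > 9.9.9.9.53: 4242+ A? dd52114.kasserver.com. (39)
EOF

for f in "$CAP_OK" "$CAP_NOREPLY" "$CAP_UNTRANSLATED" "$CAP_NOSYN"; do
    printf '%s: %s\n' "$f" "$(classify_capture "$f" 203.0.113.10)"
done
```

The symptom in this thread (telnet from pfSense itself succeeds, telnet from the client times out) maps onto the last three outcomes: `no-syn` points at the pfSense rules, `syn-not-translated` at the outbound NAT rule (for example a translation port or source filled in where it should be empty), and `syn-no-reply` at the hoster's side, which the poster suspected and could not control.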
stephenw10 Netgate Administrator

                          Try to connect from the client. Check the states in pfSense.

lex.under.3182

@stephenw10 @viragomann
Through VPN it worked fine. Spent 40 mins and the issue is solved.

Just to update. Thank you guys for the help anyway.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.