Netgate Discussion Forum

pfSense+Postfix via Port Forward

Category: NAT. 24 posts, 4 posters, 2.0k views.
viragomann @t.sato

      @t-sato
This is masquerading! pfSense translates the original source address into the DMZ interface address in outgoing packets on DMZ.

If you need this to get access to your mail server, the server doesn't accept outside sources. It blocks them with its own firewall.
So you have to configure the server properly to accept access from the internet.

There is nothing pfSense can do here.

t.sato @viragomann

@viragomann said in pfSense+Postfix via Port Forward:

> @t-sato
> This is masquerading! pfSense translates the original source address into the DMZ interface address in outgoing packets on DMZ.

Earlier, you mentioned that pfSense does not masquerade source IPs on incoming traffic by default.

I just want to clarify: port forward or 1:1 NAT on pfSense does masquerading, therefore the server cannot log the source IP and logs the interface IP of pfSense instead.

> If you need this to get access to your mail server, the server doesn't accept outside sources. It blocks them with its own firewall.
> So you have to configure the server properly to accept access from the internet.

My server accepts everything properly. I think now I need to find a way to assign a public IP to the mail server and bridge it, or tunnel, or use proxy protocol via HAProxy outside of pfSense to know the source IP.

> There is nothing pfSense can do here.

I was reading this article and was looking for a way to know the source IP at the server via pfSense port forward, but I was wrong, I assume.

https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/

Thank you so much for your advice. It really helped me to find a different way to achieve the goal.

BTW, the cheap router provided by the ISP here has a simple DMZ function (1:1 NAT or similar) and somehow the same mail server was able to obtain the source IP in maillog. Since I replaced it with pfSense, it doesn't log the source IP. I assume the way pfSense works sounds normal and correct, while the way the cheap router worked was useful but not right.

t.sato @rcoleman-netgate

          @rcoleman-netgate

In your server log (maillog), is the source IP recorded? Or does the log show the interface IP that serves 10.50.1.3?

rcoleman-netgate (Netgate) @t.sato

            @t-sato
            When receiving email from the outside:

            Dec 27 11:59:05 mail postfix/qmgr[1120]: 7091B40E87: removed
            Dec 27 11:59:31 mail postfix/smtpd[2472233]: connect from unknown[185.55.243.205]
            Dec 27 11:59:33 mail postfix/smtpd[2472233]: CA5E940956: client=unknown[185.55.243.205]
            

            Dovecot when I check my email:

            Dec 27 12:00:07 imap-login: Info: Login: user=<sales@domain.com>, method=PLAIN, rip=174.2x.1xx.xx, lip=10.50.1.3, mpid=2472478, TLS, session=<!@#$%^RTDFG#@>
            Dec 27 12:00:07 imap-login: Info: Login: user=<support@domain.com>, method=PLAIN, rip=174.2x.1xx.xx, lip=10.50.1.3, mpid=2472479, TLS, session=<!@#$%^RTDFG#@>
            

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

viragomann @t.sato

@t-sato said in pfSense+Postfix via Port Forward:

> Earlier, you mentioned that pfSense does not masquerade source IPs on incoming traffic by default.

This is still true. pfSense doesn't masquerade incoming packets by default. You have added the outbound NAT rule yourself.

> I just want to clarify: port forward or 1:1 NAT on pfSense does masquerading, therefore the server cannot log the source IP and logs the interface IP of pfSense instead.

1:1 does both, DNAT (port forwarding) and SNAT (masquerading). But if the rule is configured correctly, the latter is applied only to outbound traffic on WAN.

You didn't show your NAT 1:1 rules. Maybe there is something wrong.
Ensure you add the rule on WAN.

> I was reading this article and was looking for a way to know the source IP at the server via pfSense port forward, but I was wrong, I assume.
> https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/

HAProxy is not the solution for this. As I mentioned above, HAProxy does masquerading by default.
It can insert the X-Forwarded-For header, though, to provide the original source to the web server, but this is only done for HTTP traffic. So there is no benefit from this for an MTA at all.

> BTW, the cheap router provided by the ISP here has a simple DMZ function (1:1 NAT or similar) and somehow the same mail server was able to obtain the source IP in maillog.

Cheap routers often do masquerading on forwarded traffic.

> Since I replaced it with pfSense, it doesn't log the source IP.

So I cannot believe that.

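The question t.sato put to rcoleman above (does maillog record the real source IP or the pfSense interface IP?) and viragomann's explanation that only an outbound NAT (SNAT) rule on DMZ can turn client addresses into the interface address both come down to one check on the server: which addresses do the `connect from` and `rip=` fields actually contain? The following script is an added example, not code from the forum or from Netgate. It parses Postfix smtpd and Dovecot imap-login lines like the ones rcoleman posted and reports whether inbound connections carry a routable client address or the DMZ interface address. It assumes, from the thread, that 10.50.1.3 is the mail server and 10.0.0.2 the pfSense DMZ interface; the log lines are constructed (the public address 185.55.243.205 is the one in rcoleman's post, 203.0.113.10 is documentation space).

```python
"""
Audit a Postfix/Dovecot log to see whether inbound connections arrive with
the real client address or with the pfSense DMZ interface address, which is
what SNAT/masquerading on the forwarded traffic produces.

Added example for this thread; not code from the forum or from Netgate.
Assumptions taken from the thread, not from the logs themselves:
  - 10.50.1.3 is the mail server's own address (Dovecot 'lip=')
  - 10.0.0.2  is the pfSense DMZ interface address (the server's gateway)
All log lines below are constructed.
"""
import ipaddress
import re

FIREWALL_DMZ_IP = ipaddress.ip_address("10.0.0.2")  # assumption, see above
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Postfix smtpd: "... postfix/smtpd[2472233]: connect from unknown[185.55.243.205]"
POSTFIX_CONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)
# Dovecot: "... imap-login: Info: Login: user=<...>, ..., rip=1.2.3.4, lip=10.50.1.3, ..."
DOVECOT_LOGIN = re.compile(
    r"imap-login: Info: Login: .*?rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)

def extract_clients(lines):
    """Yield (daemon, client_ip_text) for every connect/login line."""
    for line in lines:
        m = POSTFIX_CONNECT.search(line)
        if m:
            yield "postfix", m.group("ip")
            continue
        m = DOVECOT_LOGIN.search(line)
        if m:
            yield "dovecot", m.group("rip")

def classify(ip_text):
    """
    masqueraded : the client address is the firewall's DMZ interface
    private     : another RFC1918/link-local/loopback address (an inside client)
    remote      : anything else, i.e. the real internet client
    unparseable : redacted or malformed text such as '174.2x.1xx.xx'
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip == FIREWALL_DMZ_IP:
        return "masqueraded"
    if any(ip in net for net in RFC1918) or ip.is_loopback or ip.is_link_local:
        return "private"
    return "remote"

def audit(lines):
    """Return (counts per class, one-line verdict about the port forward)."""
    counts = {"masqueraded": 0, "private": 0, "remote": 0, "unparseable": 0}
    for _daemon, ip_text in extract_clients(lines):
        counts[classify(ip_text)] += 1
    inbound = counts["masqueraded"] + counts["remote"]
    if inbound and counts["masqueraded"] == inbound:
        verdict = "SNAT in effect: every inbound connection shows the DMZ interface address"
    elif counts["masqueraded"]:
        verdict = "mixed: some inbound connections are masqueraded"
    else:
        verdict = "OK: real client addresses reach the server"
    return counts, verdict

# Constructed sample: what a DNAT-only port forward looks like on the server.
GOOD_LOG = [
    "Dec 27 11:59:31 mail postfix/smtpd[2472233]: connect from unknown[185.55.243.205]",
    "Dec 27 11:59:33 mail postfix/smtpd[2472233]: CA5E940956: client=unknown[185.55.243.205]",
    "Dec 27 12:00:07 imap-login: Info: Login: user=<sales@domain.com>, method=PLAIN, "
    "rip=203.0.113.10, lip=10.50.1.3, mpid=2472478, TLS, session=<redacted>",
    "Dec 27 12:00:07 imap-login: Info: Login: user=<support@domain.com>, method=PLAIN, "
    "rip=174.2x.1xx.xx, lip=10.50.1.3, mpid=2472479, TLS, session=<redacted>",
]
# Constructed sample: what a masquerading outbound NAT rule on DMZ produces.
MASQ_LOG = [
    "Dec 28 09:10:01 mail postfix/smtpd[3001]: connect from unknown[10.0.0.2]",
    "Dec 28 09:10:02 mail postfix/smtpd[3001]: 1A2B3C4D5E: client=unknown[10.0.0.2]",
    "Dec 28 09:11:40 mail postfix/smtpd[3002]: connect from unknown[10.0.0.2]",
    "Dec 28 09:12:00 imap-login: Info: Login: user=<sales@domain.com>, method=PLAIN, "
    "rip=10.0.0.2, lip=10.50.1.3, mpid=3003, TLS, session=<redacted>",
]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("masqueraded", MASQ_LOG)):
        counts, verdict = audit(log)
        print(f"{name}: {counts} -> {verdict}")
```

On a real server, pass the file object instead of the constructed list (`audit(open("/var/log/maillog"))`). The verdict only says whether the client address survives the firewall; the usual reason it does not, as the thread establishes later, is an outbound NAT rule on the DMZ interface, not the port forward itself.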
Bob.Dig (LAYER 8)

@t-sato Also, your outbound NAT looks horrible. Why do you use hybrid in the first place?

t.sato @viragomann

                  @viragomann

                  Thank you for the clarification. You are really helping me to understand pfSense.

No, I do not use 1:1 NAT for this.

I will review the outbound NAT settings and documents to ensure my settings are correct, to maintain DNAT without masquerade and proper outbound traffic.

My mail server works with no problem sending and receiving with WAN if I do not mind the log showing the LAN interface IP....

You are correct, X-Forwarded-For works only for HTTP; it won't work for SMTP. The article cites proxy protocol for SMTP, not XFF. I understand it is not a pfSense issue.

Again, I really appreciate you taking your time to share your knowledge and experience. There are not so many pfSense users in Japan and I could not find much information or discussion about pfSense in a Japanese environment.

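viragomann's point that X-Forwarded-For only exists in HTTP, and t.sato's reply that the linked article uses the PROXY protocol for SMTP instead, describe a real mechanism: a TCP proxy or load balancer sends one text line carrying the original client address before the first SMTP byte, and the MTA reads that line instead of trusting the TCP peer address. The following is an added example, not code from the forum, from HAProxy, or from the linked article; it implements both sides of a PROXY protocol v1 exchange over a local socket pair. Postfix reads the same header when `smtpd_upstream_proxy_protocol = haproxy` is set (Postfix 2.10 and later); the server side here is a minimal stand-in that only parses the header. The addresses and ports used are constructed, and 10.50.1.3 as the mail server address is taken from the thread.

```python
"""
PROXY protocol v1 between a TCP proxy/load balancer and an SMTP server: the
proxy prepends one line carrying the real client address, so the MTA can
log and filter on it even though the TCP connection comes from the proxy.

Added example for this thread; not code from the forum, HAProxy, or the
linked article. All addresses and ports are constructed.
"""
import ipaddress
import re
import socket

MAX_V1_LINE = 107  # upper bound on a v1 header line, per the PROXY protocol spec

def build_v1_header(src_ip, src_port, dst_ip, dst_port):
    """Proxy side: the line sent before the first byte of SMTP."""
    fam = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")

_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")

def parse_v1_header(buf):
    """
    Server side. Returns ((src_ip, src_port), (dst_ip, dst_port), rest), where
    rest is the application data that followed the header. Raises ValueError
    on anything that is not a valid, address-bearing v1 line, so a client that
    bypasses the proxy and opens with 'EHLO' is rejected rather than trusted.
    """
    end = buf.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ValueError("no complete PROXY v1 line within 107 bytes")
    m = _V1_RE.match(buf)
    if not m:
        raise ValueError("malformed PROXY line")
    fam = m.group(1)
    if fam == b"UNKNOWN" or m.group(2) is None:
        raise ValueError("proxy supplied no client address")
    src, dst, sport, dport = (g.decode("ascii") for g in m.groups()[1:])
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if fam == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src_ip), sport), (str(dst_ip), dport), buf[m.end():]

def header_ok(buf):
    """True if parse_v1_header accepts buf."""
    try:
        parse_v1_header(buf)
        return True
    except ValueError:
        return False

def exchange(client_ip, client_port, server_ip="10.50.1.3", server_port=25):
    """
    Run both sides over a local socketpair: the proxy sends the header followed
    by the first SMTP command; the server recovers the real client address.
    Returns (address the server would log, SMTP bytes that followed the header).
    """
    proxy_side, server_side = socket.socketpair()
    try:
        proxy_side.sendall(
            build_v1_header(client_ip, client_port, server_ip, server_port)
            + b"EHLO mx.example.test\r\n"
        )
        proxy_side.shutdown(socket.SHUT_WR)
        server_side.settimeout(2)
        data = b""
        while True:  # read until the proxy closes its sending side
            chunk = server_side.recv(4096)
            if not chunk:
                break
            data += chunk
        (src, _sport), _dst, rest = parse_v1_header(data)
        return src, rest  # Postfix would now log "connect from ...[src]"
    finally:
        proxy_side.close()
        server_side.close()

if __name__ == "__main__":
    print(exchange("185.55.243.205", 51234))
```

The security-relevant caveat is the rejection path: an MTA configured to expect the header must accept it only on a port reachable from the proxy alone, because any host that can reach that port directly can send a forged PROXY line and spoof its client address in the logs and in any IP-based access checks.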
t.sato @rcoleman-netgate

                    @rcoleman-netgate

                    Thank you! This is what I wanted to see on my server. I will review my outbound NAT settings.

viragomann @t.sato

@t-sato said in pfSense+Postfix via Port Forward:

> Again, I really appreciate you taking your time to share your knowledge and experience. There are not so many pfSense users in Japan and I could not find much information or discussion about pfSense in a Japanese environment.

However, DNAT, SNAT, port forwarding and masquerading are all networking basics. I think you might also find plenty of material in Japanese regarding this.
But yeah, some terms for these settings might be different in pfSense than in other routers.

t.sato @Bob.Dig

@bob-dig said in pfSense+Postfix via Port Forward:

> @t-sato Also, your outbound NAT looks horrible. Why do you use hybrid in the first place?

That is a good question. I honestly do not know why I did that exactly. I remember I found some articles saying to switch to hybrid to make something work. You are correct. I know I should not do things that way. I have no excuse.

I left that part alone since everything else is working.

I will review and confirm all settings from a clean install in a test environment.

Thank you for guiding me in the right direction!

rcoleman-netgate (Netgate) @t.sato

@t-sato said in pfSense+Postfix via Port Forward:

> I remember I found some articles saying to switch to hybrid to make something work.

If you're doing PBR then you will want it to make sure your specific routes use the outbound interface (typically a VPN), but I think in your situation it's unneeded.

                          Ryan

t.sato @rcoleman-netgate

                            @rcoleman-netgate

[Screenshot: pfsense2.flexfleet.jp - Firewall > NAT > Outbound]

To make this accessible from WAN and the other LANs, I had to add this outbound NAT.

After I learned from the experts here that my outbound NAT settings are not right, I have been researching documents and tutorials on the net; it seems that port forward should work without outbound NAT. I have been testing on a test pfSense box with a simple setup to simulate my environment.

Without outbound NAT, States shows "CLOSED:SYN_SENT".
With the outbound NAT, everything works, but it leaves the DMZ interface IP, as in my original problem.

I checked all server gateway settings to point to pfSense as the gateway.

I wonder if PPPoE on WAN may affect the result.

I will keep testing and find a way to solve this, but I just wanted to post my status update here as you and the other experts helped me.

t.sato @t.sato

                              [Status Update]

                              Happy New year to all.

                              I was able to review and revise my setting to make everything work.

The cause of the problem that required me to have the DMZ outbound NAT, which made me give up on DNAT, was the routing setting on the mail server.

The mail server has the correct IP/subnet/gateway/DNS to use the DMZ interface; however, returning traffic from the mail server was not able to reach the DMZ interface. So I had to have the DMZ outbound NAT on the pfSense box to work around the issue.

So I added a route (IP 0.0.0.0 / subnet 0.0.0.0 / gateway 10.0.0.2) in the NIC settings on the mail server to see if the traffic reaches back to the DMZ interface on the pfSense box. It worked without outbound NAT on the pfSense box.

All traffic between WAN and the mail server via the DMZ interface is all good.

One interesting thing is that I had to select NAT reflection type NAT + Proxy on the port forward for the mail server to access it from other networks. Pure NAT did not work from the other LAN interfaces.

t.sato @rcoleman-netgate

                                @rcoleman-netgate

Thank you so much for showing your settings and log. That really helped me to know it's possible and assured me I could find the issues.

@viragomann

Thank you so much for your guidance and educational explanation. It really helped me to put terminology in two different languages together. I appreciate that you know things are called differently even in the same language, and it gets more difficult after being translated to a different language.

@bob-dig

Thank you for guiding me in the right direction to review my settings. You are correct and helped me find the breakthrough.

viragomann @t.sato

@t-sato said in pfSense+Postfix via Port Forward:

> One interesting thing is that I had to select NAT reflection type NAT + Proxy on the port forward for the mail server to access it from other networks. Pure NAT did not work from the other LAN interfaces.

This does masquerading again, but it is only applied to traffic from inside your network.

NAT reflection helps you access your inside service by requesting its public IP.
To avoid the need for NAT reflection, we add host overrides to the internal DNS (maybe the DNS Resolver on pfSense) and point them to the internal IP of the service.

But nice that you got outside access sorted without masquerading.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.