Weird issue with certain traffic "dissapearing" when going in wireguard tunnel

DonZalmrol

Hi all,

So I got a weird issue going and I can't figure it out and keeps me going in circles.
I have a Pfsense firewall hosted in Hetzner cloud and my home lab firewall with Opnsense. The WG is working fine (AFAIK) and allows traffic from my FW to my home lab servers and services (e.g. http, https, snmp, ...) but when I try to route SMTP 25 it simply isn't going through the tunnel.

I've created an example network drawing.
Network home-hetzner.jpg

What works without any issues?

Hetzner Pfsense (240.0.0.1) with HAProxy to my homelab opnsense (224.0.0.1) -> homelab webserver 192.168.0.10
Same for mailserver 1 and 2, librenms can retrieve SNMP (161) from Hetzner Pfsense firewall
Hetzner WAN -> Spamserver (192.168.128.3) -> Port 2500 to Mailserver 1 (Exchange)

What doesn't work:

Hetzner WAN (240.0.0.1) -> Portwarding -> Port 25 TCP to Mailserver 2 (Mailcow)
Hetzner WAN - Floating IP (250.0.0.1) -> Portwarding -> Port 25 TCP to Mailserver 2 (Mailcow)

When I do a direct test port on Pfsense to my mailcow = success, I receive the EHLO back
When I test the mailserver through MXtoolbox it fails :(

It's like it takes the traffic and then does not forward it. The state is in CLOSED:SYN_SENT and the bytes incoming is increment, yet the outgoing is always 0, example below

All static routes are in place on both sides and the tunnel network is 172.16.0.8/30, all other traffic seems to be working. It's driving me nuts!

EDIT: Yes, SMTP is allowed on the Hetzner VMs :)

Bob.Dig

@DonZalmrol It should work if you haven't made any mistake.

DonZalmrol

@Bob-Dig yeah lol, but I'm pretty sure I've followed everything to the letter as the other services are working or it's something small I'm overlooking....