SMTP over WANB? (Multi-WAN config)

pfnewbe

I'm using 2.0 BETA4 with a Multi-WAN config in this setup:
WANA __                     __ 192.168.2.14/24 (outbound SMTP)
      _ pfSense __ LAN / 192.168.2.16/24 (inbound SMTP)
WANB /          \        _ 192.168.2.xxx/24 (outbound 80,443 etc)
                  _ 192.168.2.254
All inbound SMTP is comming in on WANB and should be delivered to 192.168.2.16
All outbound SMTP needs to go also over WANB (send from 192.168.2.14)
All other addresses needs to go over WANA (what's also no problem)

How can I configure pfSense so that all (in and out) SMTP-traffic goes over WANB?
(WANA and WANB are different providers)

danswartz

Inbound should be handled by your MX records pointing inbound smtp at WANB.  Outbound can be handled by having a specific LAN rule that says smtp goes to gateway WANB.

pfnewbe

MX records are OK. Thats not the problem.
My problem is the correct rules!  :-
Currently I've a rule on:
WANB: all SMTP must be forwarded to 192.168.2.16
LAN: SMTP from 192.168.2.14 should be forwarded to the gateway of WANB

As far as I know I have the rules correctly defined but still doesn't receive or send mail.
Since I've created the rules all the SMTP-messages in the firewall-log also stopped.

danswartz

I didn't say you had a problem, I was saying what you needed to do.  Your OP wasn't clear as to whether you had actually tried to do this all.  That said, post your rules?

pfnewbe

NAT:

If  Proto  Src. addr  Src. ports  Dest. addr  Dest. ports  NAT IP  NAT Ports  Description 
WANB TCP * 25 (SMTP) LAN address 25 (SMTP) 192.168.2.16 25 (SMTP) SMTP to mailgw

On WANB-tab:

ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description 
  TCP * 25 (SMTP) 192.168.2.16 25 (SMTP) * none   NAT SMTP to mailgw

danswartz

You are trying this in the wrong place.  I don't think you need any special NAT rule - the place the policy routing is done should be in the LAN rules section.  That is where you tell it source IP = any, source port = any, dest IP = any, dest port = SMTP, gw = WANB.  Don't forget to put that rule before the default one.

pfnewbe

For the outbound connection I can follow it what you mean.
But for the inbound?

danswartz

sorry i was referring only to the outbound being wrong.  the inbound is standard port forward.

pfnewbe

Still a problem…  :-
NAT rule says:
WANB  TCP  *  25 (SMTP)  WANB address  25 (SMTP)  192.168.2.16  25 (SMTP)  SMTP forward to mailgw
Filrewall-log says:
  pass Aug 19 20:14:05 WANB 212.61.26.38:3534 [my-address]:25 TCP:S

But it's not delivered to my mailgw.
What do I miss???

danswartz

No, you don't need a NAT rule - the normal invisible NAT should work.  What I was saying was: you want a rule in Firewall:Rules in the LAN tab.  There should be a default any => any rule.  Do one that looks like:

Proto Src Port Dst Port Gateway      Queue Schedule
TCP  *  *    *    25  192.168.2.16 None

And make sure that rule is before the default one.

pfnewbe

???
Getting crazy about this….

1st I've created a new gateway:
mailgw  LAN  192.168.2.16  192.168.2.16  route to mailgw 
Then created new rule as you said.
1st rule in LAN-tab is now:

ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description 
TCP * * * 25 (SMTP) mailgw none   SMTP to mailgw
And still no mail received on mailgw  :'(

danswartz

Why did you create a new gateway?  Also, sorry, I made a typo.  The gateway in the LAN rule should be the WANB IP, not the internal SMTP server…

pfnewbe

Because:

Proto Src Port Dst Port Gateway      Queue Schedule
TCP  *  *    *    25  192.168.2.16 None

My 1st two rules on the LAN-tab are:

Proto  Source      Port  Destination  Port        Gateway  Queue  Schedule  Description 
TCP     *        *          *                 25 (SMTP) WANB none                   SMTP to mailgw

• 192.168.2.16    *        *                      *         WANB none                   mailgw route via WANB

In the firewall-log I see the SMTP's coming in but are not delivered to my mailgw (192.168.2.16 - I've checked it with a 'tcpdump -i eth0'):

Act  Time  If  Source  Destination  Proto
pass
Aug 20 11:54:03 WANB 151.60.156.44:22285 [My ip]:25 TCP:S
pass
Aug 20 11:53:57 WANB 151.60.156.44:22221 [My ip]:25 TCP:S
pass
Aug 20 11:53:55 WANB 88.177.208.23:35421 [My ip]:25 TCP:S

Any ideas?

danswartz

that is inbound smtp - i thought that worked and we were trying to fix outbound smtp to use WANB?  I went back and re-read your OP and saw you don't receive either.  It is hard to tell what is wrong this way.  Can you post screen captures of the rules (inbound and outbound) and NAT (inbound and outbound.)

pfnewbe

;D
Found my outbound problem on the mailserver….
Outbount route for the mailgw was working, but was forgotten to change the def.gw and namesever of the mailserver.
sorry.
Outbound mail is working perfect.
Now only inbound to mailgw to solve... (yes, def.gw. and nameservers are ok on mailgw  ;))

danswartz

Still would like to see screenshot of portforward and permission rules.

pfnewbe

My outbound is working!
My inbound still doesn't work.

My only NAT-rule:

If  Proto  Src. addr  Src. ports  Dest. addr  Dest. ports  NAT IP  NAT Ports  Description 
WANB TCP * * WANB address 25 (SMTP) 192.168.2.16 25 (SMTP) NAT SMTP

All my WANB-rules:

ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description 
UDP * * WANB address 1194 (OpenVPN) * none    
TCP * * 192.168.2.16 25 (SMTP) * none   NAT NAT SMTP


pfnewbe

This screenshot om my rules


danswartz

Hmmm, looks okay.  Are you sure the inbound smtp server has a default gateway pointing back to the pfsense?  If so, can you do a packet capture on the LAN interface while you try to connect from outside?

pfnewbe

Yup. Looks OK.

0.0.0.0        192.168.2.254  0.0.0.0        UG        0 0          0 eth0