SMTP over WANB? (Multi-WAN config)

danswartz

No, you don't need a NAT rule - the normal invisible NAT should work. What I was saying was: you want a rule in Firewall:Rules in the LAN tab. There should be a default any => any rule. Do one that looks like:

Proto Src Port Dst Port Gateway Queue Schedule
TCP * * * 25 192.168.2.16 None

And make sure that rule is before the default one.

pfnewbe

???
Getting crazy about this….

1st I've created a new gateway:
mailgw LAN 192.168.2.16 192.168.2.16 route to mailgw
Then created new rule as you said.
1st rule in LAN-tab is now:

ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP * * * 25 (SMTP) mailgw none SMTP to mailgw
And still no mail received on mailgw :'(

danswartz

Why did you create a new gateway? Also, sorry, I made a typo. The gateway in the LAN rule should be the WANB IP, not the internal SMTP server…

pfnewbe

Because:

Proto Src Port Dst Port Gateway Queue Schedule
TCP * * * 25 192.168.2.16 None

My 1st two rules on the LAN-tab are:

Proto Source Port Destination Port Gateway Queue Schedule Description
TCP * * * 25 (SMTP) WANB none SMTP to mailgw

192.168.2.16 * * * WANB none mailgw route via WANB

In the firewall-log I see the SMTP's coming in but are not delivered to my mailgw (192.168.2.16 - I've checked it with a 'tcpdump -i eth0'):

Act Time If Source Destination Proto
pass
Aug 20 11:54:03 WANB 151.60.156.44:22285 [My ip]:25 TCP:S
pass
Aug 20 11:53:57 WANB 151.60.156.44:22221 [My ip]:25 TCP:S
pass
Aug 20 11:53:55 WANB 88.177.208.23:35421 [My ip]:25 TCP:S

Any ideas?

danswartz

that is inbound smtp - i thought that worked and we were trying to fix outbound smtp to use WANB? I went back and re-read your OP and saw you don't receive either. It is hard to tell what is wrong this way. Can you post screen captures of the rules (inbound and outbound) and NAT (inbound and outbound.)

pfnewbe

;D
Found my outbound problem on the mailserver….
Outbount route for the mailgw was working, but was forgotten to change the def.gw and namesever of the mailserver.
sorry.
Outbound mail is working perfect.
Now only inbound to mailgw to solve... (yes, def.gw. and nameservers are ok on mailgw ;))

danswartz

Still would like to see screenshot of portforward and permission rules.

pfnewbe

My outbound is working!
My inbound still doesn't work.

My only NAT-rule:

If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
WANB TCP * * WANB address 25 (SMTP) 192.168.2.16 25 (SMTP) NAT SMTP

All my WANB-rules:

ID Proto Source Port Destination Port Gateway Queue Schedule Description
UDP * * WANB address 1194 (OpenVPN) * none
TCP * * 192.168.2.16 25 (SMTP) * none NAT NAT SMTP

![Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png)
![Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png_thumb](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png_thumb)

pfnewbe

This screenshot om my rules

![Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png)
![Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png_thumb](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png_thumb)

danswartz

Hmmm, looks okay. Are you sure the inbound smtp server has a default gateway pointing back to the pfsense? If so, can you do a packet capture on the LAN interface while you try to connect from outside?

pfnewbe

Yup. Looks OK.

0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0

pfnewbe

Hmmmmm… This looks interesting! I've put all logging on and see this.

block
Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
[…]
pass
Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S

Look to the difference between the two timestamps.
What can be the cause of this?

[update]
My rules:
ID Proto Source Port Destination Port Gateway Queue Schedule Description

192.168.2.14 * * * WANB none mail route via WANB
192.168.2.16 * * * WANB none mailgw route via WANB
LAN net * * * * none Default allow LAN to any rule

danswartz

that is odd for sure. i am surprised you only see one SYN packet - if mailhost is not replying within a couple of seconds, we should have seen another. instead of logging on the pfsense, please do a packet capture as i asked.

pfnewbe

LAN or WANB?

danswartz

LAN for starters.

pfnewbe

lol….. wasn't able to upload here. I've send it to you mail.

pfnewbe

with my old firewall works it okay!
So, I cannot imagine that it is a problem on the 192.168.2.16

danswartz

please don't email me things like that. i didn't want an entire packet capture - tracing only inbound SMTP requests should have created a more manageable file.

pfnewbe

Sorry. It was a capture of only port 25.
What do I need to look for?

danswartz

Can you do a numeric one instead? This was on the LAN?