SMTP over WANB? (Multi-WAN config)
-
Why did you create a new gateway? Also, sorry, I made a typo. The gateway in the LAN rule should be the WANB IP, not the internal SMTP server…
-
Because:
Proto Src Port Dst Port Gateway Queue Schedule
TCP * * * 25 192.168.2.16 None

My 1st two rules on the LAN-tab are:
Proto Source Port Destination Port Gateway Queue Schedule Description
TCP * * * 25 (SMTP) WANB none SMTP to mailgw
192.168.2.16 * * * WANB none mailgw route via WANB
In the firewall log I see the SMTP connections coming in, but they are not delivered to my mailgw (192.168.2.16; I've checked it with 'tcpdump -i eth0'):
Act Time If Source Destination Proto
pass
Aug 20 11:54:03 WANB 151.60.156.44:22285 [My ip]:25 TCP:S
pass
Aug 20 11:53:57 WANB 151.60.156.44:22221 [My ip]:25 TCP:S
pass
Aug 20 11:53:55 WANB 88.177.208.23:35421 [My ip]:25 TCP:S

Any ideas?
-
That is inbound SMTP. I thought that worked and we were trying to fix outbound SMTP to use WANB? I went back and re-read your OP and saw you don't receive either. It is hard to tell what is wrong this way. Can you post screen captures of the rules (inbound and outbound) and NAT (inbound and outbound)?
-
;D
Found my outbound problem on the mailserver….
The outbound route for the mailgw was working, but I forgot to change the default gateway and nameserver of the mailserver.
sorry.
Outbound mail is working perfect.
Now only inbound to mailgw to solve... (yes, def.gw. and nameservers are ok on mailgw ;)) -
Still would like to see screenshots of the port forward and permission rules.
-
My outbound is working!
My inbound still doesn't work.

My only NAT-rule:
If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
WANB TCP * * WANB address 25 (SMTP) 192.168.2.16 25 (SMTP) NAT SMTP

All my WANB-rules:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
UDP * * WANB address 1194 (OpenVPN) * none
TCP * * 192.168.2.16 25 (SMTP) * none NAT NAT SMTP

![Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png)
-
This screenshot of my rules:
![Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png)
-
Hmmm, looks okay. Are you sure the inbound smtp server has a default gateway pointing back to the pfsense? If so, can you do a packet capture on the LAN interface while you try to connect from outside?
-
Yup. Looks OK.
0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0
-
Hmmmmm… This looks interesting! I've put all logging on and see this.
block
Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
[…]
pass
Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S

Look at the difference between the two timestamps.
What can be the cause of this?

[update]
My rules:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
192.168.2.14 * * * WANB none mail route via WANB
192.168.2.16 * * * WANB none mailgw route via WANB
LAN net * * * * none Default allow LAN to any rule
-
That is odd for sure. I am surprised you only see one SYN packet; if the mailhost is not replying within a couple of seconds, we should have seen another. Instead of logging on the pfSense, please do a packet capture as I asked.
-
LAN or WANB?
-
LAN for starters.
-
lol….. wasn't able to upload here. I've sent it to your mail.
-
With my old firewall it works okay!
So, I cannot imagine that it is a problem on the 192.168.2.16 -
Please don't email me things like that. I didn't want an entire packet capture; tracing only inbound SMTP requests should have created a more manageable file.
-
Sorry. It was a capture of only port 25.
What do I need to look for? -
Can you do a numeric one instead? This was on the LAN?
-
Yup. This was on LAN.
Here's another one in numeric.
23:43:18.825387 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:18.825445 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:21.747190 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:21.747222 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:23.358357 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:27.765613 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:27.765646 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:29.358662 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:41.359231 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:43.759388 IP 192.168.2.16.smtp > 212.61.26.38.sdo-tls: S 3698667821:3698667821(0) ack 1312522795 win 5792 <mss 1460,nop,nop,timestamp 25655941 1212769185,nop,wscale 6>
23:44:05.570420 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:44:53.782771 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>

Firewall log says:
block
Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA
pass
Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S
-
Okay, I am seeing the inbound SYN and the server is sending back SYN/ACK, and the sender is retrying with backoff which all looks good. The question is why the SYN/ACK is not getting to the remote host. Looking at your NAT and Rules, I note they are for the WAN side only. Can you post your LAN rules and outbound (if any) NAT?
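As an added example (not from any post in this thread), a small Python script that reads firewall-log lines in the two-line layout pasted above and pairs each blocked SYN/ACK leaving LAN with the inbound SYN that was passed on WANB for the reversed addresses and ports, reporting how long after the SYN the reply was dropped. The sample log is constructed from the values in the thread; 203.0.113.10 stands in for the "[My ip]" placeholder.

```python
import re
from datetime import datetime
# Constructed sample, in the two-line layout of the pfSense firewall log as pasted
# in this thread (203.0.113.10 stands in for the "[My ip]" placeholder).
SAMPLE_LOG = """\
pass
Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S
block
Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA
pass
Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S
block
Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
pass
Aug 20 11:54:03 WANB 151.60.156.44:22285 203.0.113.10:25 TCP:S
"""
DETAIL_RE = re.compile(  # "Mon DD HH:MM:SS IFACE src:port dst:port PROTO:FLAGS"
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+):(?P<flags>\w+)$")

def parse_log(text):
    """Pair each pass/block line with the detail line that follows it."""
    entries, action = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ("pass", "block"):
            action = line
            continue
        m = DETAIL_RE.match(line)
        if m and action:
            entry = m.groupdict()
            entry["action"] = action
            # the log has no year; strptime's default year is fine for deltas
            entry["when"] = datetime.strptime(entry.pop("stamp"), "%b %d %H:%M:%S")
            entries.append(entry)
        action = None  # garbled or unpaired lines are skipped
    return entries

def blocked_replies(entries):
    """Blocked SYN/ACKs whose original SYN was passed in on another interface."""
    syns = [e for e in entries if e["action"] == "pass" and e["flags"] == "S"]
    findings = []
    for b in (e for e in entries if e["action"] == "block" and e["flags"] == "SA"):
        for p in syns:  # the reply carries the SYN's addresses and ports reversed
            if (p["src"], p["sport"], p["dst"], p["dport"]) == \
                    (b["dst"], b["dport"], b["src"], b["sport"]):
                delay = (b["when"] - p["when"]).total_seconds()
                findings.append({"remote": p["src"], "syn_iface": p["iface"],
                                 "reply_iface": b["iface"], "delay_s": delay})
    return findings
```

A SYN passed on WANB followed by its SYN/ACK blocked on LAN, as in both pairs above, means the reply did not match the state created for the inbound connection; a passed SYN with no blocked reply (the last entry) is left out of the findings.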