SMTP over WANB? (Multi-WAN config)

pfnewbe · Aug 20, 2010, 10:00 AM

Because:

Proto Src Port Dst Port Gateway Queue Schedule
TCP * * * 25 192.168.2.16 None

My 1st two rules on the LAN-tab are:

Proto Source Port Destination Port Gateway Queue Schedule Description
TCP * * * 25 (SMTP) WANB none SMTP to mailgw

192.168.2.16 * * * WANB none mailgw route via WANB

In the firewall-log I see the SMTP's coming in but are not delivered to my mailgw (192.168.2.16 - I've checked it with a 'tcpdump -i eth0'):

Act Time If Source Destination Proto
pass
Aug 20 11:54:03 WANB 151.60.156.44:22285 [My ip]:25 TCP:S
pass
Aug 20 11:53:57 WANB 151.60.156.44:22221 [My ip]:25 TCP:S
pass
Aug 20 11:53:55 WANB 88.177.208.23:35421 [My ip]:25 TCP:S

Any ideas?

danswartz · Aug 20, 2010, 12:27 PM

that is inbound smtp - i thought that worked and we were trying to fix outbound smtp to use WANB? I went back and re-read your OP and saw you don't receive either. It is hard to tell what is wrong this way. Can you post screen captures of the rules (inbound and outbound) and NAT (inbound and outbound.)

pfnewbe · Aug 20, 2010, 6:31 PM

;D
Found my outbound problem on the mailserver….
Outbount route for the mailgw was working, but was forgotten to change the def.gw and namesever of the mailserver.
sorry.
Outbound mail is working perfect.
Now only inbound to mailgw to solve... (yes, def.gw. and nameservers are ok on mailgw ;))

danswartz · Aug 20, 2010, 6:33 PM

Still would like to see screenshot of portforward and permission rules.

pfnewbe · Aug 20, 2010, 8:00 PM

My outbound is working!
My inbound still doesn't work.

My only NAT-rule:

If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
WANB TCP * * WANB address 25 (SMTP) 192.168.2.16 25 (SMTP) NAT SMTP

All my WANB-rules:

ID Proto Source Port Destination Port Gateway Queue Schedule Description
UDP * * WANB address 1194 (OpenVPN) * none
TCP * * 192.168.2.16 25 (SMTP) * none NAT NAT SMTP

![Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png)
![Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png_thumb](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png_thumb)

pfnewbe · Aug 20, 2010, 8:05 PM

This screenshot om my rules

![Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png)
![Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png_thumb](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png_thumb)

danswartz · Aug 20, 2010, 8:10 PM

Hmmm, looks okay. Are you sure the inbound smtp server has a default gateway pointing back to the pfsense? If so, can you do a packet capture on the LAN interface while you try to connect from outside?

pfnewbe · Aug 20, 2010, 8:55 PM

Yup. Looks OK.

0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0

pfnewbe · Aug 23, 2010, 8:47 PM

Hmmmmm… This looks interesting! I've put all logging on and see this.

block
Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
[…]
pass
Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S

Look to the difference between the two timestamps.
What can be the cause of this?

[update]
My rules:
ID Proto Source Port Destination Port Gateway Queue Schedule Description

192.168.2.14 * * * WANB none mail route via WANB
192.168.2.16 * * * WANB none mailgw route via WANB
LAN net * * * * none Default allow LAN to any rule

danswartz · Aug 23, 2010, 8:46 PM

that is odd for sure. i am surprised you only see one SYN packet - if mailhost is not replying within a couple of seconds, we should have seen another. instead of logging on the pfsense, please do a packet capture as i asked.

pfnewbe · Aug 23, 2010, 8:48 PM

LAN or WANB?

danswartz · Aug 23, 2010, 8:50 PM

LAN for starters.

pfnewbe · Aug 23, 2010, 8:55 PM

lol….. wasn't able to upload here. I've send it to you mail.

pfnewbe · Aug 27, 2010, 6:41 PM

with my old firewall works it okay!
So, I cannot imagine that it is a problem on the 192.168.2.16

danswartz · Aug 23, 2010, 9:02 PM

please don't email me things like that. i didn't want an entire packet capture - tracing only inbound SMTP requests should have created a more manageable file.

pfnewbe · Aug 23, 2010, 9:09 PM

Sorry. It was a capture of only port 25.
What do I need to look for?

danswartz · Aug 23, 2010, 9:38 PM

Can you do a numeric one instead? This was on the LAN?

pfnewbe · Aug 23, 2010, 9:46 PM

Yup. This was on LAN.

Here's another one in numeric.

23:43:18.825387 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackok="">23:43:18.825445 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:43:21.747190 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackok="">23:43:21.747222 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:43:23.358357 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:43:27.765613 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackok="">23:43:27.765646 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:43:29.358662 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:43:41.359231 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:43:43.759388 IP 192.168.2.16.smtp > 212.61.26.38.sdo-tls: S 3698667821:3698667821(0) ack 1312522795 win 5792 <mss 6="" 25655941="" 1460,nop,nop,timestamp="" 1212769185,nop,wscale="">23:44:05.570420 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">23:44:53.782771 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackok="">Firewall log says:

block
Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA

pass
Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S</mss></mss></mss></mss></mss></mss></mss></mss></mss></mss></mss></mss>

danswartz · Aug 23, 2010, 10:29 PM

Okay, I am seeing the inbound SYN and the server is sending back SYN/ACK, and the sender is retrying with backoff which all looks good. The question is why the SYN/ACK is not getting to the remote host. Looking at your NAT and Rules, I note they are for the WAN side only. Can you post your LAN rules and outbound (if any) NAT?

pfnewbe · Aug 24, 2010, 5:44 AM

I've only 1 NAT-rule:
If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description

[Firewall rule ID is managed with this rule] WANB TCP * * WANB address 25 (SMTP) 192.168.2.16 25 (SMTP) NAT SMTP

and my LAN-rules are as mentioned in my post of Reply #20