    SMTP over WANB? (Multi-WAN config)

    52 Posts 2 Posters 19.0k Views
      danswartz

      Still would like to see screenshot of portforward and permission rules.

        pfnewbe

        My outbound is working!
        My inbound still doesn't work.

        My only NAT-rule:

        | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
        |---|---|---|---|---|---|---|---|---|
        | WANB | TCP | * | * | WANB address | 25 (SMTP) | 192.168.2.16 | 25 (SMTP) | NAT SMTP |

        All my WANB-rules:

        | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
        |---|---|---|---|---|---|---|---|---|---|
        |  | UDP | * | * | WANB address | 1194 (OpenVPN) | * | none |  |  |
        |  | TCP | * | * | 192.168.2.16 | 25 (SMTP) | * | none |  | NAT NAT SMTP |

        ![Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png)

          pfnewbe

          This is a screenshot of my rules.

          ![Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png)

            danswartz

            Hmmm, looks okay.  Are you sure the inbound smtp server has a default gateway pointing back to the pfsense?  If so, can you do a packet capture on the LAN interface while you try to connect from outside?

              pfnewbe

              Yup. Looks OK.

              0.0.0.0        192.168.2.254  0.0.0.0        UG        0 0          0 eth0

                pfnewbe

                Hmmmmm… This looks interesting! I've put all logging on and see this.

                block
                Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
                […]
                pass
                Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S

                Look to the difference between the two timestamps.
                What can be the cause of this?

                [update]
                My rules:
                  | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
                  |---|---|---|---|---|---|---|---|---|---|
                  |  | * | 192.168.2.14 | * | * | * | WANB | none |  | mail route via WANB |
                  |  | * | 192.168.2.16 | * | * | * | WANB | none |  | mailgw route via WANB |
                  |  | * | LAN net | * | * | * | * | none |  | Default allow LAN to any rule |

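The observation in the post above (a SYN passed on WANB, then the server's SYN/ACK blocked on LAN a minute and a half later) is the kind of thing worth pulling out of a firewall log automatically. The script below is an added example, not code from the thread or from pfSense: it reads log lines in the one-line form of the summarised GUI view quoted above (action, date, interface, src:port, dst:port, TCP:flags), sorts them into time order (the GUI lists newest first), and reports every blocked reply packet whose forward SYN the firewall had already passed, together with the gap between the two. The sample log is constructed: the two pairs quoted in the thread plus one unrelated block from 198.51.100.7, an address that does not appear on the page.

```python
"""Flag reply packets the firewall blocked after passing the matching SYN.

Added example for the pfSense log excerpt above; not code from the thread or
from pfSense.  Input is the summarised log format the GUI shows, one event per
line:  <action> <Mon> <day> <HH:MM:SS> <iface> <src:port> <dst:port> TCP:<flags>
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<action>pass|block) "
    r"(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<iface>\S+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"TCP:(?P<flags>[A-Z]+)$"
)

# Constructed sample: the two pass/block pairs quoted in the thread, listed
# newest-first as the GUI does, plus one blocked SYN/ACK with no passed SYN
# (198.51.100.7 is a documentation address, not from the thread).
SAMPLE_LOG = """\
block Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
pass Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S
block Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA
pass Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S
block Aug 23 23:50:02 WANB 198.51.100.7:5555 192.168.2.16:25 TCP:SA
"""


def parse_log(text):
    """Parse the summarised log lines and return them in time order.

    The log carries no year, so strptime fills in 1900; deltas are therefore
    only meaningful for events that fall within one calendar year.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # headers, blank lines, non-TCP entries
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["stamp"], "%b %d %H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def out_of_state_replies(text):
    """Return blocked packets with the ACK bit set whose reverse-direction SYN
    was passed earlier: replies the firewall no longer has (or never matched)
    a state for.  Each finding records both interfaces and the gap in seconds."""
    passed_syn = {}   # (src, sport, dst, dport) -> the pass event
    findings = []
    for ev in parse_log(text):
        fwd = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["action"] == "pass" and ev["flags"] == "S":
            passed_syn[fwd] = ev
            continue
        if ev["action"] == "block" and "A" in ev["flags"]:
            rev = (ev["dst"], ev["dport"], ev["src"], ev["sport"])
            syn = passed_syn.get(rev)
            if syn is not None:
                findings.append({
                    "client": f"{syn['src']}:{syn['sport']}",
                    "server": f"{syn['dst']}:{syn['dport']}",
                    "syn_iface": syn["iface"],
                    "reply_iface": ev["iface"],
                    "gap_s": int((ev["ts"] - syn["ts"]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in out_of_state_replies(SAMPLE_LOG):
        print(f"{f['client']} -> {f['server']}: SYN passed on {f['syn_iface']}, "
              f"reply blocked on {f['reply_iface']} {f['gap_s']} s later")
```

Run against the constructed sample it reports the two pairs from the thread (94 s and 96 s between SYN and blocked SYN/ACK) and ignores the block that has no passed SYN behind it. On a real box the input would be the filter log exported from the GUI in the same summarised form.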
                  danswartz

                  That is odd for sure. I am surprised you only see one SYN packet - if mailhost is not replying within a couple of seconds, we should have seen another. Instead of logging on the pfSense, please do a packet capture as I asked.

                    pfnewbe

                    LAN or WANB?

                      danswartz

                      LAN for starters.

                        pfnewbe

                        lol… wasn't able to upload here. I've sent it to your mail.

                          pfnewbe

                          With my old firewall it works okay!
                          So, I cannot imagine that it is a problem on the 192.168.2.16.

                            danswartz

                            Please don't email me things like that. I didn't want an entire packet capture - tracing only inbound SMTP requests should have created a more manageable file.

                              pfnewbe

                              Sorry. It was a capture of only port 25.
                              What do I need to look for?

                                danswartz

                                Can you do a numeric one instead?  This was on the LAN?

                                  pfnewbe

                                  Yup. This was on LAN.

                                  Here's another one in numeric.

                                  23:43:18.825387 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
                                  23:43:18.825445 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:43:21.747190 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
                                  23:43:21.747222 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:43:23.358357 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:43:27.765613 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
                                  23:43:27.765646 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:43:29.358662 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:43:41.359231 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:43:43.759388 IP 192.168.2.16.smtp > 212.61.26.38.sdo-tls: S 3698667821:3698667821(0) ack 1312522795 win 5792 <mss 1460,nop,nop,timestamp 25655941 1212769185,nop,wscale 6>
                                  23:44:05.570420 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
                                  23:44:53.782771 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>

                                  Firewall log says:

                                  block
                                  Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA

                                  pass
                                  Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S

                                    danswartz

                                    Okay, I am seeing the inbound SYN and the server is sending back SYN/ACK, and the sender is retrying with backoff which all looks good.  The question is why the SYN/ACK is not getting to the remote host.  Looking at your NAT and Rules, I note they are for the WAN side only.  Can you post your LAN rules and outbound (if any) NAT?

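The reading danswartz gives of that capture (inbound SYN, SYN/ACK from the server, sender retrying with backoff, but no third packet) can be mechanised. The script below is an added example and is not code from the thread or from pfSense: it parses the classic tcpdump text format shown above, groups packets by client and server, and classifies each handshake as complete, answered with no SYN/ACK at all, or answered with SYN/ACKs the client never acknowledged, which is the case in which the reply is not making it back out. The first flow in the sample is the capture posted above, one packet per line; the 203.0.113.9 flow, its ports and sequence numbers are constructed to show what a completed handshake looks like by contrast. The capture line format it expects is the old "S seq:seq(0) ack N win W" style used in the thread, not the "Flags [S.]" style of newer tcpdump releases.

```python
"""Classify TCP handshakes seen in tcpdump text output.

Added example for reading a LAN-side capture the way the reply above does;
it is not code from the thread or from pfSense.  It understands the classic
tcpdump line format used in the thread:
    HH:MM:SS.frac IP src.port > dst.port: FLAGS [seq:seq(len)] [ack N] win W <opts>
"""
import re

PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

# Sample input: the 65.55.34.203 flow is the capture posted in the thread,
# reformatted one packet per line; the 203.0.113.9 flow is constructed
# (documentation address, invented ports and sequence numbers) to show a
# handshake that completes.
SAMPLE_CAPTURE = """\
23:43:18.825387 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:18.825445 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:21.747190 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:21.747222 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:23.358357 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:27.765613 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:27.765646 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:29.358662 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:41.359231 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:43.759388 IP 192.168.2.16.smtp > 212.61.26.38.sdo-tls: S 3698667821:3698667821(0) ack 1312522795 win 5792 <mss 1460,nop,nop,timestamp 25655941 1212769185,nop,wscale 6>
23:44:05.570420 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:44:53.782771 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:45:01.000000 IP 203.0.113.9.51000 > 192.168.2.16.smtp: S 1000:1000(0) win 65535 <mss 1460,nop,nop,sackOK>
23:45:01.000100 IP 192.168.2.16.smtp > 203.0.113.9.51000: S 2000:2000(0) ack 1001 win 5840 <mss 1460,nop,nop,sackOK>
23:45:01.000200 IP 203.0.113.9.51000 > 192.168.2.16.smtp: . ack 2001 win 65535
"""


def parse_capture(text):
    """Return one dict per TCP line that matches PKT_RE; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def handshake_report(text):
    """Map (client, server) -> {"status", "syn", "synack"}.

    status: "complete"           client ACKed the SYN/ACK
            "no-synack"          server never answered the SYN
            "synack-unanswered"  server answered (and retransmitted) but the
                                 client never ACKed: the reply did not reach it
    A SYN/ACK whose SYN was not captured (the 212.61.26.38 line) is ignored.
    """
    flows = {}
    for p in parse_capture(text):
        is_syn = "S" in p["flags"]
        if is_syn and p["ack"] is None:            # SYN from the client
            f = flows.setdefault((p["src"], p["dst"]),
                                 {"syn": 0, "synack": 0, "acked": False})
            f["syn"] += 1
        elif is_syn:                                # SYN/ACK from the server
            f = flows.get((p["dst"], p["src"]))
            if f:
                f["synack"] += 1
        elif p["ack"] is not None:                  # later client segment, ACK set
            f = flows.get((p["src"], p["dst"]))
            if f and f["synack"]:
                f["acked"] = True

    report = {}
    for key, f in flows.items():
        if f["acked"]:
            status = "complete"
        elif f["synack"] == 0:
            status = "no-synack"
        else:
            status = "synack-unanswered"
        report[key] = {"status": status, "syn": f["syn"], "synack": f["synack"]}
    return report


if __name__ == "__main__":
    for (client, server), r in handshake_report(SAMPLE_CAPTURE).items():
        print(f"{client} -> {server}: {r['status']} "
              f"({r['syn']} SYN, {r['synack']} SYN/ACK)")
```

On the posted capture the 65.55.34.203 flow comes out as synack-unanswered with 3 SYNs and 8 SYN/ACKs, which is exactly the picture danswartz describes: the server is answering, the sender keeps retrying, and the reply never gets back. Feeding it the same filter on the WANB side would show whether those SYN/ACKs ever leave the firewall.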
                                      pfnewbe

                                      I've only 1 NAT-rule:
                                      | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
                                      |---|---|---|---|---|---|---|---|---|
                                      | WANB | TCP | * | * | WANB address | 25 (SMTP) | 192.168.2.16 | 25 (SMTP) | NAT SMTP |

                                      [Firewall rule ID is managed with this rule]

                                      and my LAN-rules are as mentioned in my post of Reply #20

                                        danswartz

                                        That is the inbound NAT rule - you have no outbound one?  Can you post /tmp/rules.debug?

                                          pfnewbe

                                          Nope. This is the only NAT-rule!
                                          When I'm back home I'll post the /tmp/rules.debug.

                                          Is the LAN-rule not enough? Everything is allowed to go outside.  ???

                                          | Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
                                          |---|---|---|---|---|---|---|---|
                                          | * | LAN net | * | * | * | * | none | Default allow LAN to any rule |

                                            danswartz

                                            There are rules that can be added invisibly to what you see in the GUI.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.