SMTP over WANB? (Multi-WAN config)
-
Still would like to see a screenshot of the port forward and permission rules.
-
My outbound is working!
My inbound still doesn't work. My only NAT rule:

| If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
|----|-------|-----------|------------|------------|------------|--------|-----------|-------------|
| WANB | TCP | * | * | WANB address | 25 (SMTP) | 192.168.2.16 | 25 (SMTP) | NAT SMTP |

All my WANB rules:

| ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|----|-------|--------|------|-------------|------|---------|-------|----------|-------------|
|    | UDP | * | * | WANB address | 1194 (OpenVPN) | * | none | | |
|    | TCP | * | * | 192.168.2.16 | 25 (SMTP) | * | none | | NAT NAT SMTP |

![Screenshot: Firewall: NAT: Port Forward](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: NAT: Port Forward - Mozilla Firefox.png)
-
This is a screenshot of my rules:
![Screenshot: Firewall: Rules](/public/imported_attachments/1/Screenshot-fw1.lan - Firewall: Rules - Mozilla Firefox.png)
-
Hmmm, looks okay. Are you sure the inbound SMTP server has a default gateway pointing back to the pfSense? If so, can you do a packet capture on the LAN interface while you try to connect from outside?
-
Yup. Looks OK.

```
0.0.0.0         192.168.2.254   0.0.0.0         UG    0      0        0 eth0
```
-
Hmmmmm… This looks interesting! I've put all logging on and see this.

```
block
Aug 23 22:34:51 LAN 192.168.2.16:25 65.55.34.215:43338 TCP:SA
[…]
pass
Aug 23 22:33:17 WANB 65.55.34.215:43338 192.168.2.16:25 TCP:S
```

Look at the difference between the two timestamps.
What can be the cause of this?

[update]
My rules:

| ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|----|-------|--------|------|-------------|------|---------|-------|----------|-------------|
|    |       | 192.168.2.14 | * | * | * | WANB | none | | mail route via WANB |
|    |       | 192.168.2.16 | * | * | * | WANB | none | | mailgw route via WANB |
|    |       | LAN net | * | * | * | * | none | | Default allow LAN to any rule |
-
That is odd for sure. I am surprised you only see one SYN packet; if the mail host is not replying within a couple of seconds, we should have seen another. Instead of logging on the pfSense, please do a packet capture as I asked.
-
LAN or WANB?
-
LAN for starters.
-
lol… wasn't able to upload here. I've sent it to your mail.
-
With my old firewall it works okay!
So, I cannot imagine that it is a problem on 192.168.2.16.
-
Please don't email me things like that. I didn't want an entire packet capture; tracing only inbound SMTP requests should have created a more manageable file.
-
Sorry. It was a capture of only port 25.
What do I need to look for?
-
Can you do a numeric one instead? This was on the LAN?
-
Yup. This was on LAN.
Here's another one in numeric.

```
23:43:18.825387 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:18.825445 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:21.747190 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:21.747222 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:23.358357 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:27.765613 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:27.765646 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:29.358662 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:41.359231 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:43.759388 IP 192.168.2.16.smtp > 212.61.26.38.sdo-tls: S 3698667821:3698667821(0) ack 1312522795 win 5792 <mss 1460,nop,nop,timestamp 25655941 1212769185,nop,wscale 6>
23:44:05.570420 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:44:53.782771 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
```

Firewall log says:

```
block
Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA
pass
Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S
```
-
Okay, I am seeing the inbound SYN and the server is sending back SYN/ACK, and the sender is retrying with backoff which all looks good. The question is why the SYN/ACK is not getting to the remote host. Looking at your NAT and Rules, I note they are for the WAN side only. Can you post your LAN rules and outbound (if any) NAT?
-
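The reading of the capture above (inbound SYN seen, server answers with SYN/ACK, SYN/ACK retransmitted with backoff, never acknowledged) can be checked mechanically. The following is an added example and not code from this thread: it parses numeric tcpdump output in the legacy flag syntax and the pfSense log layout shown above, groups packets into flows, reports a flow whose SYN/ACKs keep being retransmitted without an ACK ever coming back, and lists any SYN/ACK the firewall blocked on an interface after it had passed the matching SYN. The capture and log lines in the block are a constructed sample modelled on the ones posted above; the healthy handshake from 192.168.2.20 is invented for contrast.

```python
"""Check a LAN-side tcpdump of a forwarded TCP port for a broken reply path.

Added example, not code from this thread. All sample data is constructed:
the capture is modelled on the numeric tcpdump posted above (legacy flag
syntax) plus one invented healthy local handshake for contrast; the log
lines follow the pfSense firewall-log layout quoted above.
"""
import re

CAPTURE = """\
23:43:18.825387 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:18.825445 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:21.747190 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:21.747222 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:27.765613 IP 65.55.34.203.19470 > 192.168.2.16.smtp: S 3691429999:3691429999(0) win 65535 <mss 1452,nop,nop,sackOK>
23:43:27.765646 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:41.359231 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:43:43.759388 IP 192.168.2.16.smtp > 212.61.26.38.sdo-tls: S 3698667821:3698667821(0) ack 1312522795 win 5792 <mss 1460,nop,nop,timestamp 25655941 1212769185,nop,wscale 6>
23:44:53.782771 IP 192.168.2.16.smtp > 65.55.34.203.19470: S 3797698790:3797698790(0) ack 3691430000 win 5840 <mss 1460,nop,nop,sackOK>
23:45:00.000000 IP 192.168.2.20.51000 > 192.168.2.16.smtp: S 1000:1000(0) win 65535 <mss 1460,nop,nop,sackOK>
23:45:00.000100 IP 192.168.2.16.smtp > 192.168.2.20.51000: S 2000:2000(0) ack 1001 win 5840 <mss 1460,nop,nop,sackOK>
23:45:00.000200 IP 192.168.2.20.51000 > 192.168.2.16.smtp: . ack 1 win 65535
"""

FWLOG = """\
block
Aug 23 23:42:47 LAN 192.168.2.16:25 65.55.34.203:19470 TCP:SA
pass
Aug 23 23:41:11 WANB 65.55.34.203:19470 192.168.2.16:25 TCP:S
"""

# tcpdump legacy format: "<ts> IP <src>.<port> > <dst>.<port>: <flags> ... [ack N] ..."
PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): (?P<flags>[SFRP.]+)(?P<rest>.*)$")
# pfSense log entry: "<Mon> <day> <time> <iface> <src>:<port> <dst>:<port> TCP:<flags>"
FW = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<iface>\S+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) TCP:(?P<flags>\w+)$")

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_capture(text):
    """Group handshake packets into flows keyed by (client, server); the client
    is whichever side sent a bare SYN. Data packets are ignored."""
    flows = {}
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, dst = (m["src"], m["sport"]), (m["dst"], m["dport"])
        t, acked = _seconds(m["ts"]), " ack " in m["rest"]
        if "S" in m["flags"]:
            kind, key = ("synack", (dst, src)) if acked else ("syn", (src, dst))
        elif m["flags"] == "." and acked and (src, dst) in flows:
            kind, key = "ack", (src, dst)   # client's third handshake packet
        else:
            continue
        flows.setdefault(key, {"syn": [], "synack": [], "ack": []})[kind].append(t)
    return flows

def diagnose(flow):
    """Classify one flow's handshake; returns (verdict, detail)."""
    syn, synack, ack = flow["syn"], flow["synack"], flow["ack"]
    if ack:
        return "ok", "handshake completed"
    if len(synack) > 1:
        span = synack[-1] - synack[0]
        return "reply-path", (f"{len(syn)} SYN, {len(synack)} SYN/ACK over {span:.1f}s, never "
                              "ACKed: the server's replies are not reaching the client")
    if syn and not synack:
        return "server-silent", "SYN seen, no SYN/ACK: nothing is answering on that port"
    return "inconclusive", "too few packets inside the capture window"

def parse_fwlog(text):
    """Pair each bare 'block'/'pass' line with the log entry that follows it."""
    entries, action = [], None
    for line in text.splitlines():
        if line in ("block", "pass"):
            action = line
            continue
        m = FW.match(line)
        if m and action:
            entries.append((action, m["iface"], (m["src"], m["sport"]),
                            (m["dst"], m["dport"]), m["flags"]))
            action = None
    return entries

def blocked_replies(entries):
    """SYN/ACKs the firewall dropped although it had passed the matching SYN:
    the reply matched no state, so it never left towards the client."""
    passed = {(src, dst) for act, _, src, dst, fl in entries if act == "pass" and fl == "S"}
    return [(iface, src, dst) for act, iface, src, dst, fl in entries
            if act == "block" and fl == "SA" and (dst, src) in passed]

if __name__ == "__main__":
    for (client, server), flow in parse_capture(CAPTURE).items():
        verdict, detail = diagnose(flow)
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {verdict} ({detail})")
    for iface, src, dst in blocked_replies(parse_fwlog(FWLOG)):
        print(f"{iface}: SYN/ACK {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} blocked after its SYN was passed")
```

Run it as-is and the 65.55.34.203 flow comes out as "reply-path" (3 SYN, 5 SYN/ACK over 95.0s, never ACKed), the invented local handshake as "ok", and the lone SYN/ACK towards 212.61.26.38 as "inconclusive" because its SYN fell outside the capture window. The firewall-log check then points at the same connection: the SYN was passed on WANB, but the SYN/ACK was blocked on LAN, which is where to look next.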
I've only 1 NAT rule:

| If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
|----|-------|-----------|------------|------------|------------|--------|-----------|-------------|
| WANB | TCP | * | * | WANB address | 25 (SMTP) | 192.168.2.16 | 25 (SMTP) | NAT SMTP |

(Firewall rule ID is managed with this rule.)

and my LAN rules are as mentioned in my post in Reply #20
-
That is the inbound NAT rule - you have no outbound one? Can you post /tmp/rules.debug?
-
Nope. This is the only NAT rule!
When I'm back home I'll post the /tmp/rules.debug. Is the LAN rule not enough? Everything is allowed to go outside. ???

| ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|----|-------|--------|------|-------------|------|---------|-------|----------|-------------|
|    | * | LAN net | * | * | * | * | none | | Default allow LAN to any rule |
-
There are rules that can be added invisibly to what you see in the GUI.