Advice requested on e-mail server
-
I am going to set up an SMTP server behind our pfSense firewall. For now it is just SMTP, not POP3 or IMAP. There is just the one firewall, pfSense. We have a few static IPs from our DSL connection, and I'd like to give the SMTP server one of them.
It seems straightforward. The server itself is a Windows Server 2003. We have a domain, but I don't want to put a member server on the public Internet. If it were taken over, it could be used to run dictionary attacks on the domain controller to attempt to log in as different users. Nevertheless, I do want to use our Active Directory to authenticate to our e-mail server. I think we will have one e-mail server in the LAN subnet, on the domain. This e-mail software, hmailserver, will run on our domain controller. It will be an SMTP relay server that will talk to the SMTP server on the public IP. The main SMTP server, with the public IP, will be a standalone Windows server (not a member of the domain). It will also run hmailserver to handle SMTP.
So how would a smart person connect the main SMTP server to pfSense? There are three NICs (actually there are four, but we only need three right now) on the PC that runs pfSense. The hardware connections look like this.
ADSL modem---WAN---pfSense
domain controller---switch----LAN----pfSense
e-mail server---DMZ---pfSense
I tried using bridge mode to put the DMZ and WAN on the same segment. That didn't work. It requires the DMZ NIC to have its own IP address, even though that address would seem to be useless.
Nevertheless, I tried using bridge mode while giving the DMZ NIC one of our public IP addresses. That didn't allow connections to the Internet. I tried all the different combinations of gateway settings I could imagine.
I tried putting the DMZ on its own subnet, 192.168.253.0/24. Maybe with some IP aliasing that would work. Yet, that didn't work. When I did that, the server couldn't ping the pfSense box, the pfSense box couldn't ping the server. When I connect my known-good laptop to each one, it can ping the server, but not pfSense.
I have tried multiple firewall rules, but I couldn't make this work.
Whenever I set up a DMZ interface, it didn't work. I can't even ping the interface from any box, no matter how open the firewall rules that I create would seem to be.
I know the network cables are good, the NICs are good, the computers are good, and so on. I just can't make this simple thing work.
Is the default rule in pfSense "traffic is blocked"?
How do you enable ping on an interface?
How do you enable routing between interfaces?
Any help is welcome. Thanks.
-
Are you aware it is usually necessary to reset firewall states after major changes to rules? See Diagnostics -> states and click on the Reset States tab to see more. Click on the Reset button to force the state table reset.
Is the default rule in pfSense "traffic is blocked"?
Effectively, yes, except on LAN.
How do you enable ping on an interface?
If I recall correctly, enabled by default unless blocked by firewall rules.
How do you enable routing between interfaces?
Firewall rules apply on the input side of an interface, so you need to add an appropriate rule (or rules) on the interface receiving the traffic, then reset firewall states as described above.
-
Thank you for your reply. That was a huge help.
I tried that, and it was taking a long time. I just rebooted the pfSense firewall. As a result, it now can ping. That feels great.
Now I have to work out how to enable DNS on the new interface. I tried both the firewall's local IP address, 192.168.253.254 (DNS forwarding is enabled), and Google's 8.8.8.8. I can ping 8.8.8.8, and the firewall, from the e-mail server, but DNS doesn't work.
Thanks again.
-
You just have to get your client systems to use pfSense as the name server. If the client systems aren't using DHCP for configuration you will probably have to change a name server configuration file and restart the name server (or even reboot).
Tools like dig and nslookup (I'm pretty sure I've seen a Windows version of nslookup) are often useful for debugging this sort of problem since they report the name server used. Example:
nslookup www.google.com
It might also be useful to post what you have seen that causes you to say DNS doesn't work and explain where you saw this.
-
To elaborate on Wallabybob's excellent response, it will be helpful for you to troubleshoot this issue working backwards from the pfSense box. The best setup is going to involve using the DNS forwarder on pfSense to answer DNS requests for all clients in your LAN. To troubleshoot DNS then, you want to make sure that pfSense is able to resolve IP addresses (ping google.com for example). Assuming this works, try from a client machine to resolve DNS using pfSense's LAN IP as their DNS server. Depending on which of these tests fails, you'll have a good idea what's broken.
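As an added example for the two replies above (editor's code, not from the posters or from pfSense), here is a small stand-in for nslookup in Python. It builds an A query in DNS wire format, sends it over UDP port 53 to whichever name server you choose (the pfSense forwarder at 192.168.253.254 or 8.8.8.8 from the thread), and reports which address actually answered, which is the "test from the client against pfSense's own IP" step described above. The reply it decodes offline is constructed for the example, not captured from a real server; the name www.example.test and the address 192.0.2.10 are placeholders.

```python
"""Minimal DNS A lookup over UDP/53, a stand-in for nslookup on hosts without it.

Editor's added example, not pfSense code. Useful from a DMZ host to check
whether UDP/53 to the forwarder gets through: a socket timeout while ping
works is the classic sign that the interface rules pass ICMP but not UDP.
"""
import random
import socket
import struct

DNS_PORT = 53
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, txid: int) -> bytes:
    """Encode a recursion-desired A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Decode the header and collect IN A answers; refuse replies with a foreign ID."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {
        "rcode": flags & 0x000F,
        "authoritative": bool(flags & 0x0400),
        "addresses": addrs,
    }


def lookup(name: str, server: str, timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 and return the parsed answer plus who sent it.

    Raises socket.timeout when nothing comes back (e.g. UDP blocked by a rule).
    """
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, DNS_PORT))
        data, (src_ip, _src_port) = sock.recvfrom(512)
    result = parse_response(data, txid)
    result["server"] = src_ip  # like nslookup: report which server answered
    return result


# Constructed sample reply (not captured): www.example.test -> 192.0.2.10,
# with the answer name compressed back to the question at offset 12.
SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_query("www.example.test", SAMPLE_TXID)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    + SAMPLE_QUERY[12:]                                        # question echoed back
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, SAMPLE_TXID))
    # Live use from the DMZ host:  lookup("www.google.com", "192.168.253.254")
```

Run it once against the forwarder's DMZ address and once against 8.8.8.8: a timeout from the first with a working ping points at the firewall rule on the DMZ interface, while a failure from both points at the forwarder or the upstream path.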
-
Thank you for the replies.
I did do the things you suggested.
It turned out I had two firewall rules for the DMZ. One allowed all TCP traffic. Another allowed all ICMP traffic. Of course, DNS uses UDP. I added UDP to the list of allowed traffic, and DNS worked great.
Then I had trouble with Windows Update (Microsoft Update). At that point, I just allowed all protocols, and now that works, too.
I'm in the process of figuring out the virtual IPs, and that seems to be working.
Thanks a lot!
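As an added example covering the default-deny answer earlier in the thread and the rule set described in this last post (editor's code, not pfSense's and not the poster's configuration), the Python below simulates how rules on a pfSense interface are evaluated: first match wins on the interface where traffic enters, and anything unmatched hits the implicit block. It runs the poster's first DMZ rule set ("any TCP", "any ICMP") over constructed sample traffic, showing DNS over UDP/53 dropped while ping and TCP pass, and then a least-privilege set that passes only what an SMTP relay in the DMZ needs instead of "all protocols". The DMZ subnet and the forwarder address come from the thread; the mail server's address, the LAN subnet and the list of needed services are assumptions.

```python
"""First-match simulation of a pfSense-style DMZ interface rule set.

Editor's added example, not pfSense code. Rules are evaluated on the
interface receiving the traffic, the first match decides, and an unmatched
packet falls through to the implicit block at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DMZ_NET = "192.168.253.0/24"      # from the thread
PFSENSE_DMZ = "192.168.253.254"   # pfSense DMZ address / DNS forwarder, from the thread
LAN_NET = "192.168.1.0/24"        # assumption: the thread never states the LAN subnet
MAIL_SERVER = "192.168.253.10"    # assumption: the hmailserver box's DMZ address


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    label: str
    proto: Optional[str] = None          # None = any protocol
    src_net: Optional[str] = None        # None = any source
    dst_net: Optional[str] = None        # None = any destination
    dports: Optional[frozenset] = None   # None = any port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule, else the default block."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.label
    return "block", "default deny"


# The poster's rule set when DNS failed: TCP and ICMP from anywhere, nothing for UDP.
ORIGINAL_DMZ_RULES = [
    Rule("pass", "any TCP", proto="tcp"),
    Rule("pass", "any ICMP", proto="icmp"),
]

# Least-privilege alternative to "allow all protocols" (service list is an assumption).
HARDENED_DMZ_RULES = [
    Rule("pass",  "DNS (UDP) to forwarder", "udp", DMZ_NET, PFSENSE_DMZ, frozenset({53})),
    Rule("pass",  "DNS (TCP) to forwarder", "tcp", DMZ_NET, PFSENSE_DMZ, frozenset({53})),
    Rule("block", "DMZ must not reach LAN", None, DMZ_NET, LAN_NET),
    Rule("pass",  "ICMP for troubleshooting", "icmp", DMZ_NET),
    Rule("pass",  "outbound SMTP", "tcp", DMZ_NET, None, frozenset({25})),
    Rule("pass",  "Windows Update over HTTP/HTTPS", "tcp", DMZ_NET, None, frozenset({80, 443})),
]

# Constructed sample traffic entering pfSense on the DMZ interface.
TRAFFIC = {
    "dns-udp":    Packet("udp", MAIL_SERVER, PFSENSE_DMZ, 53),
    "ping":       Packet("icmp", MAIL_SERVER, PFSENSE_DMZ),
    "smtp-out":   Packet("tcp", MAIL_SERVER, "203.0.113.25", 25),
    "winupdate":  Packet("tcp", MAIL_SERVER, "203.0.113.80", 443),
    "rdp-to-lan": Packet("tcp", MAIL_SERVER, "192.168.1.5", 3389),  # compromised relay probing LAN
}


def policy_report(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample flow against one rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for title, rules in (("original", ORIGINAL_DMZ_RULES), ("hardened", HARDENED_DMZ_RULES)):
        print(f"== {title} ==")
        for name, (action, label) in policy_report(rules).items():
            print(f"  {name:<11} {action:<5} {label}")
```

The "rdp-to-lan" flow is the point of the DMZ: with "any TCP" the relay can reach every LAN host, including the domain controller the original post wanted to keep away from a compromised mail server, while the hardened set blocks DMZ-to-LAN before any of the pass rules can match it.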