Netgate Discussion Forum
    Advice requested on e-mail server

    kronso

      I am going to set up an SMTP server behind our pfSense firewall. For now it is just SMTP, not POP3 or IMAP. There is just the one firewall, pfSense. We have a few static IPs from our DSL connection, and I'd like to give the SMTP server one of them.

      It seems straightforward. The server itself is a Windows Server 2003. We have a domain, but I don't want to put a member server on the public Internet. If it were taken over, it could be used to run dictionary attacks on the domain controller to attempt to log in as different users. Nevertheless, I do want to use our Active Directory to authenticate to our e-mail server. I think we will have one e-mail server in the LAN subnet, on the domain. This e-mail software, hmailserver, will run on our domain controller. It will be an SMTP relay server that will talk to the SMTP server on the public IP. The main SMTP server, with the public IP, will be a standalone Windows server (not a member of the domain). It will also run hmailserver to handle SMTP.

      So how would a smart person connect the main SMTP server to pfSense? There are three NICs (actually there are four, but we only need three right now) on the PC that runs pfSense. The hardware connections look like this.

      ADSL modem---WAN---pfSense

      domain controller---switch----LAN----pfSense

      e-mail server---DMZ---pfSense

      I tried using bridge mode to put the DMZ and WAN on the same segment. That didn't work. It requires the DMZ NIC to have its own IP address, even though that address would seem to be useless.

      Nevertheless, I tried using bridge mode while giving the DMZ NIC one of our public IP addresses. That didn't allow connections to the Internet. I tried all the different combinations of gateway settings I could imagine.

      I tried putting the DMZ on its own subnet, 192.168.253.0/24. Maybe with some IP aliasing that would work. Yet that didn't work either. When I did that, the server couldn't ping the pfSense box, and the pfSense box couldn't ping the server. When I connect my known-good laptop to each one, it can ping the server, but not pfSense.

      I have tried multiple firewall rules, but I couldn't make this work.

      Whenever I set up a DMZ interface, it didn't work. I can't even ping the interface from any box, no matter how open the firewall rules that I create would seem to be.

      I know the network cables are good, the NICs are good, the computers are good, and so on. I just can't make this simple thing work.

      Is the default rule in pfSense "traffic is blocked"?

      How do you enable ping on an interface?

      How do you enable routing between interfaces?

      Any help is welcome. Thanks.

      wallabybob

        Are you aware it is usually necessary to reset firewall states after major changes to rules? See Diagnostics -> states and click on the Reset States tab to see more. Click on the Reset button to force the state table reset.

        @kronso:

        Is the default rule in pfSense "traffic is blocked"?

        Effectively, yes, except on LAN.

        @kronso:

        How do you enable ping on an interface?

        If I recall correctly, enabled by default unless blocked by firewall rules.

        @kronso:

        How do you enable routing between interfaces?

        Firewall rules apply on the input side of an interface so you need to add an appropriate rule (or rules) on the interface receiving the traffic then reset firewall states as described above.

        kronso

          Thank you for your reply. That was a huge help.

          I tried that, and it was taking a long time. I just rebooted the pfSense firewall. As a result, it now can ping. That feels great.

          Now I have to work out how to enable DNS on the new interface. I tried both the firewall's local IP address, 192.168.253.254 (DNS forwarding is enabled), and Google's 8.8.8.8. I can ping 8.8.8.8, and the firewall, from the e-mail server, but DNS doesn't work.

          Thanks again.

          wallabybob

            You just have to get your client systems to use pfSense as the name server. If the client systems aren't using DHCP for configuration you will probably have to change a name server configuration file and restart the name server (or even reboot).

            Tools like dig and nslookup (I'm pretty sure I've seen a Windows version of nslookup) are often useful for debugging this sort of problem since they report the name server used. Example:

            nslookup www.google.com

            It might also be useful to post what you have seen that causes you to say DNS doesn't work and explain where you saw this.

            Guest

              To elaborate on Wallabybob's excellent response, it will be helpful for you to troubleshoot this issue working backwards from the pfSense box. The best setup is going to involve using the DNS forwarder on pfSense to answer DNS requests for all clients in your LAN. To troubleshoot DNS then, you want to make sure that pfSense is able to resolve IP addresses (ping google.com for example). Assuming this works, try from a client machine to resolve DNS using pfSense's LAN IP as their DNS server. Depending on which of these tests fails, you'll have a good idea what's broken.

              kronso

                Thank you for the replies.

                I did do the things you suggested.

                It turned out I had two firewall rules for the DMZ. One allowed all TCP traffic. Another allowed all ICMP traffic. Of course, DNS uses UDP. I added UDP to the list of allowed traffic, and DNS worked great.

                Then I had trouble with Windows Update (Microsoft Update). At that point, I just allowed all protocols, and now that works, too.

                I'm in the process of figuring out the virtual IPs, and that seems to be working.

                Thanks a lot!
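                As an added example (not pfSense's own code and not posted by anyone in this thread), here is a small first-match, default-deny rule evaluator that reproduces the finding in the last post: with only "pass all TCP" and "pass all ICMP" rules on the DMZ interface, the UDP/53 query to the forwarder is dropped, and a single narrow UDP/53 rule to 192.168.253.254 fixes DNS without resorting to "allow all protocols". The 192.168.253.254 address is from the thread; the flow set and the 203.0.113.10 address are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    dst: Optional[str] = None       # None = any destination address
    dst_port: Optional[int] = None  # None = any port (ICMP has no port)

@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dst_port: Optional[int] = None

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins (as in the pfSense GUI); a flow that matches
    no rule on the interface it enters is blocked (default deny)."""
    for r in rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dst is not None and r.dst != flow.dst:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return "block"

# Constructed flows entering pfSense on the DMZ interface. 192.168.253.254 is
# the DMZ address given in the thread; 203.0.113.10 is an RFC 5737 test address.
FLOWS: Dict[str, Flow] = {
    "dns_to_pfsense": Flow("udp", "192.168.253.254", 53),
    "dns_to_google": Flow("udp", "8.8.8.8", 53),
    "ping_pfsense": Flow("icmp", "192.168.253.254"),
    "http_out": Flow("tcp", "203.0.113.10", 80),
}

# The ruleset described in the last post: all TCP and all ICMP, but no UDP.
BEFORE = [Rule("pass", "tcp"), Rule("pass", "icmp")]
# Instead of "allow all protocols", pass UDP/53 only to the DNS forwarder.
AFTER = BEFORE + [Rule("pass", "udp", "192.168.253.254", 53)]

def verdicts(rules: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    print("before:", verdicts(BEFORE))
    print("after: ", verdicts(AFTER))
```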

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.