Dual internet but want mail to only go out thru one connection, how?
-
Do you have advanced outbound NAT setup? Rule order matters, so you will need to make sure that special rules like this are above any other rules.
It is set for AON by default. I have the rule set to the highest point possible. It looks like I had to reboot the firewall (most likely to reset the firewall states). I don't know how to reset the firewall states without rebooting the pfsense itself.
-
Diagnostics -> States -> Reset States.
-
It is set for AON by default. I have the rule set to the highest point possible. It looks like I had to reboot the firewall (most likely to reset the firewall states). I don't know how to reset the firewall states without rebooting the pfsense itself.
Diagnostics -> States -> Reset States
-
^-- Haha ... beat you to it.
-
It is still trying to deliver email on the cable internet interface :( I have attached a screenshot showing my LAN rules. 192.168.16.2 is the server.
The outbound nat is set for "Automatic outbound NAT rule generation"
-
Well your rule is very wrong isn't it. For email going out, source is 192.168.16.2 port is any and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.
-
Well your rule is very wrong isn't it. For email going out, source is 192.168.16.2 port is any and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.
I don't understand, can you explain a little better? I need to add a rule into the DSL section of the firewall too?
-
Well your rule is very wrong isn't it. For email going out, source is 192.168.16.2 port is any and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.
I don't understand, can you explain a little better? I need to add a rule into the DSL section of the firewall too?
At the very least you should change the source port in your rule to "*" since it is unlikely the mail server will use 25 as its source port.
-
ah. Thank you! :)
-
For the benefit of newbies reading this and other threads, it can't hurt to restate this. When a client (mail programme, browser…) connects out to a server offering a service at a well-known port number, then the client uses an ephemeral port number (gets given any old port number from a temporary range - http://en.wikipedia.org/wiki/Ephemeral_port). The destination is the well-known port number (e.g. SMTP 25, HTTP 80, HTTPS 443… - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).
When making rules to let clients out to a particular service, you generally need a pass rule on the interface where the source address is like:
Source address: IP/s of the clients
Source port: any
Destination address: IP/s of the server
Destination port: well-known port number (you can usually pick this from the dropdown list in the GUI)
And for easy maintenance and readability of your rules, make aliases for groups of IP addresses (and special port ranges, URLs that you need to reference…) and use the alias names in firewall rules.
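As an added illustration (not code from the thread or from pfSense), here is a small Python model of first-match rule evaluation that shows why a LAN rule with source port 25 never catches the mail server's outbound SMTP sessions, while the corrected rule with source port any does. The gateway name DSL_GW, the remote addresses and the "default" label for the default-route (cable) gateway are assumed.

```python
# Added example (not from the thread): a toy first-match rule evaluator that
# models the LAN rule bug discussed above. Gateway names are assumed.
from dataclasses import dataclass
from typing import Optional

ANY = "*"

@dataclass(frozen=True)
class Rule:
    src: str
    sport: str
    dst: str
    dport: str
    gateway: Optional[str] = None  # policy-route matching traffic out this gateway

@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int

def _field_matches(pattern: str, value) -> bool:
    return pattern == ANY or str(pattern) == str(value)

def rule_matches(rule: Rule, c: Conn) -> bool:
    return (_field_matches(rule.src, c.src) and _field_matches(rule.sport, c.sport)
            and _field_matches(rule.dst, c.dst) and _field_matches(rule.dport, c.dport))

def gateway_for(rules: list, c: Conn) -> str:
    """First matching pass rule wins, as on a pfSense interface tab. A rule with no
    gateway sends traffic via the default route ("default"); no match means blocked."""
    for r in rules:
        if rule_matches(r, c):
            return r.gateway or "default"
    return "blocked"

# Constructed sample traffic: the mail server opens an outbound SMTP session from an
# ephemeral source port to a remote MX on port 25; a browser session for contrast.
SMTP_OUT = Conn("192.168.16.2", 51234, "203.0.113.25", 25)
HTTPS_OUT = Conn("192.168.16.2", 51235, "203.0.113.80", 443)

CATCH_ALL = Rule(ANY, ANY, ANY, ANY)  # usual "LAN to any" rule, default gateway
# Rule as originally posted: source port 25 never matches a client's ephemeral port,
# so the session falls through to CATCH_ALL and leaves via the default (cable) WAN.
BROKEN_RULES = [Rule("192.168.16.2", "25", ANY, "25", gateway="DSL_GW"), CATCH_ALL]
# Corrected rule: source port any, destination port 25, policy-routed via DSL.
# Remember existing states still need Diagnostics -> States -> Reset States.
FIXED_RULES = [Rule("192.168.16.2", ANY, ANY, "25", gateway="DSL_GW"), CATCH_ALL]
```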