ADSL TO FIBRE STATIC IP
-
Guys, please can you help.
Using pfSense 2.4.3.
I have changed from an ADSL static IP connection to a fibre static IP connection.
Everything is functioning; however, I have one issue with regard to my roaming users (laptop users).
When pfSense was on the ADSL static IP, my laptop users had the ADSL static IP address set up for incoming and outgoing mail, with the result that when the laptop users were at the main office where the mail server resides, they could still send and receive mail.
Since I placed pfSense on a fibre static IP, the laptop users cannot send or receive email using the fibre static IP address as their incoming and outgoing server when they are at the main office where the mail server resides.
How do I overcome this issue?
-
Are you still with the same ISP, or did you change providers to get fibre?
-
1. Did your IP address change when you moved to the fiber?
2. Were NAT/access rules adjusted according to #1?
3. You should use FQDNs to configure the mail client settings. These should resolve to internal IPs when used on the LAN side of the network. You may be having issues with traffic not being allowed to loop back through the interface. If you point a laptop at the office to the local address of the mail server, not the fiber address, is the laptop able to at least receive new mail?
*. Do you have a PTR record? Reverse DNS set up for the old and/or new IP?
*. Do you have an SPF record for the domain that lists the new IP address, if #1 is yes?
-
Guys, thank you for helping, much appreciated.
1. Did your IP address change when you moved to the fiber? - Yes, I am using a new service provider, so the IP address has changed.
2. Were NAT/access rules adjusted according to #1? - No, what do I need to change?
3. You should use FQDNs to configure the mail client settings. These should resolve to internal IPs when used on the LAN side of the network. You may be having issues with traffic not being allowed to loop back through the interface. If you point a laptop at the office to the local address of the mail server, not the fiber address, is the laptop able to at least receive new mail? - If I change the incoming and outgoing for the laptops at the head office to the local server IP, they do receive and send mail.
You may be having issues with traffic not being allowed to loop back through the interface - I think that this is the issue. How do I create a loopback through the interface?
*. Do you have a PTR record? Reverse DNS set up for the old and/or new IP? - No, how do I do this?
*. Do you have an SPF record for the domain that lists the new IP address, if #1 is yes? - Not sure. I will check this.
Thanks again guys. :)
-
1. Did your IP address change when you moved to the fiber? - Yes, I am using a new service provider, so the IP address has changed.
- Ok, this requires multiple changes to keep email flowing.
1. Do you have multiple public IPs or only one static?
2. What kind of email server are you running? Does it offer web access etc.?
3. Can you show any Network Address Translation rules and/or access rules that involve the email server? Please redact/censor your info and do not reveal anything private, but seeing what exists will help me tell you what to change vs. what to add.
-
Your new provider might block port 25.
-
NAT etc. must be working because only local clients have trouble.
1. Set up an alias for the mail server and the mail server ports.
2. Set up/enable the DNS resolver in pfSense.
3. Set mail clients to use the FQDN, NOT the IP, of the mail server.
4. Set the DHCP server to give the pfSense IP as the first DNS server; move existing DNS servers down the list.
5. Configure a host override in the pfSense DNS resolver to resolve the FQDN of the mail server to the LOCAL IP.
6. Configure a domain forwarder in the pfSense DNS resolver to use the existing DNS server, if any.
I. PTR <- Must be set up by the ISP, call them. For fighting spam. You may be blocked as spam.
II. Set up SPF for the domain of your mail server FQDN; this helps fight spam and needs to list your new IP. You may be blocked as spam.
https://mxtoolbox.com/SPFRecordGenerator.aspx <- SPF generator if you need help.
(Attached screenshots: Services: DNS Resolver: General Settings: Edit Host Override; Firewall: Aliases: Edit; Firewall: NAT: Port Forward.)
-
Your new provider might block port 25.
Considered this.
He states the issue is only with clients using laptops in the office.
Assuming clients outside the office work, and the server itself is receiving new emails over port 25.
Seems like the firewall is blocking traffic looping back to the public IP. Maybe there were multiple public IPs previously, or some settings which allowed the loopback to work when the local clients were pointed to the old public IP.
-
Thank you people for your valuable input.
lftiv
He states the issue is only with clients using laptops in the office. - Yes, the issue is only with my roaming clients using laptops in the head office.
Assuming clients outside the office work, and the server itself is receiving new emails over port 25. - This is correct; email is working and functioning for all users except for the roaming laptop users INSIDE the main office, as I am using the static fibre IP address for both incoming and outgoing for the roaming laptop clients.
Seems like the firewall is blocking traffic looping back to the public IP. Maybe there were multiple public IPs previously, or some settings which allowed the loopback to work when the local clients were pointed to the old public IP. - This is what I think the problem is for the roaming laptop clients. How do I allow the loopback to work? When the local clients were pointed to the old public IP it worked, and now that I have changed it to the new static fibre IP the mail and other links do not resolve or work for the roaming laptop clients. I think that it definitely has something to do with loopback.
I have noticed one thing. I have port forwarding for a few addresses and one of them is for the pfSense server. The port forward for pfSense is e.g. port 88. This works perfectly at the main office, including outside of the main office, i.e. when I do the following inside the main office for pfSense access:
1. http://localIP:88 - This works inside the main office for access to the pfSense server
2. http://staticFIBREIP:88 - This ALSO works inside the main office for access to the pfSense server
3. http://staticFIBREIP:88 OUTSIDE OF MAIN OFFICE - Works perfectly outside of the main office for access to the pfSense server
HOWEVER, when I try the same with any other port forward, e.g. port 80:
1. http://localIP:80 - This works inside the main office for access to another service
2. http://staticFIBREIP:80 - This DOES NOT work inside the main office for access to another service
3. http://staticFIBREIP:80 OUTSIDE OF MAIN OFFICE - Works perfectly outside of the main office for access to another service
Why can I connect and use the static fibre IP address for pfSense access without any issues inside the main office, but the static fibre IP address does not work for any other port forward service inside the main office?
Thanks guys, much appreciated. Really need to get this sorted :)
-
Ok,
Not sure exactly what your issue is, but you can fix it a few different ways.
FIRST
- The way you want it to work is generally considered bad or poor policy. No NAT reflection/no loopback is the proper way for the firewall to operate in general.
SUPER IMPORTANT!!!
- You say you access your pfSense webGUI on port 88, and that you can access the webGUI from public networks, outside the LAN, from the Internet.
YOU SHOULD DISABLE THIS AS SOON AS POSSIBLE. The webGUI should NEVER be accessible from the internet. Only the LAN, only trusted hosts; use a VPN to access the webGUI remotely.
Now, for the email issue, I would recommend following my earlier advice: set up split DNS and configure all your mail clients to use the FQDN, not the static IP.
I will place links and screenshots at the end of this to help explain.
Assuming we need email to work with the static IP and NAT reflection, if only temporarily:
1. Find the NAT rules for the mail server and change the NAT Reflection drop-down box to use 'Pure NAT'. This should reflect requests to the public IP on the LAN interface back to the private IP. This should only affect traffic that matches the other settings on your NAT rules for the email server.
OR
2. Go to System -> Advanced -> Firewall & NAT
- Find the section labeled Network Address Translation
- Change the default NAT Reflection mode for port forwards to Pure NAT and/or check Enable automatic outbound NAT for reflection.
(I'm assuming you have only one public static IP, there is no 1:1 NAT set up, and your WAN is statically configured, not DHCP.)
So,
1. Fix the webGUI so it's only accessible from private networks.
2. Set up a proper FQDN for the mail server, use it in the mail clients, and set up split DNS.
That's my advice.
If you MUST:
- Enable Pure NAT for ONLY your mail server rules.
Don't change the default NAT reflection mode in System -> Advanced unless you have compelling reasons you've not yet disclosed.
You can use this guide. Remember it would be better to use Method 2 in this link:
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
Good Luck!
(Attached screenshots: Firewall: NAT: Port Forward: Edit; System: Advanced: Firewall & NAT.)
- Enable Pure NAT for ONLY your mail server rules.
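As an added check that is not from the thread or from pfSense itself, this Python script run on a laptop verifies the split-DNS setup lftiv describes (host override on the LAN, public IP elsewhere) and the NAT-reflection alternative: it resolves the mail FQDN, decides from the laptop's own address which answer was expected, and TCP-connects to the mail ports. The FQDN, addresses, LAN prefix and port list are placeholders to replace with the real values.

```python
"""Split-DNS check for the mail FQDN from a laptop. Constructed example; the
FQDN, addresses and LAN prefix are placeholders for the poster's own values."""
import socket

MAIL_FQDN = "mail.example.com"   # placeholder: name the mail clients use
LAN_MAIL_IP = "192.168.1.25"     # placeholder: mail server's internal address
PUBLIC_IP = "203.0.113.10"       # placeholder: the new static fibre IP
LAN_PREFIX = "192.168.1."        # placeholder: the head-office LAN
MAIL_PORTS = (25, 587, 993)      # SMTP, submission, IMAPS

def on_office_lan(local_ip: str) -> bool:
    """Clients with an office LAN address should receive the host-override answer."""
    return local_ip.startswith(LAN_PREFIX)

def classify(resolved_ip: str, local_ip: str) -> str:
    """Turn the resolver's answer into a diagnosis tied to the split-DNS steps."""
    if on_office_lan(local_ip):
        if resolved_ip == LAN_MAIL_IP:
            return "ok: host override gave the LAN address"
        if resolved_ip == PUBLIC_IP:
            return ("broken: LAN client got the public IP; check DHCP hands out "
                    "pfSense as first DNS server and that the host override exists")
        return "unexpected: LAN client got " + resolved_ip
    if resolved_ip == PUBLIC_IP:
        return "ok: remote client got the public address (port-forward path)"
    if resolved_ip == LAN_MAIL_IP:
        return "broken: remote client got a private address it cannot reach"
    return "unexpected: remote client got " + resolved_ip

def local_address() -> str:
    """Address this laptop would use toward the internet (UDP connect sends nothing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((PUBLIC_IP, 9))
        return s.getsockname()[0]

def port_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check, so a blocked port 25 or a missing forward shows up too."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    me = local_address()
    answer = socket.gethostbyname(MAIL_FQDN)
    print(f"client {me}: {MAIL_FQDN} -> {answer}: {classify(answer, me)}")
    for port in MAIL_PORTS:
        print(f"  {answer}:{port} {'open' if port_open(answer, port) else 'closed'}")
```

Run it once inside the office and once from outside: from the office, a public-IP answer whose ports are still open means NAT reflection (Pure NAT) is doing the work rather than split DNS, while a closed port 25 from outside points at the port forward or at the provider blocking 25.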
-
lftiv, thank you very much!!
It works!
I have also done as you recommended.
Thank you all for your support and help, much appreciated :D
-
My Pleasure, glad you were able to get your users working.