SMTP notification uses default gateway instead of IPSEC
-
Yup.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
Steve
-
Or use VTI IPsec and a regular route. Easy peasy.
-
Hi,
I have the same problem, I tried your solution but it doesn't work.
has anyone solved the problem?
Thanks
fabio
-
these are our GW
SMTP is 172.16.43.254
this is the static route
disabled because is not working.
fabio
-
That route should be a subnet not an address. Use /32 there if you want a single IP.
Can we see the IPSec Phase 2 config? Is it actually carrying that?
Steve
-
Hi Steve,
thanks a lot for your help.
I try to explain better:
The problem is on our PFsense Firewall installed on our China Plant; We don’t have a ipsec VPN tunnel, but we have a dedicated line for our Italy plant.
So the PFsense has a default gateway for the local traffic, and an Interface for the traffic to the IT LAN with a static route.
This is the logical schema:
These are the interfaces:
gatewas
static route to IT LAN
everything is working well, but the SMTP notification NOT.
We have a SMTP gateway server on the IT LAN and we have to use it.
SMTP server: 172.16.43.254
If I try to ping from firewall it fails:
but if I choose the interface the ping is OK:
the solution should be can choose from which interface to start the SMTP connection, but I don't know if it is possible.
If I activated the gateway as suggested:
it don't works, this is the ping response:
also don't work ping from other hosts from LAN, but first yes.
thanks againg for your support.
fabio
-
Ok, then you don't need the LAN gateway or the statis route. That only applies to policy based IPSec connections. Remove them.
With a direct routed connection as you have both smtp and ping traffic should use the system routing table to decide which gateway to use. The route you have to 172.16.40.0/22 should be sufficient, if it is in there correctly. Can we see the routing table from pfSense?
Steve
-
@stephenw10 said in SMTP notification uses default gateway instead of IPSEC:
ufficient, if it is in there correctly. Can we see the routing table from
fabio
-
Ok, that should work.
Maybe you have something that was already trying to connect and opened a state via the default gateway and it's still open.
Check the state table for any states to 172.16.43.254. Delete any ICMP or SMTP that are present.Steve
-
Hi Steve,
I understood: it was a NAT problem!
For BT interface the NAT from China LAN is disabled, but other network are not trasported to Italy!
Now I have defined this new NAT rule:
details:
now the ping is working:
and also the SMTP test is OK:
many thanks for your time and help!
I'm sorry I didn't understand earlier that the problem was somewhere else and it was a NAT problem.
bye
fabio
-
Ah, cool.
-
@Fabio-Giacobbe The scenario I posted was specific to IPSec. But don't feel bad, we've all been in similar NAT-induced (read: confusing) situations. Glad you got it figured out!
