Netgate Discussion Forum
    Mail servers imap behind pfsense not reachable

    62 Posts 8 Posters 9.7k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      @daan said in Mail servers imap behind pfsense not reachable:

      When I use my IP as IMAP and SMTP it can't connect either.

      What IP?? Again you need to be OUTSIDE YOUR NETWORK!! If you're going to do it from inside, you need to set up nat reflection. Or just use your internal IP.

      I can connect to your IP just fine from outside..

      Just tested again, and pops right in...

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • D
        daan
        last edited by

        Yes, I understand, chill bro. I got it working; I did not know that I had to set up NAT reflection. Like I said earlier, I am new to pfSense.
        Thanks for the help and detailed explanations, have a good day!

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          Then what was the point of this

          When I use my IP as IMAP and SMTP it can't connect either.

          If you have it working?


          • P
            PhxAzCraig @daan
            last edited by

            @daan said in Mail servers imap behind pfsense not reachable:

            @johnpoz this is my capture with 143|465|587|993 as ports
            Screenshot 2020-09-25 1449523.png

            It looks to me like you are closer than you think - you're simply using all encrypted ports. I see traffic on port 993, which is imap over SSL. I also see port 465, which is SMTP over SSL.

            Furthermore, the traffic is actually flowing in both directions. You can see port 993 going from left to right in the first line, and you can see the reply coming back on the second line. The conversation is taking place with ports 993 and 7256. (Original connection on port 993 with reply requested on 7256). Later down you see the same thing happening with port 465.

            It looks like everything is working. I'm wondering why you don't see IMAP mail in your mail client, because the connection is there.

            Incidentally, the way I would test something like this is to put a laptop directly on the WAN side of the firewall - you can use it in place of your cable modem and use the same IP address on the laptop as the gateway. Or plug it in in parallel with the internet but give yourself a public IP in the same subnet as the WAN IP address. Then test to the pfSense IP while running wireshark to see if your mail client is even sending port 143.

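The capture reading PhxAzCraig describes above (a request on an ephemeral port, a reply coming back from 993 or 465) can be checked mechanically rather than by eye. The following is an added example written for this thread, not code from pfSense or from any poster: it parses tcpdump-style summary lines, pairs each mail-port flow with its reverse direction, and reports which service ports actually answered with a SYN-ACK. The capture lines are constructed for the example and are not the screenshot from the thread.

```python
"""Pair request and reply packets in a capture summary for the mail ports.

Added example for this forum thread; not pfSense code and not any poster's.
The CAPTURE text below is constructed: a client on 203.0.113.77 reaching a
mail server on 192.168.1.25, with 993 and 465 answering and 143 not.
"""
import re
from collections import defaultdict

MAIL_PORTS = {143: "IMAP", 993: "IMAPS", 25: "SMTP", 465: "SMTPS", 587: "Submission"}

# tcpdump-style summary: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

CAPTURE = """\
14:49:52.101 IP 203.0.113.77.7256 > 192.168.1.25.993: Flags [S]
14:49:52.102 IP 192.168.1.25.993 > 203.0.113.77.7256: Flags [S.]
14:49:52.103 IP 203.0.113.77.7256 > 192.168.1.25.993: Flags [.]
14:49:53.410 IP 203.0.113.77.7301 > 192.168.1.25.465: Flags [S]
14:49:53.411 IP 192.168.1.25.465 > 203.0.113.77.7301: Flags [S.]
14:49:55.000 IP 203.0.113.77.7322 > 192.168.1.25.143: Flags [S]
14:49:56.000 IP 203.0.113.77.7322 > 192.168.1.25.143: Flags [S]
"""


def parse_flows(capture: str) -> dict:
    """Group packets into flows keyed (client, cport, server, sport).

    Direction is decided by which side holds a known mail port, so the
    reply 993 -> 7256 lands in the same flow as the request 7256 -> 993.
    """
    flows = defaultdict(lambda: {"to_server": 0, "to_client": 0, "syn": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
        if dport in MAIL_PORTS:                      # client -> server
            f = flows[(src, sport, dst, dport)]
            f["to_server"] += 1
            if "S" in flags and "." not in flags:    # bare SYN
                f["syn"] += 1
        elif sport in MAIL_PORTS:                    # server -> client
            f = flows[(dst, dport, src, sport)]
            f["to_client"] += 1
            if "S" in flags and "." in flags:        # SYN-ACK
                f["synack"] += 1
    return dict(flows)


def service_status(capture: str) -> dict:
    """Per mail port: 'answered' if any flow to it got a SYN-ACK, else 'unanswered'."""
    status = {}
    for (_, _, _, sport), f in parse_flows(capture).items():
        answered = f["synack"] > 0 or status.get(sport) == "answered"
        status[sport] = "answered" if answered else "unanswered"
    return status


if __name__ == "__main__":
    for port, state in sorted(service_status(CAPTURE).items()):
        print(f"{port:>4} {MAIL_PORTS[port]:<11} {state}")
```

A port that shows only repeated bare SYNs from the client, as 143 does in the constructed capture, is the pattern to look for when a client insists on plaintext IMAP and the forward only covers the TLS ports.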
            • D
              daan @johnpoz
              last edited by

              @johnpoz To answer @bmeeks question

              • D
                daan @PhxAzCraig
                last edited by

                @PhxAzCraig It is working now; I had to set up NAT reflection. Thanks!

                • Bob.DigB
                  Bob.Dig LAYER 8
                  last edited by

                  @johnpoz In my home setup, I can "test port" my own email server on my public IP. I also can connect my XMPP client to my XMPP server. I have not set up any NAT reflection in my pfSense or rules.

                  • bmeeksB
                    bmeeks @daan
                    last edited by

                    @daan said in Mail servers imap behind pfsense not reachable:

                    @johnpoz To answer @bmeeks question

                    @daan, when we say from "inside the LAN" we meant to put in the actual internal RFC1918 address of your mail server. So maybe something like 192.168.1.xxx or whatever -- NOT your DNS entry IP (in other words, not the public IP). If using the actual internal non-NAT IP of the mail server didn't work, then a firewall rule must have been blocking. Is that mail server on a separate interface perhaps, such as some kind of DMZ?

                    Glad you got it working with NAT reflection, but the preferred way of doing this is with a split-DNS arrangement such that clients on your LAN connect directly to the mail server using its local non-NAT IP address. For users out on the Internet, they would get the WAN public IP when asking for the mail server. You can research split-DNS to see how this works and why it is the preferred solution over NAT reflection.

                    • D
                      daan
                      last edited by

                      @bmeeks Ah okay, I'll take a look at that. Thanks for the tip!

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        @Bob-Dig, then it's set up without your knowledge or understanding that you did it.

                        You cannot hit your public IP from your LAN side to be reflected back in without NAT reflection being enabled.

                        natreflection.png


                        • Bob.DigB
                          Bob.Dig LAYER 8 @johnpoz
                          last edited by Bob.Dig

                          @johnpoz My ISP is doing 1:1-NAT, maybe that is why this works? How to test for that easily, if of any interest?

                          One reason I don't use split-DNS on everything is to get easily notified of "hosting" problems, like not having ports reachable, which sometimes happens with my ISP after an IP change.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            @Bob-Dig said in Mail servers imap behind pfsense not reachable:

                            My ISP is doing 1:1-NAT

                            Huh? You mean you have a rfc1918 address on pfsense wan, and they do a 1:1 nat with a public IP upstream?


                            • Bob.DigB
                              Bob.Dig LAYER 8 @johnpoz
                              last edited by Bob.Dig

                              @johnpoz It is a CG-NAT-address (100.65..), but yes.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                Well, NAT reflection isn't done on your end then; it's done on their end..

                                natreflection.png

                                edit: To be honest that is almost worse than local nat reflection. Since not only do you have the hairpin on pfsense. But you also have to deal with all the added latency and hairpin on their system ;)

                                Whereas if you used split DNS and just pointed to the local IP, you just go through your local network to get to your server when you're on the local network..


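The three cases argued over in the posts above (bmeeks on split DNS versus NAT reflection, johnpoz on why a LAN client cannot reach its own public IP without a reflection rule, and the CG-NAT variant where the hairpin happens at the ISP) are easy to get muddled, so here is an added example that lays them out in code. It is written for this thread and is not pfSense code or any poster's; the subnets, the 100.65.x WAN address and the two Site objects are constructed, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public space.

```python
"""Which path does a client take to a mail server behind pfSense?

Added example for this forum thread; not pfSense code and not any poster's.
All addresses are constructed. Documentation ranges (203.0.113.0/24,
198.51.100.0/24) stand in for public addresses.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space; the 100.65.x WAN in the thread


@dataclass
class Site:
    lan_net: str            # LAN subnet behind pfSense
    server_lan_ip: str      # mail server's internal (non-NAT) address
    wan_ip: str             # address actually on the pfSense WAN interface
    public_ip: str          # address published in DNS for the mail server
    nat_reflection: bool = False  # reflection enabled on the port forward?


def address_kind(ip) -> str:
    """'rfc1918', 'cgnat' or 'public' (documentation ranges count as public here)."""
    ip = ipaddress.ip_address(ip)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def classify_path(site: Site, client_ip: str, target_ip: str) -> str:
    """Name the path a connection from client_ip to target_ip would take."""
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(target_ip)
    if client in ipaddress.ip_network(site.lan_net):
        if target == ipaddress.ip_address(site.server_lan_ip):
            return "direct-lan"                  # stays on the local network
        if target == ipaddress.ip_address(site.public_ip):
            if site.public_ip != site.wan_ip:
                # The WAN holds a CG-NAT address, so the public IP belongs to the
                # ISP's NAT: the flow leaves the site, is hairpinned upstream and
                # then hairpinned again on pfSense.
                return "hairpin-upstream"
            # Public IP is on pfSense itself: the inbound forward is only turned
            # around for LAN clients when reflection is enabled.
            return "hairpin-pfsense" if site.nat_reflection else "blocked-no-reflection"
        return "unknown"
    # Client is out on the Internet.
    if target == ipaddress.ip_address(site.public_ip):
        return "port-forward"
    if address_kind(target) != "public":
        return "unreachable-private"             # RFC1918/CG-NAT space is not routed from outside
    return "unknown"


def split_dns_answer(site: Site, client_ip: str) -> str:
    """The A record split DNS hands out: internal IP on the LAN, public IP elsewhere."""
    on_lan = ipaddress.ip_address(client_ip) in ipaddress.ip_network(site.lan_net)
    return site.server_lan_ip if on_lan else site.public_ip


# Constructed sites: public IP on the pfSense WAN, and the same LAN behind ISP CG-NAT.
SITE_DIRECT = Site("192.168.1.0/24", "192.168.1.25", "203.0.113.10", "203.0.113.10")
SITE_CGNAT = Site("192.168.1.0/24", "192.168.1.25", "100.65.3.4", "203.0.113.10")

if __name__ == "__main__":
    for site in (SITE_DIRECT, SITE_CGNAT):
        print(f"WAN {site.wan_ip} ({address_kind(site.wan_ip)}), public {site.public_ip}")
        for client in ("192.168.1.50", "198.51.100.7"):
            dns = split_dns_answer(site, client)
            print(f"  {client:>14} -> public IP: {classify_path(site, client, site.public_ip):<22}"
                  f" split-DNS gives {dns}: {classify_path(site, client, dns)}")
```

Running it shows the point of the split-DNS recommendation: for a LAN client the split-DNS answer always classifies as direct-lan, whichever kind of WAN the site has, while the public IP classifies as blocked-no-reflection, hairpin-pfsense or hairpin-upstream depending on the setup.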
                                • Bob.DigB
                                  Bob.Dig LAYER 8 @johnpoz
                                  last edited by Bob.Dig

                                  @johnpoz said in Mail servers imap behind pfsense not reachable:

                                  edit: To be honest that is almost worse than local nat reflection. Since not only do you have the hairpin on pfsense. But you also have to deal with all the added latency and hairpin on their system ;)

                                      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                  Approximate round trip times in milli-seconds:
                                      Minimum = 14ms, Maximum = 18ms, Average = 15ms
                                  PS C:\WINDOWS\system32>
                                  

                                  It is ok for some messages I guess.

                                  Suricata thinks I got attacked..

                                  SERVER-OTHER MRLG fastping echo reply memory corruption attempt
                                  

                                  Then this mystery is solved and I will not mention it anymore, because I am special. 😉

                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by johnpoz

                                    Yeah, for small amounts of traffic it's not all that big of a deal, but it sure isn't "optimal"

                                    Be like walking to the front door in your house from your bedroom when you want to go to the kitchen.. vs just going to the kitchen.

                                    But lets take for example your plex server sitting right next to your client.. Streaming some movie at XMbps..

                                    Your plex server hands out 2 IPs with plex.tv - it lists your public IP, so that remote clients can talk to your plex server when they are out and about on the internet.

                                    But when your client is local, it uses your local rfc1918 address. Which you have to make sure resolves by turning off rebind protection.. If not you would have to nat reflect to get to your own plex server

                                    What is better when you say streaming a 20Mbps movie, or let's say multiple streams of that when you're watching something, your kids are watching something else, and the wife is watching her show on her iPad, etc..

                                    reflection.png

                                    In your scenario, not only would you be running traffic through pfsense that doesn't need to, you would also be limited by your internet connection speed.


                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.