Access Mailserver through VPN from Firewall itself
-
Hi,
Forget about the topic, I'll try to explain my problem.
Two pfsense connected with ipsec. Everything works great.
Behind pfsense-01 (10.10.0.0/16) is a Mailserver, Clients behind pfsense-02 (10.11.0.0/16) can connect without a problem.
I now want pfsense-02 itself to send notifications (System -> Advanced -> Notifications) to this Mailserver. If I do a test, the Error is:
Error: Failed to connect to MAILSERVER:587 [SMTP: Failed to connect socket: Permission denied (code: -1, response: )]
I think the problem is, pfsense-02 is trying to send the Mail as localhost 127.0.0.1 and gets a "Permission denied" Error.
Same error occurs with a ping test in the ssh console:
[2.4.5-RELEASE][PFSENSE-02]/: ping 10.10.0.200
PING 10.10.0.200 (10.10.0.200): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
[2.4.5-RELEASE][PFSENSE-02]/: ping -S 127.0.0.1 10.10.0.200
PING 10.10.0.200 (10.10.0.200) from 127.0.0.1: 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
Pinging directly from the interface IP-Address works without a problem:
[2.4.5-RELEASE][PFSENSE-02]/: ping -S 10.11.0.1 10.10.0.200
PING 10.10.0.200 (10.10.0.200) from 10.11.0.1: 56 data bytes
64 bytes from 10.10.0.200: icmp_seq=0 ttl=127 time=16.556 ms
64 bytes from 10.10.0.200: icmp_seq=1 ttl=127 time=16.543 ms
64 bytes from 10.10.0.200: icmp_seq=2 ttl=127 time=16.676 ms
Is it possible to set an outgoing interface for the mailer daemon?
Thanks for any help :-)
-
If that is tunneled IPsec (not routed) then it's the same concept as this:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
-
Thanks, I already found that link, but the ping test in that article is working as expected:
ping -S <pfsense LAN ip> <remote IP address>
[2.4.5-RELEASE][PFSENSE-02]/: ping -S 10.11.0.1 10.10.0.200
PING 10.10.0.200 (10.10.0.200) from 10.11.0.1: 56 data bytes
64 bytes from 10.10.0.200: icmp_seq=0 ttl=127 time=16.556 ms
64 bytes from 10.10.0.200: icmp_seq=1 ttl=127 time=16.543 ms
64 bytes from 10.10.0.200: icmp_seq=2 ttl=127 time=16.676 ms
I was looking for the alternative mentioned at the end of the article:
"Another alternative, depending on the version, would be to change the interface binding of the target service so that it only listens on the LAN IP address. [...] The interface binding for SNMP, NTP, the DNS Forwarder, and several other services can be set in this way."
I need to do this for sendmail or whatever mailer is used for the webgui.
-
There is no sendmail, it's just a PHP mailing script. No way to bind to an interface, you must use the routing trick. (Or switch to routed IPsec...)
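The "routing trick" the reply refers to (and that the linked Netgate article describes) is worth seeing as a mechanism, because it explains why the explicit `ping -S 10.11.0.1` works while the unsourced ping and the notification mailer fail. Tunneled (policy-based) IPsec only protects packets whose source and destination both fall inside the phase 2 traffic selectors; the firewall's own traffic is sourced from whatever address the routing table picks, which for the remote subnet is normally the WAN/default-route address (or loopback, as in the poster's test) and therefore never matches the policy. A static route for the remote subnet via a gateway on the LAN interface makes the kernel pick the LAN IP as source, so the policy matches. The following Python model is an added illustration, not code from the thread or from pfSense: the addresses (LAN 10.11.0.1/16, remote 10.10.0.0/16, mail server 10.10.0.200, a constructed WAN address 203.0.113.2) and the longest-prefix-match source selection are assumptions chosen to reproduce the symptom the poster saw.

```python
import ipaddress

# Constructed topology (assumption, mirrors the thread): pfSense-02 LAN side and
# the remote subnet behind pfSense-01 are the IPsec phase 2 traffic selectors.
LOCAL_LAN_IP = ipaddress.ip_address("10.11.0.1")
WAN_IP = ipaddress.ip_address("203.0.113.2")        # constructed, documentation range
PHASE2_LOCAL = ipaddress.ip_network("10.11.0.0/16")
PHASE2_REMOTE = ipaddress.ip_network("10.10.0.0/16")
MAILSERVER = "10.10.0.200"

# A routing table is modelled as (destination network, source address the
# kernel will use when that route is selected).  Without the trick only the
# default route exists, so remote-subnet traffic is sourced from the WAN IP.
ROUTES_WITHOUT_TRICK = [
    (ipaddress.ip_network("0.0.0.0/0"), WAN_IP),
]
# With the trick: a static route for the remote subnet via a gateway that sits
# on LAN, so locally generated traffic to 10.10.0.0/16 is sourced from the LAN IP.
ROUTES_WITH_TRICK = ROUTES_WITHOUT_TRICK + [
    (PHASE2_REMOTE, LOCAL_LAN_IP),
]


def ipsec_policy_matches(src, dst):
    """Policy-based IPsec protects a packet only if both ends fall inside the
    phase 2 selectors; anything else is not 'VPN traffic' as far as the
    security policy database is concerned."""
    return (ipaddress.ip_address(src) in PHASE2_LOCAL
            and ipaddress.ip_address(dst) in PHASE2_REMOTE)


def choose_source(dst, routes):
    """Toy longest-prefix-match lookup: the most specific route wins and its
    associated address becomes the packet's source."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1]


def simulate_send(dst, routes, explicit_source=None):
    """Return (result, source_used).  'Permission denied' stands in for the
    EPERM the poster saw from sendto(); 'ok' means the packet would be
    encrypted and sent through the tunnel.  explicit_source models `ping -S`."""
    src = ipaddress.ip_address(explicit_source) if explicit_source else choose_source(dst, routes)
    if ipsec_policy_matches(src, dst):
        return ("ok", str(src))
    return ("Permission denied", str(src))


if __name__ == "__main__":
    cases = [
        ("no source given, no static route", MAILSERVER, ROUTES_WITHOUT_TRICK, None),
        ("source 127.0.0.1, no static route", MAILSERVER, ROUTES_WITHOUT_TRICK, "127.0.0.1"),
        ("ping -S LAN IP, no static route", MAILSERVER, ROUTES_WITHOUT_TRICK, "10.11.0.1"),
        ("no source given, static route added", MAILSERVER, ROUTES_WITH_TRICK, None),
    ]
    for label, dst, routes, explicit in cases:
        result, src = simulate_send(dst, routes, explicit)
        print(f"{label:40s} src={src:12s} -> {result}")
```

The last case is the one that matters for the notification mailer: the PHP script cannot pick a source address, but once the static route exists the kernel picks the LAN IP for it, the same address the working `ping -S 10.11.0.1` used. A quick check after adding the route on a real box is `ping 10.10.0.200` without `-S`; if it now answers, the mailer will reach the server too.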
-
@morbo Hi, I've the same problem as you in 2020! Have you solved it, and if yes, how? Thanks for a short response! Regards, Norbert
-
@nsuttner Kind of, but not satisfying.. I'm using an external smarthost relay-server to send the mails over the internet and not the tunnel. A bit dirty, but it works..
-
@morbo Haha, smile, I had the same idea a few minutes ago and it works with our Office365 mailer! Thanks for your answer and have a nice day! Regards, Norbert