New User of PFsense needs help
-
I want to retire my 15 year old firewall router, an old Cisco RV 120W, that I have used at my home.
I have a set of fixed IP addresses from my ISP as I run a mail server and a web server from home.
On my internal network I run a 10.0.0.x network. I have the ISP modem running in bridged (stupid) mode.
So we have: ISP>Modem (bridged)>router/firewall>switch>computers
For the life of me, I cannot get PFsense to pass through to my servers. I can get out via browsing. I just keep getting a timeout when I try to connect to the mail server from outside of my network. My Thunderbird (IMAP) also cannot connect on the inside, which is odd as I use the 10.0.0.x address in the Thunderbird setup on my workstation.
Can someone post for me a "clean" minimalist example of the port forwarding or 1:1 NAT and rules needed to allow a mail (SMTP) server to communicate with the outside world on PFsense?
I suspect I am missing something basic that is under my nose.
My outside IP is xxx.xxx.xxx.216 and my actual mail server is on 10.0.0.216
I am using the ISP DNS and it seems to be working fine in PFsense.
Thanks, JD
PS, the logs are showing the SMTP connections that are trying to be made and PFsense denying them.
-
@sfjames said in New User of PFsense needs help:
PS, the logs are showing the SMTP connections that are trying to be made and PFsense denying them.
What rules did you create.. If you have more than 1 IP, you would need to create a VIP and then either port forward with that, or setup a 1:1 nat..
-
Ahhhh...
Perhaps that is the issue. I have 8 IP addresses that are being "pointed" down to me by my ISP. My appliance router-firewalls take care of that by selecting or auto detecting the bridge mode in the set up.
When I get home tonight, I will try setting up a VIP and see if my NAT and Rules work then.
JD
-
Are these IPs routed to you, or are you just directly attached? There is a difference.
But if these IPs will hit your wan, and you want them to go to something behind.. You can either nat them, or if routed you could put this /X subnet directly behind pfsense if routed.
If directly attached then you have to create a VIP to use other IPs
-
I must be going mad!
I have time this morning to work on this and I am getting no place. I know I am getting old and my retired brain is not what it used to be...but really this should not be that hard.
Something very basic is wrong.
I can ping both of the Intel NUC interfaces from my internal network. Both 10.0.0.28 and 10.0.0.29. I can browse out from the machine and the like.
It looks like for some reason I cannot get anything past the firewall.
I am running the Intel NUC with Windows and an Oracle VM VirtualBox. For some reason the thing just blocks everything inbound.
For my mail server, the public IP is 50.0.191.216 and the server itself is 10.0.0.216.
So, can someone walk me through all the necessary configuration steps to get a mail server to work with PFsense? I am using 50.0.191.217 for the WAN address and 10.0.0.10 for the gateway.
I have tried NAT, adding VIP and the like and nothing seems to work.
James
-
@sfjames You need a VIP and a port-forward.
- VIP: Add an IP Alias VIP:
Interface - WAN
Address type - Single address
Address - one of your IPs (not the WAN one) and the mask you got from your ISP, likely a /29.
- Create a NAT Port-forward:
Interface: WAN
Address family: IP4
Protocol: TCP
Destination: Your VIP
Destination port range: whatever ports you need for your server. You can create a ports alias via Aliases and then use that here.
Redirect target IP: Your LAN server
Redirect target port: Use the same port(s) or alias as above
That's all you need to do. pfSense will automagically create the required firewall rule on WAN. To test, you need to go outside your network via your phone or VPN. You will have to update your domain's DNS records to point to that VIP if you want to access your server via its public name. From inside on your LAN, you should create some host overrides in pfSense DNS (Resolver or Forwarder, whichever you use) to resolve your servers' FQDNs to their LAN IPs.
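The reply above lists three separate pieces (an IP Alias VIP, a NAT port-forward, and DNS host overrides for LAN clients). The following is an added example, not code from the thread or from pfSense, that models how those pieces decide what happens to an inbound WAN connection, so each one can be checked against a sample packet. It uses the addresses the poster gave (50.0.191.216, 50.0.191.217, 10.0.0.216); the /29 block, the ports alias {25, 587, 993}, the hostname mail.example.com and all function names are constructed for the example.

```python
"""Model of the VIP + port-forward + host-override setup described in the reply.

Added example; this is not pfSense code. It imitates the decision pfSense makes
for an inbound WAN packet once an IP Alias VIP and a NAT port-forward exist.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Addresses from the thread; the /29 is an assumption (the poster has 8 IPs).
ISP_BLOCK = IPv4Network("50.0.191.216/29")
WAN_ADDRESS = IPv4Address("50.0.191.217")   # pfSense WAN address
MAIL_VIP = IPv4Address("50.0.191.216")      # IP Alias VIP for the mail server
MAIL_LAN = IPv4Address("10.0.0.216")        # the mail server on the LAN
# Constructed ports alias for a mail server: SMTP, submission, IMAPS.
MAIL_PORTS = frozenset({25, 587, 993})


@dataclass(frozen=True)
class PortForward:
    """One entry in Firewall > NAT > Port Forward, as described in the reply."""
    proto: str                # "tcp" or "udp"
    destination: IPv4Address  # the VIP the connection arrives for
    ports: frozenset          # destination port range (or ports alias)
    target: IPv4Address       # redirect target IP on the LAN
    # Redirect target port is "the same port(s) as above", so it is not stored.


def validate_vip(vip: IPv4Address, block: IPv4Network, wan: IPv4Address) -> list:
    """Return the problems with a proposed IP Alias VIP; an empty list means usable."""
    problems = []
    if vip not in block:
        problems.append(f"{vip} is not inside the ISP block {block}")
    if vip == wan:
        problems.append(f"{vip} is the WAN address itself, not an extra IP")
    return problems


def match_forward(rules, proto: str, dst: IPv4Address, dport: int) -> Optional[tuple]:
    """First matching port-forward for an inbound WAN packet, or None.

    None means no rule redirects this address/port, so the WAN default-deny
    drops the packet and the remote client sees a timeout.
    """
    for rule in rules:
        if rule.proto == proto and rule.destination == dst and dport in rule.ports:
            return rule.target, dport  # same port on the target
    return None


def resolve_for_client(name: str, public: dict, overrides: dict, on_lan: bool) -> IPv4Address:
    """Model the DNS host override: LAN clients get the LAN IP, outside clients the VIP."""
    if on_lan and name in overrides:
        return overrides[name]
    return public[name]


def demo() -> dict:
    """Run the reply's setup against a few constructed inbound packets and lookups."""
    rules = [PortForward("tcp", MAIL_VIP, MAIL_PORTS, MAIL_LAN)]
    public_dns = {"mail.example.com": MAIL_VIP}       # constructed public record
    lan_overrides = {"mail.example.com": MAIL_LAN}    # constructed host override
    return {
        "vip_ok": validate_vip(MAIL_VIP, ISP_BLOCK, WAN_ADDRESS),
        "vip_is_wan": validate_vip(WAN_ADDRESS, ISP_BLOCK, WAN_ADDRESS),
        "vip_outside": validate_vip(IPv4Address("50.0.191.240"), ISP_BLOCK, WAN_ADDRESS),
        # SMTP to the VIP: redirected to the LAN server.
        "smtp_to_vip": match_forward(rules, "tcp", MAIL_VIP, 25),
        # SMTP to the WAN address: no rule for that address, dropped.
        "smtp_to_wan": match_forward(rules, "tcp", WAN_ADDRESS, 25),
        # Port not in the alias: dropped.
        "http_to_vip": match_forward(rules, "tcp", MAIL_VIP, 80),
        "lan_resolve": resolve_for_client("mail.example.com", public_dns, lan_overrides, True),
        "ext_resolve": resolve_for_client("mail.example.com", public_dns, lan_overrides, False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two `None` results are the point of the model: a connection that arrives for an address with no VIP and no port-forward, or for a port outside the alias, never reaches the LAN server, which is what a remote client experiences as a timeout. The `resolve_for_client` pair shows why the reply recommends host overrides: a LAN client that resolves the public name to the LAN address talks to the server directly instead of to the WAN side of pfSense.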