Multiple email servers behind pfsense


  • Banned

    I have two email servers I want to run behind pfsense. I have one WAN with multiple static IP's. 5 interface ports. One interface is dedicated to the LAN. One interface to wireless. One to WAN. I want to use the remaining two interface ports, one to each of the email servers each dedicated to its own static WAN IP.

    I have this running now with one email server using NAT and port forwarding the email ports to that NAT IP.
    Now I need to add another email server.

    Here is the question.
    Can I add another port forwarding rule with the new destination address and NAT IP with the same email ports as the other server? Both would use the same WAN interface. Or is there a better way to achieve this?


  • LAYER 8 Global Moderator

    sure if you have multiple wan IPs you can forward the same port from different IPs to different servers.



  • Alternately, if you don't have a spare external IP to play with, you can set up an MTA that sits between your firewall and your mail servers. The MTA can then route emails to either of your internal mail servers depending on the recipient domain. You only change the NAT on the firewall to point to the new box and the mail routing is handled by that machine to the target mail server. You would also have to add the MX record for the new domain to point to the same WAN IP, of course.


  • LAYER 8 Global Moderator

    ^ but he stated he did have multiple IPs
    "I have one WAN with multiple static IP's"

    So yes just put one of your other IPs on your wan, and port forward from that IP to your 2nd server.



  • So yes just put one of your other IPs on your wan, and port forward from that IP to your 2nd server.

    You're probably going to want to look up "VIP" for any other IP addresses you want to add to the WAN side.


  • LAYER 8 Netgate

    It also sounds like you're wasting router ports. Make one of those ports a (real) DMZ and put your mail servers on a switch behind it.



  • @johnpoz:

    ^ but he stated he did have multiple IPs
    "I have one WAN with multiple static IP's"

    So yes just put one of your other IPs on your wan, and port forward from that IP to your 2nd server.

    I was proposing the single NAT to a domain-routing MTA as just another option. I also have a WAN with multiple IPs, but all of them are being used for other purposes. I didn't know if the OP had a similar issue, so suggested this as a possible plan B. Never hurts to have multiple options.


  • LAYER 8 Netgate

    You can use port 25 on the IP addresses for email servers and use them for other things.

    A port forward will be effective before a 1:1 NAT on the same address resulting in the port forward for port 25 going to a specific NAT/PAT and everything else going to the 1:1 NAT address.


  • Banned

    Ok I will try with 2 port 25 port forwards, each to the different WAN IP. Thanks


  • Banned

    Tried the 2 port forwarding rules and it does not work. Only the first rule passes to the port.
    Is there any way to do this without using port forwarding? I simply want to run 2 email servers using all the email ports to 2 static IP's with one WAN port and one gateway. I have 4 static IP's assigned to me on one gateway and 5 external IP ports.

    EXAMPLE:
    gateway 96.97.98.113 - Assigned Static IPs: 96.97.98.114, 96.97.98.117, 96.97.98.124, 96.87.98.125
    static IP 96.97.98.114 to LAN: 192.168.1.1/24
    static IP 96.97.98.117 to Email server 1: ports 25,80,110,143,443 - 192.168.20.2 - Assigned VIP
    static IP 96.97.98.124 to WLAN; 192.168.2.1/24
    static IP 96.97.98.125 to Email server 2: ports 25,110,143 - 192.168.30.2 - Assigned VIP

    I have 5 external ports connecting to: WAN, LAN, WLAN, Email 1, Email 2
    WLAN, LAN, and Email server 1 have been working fine for quite a while. (Email server 1 using Port Forwarding)
    Just want to add Email server 2

    So why do I need port forwarding when I have all dedicated ports? What I really want to do is the following:
    Direct all traffic from IP:
    96.97.98.114 to/from LAN traffic on External port 1
    96.97.98.117 to/from EMAIL 1 Server traffic on External port 2
    96.97.98.124 to/from WLAN traffic on External port 3
    96.97.98.125 to/from EMAIL 2 Server traffic on External port 4
    External port 5 is on the WAN 96.97.98.113/28 and is assigned as the gateway

    117 and 125 IP's are assigned as VIP's and using 1:1 NAT. All can access the internet via the gateway. And have rules for LAN access.
    Maybe all I need is some WAN firewall rules to pass all the traffic from the VIP's to the actual server IP without any Port Forwarding?
    Maybe even specific WAN rules to just pass the ports I need to those EMAIL servers.
    Question is, do I need to setup any other things to just use WAN rules without using Port Forwarding?
    Can I use a VIP to go to the specific IP via WAN rules only? Or are VIP's used only for NAT rules?

    I hope I provided enough info to ask the question. IP's have been changed, in my examples, to protect the innocent.
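As an added illustration (not posted by anyone in the thread, and not pfSense's generated ruleset), here is the two-VIP layout from the post above written in pf.conf syntax with the example addresses; the WAN interface name em0 is an assumption. It shows the port-forward-before-1:1-NAT ordering described earlier in the thread: pf matches inbound packets against rdr rules before binat rules, so the same port on two different VIPs can go to two different servers.

```pf
# Constructed example using the addresses from the post; WAN interface "em0" is assumed.
# Inbound translation: pf evaluates rdr (port forward) rules before binat (1:1 NAT),
# so port 25 on each VIP reaches its mail server even though a 1:1 NAT also exists.
ext_if = "em0"
mail1  = "192.168.20.2"
mail2  = "192.168.30.2"
vip1   = "96.97.98.117"
vip2   = "96.97.98.125"

# Port forwards: one rule per VIP, same ports, different internal destinations
rdr on $ext_if proto tcp from any to $vip1 port { 25 80 110 143 443 } -> $mail1
rdr on $ext_if proto tcp from any to $vip2 port { 25 110 143 }        -> $mail2

# 1:1 NAT for everything else on the same VIPs (also rewrites the servers' outbound source)
binat on $ext_if from $mail1 to any -> $vip1
binat on $ext_if from $mail2 to any -> $vip2

# WAN filter rules: written against the post-translation (internal) address
pass in quick on $ext_if proto tcp from any to $mail1 port { 25 80 110 143 443 }
pass in quick on $ext_if proto tcp from any to $mail2 port { 25 110 143 }
```

Without the binat lines this is plain port forwarding; the two rdr rules plus their pass rules are all the mail ports need.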


  • Banned

    Bump….Anyone?



  • @dcol:

    Bump….Anyone?

    Did you set up any VIPs for your other static IP addresses?

    You're probably going to want to look up "VIP" for any other IP addresses you want to add to the WAN side.


  • LAYER 8 Netgate

    Post screenshots of what you have done.

