Route only dport=25 traffic via site-to-site IPSEC tunnel?



  • I have a home office set up connected to a rack in our datacenter, with pfSense at both ends.  My ISP blocks connections to dport=tcp/25. Problem is, I maintain a bunch of mail servers and often need to telnet to port 25 of these for testing purposes. To get around this I ssh into the datacenter (which isn't blocked) and make my connections from there.  But that's an extra step I'd like to cut out.

    Anyone know of a way to tunnel & NAT my outbound connections through the site-to-site so that they appear to originate from the datacenter network? Basically, similar to the setup described at: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

    But instead of tunneling all traffic via the tunnel, just match dport=tcp/25

    Has anyone done this? I mashed at my keyboard for a while but couldn't make it work.



  • You cannot policy route IPsec. You can with OpenVPN however.



  • Good to know, thank you.  That was my hunch but I thought I'd ask just in case.  I will create an OpenVPN tunnel for this.



  • Set it all up using OpenVPN.  Working great!  I had to fiddle with my outbound NAT rules a bit, but got it working.  Can telnet to port 25 all day long now.
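For readers who want to see what the working setup from the last post looks like underneath, here is an added illustration in pf.conf syntax (pfSense generates its ruleset from pf, so the GUI rules map onto statements like these). This is not the original poster's configuration and not pfSense's generated output; every interface name and address is assumed: home LAN 192.168.1.0/24 on `em1`, OpenVPN client interface `ovpnc1` with the datacenter end of the tunnel at 10.8.0.1, tunnel network 10.8.0.0/24, and on the datacenter firewall the OpenVPN server interface `ovpns1` and WAN `em0`.

```pf
# --- Home pfSense (OpenVPN client side) ---------------------------------
# Assumed names: em1 = home LAN, ovpnc1 = OpenVPN client interface,
# 10.8.0.1 = datacenter end of the tunnel. All values are illustrative.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"

# Policy-route only TCP/25 from the LAN into the tunnel. "quick" stops
# rule evaluation here, so the catch-all rule below never sees this traffic.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet proto tcp \
    from $lan_net to any port 25 keep state

# Everything else from the LAN leaves by the normal default route (ISP).
pass in on $lan_if inet from $lan_net to any keep state

# --- Datacenter pfSense (OpenVPN server side) ---------------------------
# Assumed names: ovpns1 = OpenVPN server interface, em0 = datacenter WAN,
# 10.8.0.0/24 = tunnel network. Translation rules precede filter rules in pf.
wan_if  = "em0"
vpns_if = "ovpns1"
tun_net = "10.8.0.0/24"

# Outbound NAT: port-25 flows that arrived over the tunnel leave with the
# datacenter WAN address, so the mail servers see the datacenter as source.
nat on $wan_if inet proto tcp from $tun_net to any port 25 -> ($wan_if)

# Accept only the tunnelled port-25 traffic on the VPN interface for
# forwarding; nothing else from the tunnel is let out to the internet.
pass in quick on $vpns_if inet proto tcp from $tun_net to any port 25 keep state
```

In the pfSense GUI these correspond to a LAN firewall rule (protocol TCP, destination port 25) whose Gateway is set to the OpenVPN client gateway, and on the datacenter side an Outbound NAT mapping (Hybrid or Manual mode) on WAN for the tunnel network. The datacenter box also needs a route back to the home LAN through the tunnel (the OpenVPN "Remote Networks" setting) or the replies never reach the client. To confirm it works, connect to port 25 of one of your own mail servers from a LAN host and check that its log records the datacenter WAN address as the connecting IP; if it shows your home ISP address, the route-to rule is not matching.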
