Netgate Discussion Forum

    Outgoing port 25 block workaround help request…

    General pfSense Questions
    12 Posts 4 Posters 3.5k Views
    • Tantamount

      I've got a number of systems on the LAN that can report various things via email, however all use smtp (and thus port 25) by default.  Of course, my ISP blocks outgoing port 25 (Home environment).

      What I'd like to do is use pfsense to redirect anything going out on port 25 to some other port – say 1025.

      At the destination, I would then redirect anything received at 1025 back to port 25.

      I know how to do this with linux and iptables (what I have at the destination), but am not sure how to accomplish this with pfsense.

      Any gurus out there that can help?  It can be a blanket rule affecting all outgoing port 25 traffic.

      This is what I tried, but it didn't work:
      Firewall, NAT, Outbound.  Changed to "Hybrid."

      Added the following rule:
      Interface WAN
      Protocol TCP
      Source: Network - (entered in my lan network here / 24)
      Destination: Any, Port 25

      Translation:
      Address: Interface Address
      Port: 1025

      • johnpoz (LAYER 8 Global Moderator)

        So all of these systems are just trying to talk to your mail server, but only support smtp on port 25?

        Where is your mail server?  Outside your ISP network, I take it ;)  So, a couple of things: you could run a local smtp server and have it forward this mail to your email server outside your ISP network via some other port; typical would be 465 or 587, which are both open normally since they are not used to send unsolicited email to smtp on a global scale.

        You could create a vpn tunnel to where this smtp server sits on pfsense and route traffic that way.

        Personally if you have lots of systems locally that you want to be able to send email from and they only send to 25.. They prob need to be updated ;)  But running a smart host locally would be your best bet, and then have it forward on to your public email server.

        Why can you not just send to your isp email server, and have it forward to your other email server?

        I take it you're talking about a server you control, since you can not just change the port to 1025 if you're sending email to domains that are not yours, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Derelict (LAYER 8 Netgate)

          Yeah, you want to do a port forward on the LAN interface. I think you want something like this:

          Interface: LAN
          Protocol: TCP
          Source: Source addresses you want affected
          Source port: any
          Destination: any (This could also be the mail server IP address to further limit scope)
          Destination Port: 25
          Redirect Target IP: leave blank (you don't want to translate this. It is the destination mail server)
          Redirect Port: 1025
          Filter rule association: None (unless LAN is locked down and you need it for the traffic to pass)

          Then on the other side just do a normal WAN port forward translating outside:1025 to inside:25

          Or use a VPN.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Tantamount

            @johnpoz:

            So all of these systems are just trying to talk to your mail server, but only support smtp on port 25?

            Where is your mail server?  Outside your ISP network, I take it ;)  So, a couple of things: you could run a local smtp server and have it forward this mail to your email server outside your ISP network via some other port; typical would be 465 or 587, which are both open normally since they are not used to send unsolicited email to smtp on a global scale.

            Yes.  For instance I'm running SecurityOnion.  That alone has about 4 different processes, each with their own smtp reporting mechanisms.  Pfsense also has email reporting abilities via that mailreport package addon.  Most of these are limited to "destination email" for a setting.  :(

            My first thought was to do what you suggest – get pfsense to receive and redirect, however there doesn't seem to be a mail server package, and when I searched for this ability, saw some fairly hostile "that's a no-no" responses here: (https://forum.pfsense.org/index.php?topic=34838.0)

            @johnpoz:

            You could create a vpn tunnel to where this smtp server sits on pfsense and route traffic that way.

            Personally if you have lots of systems locally that you want to be able to send email from and they only send to 25.. They prob need to be updated ;)  But running a smart host locally would be your best bet, and then have it forward on to your public email server.

            Why can you not just send to your isp email server, and have it forward to your other email server?

            I could do the vpn tunnel thing, but was hoping for a simpler solution.  The only email that would be outgoing on port 25 is stuff I want to go to my email server.

            Privacy reasons for not using the ISP's email server, that plus it's just something else that can break.

            @johnpoz:

            I take it you're talking about a server you control, since you can not just change the port to 1025 if you're sending email to domains that are not yours, etc.

            Correct.  I have a server that does normal internet stuff like web/email, etc, but is hosted elsewhere.  I have complete control over this  server and the traffic it receives.

            So I guess there is no simple port redirect solution for outgoing traffic from pfsense?

            • Tantamount

              @Derelict:

              Yeah, you want to do a port forward on the LAN interface. I think you want something like this:

              Interface: LAN
              Protocol: TCP
              Source: Source addresses you want affected
              Source port: any
              Destination: any (This could also be the mail server IP address to further limit scope)
              Destination Port: 25
              Redirect Target IP: leave blank (you don't want to translate this. It is the destination mail server)
              Redirect Port: 1025
              Filter rule association: None (unless LAN is locked down and you need it for the traffic to pass)

              Then on the other side just do a normal WAN port forward translating outside:1025 to inside:25

              Or use a VPN.

              To be clear, I should be in Firewall -> NAT -> Outbound for this?

              The GUI has a "Translation" area instead of redirect.  There has to be something entered here – the default is "Interface Address", which I had thought in this case would be the pfsense's internal ip address. This seems counter intuitive, and was why I originally tried this on the Wan port instead.

              I'll give it a try and see what happens.  :)

              • Derelict (LAYER 8 Netgate)

                No, Firewall > NAT, Port Forward

                • Tantamount

                  @Derelict:

                  No, Firewall > NAT, Port Forward

                  Perfect, that worked.  The only thing I had to change from your instructions was to put in a Redirect Target IP address. The web GUI wouldn't let me leave it blank.

                  • Derelict (LAYER 8 Netgate)

                    Hmm. I didn't think one was required if you were only translating the port. Could swear I have done that before. Maybe I did the same address in the destination IP and redirect target IP. That must be it.

                    If it made you set one there I would set both so it only matches that specific address.

                    Glad it worked.

                    • johnpoz (LAYER 8 Global Moderator)
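                    As an added illustration (not part of this thread, and not Netgate's or pfSense's own code), the following POSIX shell script writes out, as text only, the two rules the thread arrives at: the pf `rdr` rule that corresponds to Derelict's Firewall > NAT > Port Forward entry with the mail server set as both destination and redirect target (the "set both" advice above), and the matching iptables lines for the Linux destination that take 1025 back to 25. It also includes a small scope check for the over-broad variant, a rule whose destination is "any", which johnpoz's point about third-party domains warns against: outbound SMTP to mail servers you do not control would be rewritten to a port they do not listen on. The interface name, networks and addresses are constructed sample values, not values from the thread; nothing is applied to any firewall.

```shell
#!/bin/sh
# Added example: emits the pfSense-side pf rdr rule and the destination-side
# iptables rules described in the thread as text for review. Nothing is applied.

# Constructed sample values (assumptions, not taken from the thread).
LAN_IF="em1"               # pfSense LAN interface
LAN_NET="192.168.1.0/24"   # home LAN
MAIL_IP="203.0.113.10"     # remote mail server you control
HOME_IP="198.51.100.7"     # home WAN address as the mail server sees it
ALT_PORT="1025"            # alternate port that the ISP does not block

# pfSense side: pf equivalent of the Port Forward entry on LAN
# (TCP, destination = mail server port 25, redirect target = same mail
# server, redirect port = ALT_PORT). Scoping the destination to MAIL_IP
# means only SMTP to your own server is rewritten.
pfsense_rdr_rule() {
  printf 'rdr on %s inet proto tcp from %s to %s port 25 -> %s port %s\n' \
    "$LAN_IF" "$LAN_NET" "$MAIL_IP" "$MAIL_IP" "$ALT_PORT"
}

# Destination side (Linux): translate :ALT_PORT back to :25 on the same host
# and accept it in the filter table, both limited to the home WAN address so
# the alternate port is not an open SMTP entry point for everyone.
dest_iptables_rules() {
  printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport %s -j REDIRECT --to-ports 25\n' \
    "$HOME_IP" "$ALT_PORT"
  printf 'iptables -A INPUT -p tcp -s %s --dport 25 -j ACCEPT\n' "$HOME_IP"
}

# Scope check: returns 0 when the rdr rule names a single destination host,
# 1 when it would rewrite SMTP to "any" destination (breaks mail to servers
# you do not control, which listen on 25 and not on the alternate port).
rdr_is_scoped() {
  case "$1" in
    *" to any "*) return 1 ;;
    *) return 0 ;;
  esac
}

# Usage: print both sides for review.
pfsense_rdr_rule
dest_iptables_rules
if rdr_is_scoped "$(pfsense_rdr_rule)"; then
  echo "# rdr rule is scoped to $MAIL_IP"
fi
```

The pfSense GUI generates the `rdr` line itself from the Port Forward entry; the text here is only for checking what that entry amounts to. On the destination host, REDIRECT rewrites the destination port before the filter table sees the packet, which is why the INPUT rule matches on 25 rather than on the alternate port.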

                      Who said anything about running it on pfsense?  Sounds like you have plenty of resources to run a simple mail relay..  While your method works, not how I would do it.

                      Glad you got it sorted.

                      • Tantamount

                        @johnpoz:

                        Who said anything about running it on pfsense?  Sounds like you have plenty of resources to run a simple mail relay..  While your method works, not how I would do it.

                        Glad you got it sorted.

                        Setting up a completely different server (virtual or otherwise) just to get past a port 25 block for some very specific traffic would be hugely wasteful, time consuming to maintain, and far more complex than necessary.

                        That versus a one line rule in a firewall that already exists.

                        To each their own.

                        • johnpoz (LAYER 8 Global Moderator)

                          And this SO box can not run a simple email relay?  Now it's just sending its email to localhost to have it forward on.

                          https://github.com/Security-Onion-Solutions/security-onion/wiki/Email

                            • stephenw10S stephenw10 locked this topic on
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.