SMTP notification uses default gateway instead of IPSEC
-
From my experience:
- install postifix on pfsense and setup as relay to your private email server ( for pfsense email notification listen only on localhost )
The reason I am using this way is that if connection to mail server can't be established I am losing emails with notifications ( pfsense don't keep this if can't deliver and you have to dig in logs ), and some time also it is possible to have some errors because of failure to deliver notifications that will lead to some package crash.
read here how to install in 2.3.x:
https://forum.pfsense.org/index.php?topic=40622.msg662826#msg662826
-
Hi,
thanks for the suggestion but I'm not going to install a package manually which is unsupported on a production environment.
Is there really no other way telling the notification system where to find the mail server other than a local network?Regards
-
have a look at: System/Advanced/Notifications/E-mail and see what you can do there with settings, if your email server is located in LAN you can point directly to his internal IP and set the server to accept emails from pfsense internal IP.
p.s.
I am using manual installed & configured postfix in "two production" pfsense 2.3.x both connected by OVPN Site to Site and both use local postfix to forward local notification email to email server in LAN without any problems for months ( one of them also use postfix as a backup email for mx domain server so it accept external emails also ). -
I realize this is an old thread, but I'm replying since it's one of the first results that appears when Googling this question. Here's all you should need.
Let's assume you have the following configuration:
- LAN: 10.0.10.0/24
- WAN: <whatever>
- IPSec: 172.16.30.0/24
- Mail Server: 172.16.30.25
Assuming your tunnel is functional and no firewall rules are explicitly blocking traffic between the LAN and IPSec, do the following:
- Create a Gateway (System/Routing/Gateways)
- Interface: LAN
- Address Family: IPv4 (obviously, change this to IPv6 if you're doing this for an IPv6 network)
- Name: LAN_GW
- Gateway: 10.0.10.1 (... assuming this is the IP address of the LAN interface)
- Description: LAN Gateway
- Create a Static Route (System/Routing/Static Routes)
- Destination Network: 172.16.30.25 (IP address of mail server)
- Gateway: Select the previously created gateway from the dropdown list (LAN_GW - 10.0.10.1)
- Description: Route to mail server via IPSec
Proceed with configuring your notifications, using your internal mail server's IP address.
-
Yup.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
Steve
-
Or use VTI IPsec and a regular route. Easy peasy.
-
Hi,
I have the same problem, I tried your solution but it doesn't work.
has anyone solved the problem?
Thanks
fabio
-
these are our GW
SMTP is 172.16.43.254
this is the static route
disabled because is not working.
fabio
-
That route should be a subnet not an address. Use /32 there if you want a single IP.
Can we see the IPSec Phase 2 config? Is it actually carrying that?
Steve
-
Hi Steve,
thanks a lot for your help.
I try to explain better:
The problem is on our PFsense Firewall installed on our China Plant; We don’t have a ipsec VPN tunnel, but we have a dedicated line for our Italy plant.
So the PFsense has a default gateway for the local traffic, and an Interface for the traffic to the IT LAN with a static route.
This is the logical schema:
These are the interfaces:
gatewas
static route to IT LAN
everything is working well, but the SMTP notification NOT.
We have a SMTP gateway server on the IT LAN and we have to use it.
SMTP server: 172.16.43.254
If I try to ping from firewall it fails:
but if I choose the interface the ping is OK:
the solution should be can choose from which interface to start the SMTP connection, but I don't know if it is possible.
If I activated the gateway as suggested:
it don't works, this is the ping response:
also don't work ping from other hosts from LAN, but first yes.
thanks againg for your support.
fabio
-
Ok, then you don't need the LAN gateway or the statis route. That only applies to policy based IPSec connections. Remove them.
With a direct routed connection as you have both smtp and ping traffic should use the system routing table to decide which gateway to use. The route you have to 172.16.40.0/22 should be sufficient, if it is in there correctly. Can we see the routing table from pfSense?
Steve
-
@stephenw10 said in SMTP notification uses default gateway instead of IPSEC:
ufficient, if it is in there correctly. Can we see the routing table from
fabio
-
Ok, that should work.
Maybe you have something that was already trying to connect and opened a state via the default gateway and it's still open.
Check the state table for any states to 172.16.43.254. Delete any ICMP or SMTP that are present.Steve
-
Hi Steve,
I understood: it was a NAT problem!
For BT interface the NAT from China LAN is disabled, but other network are not trasported to Italy!
Now I have defined this new NAT rule:
details:
now the ping is working:
and also the SMTP test is OK:
many thanks for your time and help!
I'm sorry I didn't understand earlier that the problem was somewhere else and it was a NAT problem.
bye
fabio
-
Ah, cool.
-
@Fabio-Giacobbe The scenario I posted was specific to IPSec. But don't feel bad, we've all been in similar NAT-induced (read: confusing) situations. Glad you got it figured out!