External ip -> Router DMZ -> WAN interface -> Exchange 2013 server (OWA access)



  • Dear Community,

    I'm looking at a problem with my exchange setup through pfsense.

    I currently have a single external static IP assigned to me on a TP-Link router, with which I DMZ all traffic to my pfSense WAN interface IP.

    I have created NAT port forward rules for SMTP, HTTPS and HTTP to my Exchange server and a DNS rule to my DC server.

    *External DNS records have been configured correctly (I believe) and the same for my internal DNS server.
    *SSL has been configured and validated against the domain
    *OWA has been configured through Exchange

    All hunky dory so far: I can send and receive emails no problem, but I fall short at accessing my Exchange server externally through OWA.

    I know the router is doing bidirectional DMZ communication to the pfSense WAN interface, but I think I have to do some bidirectional rules on the pfSense to the Exchange server.

    That's as far as I think it goes! So if any of you nice ladies and gentlemen out there could help me with my endeavour or point me in the right direction you'll be a hero.

    Thanks in advance,

    Ryan



  • Update

    I configured my Exchange and DC NICs directly through the TP-Link router with port forwards for SMTP, HTTPS and HTTP to the new IP of the Exchange server and changed all DNS records to the new IP subnet, and success: I was able to access externally, including autodiscover and OWA.

    So we know it's definitely pfSense rules which I need to tweak, with help from anyone here :)

    Regards,

    Ryan


  • LAYER 8 Global Moderator

    "So we know its definitely pfsense rules which i need to tweak"

    No we don't!!  So you had all these rules in place on your tp-link sending to pfsense wan IP before?  Was the traffic getting to pfsense wan IP?  Did you validate via a sniff?

    Why would you need to have changed DNS records.. How did your actual public IP change if your tplink router is connected to your ISP and you just put pfsense behind it?

    "external dns records have been configured correctly (i believe) and the same for my internal dns server. "

    You believe – how about you know?  You pointed what to where?  When you do a query for the FQDN what did you get back?  For your exchange what did you think you had to do for dns?  What did you do on your internal DNS???

    "i have to do some bidirectional rules on the pfsense to the exchange server."

    NO!

    My guess is you're trying to test this with your public dns pointing to your public IP from inside?  So something odd with nat reflection, etc.  Did you go through the port forwarding troubleshooting guide?
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • Cheers for getting back to me, I'll explain my setup a bit more:

    TP-Link Router:

    External ip address: 212.159.107.105

    DHCP

    subnet - 192.168.1.0/24
    gateway - 192.168.1.1
    dns - 8.8.8.8 / 8.8.4.4

    DMZ
    192.168.1.2


    PFSense

    WAN Interface
    192.168.1.2

    LAN Interface

    DHCP - 10.0.11.0/24
    gateway - 10.0.11.11
    DNS - 10.0.11.103

    Rules

    WAN Interface

    NAT port forward HTTPS - source * nat ip 10.0.11.102 port 443

    NAT port forward HTTP - source * nat ip 10.0.11.102 port 80

    Nat port forward SMTP - source * nat ip 10.0.11.102 port 25

    NAT port forward DNS - source * nat ip 10.0.11.103 port 53


    Servers

    Exchange Server

    10.0.11.102

    DNS Server

    10.0.11.103

    
    **Public DNS**
    
    alivetech.co.uk
    
    Record = root | Type = A | TTL = 86400 | Content = 212.159.107.105
    
    Record = root | Type = MX | TTL = 86400 | Content = mail.alivetech.co.uk
    
    Record = autodiscover | Type = CNAME | TTL = 3600 | Content = mail.alivetech.co.uk
    
    Record = mail | Type = A | TTL = 86400 | Content = 212.159.107.105
    
    **Internal DNS**
    
    Forward Lookup Zones
    
    alivetech.co.uk
    
    Name = autoconfig | Type = A | Data = 10.0.11.102
    
    Name = autodiscover | Type = A | Data = 10.0.11.102
    
    Name = mail | Type = A | Data = 10.0.11.102
    
    

    So that's the current setup with which I'm having issues accessing OWA externally.

    What I did to see if it is the firewall which is the problem, and not the DNS records or Exchange server, is drop the pfSense firewall out of the equation and mount the router network interface to the servers.

    I did this by allocating the router DHCP subnet of 192.168.1.0/24 to the servers and proceeding to alter the internal DNS records to the new IPs; also on the router I forwarded HTTPS, HTTP, SMTP and DNS to the IPs of my DNS and Exchange servers.

    This allowed me to access OWA externally via the address https://mail.alivetech.co.uk/owa

    I was also able to set up a mail account externally using autodiscover.

    To follow with consistency I'll lay out this setup like I did above.

    
    **Without Pfsense Setup**
    
    **Router**
    
    External ip - 212.159.107.105
    
    DHCP
    
    subnet - 192.168.1.0/24
    
    gateway - 192.168.1.1
    
    dns - 192.168.1.9 / 8.8.8.8
    
    Rules
    
    Port Forwarding:
    
    HTTPS  - source = * | Dest IP = 192.168.1.6 | Port = 443
    
    HTTP    - source = * | Dest IP = 192.168.1.6 | Port = 80
    
    SMTP    -  source = * | Dest IP = 192.168.1.6 | Port = 25
    
    DNS      - source = * | Dest IP = 192.168.1.9 | Port = 53
    
    
    **Servers**
    
    Exchange Server
    
    192.168.1.6
    
    DNS Server
    
    192.168.1.9
    
    **Internal DNS**
    
    Forward lookup zone
    
    alivetech.co.uk
    
    Name = autoconfig | Type = A | Data = 192.168.1.6
    
    Name = autodiscover | Type = A | Data = 192.168.1.6
    
    Name = mail | Type = A | Data = 192.168.1.6
    
    

    If you need more info let me know, I'll pull screenshots of everything.

    Thanks again,

    Ryan
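
The two DNS views posted above can be compared mechanically. The script below is an added example, not code from the thread or from pfSense: it loads the public and internal zones exactly as transcribed from the tables above, resolves each name in both views (following the public autodiscover CNAME) and lists names that the public view answers but the internal view cannot. The zone contents come from the post; the list of names to check and the function names are my own.

```python
"""Split-horizon DNS consistency check (added example).

The two views below are transcribed from the public and internal DNS tables
posted in the thread. "@" stands for the zone apex ("root" in the table).
"""
ZONE = "alivetech.co.uk"

# Public (external) view, as posted.
PUBLIC = {
    ("@", "A"): ["212.159.107.105"],
    ("@", "MX"): ["mail.alivetech.co.uk"],
    ("autodiscover", "CNAME"): ["mail.alivetech.co.uk"],
    ("mail", "A"): ["212.159.107.105"],
}

# Internal view, as posted (forward lookup zone on the DC at 10.0.11.103).
INTERNAL = {
    ("autoconfig", "A"): ["10.0.11.102"],
    ("autodiscover", "A"): ["10.0.11.102"],
    ("mail", "A"): ["10.0.11.102"],
}

# Names a client might use for the Exchange services; my choice, not from the post.
CHECK_NAMES = [
    "alivetech.co.uk",
    "mail.alivetech.co.uk",
    "autodiscover.alivetech.co.uk",
    "autoconfig.alivetech.co.uk",
]


def _label(fqdn):
    """Zone-relative label for a name ("@" for the apex), or None if outside the zone."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn == ZONE:
        return "@"
    if fqdn.endswith("." + ZONE):
        return fqdn[: -len(ZONE) - 1]
    return None


def resolve(view, name, rtype="A", depth=0):
    """Answers for name/rtype in one view, following CNAME chains (max 8 hops)."""
    label = _label(name)
    if label is None or depth > 8:
        return []
    if (label, rtype) in view:
        return list(view[(label, rtype)])
    cname = view.get((label, "CNAME"))
    if cname:
        return resolve(view, cname[0], rtype, depth + 1)
    return []


def compare_views(public, internal, names):
    """{name: (public answers, internal answers)} for every name in names."""
    return {n: (resolve(public, n), resolve(internal, n)) for n in names}


def missing_internally(public, internal, names):
    """Names the public view answers but the internal view does not. An internal
    client that asks an outside resolver for such a name gets the public address
    and then depends on NAT reflection to reach the server."""
    report = compare_views(public, internal, names)
    return [n for n, (pub, intl) in report.items() if pub and not intl]


if __name__ == "__main__":
    for name, (pub, intl) in compare_views(PUBLIC, INTERNAL, CHECK_NAMES).items():
        print(f"{name:32} public={pub or '-'} internal={intl or '-'}")
    print("missing internally:", missing_internally(PUBLIC, INTERNAL, CHECK_NAMES))
```

Run as-is it reports that the apex name alivetech.co.uk resolves publicly but not internally, so a LAN client whose resolver list includes 8.8.8.8 will get 212.159.107.105 for it and go out through the WAN, which is the NAT reflection situation John asks about. Adding the same names to both views (with the internal addresses on the inside) is what keeps the answer the same whichever resolver a client happens to ask.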


  • LAYER 8 Global Moderator

    "dns - 192.168.1.9 / 8.8.8.8"

    You can not do this!!  You are going to have nothing but problems pointing to DNS servers that do not resolve the same stuff.. You're never going to know which dns is going to be used.  Google sure isn't going to be able to resolve your internal IPs.

    When I go here from outside I am getting 403 error!!  That is from your server, that is not from pfsense!

    user@ubuntu:~$ curl -I http://alivetech.co.uk/
    HTTP/1.1 403 Forbidden
    Content-Length: 1233
    Content-Type: text/html
    Server: Microsoft-IIS/8.5
    X-Powered-By: ASP.NET
    Date: Fri, 12 May 2017 18:21:25 GMT

    So your pfsense is forwarding!  So pfsense has ZERO to do with your issue!

    What is the point of this???
    DNS      - source = * | Dest IP = 192.168.1.9 | Port = 53
    NAT port forward DNS - source * nat ip 10.0.11.103 port 53

    You sure do not need to forward dns (53), it's your 3 simple port forwards..  Clearly can get to your webserver and getting back a 403 from it.  443 is not giving anything back.

    If I can get to your 80, then pfsense is forwarding the traffic.. As to your other ports not working.. Go through the troubleshooting guide for port forwarding.  As to why it's not working once it's forwarded - that is on your server and not pfsense.



  • Thanks for getting back to me John.

    When you mention:

    What is the point of this???
    DNS      - source = * | Dest IP = 192.168.1.9 | Port = 53
    NAT port forward DNS - source * nat ip 10.0.11.103 port 53

    That's referencing two different network setups, the one with pfSense and the one without, but I mistakenly entered "dns - 192.168.1.9 / 8.8.8.8" in my without config whilst typing my response to you from memory; it was 8.8.8.8 / 8.8.4.4.

    With regards to the 403 response you found, this may be because I have configured OWA access through the Exchange server via https://mail.alivetech.co.uk using a validated SSL certificate. So when I curl mail.alivetech.co.uk I get this:

    user@dev:~$ curl -I https://mail.alivetech.co.uk
    curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

    Regards,

    Ryan


  • LAYER 8 Global Moderator

    Well I am getting an answer back from your IP on 80, so pfsense is forwarding it.. So any issues you have are elsewhere!

    As to 443 I don't show it sending anything back at all.. No syn,ack to my syn…

    How are your clients going to resolve your internal IPs if you're pointing them to Google DNS??  So you would have to use nat reflection to get to your stuff.

    But I can tell you right now you're not even forwarding 443.. So again, for the 3rd time go over the troubleshooting doc!!  Sniff on pfsense wan, do you see 443?  Do you see it forwarded to your servers IP behind pfsense?  If so then pfsense is doing what it needs to do, any errors you are having are not with pfsense..  Pfsense just allows or does not allow the packets..

    Either way in NO scenario would you forward 53..  Not unless you were wanting to host dns to the public??  Which isn't working either, good thing ;)
    DNS      - source = * | Dest IP = 192.168.1.9 | Port = 53
    NAT port forward DNS - source * nat ip 10.0.11.103 port 53
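
The outside-in checks John keeps pointing at (does 80 answer with an IIS header, does 443 ever send a SYN/ACK back, or does the forward land on a host with nothing listening) can be scripted so they are repeatable. The following Python probe is an added example, not code from the thread or from pfSense. It classifies a TCP connect attempt into the three cases that matter here, does a `curl -I`-style HEAD request, and includes a small canned responder (built from the curl output quoted in the thread) so it can be exercised offline; the hostname in the trailing comment is a placeholder.

```python
"""Outside-in reachability probe for forwarded ports (added example).

Run it from a machine outside your network against your own public name.
Results are reported in the terms used in the thread: 'open' (SYN/ACK came
back), 'no-response' (no SYN/ACK at all: dropped, filtered or never forwarded)
and 'refused' (RST: the forward reached a host that is not listening).
"""
import socket
import ssl
import threading

# Constructed from the `curl -I http://alivetech.co.uk/` headers quoted in the thread.
CANNED_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Length: 1233\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"\r\n"
)


def tcp_state(host, port, timeout=3.0):
    """Classify a TCP connect: 'open', 'refused', 'no-response' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "no-response"
    except OSError:
        return "error"  # no route, name resolution failure, etc.


def parse_head_response(data):
    """Raw HTTP response bytes -> (status_code, {header-name-lowercased: value})."""
    if not data:
        return None, {}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def http_head(host, port=80, path="/", use_tls=False, timeout=3.0):
    """Send HEAD like `curl -I` and return (status, headers). With use_tls the
    socket is wrapped in TLS with verification off: the point is to see whether
    anything answers on the port at all, not to trust the certificate."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        request = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_head_response(data)


def start_canned_server(response, connections=2):
    """Listen on 127.0.0.1:<ephemeral> in a daemon thread and answer the next
    `connections` clients with `response`. Lets the probe run offline; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def run():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)       # the request, or EOF for a bare connect test
                    conn.sendall(response)
                except OSError:
                    pass                  # client already gone; keep serving
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port():
    """A local port with nothing listening on it (reproduces the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_canned_server(CANNED_403)
    print("tcp :", tcp_state("127.0.0.1", port))
    print("http:", http_head("127.0.0.1", port))
    # From outside, against your own public name (placeholder host), e.g.:
    #   tcp_state("mail.example.invalid", 443)
    #   http_head("mail.example.invalid", 443, use_tls=True)
```

A 'no-response' on 443 next to an 'open' with an IIS Server header on 80 is exactly the pattern described in the thread, and it points at the forward (or the upstream device) rather than at Exchange; a 'refused' would instead mean the packets reach the server but nothing is bound to 443 there. Pair the probe with a packet capture on the pfSense WAN so you can see whether the 443 SYN arrives at all.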



  • Don't worry about the clients, this is a home network for studying  :)

    I'll get on with doing some packet sniffing like you mentioned and see where this 443 issue goes, and get back to the post. Thanks for the advice on DNS, disabled the 53 rule to the DC server now.

    Regards,
    Ryan


  • LAYER 8 Global Moderator

    As to clients I mean the devices on your network.. Clearly this is not a work network ;)



  • Finally we're working!

    Like you mentioned, we are able to receive a response from my IIS on port 80 but nothing on 443, so after reviewing my SSL certificate I realised I forgot to add an A record to my forward lookup zone for the name of the Exchange server! As soon as it was added I could see all my services externally.

    Thanks John for your responses it has helped me to get a better understanding of how to troubleshoot along with a few DNS pointers.

    Regards,
    Ryan


  • LAYER 8 Global Moderator

    Not sure what you think you got working??

    user@ubuntu:~$ curl -I http://alivetech.co.uk/
    HTTP/1.1 403 Forbidden
    Content-Length: 1233
    Content-Type: text/html
    Server: Microsoft-IIS/8.5
    X-Powered-By: ASP.NET
    Date: Mon, 15 May 2017 10:56:16 GMT

    Still getting 403 from 80, and showing nothing on 443 at all!!



  • I jumped the gun there; after I made some changes I tested external access from a VM on my ESXi node which had my LAN DHCP NIC connected, meaning it was an internal device, not external!!

    So back to the drawing board  :'(

    On the brighter side I've got an exchange friend who's going to take a look over my exchange setup to make sure its all good  :)

    Regards,
    Ryan



  • Okay then, after reviewing everything and deeming it all to be good I dropped pfSense out of the network and directly configured the servers to go through the router's DHCP.

    And presto, we can access Exchange externally via port 443, so this is where it's getting weird for me; when I have my pfSense included in the equation I am able to access my OWA externally only via port 80, as port 443 will not respond (either Exchange server not responding or firewall config).

    Shall I post my firewall config to see if there is anything glaringly wrong I've done?

    Regards,
    Ryan


  • LAYER 8 Global Moderator

    dude this is simple port forwards.. nothing more to be honest..

    Again I am going to state if you're having issues with port forwards go through the troubleshooting doc linked to.

    Clearly your port 80 is hitting something running
    Server: Microsoft-IIS/8.5

    But 443 nothing answers.. No syn,ack to syn…  So that says to me you're not forwarding, or 443 is not even getting to your pfsense to forward.. Or where you're sending it is not listening on 443..



  • Why DMZ?

    Why not just put the TPLink into Modem only and have the WAN address on PFSense. All you need to do then is NAT the ports you want to your server… simples!



  • Well I thought it was simple forwarding as well! ;)  I'll go over the troubleshooting guide and see if I can nail it down.

    For marjohn's response:

    forgive me if I'm wrong, but wouldn't I need more than one static IP to do that?

    I currently have 212.159.107.105/32

    I was under the impression I would need a block of IPs so I can assign one to both router and WAN interface?

    Regards,
    Ryan



  • You only need one WAN IP.

    On your modem you set it to bridge mode, pfSense then handles the login etc, whether it's PPPoE, DHCP or whatever. That WAN address is then set on the pfSense WAN port.

    That's it, finished.


  • LAYER 8 Global Moderator

    You can forward lots of ports.. You only need the 2: 80 and 443.

    So on your isp device in front of pfsense, vs doing DMZ host, just set up 80 and 443 as forwards to pfsense wan IP..



  • Marjohn you smashed the nail on the head!

    Set bridged network from router, config WAN interface for PPPoE and boom we're live  8).

    Thanks both, much appreciated.

    Regards,
    Ryan

