Resolved: Help Exchange Online Blocked



  • Hello All.

    I recently setup pfsense as a SOHO firewall for my home office. Everything is working great except I can't get to my work email from home.

    Troubleshooting I did:

    • I attempted to connect without pfsense & that worked fine

    • I tried nslookup outlook.office365.com (from my PC & the router), both return appropriate results

    • I tried pinging outlook.office365.com (from my PC & the router), both time out

    • I ran the MS support tool that indicates my TCP traffic is being blocked on port 443 somewhere

    After running those I attempted to add an allow all rule to the Office365 published IPs but that did not work.

    I'm attaching the filter logs from the tests I ran, the firewall rules I configured, & the alias list of the exchange online IPs.

    As I'm a bit new to this / slightly confused I was hoping someone on the forum could give me some guidance.







  • I performed some additional troubleshooting & I'm starting to think there is a configuration error somewhere else that is blocking this.

    I reset the router to factory default & disabled all firewall rules for testing. After it rebooted & access was restored I was still seeing the same behavior. As the network was wide open at that point I'm not really sure what the issue is.

    If anyone has any ideas I'd welcome them


  • LAYER 8 Global Moderator

    Why are you using floating rules?  Why do you not just have the rules on your LAN interface?

    What are you lan rules?  Why would you not just use pfsense like it out of the box.. Then try and get fancy with your rules..



  • I did try to use pfsense out of the box prior to configuring this. For some unknown reason out of the box it is not allowing access to exchange online (web of client).

    My LAN rules are the 3 stock lan rules (anti-lockout & the default allow any lan rules for IPv4 / v6).

    I can move the exchange access rule from floating over to the lan, but I don't believe that is the cause of the problem.

    On the WAN side there are only 3 rules as well (block private networks, block bogon networks, & a nat rule for plex)



  • I ran a packet capture (see below) & I'm pretty sure this is not a firewall issue at this point. I'll open a new topic in the appropriate place to continue troubleshooting.

    When I try to access Exchange online or ping it I get the following in my packet capture:
    17:21:17.600215 [REDACTED] (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 40.97.153.82 tell [REDACTED], length 28
    17:21:19.601256 [REDACTED] (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 40.97.153.82 tell [REDACTED], length 28

    As I don't get any response to that & it just hangs I'm pretty sure its not a firewall issue


  • LAYER 8 Global Moderator

    why would you be doing arp for exhange IP??  Is 40.97.153.82 suppose to be your gateway??



  • Apologies for the lack of clarity. 40.97.153.82 is one of the MS Exchange servers that I am attempting to reach. All I see in the logs is the ARP request going out & nothing coming back. I hope this helps


  • LAYER 8 Global Moderator

    I get that that 40 address is the exchange server.. But unless your wan IP of pfsense thinks that network is local it would never ARP for the mac..  It would send traffic to its gateway, so while you should and get responses for ARP for your gateway IP.  You do not arp for IPs that are not local to your interfaces network.

    What is the IP address of your pfsense wan?  There should be no reason why it would be on the same overlapping network as some public 40.97.153.82



  • Thanks johnpoz. I have some troubleshooting to do when I get home

    –-
    Edit: posting resolution in this thread as well.

    I got home & you were correct it was a configuration issue. Embarrassingly I setup my static IP  incorrectly on the WAN side. I've corrected the configuration & everything is working now. Kicking myself for looking at that 4 times & missing that the subnet was incorrectly configured.

    Appreciate your help & patience


Log in to reply