Email on DMZ, What Rules Needed For VPN?



  • Hi all,
    I have the following setup:

    WAN1
    WAN2
    WAN3
    LAN
    DMZ

    WAN1 is dedicated to the Email server, on the DMZ
    WAN2 is used for VPN connections

    I've just recently added the Email server, and it turns out that when users are trying to connect from their laptops at remote locations, they have no problems normally.  However, if they connect to the VPN (either OpenVPN or PPTP), they're unable to connect to the Email server at all.  It looks like on the remote machines, when they ping mx.mydomain.com, they get the external address, which would be fine - but it seems to be trying to tunnel it through the VPN connection, and that I think is redirecting them to the firewall login page instead of the internal address (192.168.11.x) as it should be.  Is this an obvious thing I'm missing?



  • @http://forum.pfsense.org/index.php/topic:

    If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
    you need to have a rule above your default rule (which has as gateway the loadbalancer)
    with destination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.

    Or in your case where it's not the LAN but the DMZ and you're not using a balancing pool but a gateway directly: this still applies.
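To make the ordering point concrete, here is an added Python simulation (not the poster's configuration or any pfSense code) of first-match rule evaluation with a per-rule gateway. The DMZ and LAN subnets match the thread; the VPN client subnet 192.168.20.0/24, the gateway-group name and the rule names are assumptions. It shows that with the catch-all load-balanced rule on top, replies from the DMZ mail server to a VPN client are handed to the load balancer and the more specific VPN rule can never match; moving the VPN rule above the catch-all fixes that.

```python
"""Simulate pfSense-style top-down, first-match firewall rule evaluation
with policy routing (a gateway per rule).

Added illustration; the rule objects, the VPN client subnet and the
gateway names below are constructed, not taken from a real config.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

DEFAULT_GW = "*"              # pfSense displays the system default gateway as "*"
LOAD_BALANCER = "MultiWANLB"  # assumed name for the MultiWAN gateway group


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    gateway: str  # gateway the matched traffic is policy-routed to


def first_match(rules, src, dst):
    """Interface rules are evaluated top-down; the first match wins."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def gateway_for(rules, src, dst):
    """Gateway the packet leaves through, or 'blocked' (implicit default deny)."""
    rule = first_match(rules, src, dst)
    return rule.gateway if rule else "blocked"


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule already
    covers every (src, dst) pair they accept: the misordering in the thread."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule.src.subnet_of(earlier.src) and rule.dst.subnet_of(earlier.dst):
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed address plan mirroring the thread.
DMZ = ip_network("192.168.11.0/24")          # mail server lives here
LAN = ip_network("192.168.10.0/24")
VPN_CLIENTS = ip_network("192.168.20.0/24")  # assumed OpenVPN/PPTP tunnel subnet
ANY = ip_network("0.0.0.0/0")

catch_all = Rule("DMZ allow any (load balanced)", DMZ, ANY, LOAD_BALANCER)
to_vpn = Rule("DMZ to VPN clients via default gw", DMZ, VPN_CLIENTS, DEFAULT_GW)

WRONG_ORDER = [catch_all, to_vpn]  # specific VPN rule sits below the catch-all
RIGHT_ORDER = [to_vpn, catch_all]  # specific rule first, as the reply advises


def main():
    mail_server, vpn_client = "192.168.11.17", "192.168.20.5"
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        gw = gateway_for(rules, mail_server, vpn_client)
        print(f"{label}: mail server -> VPN client leaves via {gw}; "
              f"shadowed rules: {shadowed_rules(rules)}")


if __name__ == "__main__":
    main()
```

The `shadowed_rules` check is the piece worth keeping around: run it over any rule set where a more specific policy-routing rule is expected to override a broad load-balanced one, and it reports rules that the ordering has made unreachable.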



  • I think I've actually done that already.  I've essentially just opened up the DMZ to allow everything (since I want to just get it all to work right now, and then I can lock it down later)




  • I think I should give some more details.

    The email server is sitting on the DMZ with an internal IP of 192.168.11.17, the LAN network is 192.168.10.0/24.

    I've set up two methods for accessing the main network, OpenVPN, and PPTP for those who can't use OVPN.

    With PPTP, if I ping mx.mydomain.com, I get sent to the external IP associated with it, but with only 1 hop.  I get the pfSense login page instead of the internal IP of the email server like I would when I'm not connected to the VPN.  If I go directly to the internal IP of 192.168.11.17, it works without issue, but I can't have my users changing their POP/SMTP servers depending on whether they are in the office or not, or connected to the VPN or not.

    With OpenVPN, it works without issue: pinging mx.mydomain.com gives my external IP, and directs properly to the internal IP. Unfortunately there is a small subset of my users who I have to force to use PPTP instead of OpenVPN.  What sort of options do I have?



  • tbh I don't know anything about PPTP…
    What DNS entry are your users using?

    If they use the pfSense DNS-forwarder over the vpn, you might be able to set up split-DNS like this:
    http://forum.pfsense.org/index.php/topic,9440.0.html
    so the address of the server resolves to the internal IP directly.



  • Internally, users are using the DNS from pfSense, but I don't believe that I can specify to users connecting through on pfSense to use the pfSense DNS.  There is an option to set WINS, which I have done, but this doesn't actually seem to be any help.

