Rules for unusual SMTP setup



  • I need to allow LAN-to-LAN SMTP while blocking LAN-to-WAN SMTP.  I'm sure it's been discussed before, but I cannot seem to locate the scenario I have.  Explanation below:

    |Zabbix
    |_
    |   |                                    # Mail Server(2) - Sends to local WAN, AND over VPN to Mail Server 1
    |PFSense(2)|-------------LAN2  10.0.46.xxx---------- # Webserver - Can ONLY send to Anti Spam Appliance(1) ******
    |__________|                             # Anti Spam Appliance(2) (Incoming SMTP - Outgoing ONLY to Mail Server 2)
        | Internet
        |
        | VPN PFSense to PFSense over Internet
        |
        | Internet

    |   |                                    # Mail Server(1) - Sends to local WAN and over VPN to Mail Server 2.
    |PFSense(1)|-------------LAN1  10.0.49.xxx---------- # Zabbix - Needs to send to Mail Server(1) and Mail Server(2)
    |__________|                             # Local Appliances - Needs to send to Mail Server(1) and Mail Server(2)
                                             # Anti Spam Appliance(2) (Incoming SMTP - Outgoing ONLY to Mail Server 1)
                                             # Desktops - Block all SMTP to WAN
                                             # Webserver - Can ONLY send to Anti Spam Appliance(1) ******

    The problem is blocking either LAN from sending to either WAN while allowing any device on either LAN to send to the other LAN.
    I don't want to create a rule for each device on LAN1 to communicate with LAN2 and vice versa.  These devices change frequently.
    I've tried playing with the WAN Net / WAN Address blocking, but anything besides "ANY" doesn't seem to block LAN SMTP to WAN.

    Outbound rule(s) I want to do in each pfSense:

    Mailserver(x) ---->  ANY    Port 25 Allow
    LAN Net ---------->  WAN Net Port 25 Block

    **Unfortunately, this blocks nothing to WAN

    This set of rules causes SMTP traffic to be broken from LAN1 to LAN2:
    Mailserver(x) ---->  ANY     Port 25 Allow
    LAN Net ---------->  ANY     Port 25 Block

    I want:
    LAN1----25--->LAN2         Allow
    L1Device--25->WAN1 Allow On PFSense1
    LAN1----25--->WAN1 Block

    LAN2----25--->LAN1         Allow
    L2Device--25->WAN2 Allow On PFSense2
    LAN2----25--->WAN2 Block

    Any help would be much appreciated. Oh, and both pfSense are 2.3.3_1.
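The behaviour of the two rule sets in the post can be reproduced with a small model of how pfSense (pf) evaluates LAN-tab rules: rules are checked top-down on traffic entering the LAN interface, the first match wins, and the "WAN net" macro expands only to the WAN interface's own subnet, not to everything reachable through the WAN. The Python below is an added example written for this page, not code from the post or from pfSense. The LAN1/LAN2 prefixes come from the diagram; the WAN subnet (203.0.113.0/29), the Mail Server(1) address (10.0.49.25), the desktop (10.0.49.100), the LAN2 host (10.0.46.20) and the outside mail host (198.51.100.10) are constructed documentation-range values, and the trailing "default allow LAN to any" rule is the one pfSense ships on the LAN tab.

```python
"""First-match model of pfSense LAN-tab rules for the SMTP scenario (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Prefixes from the diagram; everything else below is an assumed/constructed value.
LAN1_NET = ipaddress.ip_network("10.0.49.0/24")
LAN2_NET = ipaddress.ip_network("10.0.46.0/24")
WAN1_NET = ipaddress.ip_network("203.0.113.0/29")   # what "WAN net" expands to: the WAN interface subnet only
ANY      = ipaddress.ip_network("0.0.0.0/0")
MAIL1    = ipaddress.ip_network("10.0.49.25/32")    # Mail Server(1), assumed host address
SMTP = 25

# (action, source, destination, destination port or None for any port)
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]

# pfSense's stock "Default allow LAN to any" rule sits at the bottom of the LAN tab.
DEFAULT_ALLOW_LAN1: Rule = ("pass", LAN1_NET, ANY, None)


def decide(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule; pf denies when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_m, dst_m, port in rules:
        if s in src_m and d in dst_m and (port is None or port == dport):
            return action
    return "block"


# Rule set 1 from the post ("blocks nothing to WAN"): the block only covers the WAN subnet.
RULES_WAN_NET: List[Rule] = [
    ("pass",  MAIL1,    ANY,      SMTP),
    ("block", LAN1_NET, WAN1_NET, SMTP),
    DEFAULT_ALLOW_LAN1,
]

# Rule set 2 from the post (breaks LAN1 -> LAN2): the block also catches the other LAN.
RULES_ANY: List[Rule] = [
    ("pass",  MAIL1,    ANY, SMTP),
    ("block", LAN1_NET, ANY, SMTP),
    DEFAULT_ALLOW_LAN1,
]

# Ordering that yields the "I want" list: allow the other LAN before the catch-all block.
RULES_ORDERED: List[Rule] = [
    ("pass",  MAIL1,    ANY,      SMTP),
    ("pass",  LAN1_NET, LAN2_NET, SMTP),
    ("block", LAN1_NET, ANY,      SMTP),
    DEFAULT_ALLOW_LAN1,
]

DESKTOP = "10.0.49.100"          # constructed LAN1 desktop
LAN2_HOST = "10.0.46.20"         # constructed host on LAN2 (reached over the VPN)
INTERNET_MX = "198.51.100.10"    # constructed outside mail host, not in WAN1_NET


def summary(rules: List[Rule]) -> dict:
    """Decisions for the flows the post cares about, under one rule set."""
    return {
        "desktop->internet:25": decide(rules, DESKTOP, INTERNET_MX, SMTP),
        "desktop->lan2:25": decide(rules, DESKTOP, LAN2_HOST, SMTP),
        "mail1->internet:25": decide(rules, "10.0.49.25", INTERNET_MX, SMTP),
        "desktop->internet:443": decide(rules, DESKTOP, INTERNET_MX, 443),
    }


if __name__ == "__main__":
    for name, rules in [("WAN net block", RULES_WAN_NET),
                        ("ANY block", RULES_ANY),
                        ("ordered", RULES_ORDERED)]:
        print(name, summary(rules))
```

The model shows why the first set blocks nothing (an outside mail host is not in "WAN net", so the desktop falls through to the default allow) and why the second set breaks LAN1 to LAN2 (the block to "any" matches before anything else). The same ordering applies on the second pfSense with the LAN2/LAN1 networks swapped; the per-host allow for the mail server covers the "L1Device" case without per-device rules for the rest of the LAN.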