NAT issues to HAProxy (not running on PfSense)



  • I am having problems when I use NAT to send port 25 traffic to a HAProxy server on my internal network. It works correctly from within the LAN and there are no firewall rules on the host itself.

    If I NAT directly to one of the SMTP servers it works just fine, but I would like to send traffic to the HAProxy so it can load balance across and provide HA.

    Configuration that works

    Internet -> pFsense (NAT direct to SMTP)

    Configuration that does not work

    Internet -> pFsense (NAT to HAProxy internal server) -> 2x SMTP servers

    Can anyone think why sending to the proxy would not work while going direct would?

    Thanks in advance,
    Dinesh



  • Imo that 'should' work as it is..
    You are testing from 'the internet' right? If testing the wan-ip from the lan-network you could be running into reflection issues..

    Other than that, check with```
    tcpdump -ni <nic> "port 25"</nic>



  • How did you set-up your NAT?



  • Attached is how I have my NAT configured




  • I am actually testing from the outside world to the WAN IP on port 25

    telnet <wan ip="">25 from a system on the internet</wan>



  • @dineshmistry:

    I am actually testing from the outside world to the WAN IP on port 25

    telnet <wan ip="">25 from a system on the internet</wan>

    Can you telnet on another port from the outside world? Port 25 is often blocked OUTBOUND by ISP's in order to prevent spam emails being able to be sent out from virus/malware infected computers. It could be the "outside" internet connection you are testing from has port 25 OUTBOUND blocked by it's ISP.

    You did say it worked in the previous configuration and the problem only occurred when you added the proxy.

    1.) Any chance it was working using port 465 or 587 (instead of 25)  before?

    2.) If it was definitely using port 25, I would run a packet capture on both the WAN and proxy server interface to see if the port 25 traffic is 1.) hitting your firewall and 2.) passing through your firewall. Please share the results.


Log in to reply