Pass original SMTP source IP to mail filter inside LAN



  • My current setup is ISP fiber connection with static IP.  Pfsense WAN is setup with ISP static IP and gateway and the LAN interface is setup as 10.168.1.100.  LAN subnet is 10.168.1.0/24.  I have a VM running EFA mail filter with a static IP of 10.168.1.225 which then forwards mail to my mail server at 10.168.1.202.  There are NAT port forward rules in pfsense to forward port 25 on WAN to mail filter at 10.168.1.225.  Mail is working as it should, however, EFA sees all incoming emails as originating from 10.168.1.100 (pfsense LAN IP) which causes problems with mail filter rules (mail filter thinks all emails are coming from trusted network and deducts a full point score).  It also prevents me from being able to block by source IP.

    Is there a way with my current setup to have pfsense pass the original source IP to the mail filter instead of making it seem like it's coming from pfsense LAN IP?


  • Netgate

    That would be the default configuration of a port forward. Only the destination address/port is translated there.

    What else did you do? Some kind of Outbound NAT on LAN or something?



  • Attached is my NAT-> outbound tab.  Maybe this isn't correct for my setup?

    ![nat outbound.jpg](/public/imported_attachments/1/nat outbound.jpg)



  • here is NAT-> port forward

    Nothing in 1:1 or NPt tabs.

    ![nat port forward.jpg](/public/imported_attachments/1/nat port forward.jpg)



  • here is firewall->rules->WAN and LAN

    WIFIONLY is a third interface for isolated wifi internet access only.  It has only one inverse rule allowing all but access to LAN subnet.  Any ideas where I may have something configured wrong?

    ![fw wan.jpg](/public/imported_attachments/1/fw wan.jpg)
    ![fw lan.jpg](/public/imported_attachments/1/fw lan.jpg)
    ![fw wifionly.jpg](/public/imported_attachments/1/fw wifionly.jpg)


  • Netgate

    It's that Outbound NAT entry on LAN.

    It is doing exactly what you told it to do.

    Translating the source address of all connections going out LAN to the LAN interface address.

    That is certainly not the default configuration. Someone must have thought that was a good idea at some point.



  • Thank you! I disabled that rule and the issue is resolved.  I wasn't quite understanding what the rule was doing but it makes sense now.  Thank you for your help!



  • Derelict,

    So after disabling the outbound NAT rule, users connected through openvpn cannot ping or access the internal LAN network 10.168.1.0/24.  They can connect to vpn, but can't ping or access anything on the LAN, including pfsense LAN IP of 10.168.1.100.  When I re-enable the outbound NAT rule, they can ping LAN resources as expected.  Does openvpn typically require an outbound NAT setting such as the one I have?

    here is pic of my openvpn interface rules

    ![openvpn ruls.jpg](/public/imported_attachments/1/openvpn ruls.jpg)



  • side observation: disabling of the outbound NAT rule does not affect the site to site openvpn tunnels, they can still ping and access LAN resources with the outbound NAT rule disabled.  The "road warrior" clients that connect through the openvpn windows app cannot ping local resources with outbound NAT rule disabled but can access them if that rule is enabled.



  • Ok it appears I have this resolved now.  Still figuring out how all of this works but I was able to deduce that an outbound NAT rule is required to allow the subnet assigned to openvpn clients (10.168.3.0/24) to access the internal LAN. Instead of the rule that I had previously for outbound NAT which was translating all traffic on the LAN interface to the pfsense LAN IP, I changed the rule to re-write only LAN traffic from 10.168.3.0/24 subnet to the pfsense LAN IP.  I'm not sure if this is how it's supposed to be done, but this change accomplishes the goal of allowing pfsense to pass the actual source IP of incoming mail traffic to my mail filter while also allowing VPN clients to access local resources on the internal LAN.

    Here is a pic of the updated rule that allows things to work correctly.  If I'm wrong about something, please let me know!  Thank you for all of the help and expertise.  It is greatly appreciated.

    ![nat out 2.jpg](/public/imported_attachments/1/nat out 2.jpg)


  • Netgate

    If outbound NAT on LAN is required for subnet 10.168.3.0/24 to reach that network it is either that the target hosts do not route reply traffic for 10.168.3.0/24 back to pfSense or those hosts have firewall rules or something preventing them from accepting connections from 10.168.3.0/24.

    When you use that outbound NAT you make the traffic appear to be coming from the LAN hosts' local subnet, not the remote 10.168.3.0/24 network.



  • How would I confirm or add the functionality of the target host's reply traffic back to pfsense?  The target host (windows server) does not have firewall enabled and its default gateway is the pfsense router on that side.


  • Netgate

    Packet capture the traffic on the LAN interface. (Diagnostics > Packet Capture)



  • It is working now.  The windows box at that IP had its subnet mask set to 255.0.0.0 instead of 255.255.255.0.  Not sure why.  I changed it to 255.255.255.0 and I can access that machine through the vpn with that outbound NAT rule disabled.  Thanks for your help on this.
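A small model of what this thread worked through, added here as an illustration and not code from the poster or from pfSense: it compares the original catch-all outbound NAT rule on LAN with the narrowed rule that only rewrites the 10.168.3.0/24 VPN subnet, and shows why a LAN host with a 255.0.0.0 mask never sends its replies to the gateway. The Internet sender address 203.0.113.7, the VPN client 10.168.3.5 and the narrowed rule's destination (the LAN subnet) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two outbound NAT rules discussed in the thread
# and of the subnet-mask misconfiguration found at the end. Not pfSense code.

@dataclass(frozen=True)
class SnatRule:
    """One outbound (source) NAT rule as it applies on an egress interface."""
    iface: str
    src_net: str       # traffic matching this source...
    dst_net: str       # ...and this destination...
    translate_to: str  # ...leaves with this source address

def apply_snat(rules, iface: str, src_ip: str, dst_ip: str) -> str:
    """Return the source address the destination host will see."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:  # first matching rule wins
        if (r.iface == iface
                and src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)):
            return r.translate_to
    return src_ip  # no rule matched: the original source is preserved

# The rule the poster originally had: masquerade everything leaving LAN.
BROAD = [SnatRule("LAN", "0.0.0.0/0", "0.0.0.0/0", "10.168.1.100")]
# The narrowed rule: only the OpenVPN client subnet is rewritten (assumed
# destination: the LAN subnet).
NARROW = [SnatRule("LAN", "10.168.3.0/24", "10.168.1.0/24", "10.168.1.100")]

def reply_path(host_ip: str, netmask: str, peer_ip: str, gateway: str) -> str:
    """Where a host sends its reply: directly on-link (ARP) or via its gateway."""
    local = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(peer_ip) in local:
        return "on-link"  # host ARPs for the peer and never uses the gateway
    return gateway

if __name__ == "__main__":
    # Inbound SMTP from a constructed Internet sender, port-forwarded to the filter.
    print(apply_snat(BROAD, "LAN", "203.0.113.7", "10.168.1.225"))   # 10.168.1.100
    print(apply_snat(NARROW, "LAN", "203.0.113.7", "10.168.1.225"))  # 203.0.113.7
    # Road-warrior VPN client reaching a LAN host.
    print(apply_snat(NARROW, "LAN", "10.168.3.5", "10.168.1.202"))   # 10.168.1.100
    # Windows server with the wrong /8 mask vs the correct /24 mask.
    print(reply_path("10.168.1.202", "255.0.0.0", "10.168.3.5", "10.168.1.100"))
    print(reply_path("10.168.1.202", "255.255.255.0", "10.168.3.5", "10.168.1.100"))
```

With the /8 mask the server believes 10.168.3.5 is on its own segment, so the reply is ARPed locally and never reaches pfSense, which is exactly what a packet capture on LAN would reveal.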