Netgate Discussion Forum

    Blocking Internet Access but allow Outlook for Mail

    Firewalling
    10 Posts 2 Posters 1.4k Views
      tejas LAYER 8

      I set up pfSense 2.3.5 in my company. Our requirement is that for some client machines I have to block Internet access, i.e. ports 80 and 443, but allow Outlook, i.e. ports 995 and 465.

      Now I made 4 aliases:

      1. blocked_IP
      2. pop_port
      3. smtp_port
      4. gmail_hosts

      I made the rules for LAN, starting from the top:

      1. Allow blocked_IP with port pop_port to any destination
      2. Allow blocked_IP with port smtp_port to any destination
      3. Block blocked_IP with any port to any destination

      The problem is that when all three rules are enabled, Internet access is blocked for blocked_IP, but Outlook could not connect. I think the problem is related to the DNS for pop.gmail.com and smtp.gmail.com.

      Please guide me where I am making the mistake.
        Derelict LAYER 8 Netgate

        Yeah you probably have to pass DNS (TCP/UDP dest port 53) from blocked_ip or they won't be able to resolve names.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          tejas LAYER 8 @Derelict

          @derelict
          Tried to make a rule to allow the TCP/UDP connection for DNS, but it is not working.

          Read some articles which hinted at setting the IPs for pop.gmail.com and smtp.gmail.com manually, but again sites like Gmail keep changing them. Going to give it a try with the present IP derived from the ping.

            Derelict LAYER 8 Netgate

            I would use FQDN Host Aliases for that. They should work reasonably well.

              tejas LAYER 8 @Derelict

              @derelict
              I tried it by creating an alias name mail_hosts with FQDN Host of pop.gmail.com, smtp.gmail.com, imap.gmail.com, pop3.gmail.com.

              But still the setup is not working, and the log still shows the DNS error.

              1. Should I create the aliases one at a time, like one alias for pop.gmail.com and another for smtp.gmail.com, instead of one alias for all the Gmail hosts?

                Derelict LAYER 8 Netgate

                Use Diagnostics > Tables to view the contents of the table and the IP addresses they resolved to. Do they match with what you get when you look up the names yourself? Look at the firewall log to see what's being blocked. Be able to understand what is failing (DNS, the connection itself, etc) instead of just saying "it doesn't work."

                Use Diagnostics > Test Port as I have recommended at least a couple of times with no results from you communicated.

                  tejas LAYER 8 @Derelict

                  @derelict
                  Diagnostics > Test Port results OK for hosts pop.gmail.com and smtp.gmail.com.

                  The problem is with the client computer running Outlook 2007: when trying to communicate with pop.gmail.com and smtp.gmail.com on ports 995 and 465 respectively, it could not resolve the IP of the hostname.

                    Derelict LAYER 8 Netgate

                    Then fix your DNS.

                    What are the DNS servers the client is configured to use to resolve names?

                    Pass the TCP/UDP 53 traffic to those servers.

                    Look at the firewall logs. Look at packet captures. Who knows what other ports Microsoft decided to make outlook use besides the main ports.

                      tejas LAYER 8
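Derelict's point in this reply and in the first one (DNS on TCP/UDP 53 must be passed above the block rule) as an added example, not pfSense code or anything posted in the thread: a first-match walk through the LAN ruleset tejas listed, with and without a DNS pass rule. The client addresses, the stock "allow LAN to any" rule below the three listed rules, and TCP/UDP on the block rule are assumptions.

```python
# Added example (not pfSense code): first-match evaluation of the thread's
# LAN ruleset, showing why blocked_IP needs a DNS pass rule above the block.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Alias members are constructed; the port numbers are the ones the thread uses.
BLOCKED_IP = frozenset({"192.0.2.10", "192.0.2.11"})
POP_PORT, SMTP_PORT, DNS_PORT = frozenset({995}), frozenset({465}), frozenset({53})
ANY = None  # stands for "any" in the source or destination-port field
TCP, UDP, TCPUDP = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"tcp", "udp"})

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    protos: FrozenSet[str]            # {"tcp"}, {"udp"} or both
    src: Optional[FrozenSet[str]]     # source alias, or ANY
    dports: Optional[FrozenSet[int]]  # destination ports, or ANY

def decide(rules, proto, src, dport):
    """Interface rules are evaluated top to bottom; the first match wins and
    traffic matching no rule is dropped by the implicit default deny."""
    for r in rules:
        if (proto in r.protos and (r.src is ANY or src in r.src)
                and (r.dports is ANY or dport in r.dports)):
            return r.action
    return "block"

# The three rules tejas listed, followed by the stock "allow LAN to any" rule
# (assumed to sit below them, as on a default pfSense LAN).
ORIGINAL = [
    Rule("pass", TCP, BLOCKED_IP, POP_PORT),
    Rule("pass", TCP, BLOCKED_IP, SMTP_PORT),
    Rule("block", TCPUDP, BLOCKED_IP, ANY),
    Rule("pass", TCPUDP, ANY, ANY),
]
# Derelict's fix: pass DNS for blocked_IP above the block rule.
FIXED = [Rule("pass", TCPUDP, BLOCKED_IP, DNS_PORT)] + ORIGINAL

def outlook_session(rules, client):
    """Decisions for the flows an Outlook POP3S/SMTPS client needs, plus HTTPS."""
    return {
        "dns": decide(rules, "udp", client, 53),
        "pop995": decide(rules, "tcp", client, 995),
        "smtp465": decide(rules, "tcp", client, 465),
        "https": decide(rules, "tcp", client, 443),
    }

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, outlook_session(rs, "192.0.2.10"))
```

With the original ruleset the name lookup is dropped by rule 3 before Outlook ever reaches port 995, which is exactly the symptom in the thread; the fixed set still blocks 443 for blocked_IP.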

                      OK, after a few more tests Outlook was able to send mail but fails at receiving. The error for Outlook is: Receiving reported error (0x800CCCIA): 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider for additional assistance.'

                      It means the DNS part of pfSense is resolving the IP; the error is for pop3.gmail.com:

                      1. failed to resolve host pop3.gmail.com will retry later again.

                      2. Jul 11 11:13:40 filterdns IP address 74.125.24.109 already present on table mail_hosts as address of hostname pop.gmail.com ---> IS it normal ????

                        Derelict LAYER 8 Netgate

                        That is something you will have to fix between outlook and the mail server.

                        Looks like pfSense is facilitating the connection but the client and server disagree about how to talk to each other.

                        pop3.gmail.com is not a valid hostname for gmail's pop service. Try pop.gmail.com.

                        https://support.google.com/mail/answer/7104828
