routing LAN servers via specific IP on /29 allocated WAN
Just to get this straight in my head (I am migrating from a sonicwall to pfsense).
I have two WANs and this is set up as a multi-WAN. WAN_1 is a /29 block and WAN_2 a single IP. WAN_2 is nominally a lower priority and set to failover. WAN_1_IP1 will be used by pfsense as default for clients' internet (assuming no failover at the moment). I have created a set of aliases for service ports (ports 25, 465, 567, etc.) and an alias group for these called SERV_EMAIL.
I wish to route our email server so that all SMTP related services OUT will be via WAN_1_IP2.
Currently I have allocated a /32 virtual IP for WAN_1_IP1/2/3 etc. I have then gone to FIREWALL->RULE->[rule for the LAN with email server] and added a rule (high priority) that has the source as the email server IP (* port, * destination) with a destination gateway of the WAN_1 gateway and a service alias of SERV_EMAIL.
However, this will only point the email server to use the gateway of WAN_1, not the actual IP of WAN_1_IP2.
How can I get all the traffic from my email server to go via WAN_1_IP2? I suspect I need to set an outbound NAT (thinking about it) but would like someone to confirm (the sonicwall calls this a route).
I have already set a NAT for WAN_1_IP2 IN with SERV_EMAIL to forward to emailserverIP lanside.
How can I get all the traffic from my email server to go via WAN_1_IP2? I suspect I need to set an outbound NAT
Yeah. Ensure your outbound NAT is working in hybrid or manual mode. Then add a rule:
source: your mail server
dest. port: any (or SERV_EMAIL if you only want to apply that rule for the specific services)
translation: WAN_1_IP2 address.
If the translation should be applied on all services from that server, you can also do that with a NAT 1:1 rule instead of the port forwarding and outbound NAT rules.
Thank you. I will add the outbound NAT for those service ports (alias group for ease of use). Does the creation of a virtual IP /32 seem appropriate (for the NAT outbound) and does the rule look correct? I'm still getting my head around how pfsense does things, i.e.:
For services INBOUND (from a WAN_IP -> LAN side server) I simply add a NAT port forward (the rule appears to be created automatically for my WAN rules section).
For services OUTBOUND (from a specific LAN server -> WAN via a specific IP) I would create a firewall rule for the source server IP with destination ports for my service via a specific gateway. Then create an outbound NAT rule for the specific gateway with a translated virtual IP as appropriate.
Other LAN side servers use that WAN_1_IP2 for other services so a 1:1 wouldn't be appropriate (I need more IPs really but we have what we have allocated to play with unfortunately). Whilst mail services would egress and ingress via that IP, we also have an FTP(S) service on that IP.
Obviously on failover, WAN_1 is not available so the email services would effectively fail (this I understand). We do not have port 25 on our failover WAN so I don't need to worry about rule-active-when-up-only.
Email server done, web servers, VPN, FTP, etc to go....
I've all my virtual IPs defined with their real mask, but as far as I know /32 is fine as well, as long as the real mask of a subnet is defined once.
When creating a NAT port forwarding rule, the option "Filter rule association" is responsible for how filter rules are created.
You may select "Add unassociated filter rule" so a filter rule will be created and you can modify it after. Or select "None" and create your filter rules manually.
pfSense generates outbound NAT rules automatically, where the translation address is the primary interface address, defined in Interfaces > Assign.
If you prefer another IP than that one you must create a rule manually to override that behavior (in hybrid mode).
Yes if you have multiple services on a unique public IP but different internal hosts, 1:1 is not practical.
Consider that the outbound NAT is only applied on outbound connections. Response packets of inbound connections which are forwarded from a specific public IP to an internal server always get that specific public IP as source automatically when they are going out.
For policy routing (filter rule with gateway), if the gateway set in the rule goes down, pfSense creates an equivalent rule omitting the gateway. If you don't like that behavior you must check "Skip rules when gateway is down" in System > Advanced > Miscellaneous.
@viragomann Good to know. I will need to enable "skip rules" and put a "block" rule after. I do not want email services egressing anywhere except WAN_1_IP2
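For reference, here is what the pieces agreed in this thread (port forward, outbound NAT override to WAN_1_IP2, policy-routing LAN rule, and the block rule behind "Skip rules when gateway is down") look like as the underlying pf rules. This is an added illustration, not posted by anyone in the thread and not copied from a pfSense install; interface names, the RFC 5737 addresses and the port list are constructed placeholders, and the real generated ruleset can be compared against /tmp/rules.debug.

```pf
# Constructed macros: substitute your own interfaces, addresses and alias members
WAN_1      = "igb0"
LAN        = "igb1"
WAN_1_GW   = "203.0.113.1"     # WAN_1 gateway
WAN_1_IP2  = "203.0.113.3"     # /32 virtual IP used for mail (and FTPS)
MAIL_SRV   = "192.168.10.25"   # LAN-side email server
SERV_EMAIL = "{ 25 465 567 }"  # ports as listed in the thread

# Inbound: NAT > Port Forward on WAN_1_IP2 for SERV_EMAIL -> mail server
rdr on $WAN_1 inet proto tcp from any to $WAN_1_IP2 port $SERV_EMAIL -> $MAIL_SRV

# Filter rule pfSense associates with that port forward; reply-to keeps the
# return traffic on WAN_1 even though WAN_2 may be the default route
pass in quick on $WAN_1 reply-to ( $WAN_1 $WAN_1_GW ) inet proto tcp \
    from any to $MAIL_SRV port $SERV_EMAIL flags S/SA keep state

# Outbound NAT override (hybrid or manual mode): without this the automatic
# rule would translate the mail server to the interface address, WAN_1_IP1
nat on $WAN_1 inet proto tcp from $MAIL_SRV to any port $SERV_EMAIL \
    -> $WAN_1_IP2/32 port 1024:65535

# Policy routing: the LAN rule with gateway set to WAN_1_GW. NAT only picks
# WAN_1_IP2 because this rule sends the traffic out of WAN_1 in the first place
pass in quick on $LAN route-to ( $WAN_1 $WAN_1_GW ) inet proto tcp \
    from $MAIL_SRV to any port $SERV_EMAIL flags S/SA keep state

# With "Skip rules when gateway is down" enabled, pfSense omits the rule above
# while WAN_1_GW is down. This block then stops the mail traffic from matching
# a later default LAN allow rule and leaving via WAN_2 with WAN_2's address
block in quick on $LAN inet proto tcp from $MAIL_SRV to any port $SERV_EMAIL
```

Rule order matters for the last two rules: the block must sit below the policy-routing rule, exactly as the OP describes placing a "block" rule after the gateway rule in the GUI.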