2.4.4-p1 and p2 prevents some clients from getting e-mail



  • Hi. I've searched through the forum and haven't found this issue.

    The closest thing I got is this: https://forum.netgate.com/topic/138832/do-not-upgrade-to-pfsense-2-4-4_1-firewall-rules-with-aliases-are-not-processed

    What happens? I have my pfSense box running fine for a couple of years and upgrades, actually with 2.4.4. When I upgraded to 2.4.4-p1 the people that don't have full NAT and have the SMTP and POP to googlemail.com open by a firewall rule from LAN to WAN have "intermittent" connection to those services but full web access through Squid.

    I have this firewall running with a Non-Persistent disk so just rebooted back into 2.4.4 and worked fine. Waited... 2.4.4-p2 came and I thought that might be fixed, but the same thing happens.

    Rebooted back to 2.4.4 and works again. No changes made to the config (after upgrade).

    Can you review or can you help me get info for you to fix it or let me know if I'm doing something wrong?

    Thanks!

    David.



  • @iampowerslave said in 2.4.4-p1 and p2 prevents some clients from getting e-mail:

    Hi. I've searched through the forum and haven't found this issue.
    The closest thing I got is this: https://forum.netgate.com/topic/138832/do-not-upgrade-to-pfsense-2-4-4_1-firewall-rules-with-aliases-are-not-processed

    Bad example. Probably a pfSense install with one interface. That's a tough one ....

    What happens? I have my pfSense box running fine for a couple of years and upgrades, actually with 2.4.4. When I upgraded to 2.4.4-p1 the people that don't have full NAT and have the SMTP and POP to googlemail.com open by a firewall rule from LAN to WAN have "intermittent" connection to those services but full web access through Squid.

    Squid ?
    And what happens if you disable/remove Squid ?

    I have this firewall running with a Non-Persistent disk so just rebooted back into 2.4.4 and worked fine. Waited... 2.4.4-p2 came and I thought that might be fixed, but the same thing happens.

    Disk ? Hardware troubles ?

    Can you review or can you help me get info for you to fix it or let me know if I'm doing something wrong?

    My advice:
    Save/backup your config.
    Reinstall pfSense (a 3 minute operation). Take the latest version.
    Enable LAN, hook up some devices, and activate your WAN.
    Do nothing more now, on pfSense. Internet access (web, mail, imap, ssh, vpn, ntp, whatever) should work on all devices.

    Now: step by step, add your functionalities.
    Take your time to test and validate each step. Check for unexpected behavior.
    As soon as something breaks, you've found the point where you have to focus your attention.



  • Ok Gertjan, I follow where you are heading.

    Squid? It is working, no web issues.

    Haven't tried disabling/removing but it should not be messing with 495 and other e-mail related ports.

    Disk/Hardware troubles, well impossible, if 2.4.4. is running fine but updating to 2.4.4-p1 or p2 immediately starts failing.

    Either I had something misconfigured all these years and the new version does not tolerate it anymore, or things are right and the new version has a glitch.

    I'm more inclined to think of the first option but can't see where to start (without installing from scratch and leaving everyone without internet while I try and ask them to check).

    This is my rule and I believe that the IPv4+IPv6 may be the issue. Now that I go through it again I remember that it only allows aliases if it is IPv4+IPv6 but this was created before it complained.

    [screenshot of the firewall rule]



  • Well the filterdns daemon was completely rewritten for 2.4.4p1 so if you are using FQDNs in an alias check the table to see if all of them got resolved.

    Additionally your current config is flawed because you can't use FQDN aliases reliably when the target uses a CDN, and Google does. You need to understand that a lookup on googlemail.com will not always resolve to the same IP, there is a whole pool of IPs used for it. So while pfSense may resolve it at one moment to 172.217.22.69 and then use this IP for the rules, a client may resolve it to 172.217.23.133 a few minutes later, which then is not covered by the rules (both IPs actually/currently belong to googlemail.com).
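As an added example (not code from the thread or from pfSense), a small Python check for the mismatch described above: it compares the addresses clients actually resolved against the addresses loaded into the alias table, so "intermittent" mail failures can be tied to specific uncovered answers. The table text, the client lookups and the IPv6 entry are constructed samples; the two 172.217.x addresses are the ones quoted in the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a pf alias table after filterdns resolved the FQDN
# (shaped like `pfctl -t GoogleEmail -T show` output; the IPv6 entry is made up).
ALIAS_TABLE = """\
   172.217.22.69
   2a00:1450:400c:c00::6d
"""

# Constructed sample of answers LAN clients got from their resolver over the
# following minutes: (time, client, fqdn, answer).
CLIENT_LOOKUPS = [
    ("10:00:05", "10.34.34.12", "googlemail.com", "172.217.22.69"),
    ("10:03:41", "10.34.34.15", "googlemail.com", "172.217.23.133"),
    ("10:04:10", "10.34.34.12", "googlemail.com", "2a00:1450:400c:c00::6d"),
    ("10:07:22", "10.34.34.20", "googlemail.com", "172.217.23.133"),
]

def parse_table(text):
    """Return the set of networks currently loaded in the pf table."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            # a bare address becomes a /32 or /128 network
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets

def uncovered_lookups(table_text, lookups):
    """Client answers no table entry matches: connections the rule would not pass."""
    nets = parse_table(table_text)
    misses = []
    for ts, client, name, answer in lookups:
        addr = ipaddress.ip_address(answer)
        if not any(addr.version == n.version and addr in n for n in nets):
            misses.append((ts, client, name, answer))
    return misses

def coverage_report(table_text, lookups):
    """Misses per client, to correlate with who reports broken mail."""
    per_client = defaultdict(int)
    for _, client, _, _ in uncovered_lookups(table_text, lookups):
        per_client[client] += 1
    return dict(per_client)

if __name__ == "__main__":
    for miss in uncovered_lookups(ALIAS_TABLE, CLIENT_LOOKUPS):
        print("not covered by alias table:", miss)
    print(coverage_report(ALIAS_TABLE, CLIENT_LOOKUPS))
```

On a real box the table text would come from `pfctl -t <alias> -T show` and the lookups from the resolver's query log; any miss is a client that resolved an address the alias had not (yet) picked up.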



  • About your image:
    Why an outbound NAT rule for accessing email?
    And what mail? Web mail (their gmail web site?) or some heavy mail clients such as Outlook?

    And your alias GoogleEmail is a no go for me. It's like people try to make an alias for Facebook .... that just won't work.

    Mixing IPv4 and IPv6, and only supplying "10.34.34.0" (what is this?) as a source address, which is an IPv4 only thing ... dunno, but I would break up IPv4 and IPv6 here.

    Port 495 ? You're sure ?

    Edit : I guess I'm with @Grimson here.



  • Well the filterdns daemon was completely rewritten for 2.4.4p1 so if you are using FQDNs in an alias check the table to see if all of them got resolved.

    Well this might be the reason it starts failing from that version on and didn't before.

    Additionally your current config is flawed because you can't use FQDN aliases reliably when the target uses a CDN, and Google does. You need to understand that a lookup on googlemail.com will not always resolve to the same IP, there is a whole pool of IPs used for it. So while pfSense may resolve it at one moment to 172.217.22.69 and then use this IP for the rules.

    And your alias GoogleEmail is a no go for me. It's like people try to make an alias for Facebook .... that just won't work.

    And I can't type in all the possible IPs, so how do you create a rule to allow or block or forward to a specific FQDN? Since this box is also the DNS forwarder I was expecting they'll match.

    Mixing IPv4 and IPv6, and only supplying "10.34.34.0" (what is this?) as a source address, which is an IPv4 only thing ... dunno, but I would break up IPv4 and IPv6 here.

    Yup, that was my guess too, wrote it above. I had that config loaded some time ago and learned I can't do it, but never checked it again until now.

    Port 495? You're sure?

    No, I wrote it wrong here, I meant 465 and 995.

    Why an outbound NAT rule for accessing email?

    My goal is to have all the web traffic through Squid and allow Thunderbird to retrieve and send e-mail with POP and SMTP, so if a box hits the firewall it goes to googlemail.com.



  • @iampowerslave said in 2.4.4-p1 and p2 prevents some clients from getting e-mail:

    And I can't type in all the possible IPs, so how do you create a rule to allow or block or forward to a specific FQDN?

    I would be a very rich guy if I found an answer to that question.
    Many try to have a grip on communication to/from Facebook/Microsoft/Google/YouTube/Twitter/LinkedIn/Chatsnap/etc.
    These companies own many, many ASes, thousands of IPs (and start to use IPv6 now), use CDNs by now, so a "give me a domain and I'll give you back all the IPs" option isn't viable anymore.

    @iampowerslave said in 2.4.4-p1 and p2 prevents some clients from getting e-mail:

    My goal is to have all the web traffic through Squid and allow Thunderbird to retrieve and send e-mail with POP and SMTP, so if a box hits the firewall it goes to googlemail.com

    Web traffic is one thing.
    But redirecting all requests from Thunderbird (a fat mail client) to Google, whatever the address of the mail server, seems very strange to me.



  • I don't get it, so what then? Just open the port in the firewall rule and allow any guest to connect to any host if they match the protocol or port?