Port Forwarding SMTP - One WAN works the other does not



  • Hello!

    I have a pfSense Cluster in front of a Sophos UTM Cluster. The Sophos UTM works as mail gateway. There are 3 wans connected to the pfSense.

    My goal is forwarding port 25 from pfSense to Sophos UTM on all 3 wans - a simple task (at least that's what I thought).
    The pfSense is not (yet) the default gateway of the Sophos UTM, so I use NAT from pfSense to UTM for masking the external ips to the internal subnet.

    WAN1 (ADSL) is working correctly:
    1.2.3.4 --> pfSense --> 192.168.240.10 --> Sophos UTM, SMTP is working perfectly fine.

    WAN2 (SDSL) is acting strange. I can see that the NAT is working (tcpdump on the destination shows the correct source 192.168.240.10), but for some reason the pfSense is not getting the SYN/ACK or is not able to process it.

    I cannot find the reason that is messing up this NAT.

    This is the states table (ADSL is the working connection, SDSL the not working one):
    0_1552558565500_states.PNG

    This is the tcpdump of the non-working connection (192.168.240.10 is the source address of the pfSense, 192.168.240.251 is the Sophos UTM).
    0_1552557955874_wireshark.PNG

    Edit: These are the NAT rules
    0_1552558359884_fort_forwarding.PNG
    0_1552558449880_outbound_nat.PNG

    Any help is appreciated :-)

    Greetings
    Sebastian



  • Ok, I did discover the problem here. The reply to the initial request goes out on the wrong WAN (the default WAN).
    So I have to change my question to: How do I use port forwarding on a non-default WAN connection?



  • Sorry for reposting. If I set the corresponding gateway in the wan interface configuration, everything works as expected. I am confused, as the guides for CARP clearly state NOT to do this.


  • Rebel Alliance Developer Netgate

    @wurstsemmel said in Port Forwarding SMTP - One WAN works the other does not:

    Sorry for reposting. If I set the corresponding gateway in the wan interface configuration, everything works as expected. I am confused, as the guides for CARP clearly state NOT to do this.

    I'm not sure where you read that, but the HA guides don't say not to use gateways on WAN interfaces. Perhaps you misunderstood some other HA point.

    All WAN-type interfaces should have a gateway selected on their interface configuration.
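    The reason the gateway selection matters is that pfSense tags the firewall rules on an interface that has a gateway with pf's `reply-to` option, which pins reply packets to that interface's gateway instead of the default route. The following is an added check written for this thread, not code from the original posts or from pfSense: it takes ruleset text in the format `pfctl -sr` prints and lists the inbound port-25 pass rules that carry no `reply-to`. The interface names, addresses and rule lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find inbound port-25 pass rules
# that lack reply-to. Without reply-to, SYN/ACK replies for a forward on
# a non-default WAN follow the default route, which is the symptom above.
# Assumes ruleset text in the form printed by `pfctl -sr` on pfSense.

missing_reply_to() {
    # $1: ruleset text. Prints each "pass in" rule for port 25 that has
    # no "reply-to (" clause, one rule per line.
    printf '%s\n' "$1" | grep -E '^pass in .*port = 25( |$)' | grep -vE 'reply-to \('
}

count_missing() {
    # Number of port-25 pass-in rules without reply-to (0 if none).
    missing_reply_to "$1" | grep -c .
}

# Constructed sample ruleset: em1 (WAN1) has a gateway assigned, so its
# forward rule was generated with reply-to; em2 (WAN2) has none, so its
# rule lacks reply-to and replies leave via the default gateway instead.
SAMPLE_RULES='pass in quick on em1 reply-to (em1 203.0.113.1) inet proto tcp from any to 192.168.240.251 port = 25 flags S/SA keep state label "USER_RULE: NAT SMTP WAN1"
pass in quick on em2 inet proto tcp from any to 192.168.240.251 port = 25 flags S/SA keep state label "USER_RULE: NAT SMTP WAN2"
pass out quick on em0 inet proto tcp from any to any port = 25 flags S/SA keep state'

echo "Port-25 forward rules without reply-to (replies will follow the default route):"
missing_reply_to "$SAMPLE_RULES"
```

On a live pfSense box the same function can be fed the real ruleset with `missing_reply_to "$(pfctl -sr)"`; any rule it lists belongs to an interface that still has no gateway selected.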