Access Mailserver through VPN from Firewall itself

mOrbo

Hi,

forget about the topic , it try to explain my problem.

Two pfsense connected with ipsec. Everything works great.
Behind pfsense-01 (10.10.0.0/16) is a Mailserver, Clients behind pfsense-02 (10.11.0.0/16) can connect without a problem.
I now want pfsense-02 itself to send notifications (System -> Advanced -> Notifications) to this Mailserver

If I do a test, the Error is:

Error: Failed to connect to MAILSERVER:587 [SMTP: Failed to connect socket: Permission denied (code: -1, response: )]

I think the problem is, pfsense-02 i trying to send the Mail as localhost 127.0.0.1 and gets a "Permission denied" Error.

Same error occurs with a ping test in the ssh console:

[2.4.5-RELEASE][PFSENSE-02]/: ping 10.10.0.200
PING 10.10.0.200 (10.10.0.200): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied

[2.4.5-RELEASE][PFSENSE-02]/: ping -S 127.0.0.1 10.10.0.200
PING 10.10.0.200 (10.10.0.200) from 127.0.0.1: 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied

Pinging directly from the interface IP-Address works without a problem:

[2.4.5-RELEASE][PFSENSE-02]/: ping -S 10.11.0.1 10.10.0.200
PING 10.10.0.200 (10.10.0.200) from 10.11.0.1: 56 data bytes
64 bytes from 10.10.0.200: icmp_seq=0 ttl=127 time=16.556 ms
64 bytes from 10.10.0.200: icmp_seq=1 ttl=127 time=16.543 ms
64 bytes from 10.10.0.200: icmp_seq=2 ttl=127 time=16.676 ms

Is it possible to set an outgoing interface for the mailer-deamon?
Thanks for any help :-)

jimp

If that is tunneled IPsec (not routed) then it's the same concept as this:

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

mOrbo

Thanks, I already found that link, but the ping test in that article is working as expected:

ping -S <pfsense LAN ip> <remote IP address>

[2.4.5-RELEASE][PFSENSE-02]/: ping -S 10.11.0.1 10.10.0.200
PING 10.10.0.200 (10.10.0.200) from 10.11.0.1: 56 data bytes
64 bytes from 10.10.0.200: icmp_seq=0 ttl=127 time=16.556 ms
64 bytes from 10.10.0.200: icmp_seq=1 ttl=127 time=16.543 ms
64 bytes from 10.10.0.200: icmp_seq=2 ttl=127 time=16.676 ms

I was looking for the alternative mentioned at the end of the article:
"Another alternative, depending on the version, would be to change the interface binding of the target service so that it only listens on the LAN IP address. [...] The interface binding for SNMP, NTP, the DNS Forwarder, and several other services can be set in this way."

I need to do this for sendmail or whatever mailer is used for the webgui.

jimp

There is no sendmail, it's just a PHP mailing script. No way to bind to an interface, you must use the routing trick. (Or switch to routed IPsec...)

NSuttner

@morbo Hi, i've the same problem as you in 2020! Do you have solved it and if yes, how? Thanks for a short response! Regards, Norbert

mOrbo

@nsuttner Kind of, but not satisfying.. I'm using an external smarthost relay-server to send the mails over the internet an not the tunnel. A bit dirty, but it works..

NSuttner

@morbo Haha, smile, i had the same idea a few minutes ago and it works with our Office365 mailer! Thanks for your answer and have a nice day! Regards, Norbert