Mail servers imap behind pfsense not reachable
-
@PhxAzCraig It is working now, I had to set up NAT reflection. Thanks!
-
@johnpoz In my home setup, I can "test port" my own email server on my public IP. I also can connect my XMPP client to my XMPP server. I have not set up any NAT reflection in my pfSense or rules.
-
@daan said in Mail servers imap behind pfsense not reachable:
@daan, when we say from "inside the LAN" we mean put in the actual internal RFC1918 address of your mail server. So maybe something like 192.168.1.xxx or whatever -- NOT your DNS entry IP (in other words, not the public IP). If using the actual internal non-NAT IP of the mail server didn't work, then a firewall rule must have been blocking. Is that mail server on a separate interface perhaps, such as some kind of DMZ?
Glad you got it working with NAT reflection, but the preferred way of doing this is with a split-DNS arrangement such that clients on your LAN connect directly to the mail server using its local non-NAT IP address. Users out on the Internet would get the WAN public IP when asking for the mail server. You can research split-DNS to see how this works and why it is the preferred solution over NAT reflection.
-
@bmeeks Ah okay, I'll take a look at that. Thanks for the tip!
-
@Bob-Dig, then it's set up without your knowledge or understanding that you did it.
You cannot hit your public IP from your LAN side to be reflected back in without NAT reflection being enabled.
-
@johnpoz My ISP is doing 1:1 NAT, maybe that is why this works? How to test for that easily, if of any interest?
One reason I don't use split-DNS on everything is to get easily notified of "hosting" problems, like not having ports reachable, which sometimes happens with my ISP after an IP change.
-
@Bob-Dig said in Mail servers imap behind pfsense not reachable:
My ISP is doing 1:1-NAT
Huh? You mean you have an RFC1918 address on the pfSense WAN, and they do a 1:1 NAT with a public IP upstream?
-
@johnpoz It is a CG-NAT address (100.65..), but yes.
-
Well, NAT reflection isn't done on your end then, it's done on their end..
edit: To be honest that is almost worse than local NAT reflection. Since not only do you have the hairpin on pfSense, but you also have to deal with all the added latency and hairpin on their system ;)
Whereas if you used split DNS and just pointed to the local IP, you just go through your local network to get to your server when you're on the local network..
-
@johnpoz said in Mail servers imap behind pfsense not reachable:
edit: To be honest that is almost worse than local NAT reflection. Since not only do you have the hairpin on pfSense, but you also have to deal with all the added latency and hairpin on their system ;)
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 14ms, Maximum = 18ms, Average = 15ms PS C:\WINDOWS\system32>
It is ok for some messages I guess.
Suricata thinks I got attacked..
SERVER-OTHER MRLG fastping echo reply memory corruption attempt
Then this mystery is solved and I will not mention it anymore, because I am special.
-
Yeah, for small amounts of traffic it's not all that big of a deal, but it sure isn't "optimal".
It's like walking to the front door of your house from your bedroom when you want to go to the kitchen.. vs just going to the kitchen.
But let's take for example your Plex server sitting right next to your client.. streaming some movie at X Mbps..
Your Plex server hands out 2 IPs with plex.tv - it lists your public IP, so that remote clients can talk to your Plex server when they are out and about on the internet.
But when your client is local, it uses your local RFC1918 address. Which you have to make sure resolves by turning off rebind protection.. If not, you would have to NAT reflect to get to your own Plex server.
What is better when you say streaming a 20 Mbps movie, or let's say multiple streams of that when you're watching something, your kids are watching something else, and the wife is watching her show on her iPad, etc..
In your scenario, not only would you be running traffic through pfSense that doesn't need to go there, you would also be limited by your internet connection speed.
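As an added example (not code from any poster or from pfSense), here is a small check for the split-DNS vs. hairpin question raised in this thread: it classifies the address a LAN client gets back for the server name as RFC1918 (split DNS, direct path), CG-NAT shared space (the ISP-side hairpin described above), or public (pfSense NAT reflection required). The hostname, addresses and the offline answer table are constructed placeholders.

```python
"""Where does a LAN client's DNS answer for the mail server actually lead?"""
import ipaddress
import socket
from typing import Dict, Optional, Tuple

# RFC1918 private ranges and RFC 6598 shared (CG-NAT) space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed offline answers: what a LAN resolver with a split-DNS
# host override should return (assumption, not a real host).
CONSTRUCTED_ANSWERS: Dict[str, str] = {"mail.example.com": "192.168.1.25"}


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'local' or 'public' for an IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    return "public"


def reach_path(resolved_addr: str) -> str:
    """How a LAN client reaches the server given the address DNS handed it."""
    kind = classify(resolved_addr)
    if kind == "rfc1918":
        return "direct"          # split DNS: traffic stays on the LAN
    if kind == "cgnat":
        return "isp-hairpin"     # ISP 1:1 NAT bounces it back through their NAT
    if kind == "public":
        return "nat-reflection"  # pfSense must hairpin it, or the connection fails
    return "unknown"


def resolve(name: str, answers: Optional[Dict[str, str]] = None) -> str:
    """Look up a name; use the constructed table when given, else the live resolver."""
    return answers[name] if answers is not None else socket.gethostbyname(name)


def check_split_dns(name: str, lan_ip: str,
                    answers: Optional[Dict[str, str]] = None) -> Tuple[str, str, bool]:
    """Return (resolved address, path, True if the LAN answer is the server's LAN IP)."""
    addr = resolve(name, answers)
    return addr, reach_path(addr), ipaddress.ip_address(addr) == ipaddress.ip_address(lan_ip)


if __name__ == "__main__":
    print(check_split_dns("mail.example.com", "192.168.1.25", CONSTRUCTED_ANSWERS))
```

Run it against your own resolver by dropping the `answers` argument; a public or 100.64.0.0/10 answer from inside the LAN means you are relying on a hairpin rather than split DNS.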