How to use a routed subnet ip for outgoing traffic???

  • I'm not sure where to post this question but here it is anyway

    I have my configuration setup like this.

    Wan: DSL with fixed ip of 100.200.300.10 and gateway 100.200.300.9
    and 16 ip addresses routed to this ip of 200.300.400.10 …....... to 200.300.400.26 and gateway of 200.300.400.9

    My Lan is bridged with Wan and I have 16 webservers on the lan each with a public ip from the pool of 16 addresses.

    My problem is that outgoing traffic from each of the 16 webservers appears to originate from the fixed ip of the dsl connection 100.200.300.10
    Not so much of a problem usually but lately my 2 webservers are getting a lot of bounce backs to my customers because of SPF policies etc where the traffic coming from the mail servers appear to be coming from the wrong ip and therefore gets flagged as spam.

    How can I configure pfsense to use the actual ip of the mail servers for outgoing traffic instead of the first static ip of the dsl connection?

    I have tried setting the default gateway on the mail servers to the second gateway 200.300.400.9 but no traffic gets out even though the rules are there to allow it.

    This is becoming a huge problem lately with a lot of irate customers because they cant use my mail servers to send mail.

    Any help would be really really really appreciated.


  • Sounds like you need to disable NAT.

  • I dont use nat. Its a bridge No nat enabled as far as I know….

  • Hmm, your "bridged" config indeed doesn't make sense.  ???
    If you have multiple IPs on your WAN side, bind them as ALIASes to pfsense and use AON advanced outbound NAT to give every mailserver it's own IP. Of course all of these IPs names (reverse DNS) need to match the helo greeting from the corresponding server.

  • Why doesnt my "bridged" config make sense? I dont use any Nat. My Wan is bridged with my Lan, my webservers are on my Lan. Each webserver has 1 public ip from the pool of 16 assigned to their Nic. No private ips are in use anywhere…..

  • You can't bridge if you're using different IP ranges.

  • Sorry don't use aliases, use Virtual IPs I meant.
    And don't bind more than one subnet to a physical network.

  • @Cry:

    You can't bridge if you're using different IP ranges.

    Why not? I am bridged with 2 different ip ranges and have been working fine for about 6 months.

  • @tracer:

    Sorry don't use aliases, use Virtual IPs I meant.
    And don't bind more than one subnet to a physical network.

    Excellent advice. I have now managed to use AON to redirect outgoing traffic from my second subnet to go out from the gateway ip of my second subnet.

    I'm half way there. Next thing is to get the outgoing traffic to appear from the corresponding ip of the second subnet. The problem is that in the rules of the AON i can only choose the network range to apply the rule to and not the specific ip.

    eg. the rule lets me specify that traffic originating from the 200.300.400.x subnet goes out from whtever ip alias i choose from that subnet. there is no option in the rule wizard to specify a specific ip instead of a subnet.

Log in to reply