Android Clients unable to reach Internal Exchange Server


  • I have an internal (behind my pfSense fw) Exchange server that has a static IPv4 address and a dynamic IPv6 address. Windows machines on my network can reach my Exchange server without issue. But my Android phones are unable to reach my Exchange server unless I disable WiFi and use mobile data. It is my understanding that Android uses IPv6 before falling back to IPv4, thus my Android devices are resolving DNS externally and they are resolving my Exchange server by its external IP address (IPv4 address) and not using the internal IP.

    Some notes about my setup:

    - separate class C subnets for both my wired and wireless devices that are on different ports on the pfSense.
    - machines in my wired subnet are able to ping each other via both their IPv4 and IPv6 addresses.
    - machines in my wireless subnet can ping machines in my wired subnet with their IPv4 addresses, but are unable to ping via their IPv6 addresses.
    - I am using SLAAC for both my Wired and Wireless networks.

    My question is what do I need to do to get my Android Clients to see my Exchange Server without having to disable my WiFi as I keep missing important emails until I either leave the house or I happen to disable WiFi?

    Thanks in advance!

    KL


  • @AmC_OldSarge

    Why do you use a dynamic IPv6 address? Every IPv6 capable device should have 1 consistent global address, often based on the MAC address. You should be using that to connect to. There may also be up to 7 privacy addresses, which change daily, and are used for outgoing connections.


  • Thanks for responding.

    So you are suggesting I use a Static IPv6 configuration over SLAAC? Is there a primer or example documentation on setting up IPv6 on the pfSense?

    In the past I have just used IPv4 and basically ignored IPv6, now that is no longer an option for me....

    Thanks again!


  • @AmC_OldSarge

    SLAAC is what's normally used. However, when you said dynamic, I thought you were referring to the privacy addresses. Also, thanks to some idiot at Google, Android does not support DHCPv6, so you have to use SLAAC anyway.


  • No, I think I've confused you. My two internal networks, Wired (192.168.10.1/24) and Wireless (192.168.11.1/24), are both private networks. My wireless Android devices can't reach/communicate with devices in my wired network. I set up SLAAC on both of those networks, but more out of ignorance than purpose. Setting up IPv6 for both of my internal networks is where I'm lost.

  • LAYER 8 Global Moderator

    If you only have internal networks that are IPv4 - why do you think you need to setup IPv6 internally?

    It's more likely that your Android device is not using your internal DNS, so it can't resolve wherever you're trying to go, so that is why it cannot go there.


  • From what I am reading, by default, Android uses IPv6 for DNS. Since I don't have IPv6 set up properly in my network, it bypasses my internal DNS servers entirely and uses Google's DNS server (8.8.8.8). Hence the reason I get my external IP address for my Exchange server and not the internal one.

    https://community.spiceworks.com/topic/2218883-android-devices-wont-resolve-local-server-names


  • @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    My question is what do I need to do to get my Android Clients to see my Exchange Server without having to disable my WiFi as I keep missing important emails until I either leave the house or I happen to disable WiFi?

    Tell us :
    You have Windows machines, probably on their own LAN.
    Your exchange server is on another LAN ? Same LAN ?
    Your Wifi connected devices are on the small LAN, yet another LAN ?

    If there is more than one LAN, do the pfSense firewall rules on these LANs permit mail traffic (SMTPS, POP, IMAP) to pass to the other LAN, the one where the mail server lives?

    And most of all : normally, when you hook up a PC to a LAN, it obtains :
    An IP
    A network mask
    A gateway
    And a DNS.

    For a PC, the last two will typically be the IP of the router == the gateway == the DHCP server.

    Now meet the Android device: check what the DNS IP is when you connect to the Wifi ...... you'll be in for a surprise.
    If it isn't the IP of pfSense - the IP it uses as its LAN address - it (the pfSense DNS) could never resolve your-mail-server.your-local-lan.tld because your Android wouldn't ask pfSense for it.

    Easy to test : while connected to local Wifi, change the URL of your mail server from this URL to the internal LAN IP. Now the android can reach the mail server (still : if firewall rules permit this).

    Btw : all devices (except the very old, dumb, or too cheap) will use IPv6 these days. And fall back to IPv4 afterwards. That's normal, and transparent to you.

    @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    but are unable to ping via their IPv6 addresses.

    Just add the needed IPv6 pass rules there where needed.
    Remember : ICMP is not TCP is not UDP.

    So : check if the Android is using the 'local' pfSense DNS when connected to the Wifi.
    Also : make sure your your-mail-server.your-local-lan.tld has a static LAN IP, by setting up everything static on that server, or use Static MAC DHCP server setting.
    And of course : Add :

    [image: pfSense DNS Resolver host override for your-mail-server.your-local-lan.tld]

    where 192.168.10.10 is the LAN IP of your mail server.

    When this host override is set up, and all the needed LAN type firewall rules are set up, you will be able to 'ping' from any LAN the IP of the mail server.
    By IP - and by URL.

    Because the notion of "public, private and company networks" is not always understood : check if the mail server accepts connections from its own LAN, another LAN, or the "Wifi LAN", and in our case : from somewhere on the Internet. Typically, this server should accept connections from everywhere.

    @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    I am using SLAAC

    Take more control of your network and use the built-in DHCPv6 server.
    SLAAC seems fine to me on networks where you don't care / don't mind. It's a last resort protocol if no control is needed.

    edit : didn't see this one before posting :

    @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    it bypasses my internal DNS servers entirely and uses google's DNS server (8.8.8.8).

    So you found already a big issue.
    Nice, these Android devices, as long as you use them in the wild (Internet) and don't want to use local resources. Everything will be fine.
    Now you're hosting stuff at your place .... and things that worked great for decades start to break.

    So, you can set up "your-mail-server.your-local-lan.tld" as the URL of your mail server, and use it on the Internet : the domain name server will have it pointed to your WAN IP, and from there on some NAT rule will connect it to your mail server.
    When your phone is connected to a local Wifi, the local DNS override (shown above) will direct it directly to the local LAN IP, where the server lives.
    That's why the Android phone should use the local DNS, not some other (8.8.8.8 or other) DNS when it's on Wifi.
    Because the local DNS (pfSense) knows where "your-mail-server.your-local-lan.tld" is if you're connected locally.

    Technically, it is possible that the Android, retrieving the WAN IP when it wants to resolve "your-mail-server.your-local-lan.tld", could use that IP to, finally, connect to the internal IP. But that's, at best, a strange situation.
    When you're in your house and want to go to the kitchen you don't go through the front door either.
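Added example, not from this thread: a stdlib-only Python check for the split-horizon situation described above. It sends an A query for the mail server to one chosen resolver (run it against the pfSense LAN address and then against 8.8.8.8) and reports whether the answer is the LAN IP or a public one. The hostname and 192.168.10.10 are the placeholders from the post; the resolver addresses you pass in are assumed to be yours.

```python
# Split-horizon DNS check (added example, not from the thread): ask one resolver for
# the mail server's A record and say whether it returned the LAN or a WAN address.
import ipaddress
import socket
import struct
MAIL_HOST = "your-mail-server.your-local-lan.tld"   # placeholder used in the thread
LAN_IP = "192.168.10.10"                              # LAN IP given in the thread

def build_query(name, txid=0x1234):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while msg[off] & 0xC0 != 0xC0:          # walk labels until a pointer or the root
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2                           # 2-byte compression pointer ends the name

def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def classify(answers):
    """'lan' if the LAN address came back, 'wan' if only public ones did, else 'none'."""
    if LAN_IP in answers:
        return "lan"
    return "wan" if any(not ipaddress.ip_address(a).is_private for a in answers) else "none"

def query(server, name=MAIL_HOST, timeout=2.0):
    """Ask one specific resolver over UDP (needs network; try pfSense, then 8.8.8.8)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))
```

A phone that is really using the pfSense resolver gets "lan" from `classify(query("<pfSense LAN IP>"))`; "wan" from the same call means the host override is missing, and "wan" from the public resolver is the expected result.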


  • @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    From what I am reading, by default, android uses IPv6 for DNS.

    Most things prefer IPv6 by default, but if it's not available they'll go immediately for IPv4.