VIP & NAT
Hello there,
I have a pfSense box set up like this:
- default gateway 10.x.x.13/29
- VIP 10.x.x.14/29
- VIP 10.x.x.15/29
I'm trying to set up a mail server on my 10.x.x.14 IP. I set up NAT on all necessary ports (25/993/143/995/587) between my host and my VIP 10.x.x.14.
My mail server webpage is working when I access the domain name. But when I send a mail to test my score with mail-tester.com, I get an error saying my SPF only allows 10.x.x.14 and I'm using 10.0.0.13.
Also, I can send emails but I'm not receiving anything...
Did I do my networking correctly? Do I have to do 1:1 NAT instead of port forward?
Why am I seeing my default GW instead of my VIP?
@alek
Yes, best practice for this is to configure NAT 1:1 for the server instead. Add a 1:1 rule to WAN, enter the VIP at external address and the server's IP with a /32 mask at internal.
You have to add separate firewall rules to WAN with the server IP as destination to allow incoming access on the desired ports.
Instead of this you can also add an outbound NAT rule for the source of the server and set the VIP as translation address, if you want to keep the port forwardings.
Remember that you have to switch the outbound NAT to hybrid mode.
@viragomann
Thanks!
Went with the port forward + outbound option, NAT is working finally.
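
The port forward + outbound NAT option from this thread, as an added example that is not part of the original posts: a small Python model of why a port forward alone leaves outbound mail on the interface address, and how a manual outbound rule in hybrid mode moves it to the VIP so the SPF check passes. All addresses, the LAN range and the SPF record are constructed stand-ins for the thread's redacted values, and the SPF evaluation handles only `ip4:` mechanisms.

```python
import ipaddress

# Constructed values (documentation ranges) standing in for the redacted ones:
WAN_IF = "203.0.113.13"        # interface address, the ".13" in the thread
MAIL_VIP = "203.0.113.14"      # virtual IP the mail domain points at
MAIL_SERVER = "192.168.1.10"   # hypothetical internal mail host
LAN_NET = "192.168.1.0/24"     # hypothetical LAN
SPF_RECORD = "v=spf1 ip4:203.0.113.14 -all"   # constructed SPF record

# Automatic outbound rule: every LAN source leaves as the interface address.
AUTO_RULES = [{"source": LAN_NET, "translate_to": WAN_IF}]
# Manual rule described in the answer: the server's /32 leaves as the VIP.
MANUAL_RULES = [{"source": MAIL_SERVER + "/32", "translate_to": MAIL_VIP}]


def egress_ip(src, mode):
    """Public source address for an outbound connection from src.

    "automatic" uses only the automatic rules; "hybrid" evaluates the manual
    rules first and falls back to the automatic ones (first match wins).
    Port forwards are absent on purpose: they only translate inbound traffic.
    """
    rules = (MANUAL_RULES if mode == "hybrid" else []) + AUTO_RULES
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["source"]):
            return rule["translate_to"]
    return None  # no rule matched, so the traffic is not translated


def spf_ip4_pass(record, sender_ip):
    """Simplified SPF check: True if sender_ip matches an ip4: mechanism."""
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        term = term.lstrip("+")
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
    return False


if __name__ == "__main__":
    for mode in ("automatic", "hybrid"):
        ip = egress_ip(MAIL_SERVER, mode)
        print(mode, ip, "SPF pass" if spf_ip4_pass(SPF_RECORD, ip) else "SPF fail")
```
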