SMTP port forwarding from internal server

lex.under.3182 · May 13, 2022, 1:32 PM

Hello guys,

I have an issue with NAT. Probably because not very familiar with the networks and may be missing something simple. I have read this doc but no luck
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
Anyway here is the case.
I have pfSense installed in the cloud for VPN access and haproxy stuff to other cloud servers without public IPs. The things seems to be working fine.

Due to hoster policy all the SMTP ports 25, 465, 587 are blocked and you need or buy public IP with mail option or use their mail gateway. Both options do not fit our needs thus it was decided to forward traffic for 587 port via pfSEnse since it has gateway public IP with mail ports allowed.

So we have server A - 192.168.0.139 for example. It has some shared NAT that is used to access wordlwide for downloading updates for example.
And we have pfSense with internal ip 172.28.28.28 ( WAN ip) which is not default gateway in our case. Public IP is handled by hoster via NAT I think but it is associated with that cloud machine.

As far as I understood 587 port is not blocked internaly and I can send requests through 587 to 172.28.28.28 pfsense.
So I want all such requests being redirected to external mail server 85.13.135.13:587

I made a port forwarding which looks like this
https://nimb.ws/5jmFkG

And when I run telnet it looks like working, as far as I understand
https://nimb.ws/wDcYjI
BUT telnet itself is not successful

root@192.168.0.139:~# telnet 172.28.28.28 587
Trying 172.28.28.28...
telnet: Unable to connect to remote host: Connection timed out

May be reply from 85.13.135.13 is not being passed back? Little bit lost here. Tried also routing through iptables all 587 traffic from 192.168.0.139 but in result the issue was the same. It appers to be traffic was routed fine to mail server 85.13.135.13 but connection timeout, probably because of lost reply.

Any help?

Anothe question is I also tried to use Outbound NAT since it offers option to use Host based Alias and it is better then putting mail server IP address in my case. But it was not redirecting traffic at all.
https://nimb.ws/E8uA2t

If someone can direct me to the right direction please. Little bit stuck with this.

Forgot to mention that in State filter I can see only these records for mail server IP

WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) CLOSED:SYN_SENT 6 / 0
WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 SYN_SENT:CLOSED 6 / 0

https://nimb.ws/eZy8zw

And VPC connection from 192.168.0.139 to 172.28.28.28 (pfsense) is setup and works. means I am able to SSH for example to pfsense.

and telnet on 172.28.28.28 to mail server works fine as well

@Derelict @johnpoz guys I read a lot of your replies regarding similar issues in another threads on forum. May be you can advise? Will be very thankful for advices from anyone.

viragomann · May 13, 2022, 1:39 PM

@lex-under-3182 said in SMTP port forwarding from internal server:

Anothe question is I also tried to use Outbound NAT since it offers option to use Host based Alias and it is better then putting mail server IP address in my case. But it was not redirecting traffic at all.

Outbound NAT is not meant for redirecting traffic, but for replacing the source IP or port (masquerading).
Anyway, this is the right place to turn the screws.

However, you have to correct three options in your rule:
source: any
destination: 85.13.135.13:587
translation: interface address

Edit:
Should add, naturally you loose information about the origin source IP address on the mail server with this. But there is no other way to forward the packets, apart from joining the SMTP server to the pfSense's network using a VPN.

lex.under.3182 · May 13, 2022, 2:13 PM

@viragomann As far as I understood for this to work I need bellow rule to iptables on 192.168.0.139 ? this should route all traffic for 587 to 172.28.28.28:587

Something like this should work I guess but telnet still does not work ((

iptables -t nat -A OUTPUT -p tcp --dport 587 -j DNAT --to-destination 172.28.28.28:587

Anyway pfsense is not a default gateway for 192.168.0.139 . They are connected via VPC peering ...

Just to confirm 192.168.0.139 is SMTP client and 85.13.135.13 is external SMTP server not managed by me.

192.168.0.139 cannot send external requests to 587 port (only local to any IP in the private network)
172.28.28.28 can send external requests to 587 port

stephenw10 · May 13, 2022, 2:16 PM

No you don't need any rules on the client (192.168.0.139).

You need the correct outbound NAT rule in pfSense so that the traffic leaving towards the SMTP server has it's source address NAT's to the pfSense WAN IP. Then the SMTP server will reply back to pfSense instead of trying to reply to 192.168.0.139 dircetly. Or whatever the cloud provider is NATing that to. If it's not blocking it anyway.

This is a an ugly setup though!

Steve

viragomann · May 13, 2022, 2:24 PM

@lex-under-3182 said in SMTP port forwarding from internal server:

Just to confirm 192.168.0.139 is SMTP client and 85.13.135.13 is external SMTP server not managed by me.

And how is the client connected to pfSense? To its WAN?
To communicate both need to be within the same subnet. That doesn't seem to be the case.

lex.under.3182 · May 13, 2022, 2:30 PM

@viragomann

I can ping pfsense. Several virtual private cloud networks are connected between each other via so called VPC peering.

But for example if I run
root@192.168.0.139:~# curl ifconfig.co
80.158.48.35

I will get back public IP of so called sharedNAT for that network which is not a pfsense server. So default gateway is no pfsense.

Probably I will have to use VPN... I already have one in pfsense for internal that network and outside connections to it. No have to make some kind of outbound VPN... )

It would be cool if I could just route 587 traffic from 192.168.0.139 to mail server through pfsense server... but so far no success (
I feel myself dump)) sorry to bother

viragomann · May 13, 2022, 2:38 PM

@lex-under-3182 said in SMTP port forwarding from internal server:

I can ping pfsense. Several virtual private cloud networks are connected between each other via so called VPC peering.

I asked for the interface the client connect to pfSense.

But for example if I run
root@192.168.0.139:~# curl ifconfig.co
80.158.48.35

I will get back public IP of so called sharedNAT for that network which is not a pfsense server. So default gateway is no pfsense.

So 80.158.48.35 is the public IP when you go out and you try to forward SMTP mails to it??

What is the public IP of pfSense?

lex.under.3182 · May 13, 2022, 2:39 PM

@stephenw10 Thanks for the reply but probably this is not my case. or I have not understood the setup correctly. I did exactly what was advised but still my telnet sessions do not work on client. May be telnet on 587 port is not correct way to test it? I do see connections in logs.

May be this would work if pfsense was a gateway for that network where client server is BUT it is not(
PFsence and client can communicate between each other via private IP but pfsense has it`s own Public IP and client server has shared NAT for www access. So by default if I run bellow command it tries to route it through that sNAT, if I add iptdables then it will try to route it to 172.28.28.28 587 port .

root@192.168.0.139:~# tcptraceroute 85.13.135.13 587
Running:
traceroute -T -O info -p 587 85.13.135.13
traceroute to 85.13.135.13 (85.13.135.13), 30 hops max, 60 byte packets
1 100.78.0.1 (100.78.0.1) 13.399 ms 13.351 ms 13.345 ms
2 172.30.5.89 (172.30.5.89) 6.835 ms 6.875 ms 7.066 ms
3 * * *
4 * * *
5 * * *

stephenw10 · May 13, 2022, 2:48 PM

Right you have to use the pfSense WAN IP to access the SMTP server from the client instead of the actual public IP.

That will work as long as you have an outbound NAT rule in pfSense covering the client subnet.

When it's configured correctly the states in pfSense will look like:

WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) 
WAN tcp 172.28.28.28:49761 (192.168.0.139:56378) -> 85.13.135.13:587

Steve

lex.under.3182 · May 13, 2022, 2:48 PM

@viragomann said in SMTP port forwarding from internal server:

So 80.158.48.35 is the public IP when you go out and you try to forward SMTP mails to it??
What is the public IP of pfSense?

I cannot disclose pfsense ip( . but lets say it is 80.158.10.10

80.158.48.35 is a public IP of several hundred servers without public IP. Lets call it Shared SNAT . and it does not allow SMTP ports including 587

I try to forward SMTP connections to pfsense private ip 172.28.28.28 then I though it will automatically send that request through 80.158.10.10 to mail server.

my ifconfig on pfsense

[2.6.0-RELEASE][root@172.28.28.28]/root: ifconfig
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
        ether fa:16:3e:a9:cb12
        inet6 fe80::f816:3eff:fea9:ba12%vtnet0 prefixlen 64 scopeid 0x1
        inet 172.28.28.28 netmask 0xffffff00 broadcast 172.28.28.255
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync

viragomann · May 13, 2022, 2:57 PM

@lex-under-3182
I think, I got it.

My assumption was, you want to forward mails from any public IP first.
So you can limit the source in the outbound NAT rule to the clients IP then.

lex.under.3182 · May 13, 2022, 3:04 PM

@viragomann @stephenw10

Ok guys I think the issue somewhere on other end of firewall.
When I am adding these settings I do see requests in logs but Firewall is blocking it, so the first though I have is to add Pass rule in firewall like this
https://nimb.ws/WkY0AZ

Then when I am doing telnet I do see that firewall stops blocking it
https://nimb.ws/8ClMy0

And connections times out which is probably means I cannot use 172.28.28.28 as my mail server host in application settings. (

root@vault-test:~# telnet 172.28.28.28 587
Trying 172.28.28.28...

telnet: Unable to connect to remote host: Connection timed out

viragomann · May 13, 2022, 3:12 PM

@lex-under-3182
Strange, the rule should allow the packets.

Switch to the nowmal log view, so you can see the rule which blocks the traffic.

lex.under.3182 · May 13, 2022, 3:14 PM

@viragomann Should I use 587 port under translation area?
https://nimb.ws/NWw75O

viragomann · May 13, 2022, 3:21 PM

@lex-under-3182
No, that's the source port. I should be dynamic (any).
Only the destination port is 587.

lex.under.3182 · May 13, 2022, 3:26 PM

@viragomann port for source is empty as you can see on last screenshot. For "Translation" should be empty as well? hmm
Does not that mean to route any traffic to any port at 172.28.28.28 from 192.168.0.136 to 85.13.135.13:587 ?

If I try to connect to 172.28.28.28:80 then it will masquerade it to 85.13.135.13:587 ?

viragomann · May 13, 2022, 3:29 PM

@lex-under-3182
The translation port has to be empty. This is the source port in outgoing packets and should be automatically selected by pfSense.

stephenw10 · May 13, 2022, 3:38 PM

Yup, or check the 'static port' box to use the same source port the client is using. Either should work here though.

Steve

lex.under.3182 · May 13, 2022, 3:55 PM

@stephenw10 @viragomann
Ok guys, thank you for help, but looks like I am stuck with this... It still does not work. May be it is because of some settings in hoster's NAT for pfsense public IP that I do not control.

Although from pfsense I can telnet mail server.

/root: telnet 85.13.135.13 587
Trying 85.13.135.13...
Connected to dd52114.kasserver.com.
Escape character is '^]'.
220 dd52114.kasserver.com ESMTP

From client's server I cannot

# telnet 172.28.28.28 587
Trying 172.28.28.28...
telnet: Unable to connect to remote host: Connection timed out

It is possible there are also some other settings in pfsense that I have not enabled and that prevent this from mapping correctly.

I cannot ask you for any further help. It is not ethical I think) You spent a lot of time helping me... I will try to remove everything and setup again on sunday but I think the issue will be there and I will have to add the second openVPN for this purpose. Connecting each server to VPN to be able to send emails looks not very stable solution for me but I am pretty sure this should work...

In any case if somebody still find an issue in my configs or have another solution then please share.
Just to repeat here is my outbound NAT config
https://nimb.ws/IRHqbn
THis is firewall rule for that NAT
https://nimb.ws/VPYBs3
System - Advanced - Firewall&NAT
https://nimb.ws/O8lYWH

By the way did an upgrade of pfsense to 2.6.0-RELEASE like few weeks ago. And also there is no Translation options in System - Advanced - Firewall&NAT menu. But I doubt it could be the cause.

viragomann · May 13, 2022, 4:07 PM

@lex-under-3182
Is the port forwarding rule still in place. It is necessary as well.

Are the packets still blocked? If so, what's the responsible rule?

For troubleshooting run a packets capture on pfSense WAN interface, filter for port 587. So you can clearly see what the packets do.