Netgate Discussion Forum

SMTP port forwarding from internal server

Category: NAT
22 Posts 3 Posters 3.7k Views
    lex.under.3182
    last edited by May 13, 2022, 10:22 AM

    Hello guys,

    I have an issue with NAT. Probably because I am not very familiar with networks and may be missing something simple. I have read this doc but no luck
    https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
    Anyway here is the case.
    I have pfSense installed in the cloud for VPN access and haproxy stuff to other cloud servers without public IPs. The things seems to be working fine.

    Due to hoster policy all the SMTP ports 25, 465, 587 are blocked and you need to either buy a public IP with the mail option or use their mail gateway. Both options do not fit our needs, thus it was decided to forward traffic for port 587 via pfSense since it has a gateway public IP with mail ports allowed.

    So we have server A - 192.168.0.139 for example. It has some shared NAT that is used to access worldwide, for downloading updates for example.
    And we have pfSense with internal IP 172.28.28.28 (WAN IP) which is not the default gateway in our case. Public IP is handled by the hoster via NAT I think, but it is associated with that cloud machine.

    As far as I understood port 587 is not blocked internally and I can send requests through 587 to 172.28.28.28 (pfSense).
    So I want all such requests being redirected to external mail server 85.13.135.13:587

    I made a port forwarding which looks like this
    https://nimb.ws/5jmFkG

    And when I run telnet it looks like working, as far as I understand
    https://nimb.ws/wDcYjI
    BUT telnet itself is not successful

    root@192.168.0.139:~# telnet 172.28.28.28 587
    Trying 172.28.28.28...
    telnet: Unable to connect to remote host: Connection timed out
    

    Maybe the reply from 85.13.135.13 is not being passed back? A little bit lost here. Tried also routing through iptables all 587 traffic from 192.168.0.139 but in result the issue was the same. It appears the traffic was routed fine to mail server 85.13.135.13 but the connection timed out, probably because of a lost reply.

    Any help?

    Another question is I also tried to use Outbound NAT since it offers the option to use a Host based Alias and it is better than putting the mail server IP address in my case. But it was not redirecting traffic at all.
    https://nimb.ws/E8uA2t

    If someone can direct me to the right direction please. Little bit stuck with this.

    Forgot to mention that in State filter I can see only these records for mail server IP

    WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) CLOSED:SYN_SENT 6 / 0
    WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 SYN_SENT:CLOSED 6 / 0
    

    https://nimb.ws/eZy8zw

    And the VPC connection from 192.168.0.139 to 172.28.28.28 (pfSense) is set up and works, meaning I am able to SSH for example to pfSense.

    and telnet on 172.28.28.28 to mail server works fine as well

    @Derelict @johnpoz guys I read a lot of your replies regarding similar issues in another threads on forum. May be you can advise? Will be very thankful for advices from anyone.

      viragomann @lex.under.3182
      last edited by viragomann May 13, 2022, 1:39 PM May 13, 2022, 1:32 PM

      @lex-under-3182 said in SMTP port forwarding from internal server:

      Another question is I also tried to use Outbound NAT since it offers the option to use a Host based Alias and it is better than putting the mail server IP address in my case. But it was not redirecting traffic at all.

      Outbound NAT is not meant for redirecting traffic, but for replacing the source IP or port (masquerading).
      Anyway, this is the right place to turn the screws.

      However, you have to correct three options in your rule:
      source: any
      destination: 85.13.135.13:587
      translation: interface address

      Edit:
      Should add, naturally you lose information about the original source IP address on the mail server with this. But there is no other way to forward the packets, apart from joining the SMTP server to the pfSense's network using a VPN.

        lex.under.3182 @viragomann
        last edited by lex.under.3182 May 13, 2022, 2:13 PM May 13, 2022, 2:08 PM

        @viragomann As far as I understood, for this to work I need the below rule in iptables on 192.168.0.139? This should route all traffic for 587 to 172.28.28.28:587

        Something like this should work I guess but telnet still does not work ((

        iptables -t nat -A OUTPUT -p tcp --dport 587 -j DNAT --to-destination 172.28.28.28:587

        Anyway pfsense is not a default gateway for 192.168.0.139 . They are connected via VPC peering ...

        Just to confirm 192.168.0.139 is SMTP client and 85.13.135.13 is external SMTP server not managed by me.

        192.168.0.139 cannot send external requests to 587 port (only local to any IP in the private network)
        172.28.28.28 can send external requests to 587 port

          stephenw10 Netgate Administrator
          last edited by May 13, 2022, 2:16 PM

          No you don't need any rules on the client (192.168.0.139).

          You need the correct outbound NAT rule in pfSense so that the traffic leaving towards the SMTP server has its source address NATed to the pfSense WAN IP. Then the SMTP server will reply back to pfSense instead of trying to reply to 192.168.0.139 directly. Or whatever the cloud provider is NATing that to. If it's not blocking it anyway.

          This is an ugly setup though!

          Steve

            viragomann @lex.under.3182
            last edited by May 13, 2022, 2:24 PM

            @lex-under-3182 said in SMTP port forwarding from internal server:

            Just to confirm 192.168.0.139 is SMTP client and 85.13.135.13 is external SMTP server not managed by me.

            And how is the client connected to pfSense? To its WAN?
            To communicate both need to be within the same subnet. That doesn't seem to be the case.

              lex.under.3182 @viragomann
              last edited by May 13, 2022, 2:30 PM

              @viragomann

              I can ping pfsense. Several virtual private cloud networks are connected between each other via so called VPC peering.

              But for example if I run
              root@192.168.0.139:~# curl ifconfig.co
              80.158.48.35

              I will get back the public IP of the so-called shared NAT for that network, which is not the pfSense server. So the default gateway is not pfSense.

              Probably I will have to use a VPN... I already have one in pfSense for that internal network and outside connections to it. Now I have to make some kind of outbound VPN... )

              It would be cool if I could just route 587 traffic from 192.168.0.139 to the mail server through the pfSense server... but so far no success (
              I feel dumb)) sorry to bother

                viragomann @lex.under.3182
                last edited by May 13, 2022, 2:38 PM

                @lex-under-3182 said in SMTP port forwarding from internal server:

                I can ping pfsense. Several virtual private cloud networks are connected between each other via so called VPC peering.

                I asked for the interface the client connect to pfSense.

                But for example if I run
                root@192.168.0.139:~# curl ifconfig.co
                80.158.48.35

                I will get back the public IP of the so-called shared NAT for that network, which is not the pfSense server. So the default gateway is not pfSense.

                So 80.158.48.35 is the public IP when you go out and you try to forward SMTP mails to it??

                What is the public IP of pfSense?

                  lex.under.3182 @stephenw10
                  last edited by May 13, 2022, 2:39 PM

                  @stephenw10 Thanks for the reply but probably this is not my case, or I have not understood the setup correctly. I did exactly what was advised but still my telnet sessions do not work on the client. Maybe telnet on port 587 is not the correct way to test it? I do see connections in logs.

                  Maybe this would work if pfSense was the gateway for the network where the client server is, BUT it is not(
                  pfSense and the client can communicate with each other via private IP, but pfSense has its own public IP and the client server has shared NAT for www access. So by default if I run the below command it tries to route it through that SNAT; if I add the iptables rule then it will try to route it to 172.28.28.28 port 587.

                  root@192.168.0.139:~# tcptraceroute 85.13.135.13 587
                  Running:
                  traceroute -T -O info -p 587 85.13.135.13
                  traceroute to 85.13.135.13 (85.13.135.13), 30 hops max, 60 byte packets
                  1 100.78.0.1 (100.78.0.1) 13.399 ms 13.351 ms 13.345 ms
                  2 172.30.5.89 (172.30.5.89) 6.835 ms 6.875 ms 7.066 ms
                  3 * * *
                  4 * * *
                  5 * * *

                    stephenw10 Netgate Administrator
                    last edited by stephenw10 May 13, 2022, 2:48 PM May 13, 2022, 2:45 PM

                    Right you have to use the pfSense WAN IP to access the SMTP server from the client instead of the actual public IP.

                    That will work as long as you have an outbound NAT rule in pfSense covering the client subnet.

                    When it's configured correctly the states in pfSense will look like:

                    WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) 
                    WAN tcp 172.28.28.28:49761 (192.168.0.139:56378) -> 85.13.135.13:587
                    

                    Steve
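
                    As an added example (not code from this thread or from Netgate), the following Python script classifies state lines pasted from Diagnostics > States in the layout shown above and reports which of the two translations is in effect for the client -> SMTP flow. The client, pfSense WAN and SMTP addresses are parameters; the "working" and "no reply" samples are constructed from the expected layout with assumed state names and counters, while the "thread" sample is the pair of lines quoted earlier in the thread.

```python
"""Classify pfSense state-table lines for a port-forwarded SMTP submission flow.

Added example, not code from the thread or from Netgate. It reads lines in
the form the pfSense Diagnostics > States page prints (the form pasted in the
thread) and reports whether the port forward and the outbound NAT rule are
both in effect for one client -> SMTP-server flow, or whether the SYN left
pfSense but no reply ever came back.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A pfSense state line, e.g.
#   WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) CLOSED:SYN_SENT 6 / 0
#   WAN tcp 172.28.28.28:49761 (192.168.0.139:56378) -> 85.13.135.13:587 ESTABLISHED:ESTABLISHED 9 / 7
# A parenthesised endpoint is the address before translation: the original
# destination for a port forward (rdr), the original source for outbound NAT.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+:\d+)(?:\s+\((?P<src_orig>[\d.]+:\d+)\))?"
    r"\s+->\s+"
    r"(?P<dst>[\d.]+:\d+)(?:\s+\((?P<dst_orig>[\d.]+:\d+)\))?"
    r"(?:\s+(?P<state>[A-Z0-9_]+:[A-Z0-9_]+))?"
)


@dataclass
class State:
    iface: str
    proto: str
    src: str
    src_orig: Optional[str]
    dst: str
    dst_orig: Optional[str]
    state: Optional[str]


def parse_states(lines: Iterable[str]) -> List[State]:
    """Parse every line that looks like a state entry; skip headers and blanks."""
    parsed = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if m:
            parsed.append(State(**m.groupdict()))
    return parsed


def diagnose(lines: Iterable[str], client_ip: str, pf_wan_ip: str, smtp: str) -> str:
    """Return one of: no_states, forward_missing, outbound_nat_missing, no_reply, ok.

    smtp is "address:port" as it appears in the state table, e.g. "85.13.135.13:587".
    """
    flow = [s for s in parse_states(lines) if s.proto == "tcp" and s.dst == smtp]
    if not flow:
        return "no_states"
    pf_port = smtp.split(":")[1]
    # Port forward applied: the client's packet still records pfSense WAN as its
    # original destination, i.e. "client:xxxx -> smtp (pf_wan:port)".
    forwarded = any(
        s.src.startswith(client_ip + ":") and s.dst_orig == f"{pf_wan_ip}:{pf_port}"
        for s in flow
    )
    # Outbound NAT applied: a state whose source is pfSense WAN with the client
    # as original source, i.e. "pf_wan:xxxx (client:yyyy) -> smtp".
    translated = any(
        s.src.startswith(pf_wan_ip + ":")
        and s.src_orig is not None
        and s.src_orig.startswith(client_ip + ":")
        for s in flow
    )
    if not forwarded:
        return "forward_missing"
    if not translated:
        # The SYN went out with the client's private source address, so the
        # SMTP server's reply would go to the client's provider NAT, not to pfSense.
        return "outbound_nat_missing"
    if not any(s.state and "ESTABLISHED" in s.state for s in flow):
        # Both rules fired but the handshake never completed: the SYN left the
        # WAN and nothing came back (e.g. filtering upstream of the pfSense
        # public IP, which is what the thread suspects).
        return "no_reply"
    return "ok"


# Sample input. BROKEN_STATES are the two lines quoted in the thread; the
# WORKING and NO_REPLY sets are constructed from the expected layout above
# with assumed state names and packet counters.
BROKEN_STATES = [
    "WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) CLOSED:SYN_SENT 6 / 0",
    "WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 SYN_SENT:CLOSED 6 / 0",
]
WORKING_STATES = [
    "WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) ESTABLISHED:ESTABLISHED 9 / 7",
    "WAN tcp 172.28.28.28:49761 (192.168.0.139:56378) -> 85.13.135.13:587 ESTABLISHED:ESTABLISHED 9 / 7",
]
NO_REPLY_STATES = [
    "WAN tcp 192.168.0.139:56378 -> 85.13.135.13:587 (172.28.28.28:587) CLOSED:SYN_SENT 3 / 0",
    "WAN tcp 172.28.28.28:49761 (192.168.0.139:56378) -> 85.13.135.13:587 SYN_SENT:CLOSED 3 / 0",
]

if __name__ == "__main__":
    for name, sample in (("thread", BROKEN_STATES), ("working", WORKING_STATES), ("no reply", NO_REPLY_STATES)):
        print(name, "->", diagnose(sample, "192.168.0.139", "172.28.28.28", "85.13.135.13:587"))
```

                    Run it with the states copied from the pfSense GUI; the thread's own two lines classify as outbound_nat_missing, which matches the diagnosis in this post, and a result of no_reply with both translations present points at the path beyond pfSense rather than at the NAT rules.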

                      lex.under.3182 @viragomann
                      last edited by May 13, 2022, 2:48 PM

                      @viragomann said in SMTP port forwarding from internal server:

                      So 80.158.48.35 is the public IP when you go out and you try to forward SMTP mails to it??
                      What is the public IP of pfSense?

                      I cannot disclose pfsense ip( . but lets say it is 80.158.10.10

                      80.158.48.35 is a public IP of several hundred servers without public IP. Let's call it Shared SNAT. And it does not allow SMTP ports including 587.

                      I try to forward SMTP connections to pfSense private IP 172.28.28.28, then I thought it will automatically send that request through 80.158.10.10 to the mail server.

                      my ifconfig on pfsense

                      [2.6.0-RELEASE][root@172.28.28.28]/root: ifconfig
                      vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              description: WAN
                              options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
                              ether fa:16:3e:a9:cb12
                              inet6 fe80::f816:3eff:fea9:ba12%vtnet0 prefixlen 64 scopeid 0x1
                              inet 172.28.28.28 netmask 0xffffff00 broadcast 172.28.28.255
                              media: Ethernet 10Gbase-T <full-duplex>
                              status: active
                              nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
                      enc0: flags=0<> metric 0 mtu 1536
                              groups: enc
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                              options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
                              inet6 ::1 prefixlen 128
                              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
                              inet 127.0.0.1 netmask 0xff000000
                              groups: lo
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      pflog0: flags=100<PROMISC> metric 0 mtu 33160
                              groups: pflog
                      pfsync0: flags=0<> metric 0 mtu 1500
                              groups: pfsync
                      
                        viragomann @lex.under.3182
                        last edited by May 13, 2022, 2:57 PM

                        @lex-under-3182
                        I think, I got it.

                        My assumption was, you want to forward mails from any public IP first.
                        So you can limit the source in the outbound NAT rule to the clients IP then.

                          lex.under.3182
                          last edited by May 13, 2022, 3:04 PM

                          @viragomann @stephenw10

                          Ok guys I think the issue somewhere on other end of firewall.
                          When I am adding these settings I do see requests in logs but the firewall is blocking them, so the first thought I have is to add a Pass rule in the firewall like this
                          https://nimb.ws/WkY0AZ

                          Then when I am doing telnet I do see that firewall stops blocking it
                          https://nimb.ws/8ClMy0

                          And connections times out which is probably means I cannot use 172.28.28.28 as my mail server host in application settings. (

                          root@vault-test:~# telnet 172.28.28.28 587
                          Trying 172.28.28.28...
                          
                          telnet: Unable to connect to remote host: Connection timed out
                          
                            viragomann @lex.under.3182
                            last edited by May 13, 2022, 3:12 PM

                            @lex-under-3182
                            Strange, the rule should allow the packets.

                            Switch to the normal log view, so you can see the rule which blocks the traffic.

                              lex.under.3182 @viragomann
                              last edited by May 13, 2022, 3:14 PM

                              @viragomann Should I use 587 port under translation area?
                              https://nimb.ws/NWw75O

                                viragomann @lex.under.3182
                                last edited by May 13, 2022, 3:21 PM

                                @lex-under-3182
                                No, that's the source port. It should be dynamic (any).
                                Only the destination port is 587.

                                  lex.under.3182 @viragomann
                                  last edited by May 13, 2022, 3:26 PM

                                  @viragomann port for source is empty as you can see on last screenshot. For "Translation" should be empty as well? hmm
                                  Does not that mean to route any traffic to any port at 172.28.28.28 from 192.168.0.136 to 85.13.135.13:587 ?

                                  If I try to connect to 172.28.28.28:80 then it will masquerade it to 85.13.135.13:587 ?

                                    viragomann @lex.under.3182
                                    last edited by May 13, 2022, 3:29 PM

                                    @lex-under-3182
                                    The translation port has to be empty. This is the source port in outgoing packets and should be automatically selected by pfSense.

                                      stephenw10 Netgate Administrator
                                      last edited by May 13, 2022, 3:38 PM

                                      Yup, or check the 'static port' box to use the same source port the client is using. Either should work here though.

                                      Steve

                                        lex.under.3182
                                        last edited by May 13, 2022, 3:55 PM

                                        @stephenw10 @viragomann
                                        Ok guys, thank you for help, but looks like I am stuck with this... It still does not work. May be it is because of some settings in hoster's NAT for pfsense public IP that I do not control.

                                        Although from pfsense I can telnet mail server.

                                        /root: telnet 85.13.135.13 587
                                        Trying 85.13.135.13...
                                        Connected to dd52114.kasserver.com.
                                        Escape character is '^]'.
                                        220 dd52114.kasserver.com ESMTP
                                        

                                        From client's server I cannot

                                        # telnet 172.28.28.28 587
                                        Trying 172.28.28.28...
                                        telnet: Unable to connect to remote host: Connection timed out
                                        

                                        It is possible there are also some other settings in pfsense that I have not enabled and that prevent this from mapping correctly.

                                        I cannot ask you for any further help. It is not ethical I think) You spent a lot of time helping me... I will try to remove everything and setup again on sunday but I think the issue will be there and I will have to add the second openVPN for this purpose. Connecting each server to VPN to be able to send emails looks not very stable solution for me but I am pretty sure this should work...

                                        In any case if somebody still find an issue in my configs or have another solution then please share.
                                        Just to repeat here is my outbound NAT config
                                        https://nimb.ws/IRHqbn
                                        THis is firewall rule for that NAT
                                        https://nimb.ws/VPYBs3
                                        System - Advanced - Firewall&NAT
                                        https://nimb.ws/O8lYWH

                                        By the way, I did an upgrade of pfSense to 2.6.0-RELEASE a few weeks ago. And also there are no Translation options in the System - Advanced - Firewall&NAT menu. But I doubt it could be the cause.

                                          viragomann @lex.under.3182
                                          last edited by May 13, 2022, 4:07 PM

                                          @lex-under-3182
                                          Is the port forwarding rule still in place? It is necessary as well.

                                          Are the packets still blocked? If so, what's the responsible rule?

                                          For troubleshooting, run a packet capture on the pfSense WAN interface, filtered for port 587. So you can clearly see what the packets do.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.