Access to my Exchange Server from WAN with Pfsense
-
Hello,
I've set up a virtualization server running Proxmox with 2 Active Directory domain controllers and an Exchange server accessible from outside with a public IP with a purchased domain name (mail.<domain>.fr) port forwarded through my router with ports 443, 587, 25, etc., open from the outside (not very secure, I know).
My Proxmox server is directly connected to my SFR box (SFR being my French ISP).
My local subnet is 192.168.1.0/24, and my Exchange Server is at 192.168.1.61.
When I created another subnet with Pfsense, I set it to 10.20.30.0/24 to put all my VMs (the two DCs + Exchange) in this subnet, but I lose the port forwarding from the router from the ISP, so I have to port forward from Pfsense.
Now the Exchange Server is at 10.20.30.61.
I tried to port forward port 80 and 443 from my Exchange IIS on Pfsense, but I can't access it from outside with my public IP...
Do I need to do something on my router to access my Exchange server from the outside?
Infrastructure right now:

                 192.168.1.1
+---------+      +-------------+
| ROUTER  | ---- | FW Pfsense  | ------ Local Network 10.20.30.X
+---------+      +-------------+
-
@Mahadir So when you added pfsense, you essentially added another NAT from the 192 subnet to 10.... And pfsense will block any attempts to access anything on the 10.... subnet, unless you open the right ports in pfsense.
So open the ports in pfsense towards the exchange server 10.20.30.61, and do one of the following:
The best way to do this, and make use of pfsense, is to replace the SFR router with pfsense completely. Then you will have full freedom to manage everything in pfsense instead.
An alternative is, if that functionality exists, to set the SFR router to bridge mode, in which case it will bypass the internal firewall and NAT translation and pass on your public IP to pfsense.
If none of these alternatives work, perhaps the SFR router allows you to place pfsense in a DMZ, where all ports are completely opened towards it.
The last resort is to forward the ports in the SFR router, but having pfsense as the target.
-
@Gblenn Thank you for your reply.
In the first place, unfortunately, it's not possible for me to replace my router with Pfsense because it's a virtual machine hosted within a Computer, and many people use it with a direct wired connection plus television and telephony services. So, this option isn't ideal.
Bridge mode on this type of router model is not supported by the operator, and this option isn't available in the modem directly.
Furthermore, I still have the option to choose the DMZ IP address!
So, by setting the DMZ IP address to 192.168.1.254 (which is my Pfsense WAN side), will it solve my problem? Will it allow my Pfsense to forward ports from my Exchange server at 10.20.30.61 to all the previously mentioned ports? Should I also configure the WAN as DHCP to obtain the public IP address directly on Pfsense?
Thank you for your reply. :)
-
@Mahadir Ok, well the fact that you use the machine for many other things does not exclude the possibility to replace the ISP router with pfsense. I am myself running pfsense on Proxmox and that same machine is running several other VMs.
The reason you may not want that is either that it is located too far away to make the physical connection to the WAN, or that you do a lot of restarting of the Proxmox machine, which would interrupt your internet connection for all... But typically you do not have to restart Proxmox at all, except when changing HW for example. It's best if you can assign dedicated ports for pfsense WAN and LAN, and use any other ports on the Proxmox machine for the other VMs and the management interface. I'm guessing you have 3 or more ports in that machine?
And preferably you pass those two ports through (IOMMU) to pfsense, which means that Proxmox cannot see them or use them for anything, and pfsense has full ownership of them. If not, just make sure you only assign for example vmbr3 and 4 to pfsense, and vmbr0, 1 and 2 can be used for other VMs, or however many ports you have.
When it comes to DMZ, that has to be done towards a specified target machine, which means you want to give pfsense a fixed IP. In pfsense you keep the WAN interface config type as DHCP, and you decide on an IP and set that in the SFR router. If you disable and then enable the WAN interface, it will pick up the new address from the SFR router. But you can never get your public IP on the LAN side of their router unless it has Bridge Mode.
So once you see the correct IP in pfsense interface, you can go to the DMZ settings in the SFR router and apply that to the IP that pfsense has. Now all ports are opened towards pfsense and you should be able to access your exchange server from the internet, as long as you have done the port forwarding (Firewall > NAT) in pfsense.
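One way to verify the last step of the procedure above (that pfSense has actually loaded rdr/port-forward rules for the Exchange ports towards 10.20.30.61), as an added example that is not part of the thread: a small script run on the pfSense shell against `pfctl -sn`. It assumes the Exchange ports are 25, 443 and 587, that pfctl prints ports either as numbers or as service names, and the interface name vtnet0 and the sample pfctl output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the NAT rules pfSense has loaded
# include an rdr (port forward) for each Exchange port to 10.20.30.61.
# On the pfSense shell run:  check_rdr "$(pfctl -sn)"
# Assumptions: pfctl prints ports as numbers or service names; the interface name
# vtnet0 and the SAMPLE_RULES text below are constructed.
EXCHANGE_IP="10.20.30.61"
WANTED_PORTS="25 443 587"   # SMTP, HTTPS (OWA/EWS/ActiveSync), submission
# Map service names pf may print back to numbers (assumed mapping).
port_num() {
  case "$1" in
    smtp) echo 25 ;;  http|www) echo 80 ;;
    https) echo 443 ;;  submission) echo 587 ;;
    *) echo "$1" ;;
  esac
}

# check_rdr RULES: prints ok/MISSING per wanted port; returns 1 if any is missing.
check_rdr() {
  _status=0
  # Collect the "port = X" token of every rdr line whose target is the Exchange IP.
  _fwd=$(printf '%s\n' "$1" | awk -v ip="$EXCHANGE_IP" '
    $1 == "rdr" {
      src = ""; hit = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "port" && $(i+1) == "=") src = $(i+2)
        if ($i == "->" && $(i+1) == ip) hit = 1
      }
      if (hit && src != "") print src
    }')
  for p in $WANTED_PORTS; do
    _found=0
    for f in $_fwd; do
      [ "$(port_num "$f")" = "$p" ] && _found=1
    done
    if [ "$_found" -eq 1 ]; then
      echo "port $p -> $EXCHANGE_IP: ok"
    else
      echo "port $p -> $EXCHANGE_IP: MISSING (add it under Firewall > NAT)"
      _status=1
    fi
  done
  return $_status
}
# Constructed sample of pfctl -sn output: 443, 587 and 80 forwarded, 25 not.
SAMPLE_RULES='rdr on vtnet0 inet proto tcp from any to 192.168.1.254 port = https -> 10.20.30.61
rdr on vtnet0 inet proto tcp from any to 192.168.1.254 port = 587 -> 10.20.30.61
rdr on vtnet0 inet proto tcp from any to 192.168.1.254 port = http -> 10.20.30.61'
check_rdr "$SAMPLE_RULES" || echo "at least one Exchange port is not forwarded by pfSense"
```

Because the SFR DMZ opens every port towards the pfSense WAN address, the rdr rules listed here (and the matching WAN firewall rules) are the only thing deciding what reaches 10.20.30.61.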