    DNAT only for specific IPs

ktims:

I've been having major problems with my ISP's SMTP relays (both of the ISPs have started silently dropping mail that matches some random filter they won't tell me about…) at a couple of offices I manage. What I've done is obtain a VPS to act as a private mail relay for my client. What I'd like to do with pfSense is DNAT just the ISP's SMTP relay servers to my new relay on a different port.

Currently I have a port forward rule redirecting all port 25 traffic to my relay, but I am concerned that an infected client machine with a spam bot would be able to relay any mail it wants, since it can connect to any host on port 25 and reach a server that will relay mail for it. Instead, I would like to set up a DNAT rule that looks at both the destination port and IP before NATing it to my relay. Is this possible with pfSense?

danswartz:

You could, but maybe try this instead (I had the exact same issue as you). On my VPS (Linode), I installed a stripped-down Postfix SMTP server. I set my real mail server behind pfSense to use the VPS as a smart relay. To prevent it being used as an open relay, it only accepts authenticated clients, which my real Postfix server is. I am not worried about infected bots like you, but if that is a concern, you could set an outbound rule that blocks SMTP to anywhere but the VPS.

axonxorz:

My problem is similar.

I need to do DNAT on port 80 to a Squid proxy (thereby making it transparent to the end users), but only for a specific IP. Both the Squid server and the 'end users' are on the LAN subnet.

Is this possible? In Linux iptables you would just DNAT…

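The three setups discussed in this thread (ktims' relay-only DNAT, danswartz's outbound SMTP block, and axonxorz's per-host Squid redirect on the same subnet), written out as an added pf.conf fragment in the form pfSense generates from its Port Forward and Firewall Rules pages. This is example configuration, not from the thread or from any pfSense install; interface names, addresses, the relay port 2525 and the Squid port 3128 are placeholders.

```pf
# Added example (not from the thread). All interface names and addresses are placeholders.
lan_if  = "em1"
wan_if  = "em0"
lan_net = "192.168.1.0/24"
relay_vps      = "203.0.113.5"    # private SMTP relay on the VPS (placeholder)
squid          = "192.168.1.20"   # Squid box, on the LAN subnet (placeholder)
proxied_client = "192.168.1.50"   # the single host to proxy (placeholder)

# The ISP relays the clients are currently configured to use (placeholder addresses).
table <isp_smtp_relays> { 192.0.2.10, 192.0.2.11 }

# 1. ktims' case: the redirect matches destination address AND port, so only mail
#    that was already headed for the ISP relays is rewritten to the VPS on 2525.
#    Any other port-25 connection is left alone and handled by the filter below.
rdr on $lan_if proto tcp from $lan_net to <isp_smtp_relays> port 25 -> $relay_vps port 2525

# 2. danswartz's suggestion as a filter rule. Filter rules see the post-rdr
#    destination, so the pass rule names the VPS and its port; everything else
#    on port 25 is dropped, and a spam bot cannot pick its own relay.
pass  in quick on $lan_if proto tcp from $lan_net to $relay_vps port 2525
block in quick on $lan_if proto tcp from $lan_net to any port 25

# 3. axonxorz's case: redirect one client's web traffic to Squid. Squid and the
#    client share the subnet, so without the extra source NAT Squid would answer
#    the client directly from its own address and the TCP session would break.
#    The nat rule rewrites the source to the LAN interface address ("hairpin";
#    NAT reflection with automatic outbound NAT in the pfSense GUI).
rdr on $lan_if proto tcp from $proxied_client to ! $lan_net port 80 -> $squid port 3128
nat on $lan_if proto tcp from $proxied_client to $squid port 3128 -> ($lan_if)
pass in quick on $lan_if proto tcp from $proxied_client to $squid port 3128
```

Verify with `pfctl -nf /path/to/pf.conf` for syntax and `pfctl -s nat` / `pfctl -s rules` to confirm the loaded order, since pf evaluates the rdr table before the filter rules.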