DNAT only for specific IPs



  • I've been having major problems with my ISP's SMTP relays (both of the ISPs have started silently dropping mail that matches some random filter they won't tell me about…) at a couple of offices I manage. What I've done is obtain a VPS to act as a private mail relay for my client. What I'd like to do with pfSense is DNAT just the ISP's SMTP relay servers to my new relay on a different port.

    Currently I have a port forward rule redirecting all port 25 traffic to my relay, but I am concerned that an infected client machine with a spam bot would be able to relay any mail it wants since it can connect to any host on port 25 and reach a server that will relay mail for it. Instead, I would like to set up a DNAT rule that looks at both the destination port and IP before NATing it to my relay. Is this possible with pfSense?



  • You could, but maybe try this instead (I had the exact same issue as you.)  On my vps (linode), I installed a stripped-down postfix smtp server.  I set my real mail server behind pfsense to use the vps as a smart relay.  To prevent it being used as an open relay, it only accepts authenticated clients, which my real postfix server is.  I am not worried about infected bots like you, but if that is a concern, you could set an outbound rule that blocks smtp to anywhere but the vps.



  • My problem is similar,

    I need to do DNAT on port 80 to a squid proxy (thereby making it transparent to the end users). But only for a specific IP.
    Both the squid server and the 'end users' are on the LAN subnet.

    Is this possible? In Linux iptables you would just to DNAT…..


Log in to reply