Redirect SMTP and HTTP traffic with virtual IP from a specific source alone



  • Dear Pf sense Team,

    I have been facing a lot pressure from my fellow superior heads. In our company we often get VIP guests visting us and they bring their laptop and want the SMTP port 25 to be opened for them. And every time they come and go i get my static IP blacklisted, its been very annoying.
    I was thinking of using SMTP proxy in the firewall first level and second level of redirecting SMTP traffic from a particular source to any using a different static IP other than the default one.

    Can anyone suggest if this redirecting can be done in pfsense ?

    Thanks,
    Venkat



  • If you have multiple public IP addresses available on your WAN interface then just go to Firewalls-NAT-Outgoing and add NAT rule for specific local IP address (you give to guests) mapping it to one designated public IP. smtp proxy will not help here as it will be blacklisted as well (if I understand your question correctly).



  • You don't want to redirect it, you want to change your NAT, either so your mail server goes out a diff IP or the inside hosts do.



  • Hello Eugene,

    I tried your steps, but it doesn't show the designated public IP when i verify it using myipaddress.com site.
    Or maybe i did it wrongly, below is the rule i have added, please correct me if i am wrong.

    Added outgoing NAT rule like –>
    ISP Name  172.17.0.0/16 * * * 58.x.x.x *

    Venkat



  • @cmb:

    You don't want to redirect it, you want to change your NAT, either so your mail server goes out a diff IP or the inside hosts do.

    Yes exactly, but how do i go about it.



  • can we see your pfctl -sn ?
    this rule has to go before other rules with 172.17.0.0/16 as a source net.



  • @Eugene:

    can we see your pfctl -sn ?
    this rule has to go before other rules with 172.17.0.0/16 as a source net.

    Yes PFA




  • So 172.17.0.0/16 has to use 58.xxx public IP. Does it?



  • Is that IP starting with 58 a virtual IP on your WAN interface? Then you need to change the interface in your outbound NAT rule to WAN. Outbound NAT rules are matched with outgoing traffic on an interface, not incoming.



  • @Eugene:

    So 172.17.0.0/16 has to use 58.xxx public IP. Does it?

    Yes Eugene, thats what i exactly want to do.



  • kpa is right.



  • Actually we have two ISP. one is WAN [reliance] and the other one is Aircel. In this i am trying route a specific source to any using additional static IP from Aircel ISP which starts with 58.x.x.x series.



  • In this case you have to choose proper Gateway in Firewall->Rules for this specific traffic.



  • Okay i think i am making some other mistake. Internet doesn't even work when i just set the outbound NAT rule. It just starts staying looking up google.com when i hit it on the browser. If i just allow full access to the domain and DNS server in Rules–> LAN   isn't that enough ? or do i have to add any specific rules.

    But it didn't state connecting to google.com when i hit it in the browser, so i am assuming its only DNS resolution needs to be corrected.
    Any clue's where i would have gone wrong.



  • @Eugene:

    In this case you have to choose proper Gateway in Firewall->Rules for this specific traffic.

    Yes i  checked it, its all set correctly to corresponding GW



  • How many interfaces do you have?



  • 3 interfaces:
    1. LAN
    2. WAN - Reliance ISP
    3. Aircel - ISP



  • How come you have two networks 172.17.0.0/16 and 172.16.0.0/16 on LAN, what are setting (IP address/mask) on your LAN interface?



  • Actualy our Local LAN network is seperated into different VLAN using cisco catalyst switches.

    IP : 172.16.0.0 /16 and 172.17.0.0/16 and 10.5.0.0/16
    172.17.x.x for Wireless and 172.16.x.x for servers and 10.5.x.x for desktops like that.



  • Little diagram/explanation would definitely have here
    172.16.0.0/16 vlan x–--|catalyst|?.?.?.?/? vlan ?-----?.?.?.?/?pfSense
    172.17.0.0/16 vlan y----|          |



  • Thats gonna be little hard …..i will try to explain you the best.

    first -->server network[172.16.x.x/16] VLAN 10 –> connected to layer 3 switch ---> connected to pfsense [for internet]

    GW - 172.16.1.10 for server vlan –>  route o.o.o.o o.o.o.o. to pfsense 172.16.1.254 --> packets hits pfsense here.                
    why vlan coz we have few departments who system or files should not be accessed by others and the wifi we have about 5 profiles.
    like VIP, staff and guest and so each profile gets a different IP range and cannot access other network. And why cisco switch b'coz it has a concept stacking which gives master and slave switch and both is binded including the ports. each port 1 GBPS so when binded it will work on 2 GBPS and even when one switch is down, it will still start working on the other one.



  • Then I suspect you have to have on pfSense:
    1. Rules on LAN allowing net 172.16.0.0/16 to go to Internet using default gateway.
    2. Rules on LAN allowing net 172.17.0.0/16 to go to Internet using default 58.xx gateway.
    3. Rules on LAN allowing net xxx to go to Internet using ??? gateway.
    "allow to go to Internet" means TCP/UDP port 53, TCP ports 80 and 443 at least (and ICMP if you wish).

    On NAT->Outbound page you have to create NAT entries for all subnets on proper interfaces.



  • Yep Eugene at last got it to work.. thnx for all the help.

    After adding DNS servers in the rule, it all started to work.

    Thanks,
    Venkat


Log in to reply