Netgate Discussion Forum

Redirect SMTP and HTTP traffic with virtual IP from a specific source alone

  • D
    djvenky
    last edited by Apr 6, 2010, 5:19 PM

    Dear pfSense Team,

    I have been facing a lot of pressure from my fellow superior heads. In our company we often get VIP guests visiting us and they bring their laptop and want the SMTP port 25 to be opened for them. And every time they come and go I get my static IP blacklisted; it's been very annoying.
    I was thinking of using an SMTP proxy in the firewall first level and second level of redirecting SMTP traffic from a particular source to any using a different static IP other than the default one.

    Can anyone suggest if this redirecting can be done in pfSense?

    Thanks,
    Venkat

    • E
      Eugene
      last edited by Apr 6, 2010, 9:00 PM

      If you have multiple public IP addresses available on your WAN interface then just go to Firewalls-NAT-Outgoing and add a NAT rule for the specific local IP address (the one you give to guests), mapping it to one designated public IP. An SMTP proxy will not help here as it will be blacklisted as well (if I understand your question correctly).

      http://ru.doc.pfsense.org

      • C
        cmb
        last edited by Apr 6, 2010, 10:43 PM

        You don't want to redirect it, you want to change your NAT, either so your mail server goes out a diff IP or the inside hosts do.

        • D
          djvenky
          last edited by Apr 7, 2010, 4:44 PM

          Hello Eugene,

          I tried your steps, but it doesn't show the designated public IP when I verify it using the myipaddress.com site.
          Or maybe I did it wrongly. Below is the rule I have added; please correct me if I am wrong.

          Added outgoing NAT rule like -->
          ISP Name  172.17.0.0/16 * * * 58.x.x.x *

          Venkat

          • D
            djvenky
            last edited by Apr 7, 2010, 4:46 PM

            @cmb:

            You don't want to redirect it, you want to change your NAT, either so your mail server goes out a diff IP or the inside hosts do.

            Yes exactly, but how do I go about it?

            • E
              Eugene
              last edited by Apr 7, 2010, 4:55 PM

              Can we see your pfctl -sn?
              This rule has to go before other rules with 172.17.0.0/16 as a source net.

              http://ru.doc.pfsense.org

              • D
                djvenky
                last edited by Apr 7, 2010, 5:28 PM

                @Eugene:

                can we see your pfctl -sn ?
                this rule has to go before other rules with 172.17.0.0/16 as a source net.

                Yes PFA

                pfsense.jpg

                • E
                  Eugene
                  last edited by Apr 7, 2010, 5:41 PM

                  So 172.17.0.0/16 has to use 58.xxx public IP. Does it?

                  http://ru.doc.pfsense.org

                  • K
                    kpa
                    last edited by Apr 7, 2010, 5:43 PM

                    Is that IP starting with 58 a virtual IP on your WAN interface? Then you need to change the interface in your outbound NAT rule to WAN. Outbound NAT rules are matched with outgoing traffic on an interface, not incoming.

                    • D
                      djvenky
                      last edited by Apr 7, 2010, 5:45 PM

                      @Eugene:

                      So 172.17.0.0/16 has to use 58.xxx public IP. Does it?

                      Yes Eugene, that's what I exactly want to do.

                      • E
                        Eugene
                        last edited by Apr 7, 2010, 5:46 PM

                        kpa is right.

                        http://ru.doc.pfsense.org

                        • D
                          djvenky
                          last edited by Apr 7, 2010, 5:52 PM Apr 7, 2010, 5:50 PM

                          Actually we have two ISPs. One is WAN [Reliance] and the other one is Aircel. In this I am trying to route a specific source to any using an additional static IP from the Aircel ISP, which starts with the 58.x.x.x series.

                          • E
                            Eugene
                            last edited by Apr 7, 2010, 5:53 PM

                            In this case you have to choose proper Gateway in Firewall->Rules for this specific traffic.

                            http://ru.doc.pfsense.org

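A simplified model of the three points raised so far in the thread, added here as an illustration (it is not part of any post and is not pfSense's own code): outbound NAT rules are evaluated top-down with the first match winning, they match on the interface the traffic leaves through, and the gateway chosen in Firewall->Rules decides which interface that is. Interface names and addresses are constructed; 203.0.113.10 stands in for the thread's 58.x.x.x address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed documentation addresses; GUEST_VIP stands in for the thread's 58.x.x.x.
WAN_IP, AIRCEL_IP, GUEST_VIP = "198.51.100.1", "203.0.113.1", "203.0.113.10"
GUESTS, ALL_LAN = "172.17.0.0/16", "172.16.0.0/12"

@dataclass
class NatRule:
    iface: str      # interface the packet leaves through (hypothetical names)
    source: str     # source network, CIDR
    translate: str  # public address written as the new source

def egress_iface(src, policy_routes, default="wan"):
    """Model of the gateway chosen in Firewall->Rules: first matching route wins."""
    for net, iface in policy_routes:
        if ip_address(src) in ip_network(net):
            return iface
    return default

def translated_source(src, rules, policy_routes=()):
    """Public source address for src, or None when no NAT rule matches."""
    out = egress_iface(src, policy_routes)
    for rule in rules:  # evaluated top-down, first match wins
        if rule.iface == out and ip_address(src) in ip_network(rule.source):
            return rule.translate
    return None

def scenarios(guest="172.17.4.20"):
    to_aircel = [(GUESTS, "aircel")]
    wan_default = NatRule("wan", ALL_LAN, WAN_IP)
    aircel_default = NatRule("aircel", ALL_LAN, AIRCEL_IP)
    guest_on_lan = NatRule("lan", GUESTS, GUEST_VIP)
    guest_on_aircel = NatRule("aircel", GUESTS, GUEST_VIP)
    return {
        # Rule bound to the inside interface never matches outgoing traffic.
        "rule_on_lan": translated_source(guest, [guest_on_lan, wan_default]),
        # Correct interface, but the broader rule above it matches first.
        "wrong_order": translated_source(
            guest, [aircel_default, guest_on_aircel, wan_default], to_aircel),
        # Correct rule, but no gateway selected: traffic still exits via WAN.
        "no_gateway": translated_source(guest, [guest_on_aircel, wan_default]),
        # Specific rule first, on the exit interface, with the gateway set.
        "fixed": translated_source(
            guest, [guest_on_aircel, aircel_default, wan_default], to_aircel),
    }

if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:12} -> {addr}")
```

Only the last scenario sends the guest network out with the dedicated address; in the other three the guests keep sharing a default address, which is the blacklisting exposure the original question is trying to remove.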
                            • D
                              djvenky
                              last edited by Apr 7, 2010, 6:29 PM Apr 7, 2010, 6:13 PM

                              Okay, I think I am making some other mistake. Internet doesn't even work when I just set the outbound NAT rule. It just starts staying looking up google.com when I hit it on the browser. If I just allow full access to the domain and DNS server in Rules --> LAN, isn't that enough? Or do I have to add any specific rules?

                              But it didn't state connecting to google.com when I hit it in the browser, so I am assuming it's only DNS resolution that needs to be corrected.
                              Any clues where I would have gone wrong?

                              • D
                                djvenky
                                last edited by Apr 7, 2010, 6:29 PM

                                @Eugene:

                                In this case you have to choose proper Gateway in Firewall->Rules for this specific traffic.

                                Yes, I checked it; it's all set correctly to the corresponding GW.

                                • E
                                  Eugene
                                  last edited by Apr 7, 2010, 6:36 PM

                                  How many interfaces do you have?

                                  http://ru.doc.pfsense.org

                                  • D
                                    djvenky
                                    last edited by Apr 8, 2010, 5:42 AM

                                    3 interfaces:
                                    1. LAN
                                    2. WAN - Reliance ISP
                                    3. Aircel - ISP

                                    • E
                                      Eugene
                                      last edited by Apr 8, 2010, 1:47 PM

                                      How come you have two networks, 172.17.0.0/16 and 172.16.0.0/16, on LAN? What are the settings (IP address/mask) on your LAN interface?

                                      http://ru.doc.pfsense.org

                                      • D
                                        djvenky
                                        last edited by Apr 8, 2010, 2:25 PM Apr 8, 2010, 2:23 PM

                                        Actually our local LAN network is separated into different VLANs using Cisco Catalyst switches.

                                        IP: 172.16.0.0/16 and 172.17.0.0/16 and 10.5.0.0/16
                                        172.17.x.x for wireless and 172.16.x.x for servers and 10.5.x.x for desktops, like that.

                                        • E
                                          Eugene
                                          last edited by Apr 8, 2010, 2:26 PM

                                          A little diagram/explanation would definitely help here
                                          172.16.0.0/16 vlan x----|catalyst|?.?.?.?/? vlan ?-----?.?.?.?/?pfSense
                                          172.17.0.0/16 vlan y----|          |

                                          http://ru.doc.pfsense.org
