Help needed to setup firewall rules



  • Hi everybody!
    I have a following setup but it works only for external clients:

                            |---[mail server 192.168.3.94/27]
    [internet]---[pfsense]--|---[other 192.168.3.30/27]
                            |---[web server 192.168.3.62/27]

    Everything works with external clients when they are accessing the web server or using the email server, but when I telnet (telnet my_email_server_dns_name 25) from the web server, which is 192.168.3.35, to my mail server 192.168.3.65, it fails. It also fails if I use the public IP assigned to the email server.
    I've attached the NAT and WAN rules. Mail and web interfaces are set to allow everything.
    Any help would be appreciated





  • Does it work if you use the internal IP directly?

    Did you consider this: http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F



  • @GruensFroeschli:

    Does it work if you use the internal IP directly?

    Did you consider this: http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    It works with the local IP.

    Method 2 from the wiki didn't work. Should I uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"? It is checked right now.

    Disabling NAT reflection worked, but what kind of consequences can I expect if it is not the recommended way of doing things?



  • What do you mean with "method 2 from the wiki didn't work"?
    This definitely does work (unless you have a misconfiguration somewhere…)
    No, the "allow override" option has nothing to do with this.
    Do your clients use the pfSense as DNS server?

    Disabling NAT reflection is not "not recommended" per default.
    It's just not so clean because you have to start an additional daemon on the firewall which bounces connections around.
    Keep in mind that you cannot reflect ranges of ports bigger than 500 (like ports 25000 - 25999 --> a range of 1000 ports)
    and not more than 1000 ports overall.
    If you have a lot of interfaces, reflections are put in place for every interface.
    Meaning if you have 10 interfaces, you effectively can only reflect 100 ports, because it has to reflect on all interfaces.

    Split DNS is just the proper way to do it!

    (And you avoid a lot of headaches if you have to debug a problem just to find out that the reflections were not put in place because you have too many ports ;) )
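    The port limits described in the reply above are easy to run into without noticing, so here is a small checker, added to this thread as an illustration and not taken from pfSense or from any poster, that applies those limits to a list of port forwards. The `Forward` type, the sample rules and the assumption that every reflected port is counted once per interface are all constructed for the example.

```python
# Added example (not pfSense code): apply the NAT reflection limits quoted in the
# thread (no single forward larger than 500 ports, at most 1000 reflected ports
# overall, and a reflection installed on every interface) to a rule list.
from dataclasses import dataclass

MAX_PORTS_PER_FORWARD = 500   # a larger range is silently not reflected
MAX_REFLECTED_PORTS = 1000    # overall budget shared across all interfaces


@dataclass
class Forward:
    name: str
    ports: str   # "25" or "25000-25999", as written in the NAT rule


def port_count(spec: str) -> int:
    """Number of ports covered by a single port or a lo-hi range."""
    lo, _, hi = spec.partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not (1 <= lo_n <= hi_n <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return hi_n - lo_n + 1


def check_reflection(forwards, interfaces: int):
    """Return (reflected, skipped, ports_used, over_budget).

    skipped: forwards whose range exceeds MAX_PORTS_PER_FORWARD and would be
    left out.  ports_used: reflected ports counted once per interface, which is
    the assumption behind "10 interfaces -> only 100 ports" in the thread.
    """
    reflected, skipped, used = [], [], 0
    for fw in forwards:
        n = port_count(fw.ports)
        if n > MAX_PORTS_PER_FORWARD:
            skipped.append(fw.name)
            continue
        reflected.append(fw.name)
        used += n * interfaces
    return reflected, skipped, used, used > MAX_REFLECTED_PORTS


if __name__ == "__main__":
    # constructed sample resembling the setup in the thread (WAN, mail, web)
    sample = [Forward("smtp", "25"), Forward("http", "80"),
              Forward("https", "443"), Forward("game", "25000-25999")]
    ok, dropped, used, over = check_reflection(sample, interfaces=3)
    print(f"reflected={ok} skipped={dropped} ports_used={used} over_budget={over}")
```

    A forward listed under `skipped` is exactly the case the reply warns about: the rule exists, but no reflection is ever installed for it, so internal clients keep failing with no visible error.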



  • Method 2 (split DNS) from the link you've provided didn't do anything.
    Clients are set to use an external DNS server; should I change it to pfSense for split DNS to work?


  • Rebel Alliance Developer Netgate

    @covex:

    Method 2 (split DNS) from the link you've provided didn't do anything.
    Clients are set to use an external DNS server; should I change it to pfSense for split DNS to work?

    Yes, for that kind of split DNS to work, clients should be using your pfSense box as their DNS Server.

