"Disable NAT Reflection" versus "smtp 550 5.7.1 Unable to relay" - SOLVED



  • Hey guys, I am a new user to pfsense and I must say I am really impressed so far.  I have just deployed version "1.2.3-RELEASE" as a virtual machine on our ESXi server and for the most part it works great. I am running into one bug though and need to seek your wisdom.  ;D

    My environment:
    pfsense VM (Virtual Machine) working as our border router.
    It has two virtual NICs:  One connecting to the WAN (97.89.x.x), the other connecting to our LAN (192.168.21.0/24).
    We have a web server sitting behind NAT that is accessible from the WAN.
    We have an exchange server (Windows 2003 Small Biz Server) sitting behind NAT that handles all email for the business.

    My problem:
    When I first deployed PFsense and set up my initial NAT and firewall rules, I noticed that the only way I could hit our company website was from outside our network. If I tried to access our company website from inside the LAN, then the request would timeout.  I started searching the PFSense forums and read where all that needs to be done is to UNCHECK "Disable NAT Reflection" from the Advanced tab in pfsense. Sure enough, as soon as I unchecked this feature, I could then access our company's website from the LAN and WAN.  Problem solved! But then I created a new one…   :-[

    I have found that if I leave "Disable NAT Reflection" unchecked, I can then no longer send emails OUTBOUND.  We can receive emails all day long (courtesy of my port 25 port forwarding rule I have set up).  But if "Disable NAT Reflection" remains unchecked, 100% of our outbound mails are blocked by pfsense and the error message we get from our exchange server is:

    "You do not have permission to send to this recipient.  For assistance, contact your system administrator.
    <[domain name] #5.7.1 smtp;550 5.7.1 Unable to relay for [user@gmail.com]>"

    Of course, I can recheck "Disable NAT Reflection" and mail starts sending outbound with no problems - but then I lose my ability to see our company website from the LAN.

    What am I doing wrong, pfsense heroes!?!   ;D



  • this is odd.  nat reflection should not be affecting anyone who is not trying to send smtp via the WAN IP of the pfsense.  and disabling reflection would not then make things magically work - rather you would not be able to send at all.  there are details missing here of what your setup is.



  • I had the exact same issue with outbound smtp when using Nat reflection.
    I ended up disabling reflection and using split dns by adding the webserver host to the dns forwarder on Pfsense pointing to the private ip instead of the public ip.



  • this makes no sense - as i said, reflection only intercepts outbound packets aimed at the WAN IP.



  • Unless you have your port forward set to match traffic to any address rather than just the interface address.



  • not sure i understand.  you are referring to an explicitly added outbound NAT rule, but reflection is set based on an inbound port forward.  i'm not sure what will happen if the two collide, but clearly something non-standard/weird has to have been done, no?



  • What I meant is that if you have "external address" on your port forward set to "any" then it will redirect all local traffic bound for any destination on that port to your local server.

    By the way, there is a workaround for that on 2.0 to prevent it from happening by accident, besides that it has more options there for external address anyway (now labeled destination address in 2.0).



  • Here are the details of my pfSense which also experienced the same issue.

    PfSense 1.2.3-RC1

    Interfaces:
    LAN
    WAN
    DMZ
    WAN2
    BRIDGE (to WAN2)

    It is pretty much a standard setup with LAN, WAN and DMZ. We have a second WAN (WAN2) for voip traffic only. The PBX is on the Bridged interface and is the only thing routed to WAN2.
    Using Automatic Outbound NAT.
    There is a web server in the DMZ.
    We have a default deny all rule on the LAN interface, so all outbound traffic on the LAN has specific allow rules.
    There is a port (80) forwarding rule on the WAN interface with a destination of a Proxy Arp Virtual IP pointing to the web server in the DMZ.
    The Outbound SMTP rule on the LAN interface has the following setting:
    Protocol      TCP
    Source          *
    Src Port        *
    Destination  *
    Dst Port        25
    Gateway        *

    When NAT reflection is enabled to allow us to access the web server through the Virtual IP, our outbound SMTP is blocked.

    Hope this helps.
    Gordon



  • @Gob:

    I had the exact same issue with outbound smtp when using Nat reflection.
    I ended up disabling reflection and using split dns by adding the webserver host to the dns forwarder on Pfsense pointing to the private ip instead of the public ip.

    Gob, I looked into what you recommended above (split-dns) but when I read the following article:

    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    It states:

    "In order for this to work using the DNS forwarder in pfSense, your clients will need to have the IP Address of the pfSense router as their primary DNS server. "

    I would not be able to change the primary DNS on our clients to point to pfsense because our primary DNS is our Active Directory controller.  Your thoughts?



  • @Efonne:

    By the way, there is a workaround for that on 2.0 to prevent it from happening by accident, besides that it has more options there for external address anyway (now labeled destination address in 2.0).

    Efonne, based on what you said above, do you think Version 2.0 would benefit me and remedy my situation?

    To all,  I really appreciate your thoughts and assistance.  The various posts speak a testament to how popular PFSense is becoming.  Thanks for supporting the new guy!  ;D



  • You're right, you do need to point to your Active Directory DNS for your clients. That is how my clients are set up. However you can then put a DNS forwarder on your AD DNS server so that when it needs to look up an address not on your active directory it will use the pfSense DNS service.

    You can then use the pfSense dns service to spoof external website addresses, so you put in an entry for your website on your web server but point it to the internal IP instead of the public IP.

    Another way is to use your AD DNS server and create a DNS zone for the website with a www (A) record pointing to the internal IP.

    Hope that makes sense?



  • I don't know about you guys, but I am a visual person so I thought this may help (see attached).  Here are my current NAT and firewall rules.  Using the screens you see attached, I am experiencing the problem initially described by my first post.



  • I wasn't aware of efonne's point that if you say 'any' instead of the WAN IP, it will redirect any outbound for that port. Based on your posted port forward, that is your problem.  You are doing http to the ext ip, so why not smtp?



  • SOLVED!

    Dans,

    As soon as I changed my SMTP NAT rule from "any" to "interface address" it started working fine with "Disable NAT Reflection" UNCHECKED.

    Now I can send email outbound AND we can hit our company website from both the LAN and WAN.

    THANKS A TON GUYS!  It is really appreciated!

    I must confess, I thought NAT only dealt with traffic coming in and not dealing with anything leaving our network - but hey it's fixed so I'm happy!  ;D
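To make the mechanism Efonne and dans describe concrete, here is an added Python model (not pfSense code) of how a LAN-side reflection rule derived from a port forward matches traffic: an "any" external address on a port-25 forward catches every outbound SMTP connection, while "interface address" only catches connections aimed at the WAN IP. All addresses are constructed, and the wildcard guard mirrors the 2.0 check Efonne mentions below.

```python
# Toy model of NAT reflection rules derived from pfSense port forwards.
# Constructed addresses throughout; this is an illustration, not pfSense code.
from dataclasses import dataclass

WAN_IP = "97.89.0.2"          # constructed stand-in for the real WAN address
EXCHANGE = "192.168.21.10"    # constructed internal Exchange server
WEBSERVER = "192.168.21.20"   # constructed internal web server
GMAIL_MX = "64.233.0.1"       # constructed external mail exchanger

WILDCARDS = ("any", "0.0.0.0")   # "0.0.0.0" modelled as a wildcard, as the thread describes


@dataclass
class PortForward:
    ext_addr: str   # "any", "interface address", or an explicit IP
    port: int
    target: str     # internal host the forward points at


def reflection_rules(forwards, wan_ip, reflection_enabled, guard_wildcards=False):
    """Build the (match_dst, port, target) redirect tuples applied to LAN traffic.

    With reflection disabled there are none. With it enabled, every forward
    yields a LAN-side redirect whose destination is the forward's external
    address, so a wildcard external address means *every* destination on that
    port. guard_wildcards models the 2.0 check that skips such forwards."""
    if not reflection_enabled:
        return []
    rules = []
    for f in forwards:
        if guard_wildcards and f.ext_addr in WILDCARDS:
            continue  # no reflection rule generated for a wildcard forward
        dst = wan_ip if f.ext_addr == "interface address" else f.ext_addr
        rules.append((dst, f.port, f.target))
    return rules


def route_lan_packet(dst_ip, dst_port, rules):
    """Return the host a LAN packet actually reaches after redirect evaluation."""
    for match_dst, port, target in rules:
        if port == dst_port and (match_dst in WILDCARDS or match_dst == dst_ip):
            return target
    return dst_ip  # no redirect matched: packet leaves toward its real destination


def outbound_mail_destination(smtp_ext_addr, reflection_enabled, guard=False):
    """Where LAN mail bound for an external MX ends up for a given SMTP forward."""
    forwards = [PortForward("interface address", 80, WEBSERVER),
                PortForward(smtp_ext_addr, 25, EXCHANGE)]
    rules = reflection_rules(forwards, WAN_IP, reflection_enabled, guard)
    return route_lan_packet(GMAIL_MX, 25, rules)
```

Mail that lands on EXCHANGE instead of GMAIL_MX is the hijacked case: the Exchange server is asked to relay for an outside recipient and answers with the 550 5.7.1 quoted in the first post.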



  • Cool!



  • I added the workaround in 2.0 for exactly this reason.  It is something that many users do not expect to happen. (but you can prevent it if you know about it)  The same thing can also happen if it somehow ends up using 0.0.0.0 for the address.  I added a check for that one a few hours ago to disable reflection on such port forwards.



  • Thanks Efonne!  That's the great thing about open source projects, the product can get continuously improved based off of community feedback.
