Policy routing smtp traffic over IPsec vpn



  • Hello guys,

    I've started using pfSense only since last week, and it is love at first sight! The reason I'm making this post is because I've got a problem. My ISP (Telfort) has put all of their IPs on a mailing blacklist. This prevents me from running my own mailserver. The mailserver is running on VMware at my home.

    I made an IPsec VPN from my home (10.90.1.0/24) to a Cisco ASA 5505 at a second location (10.90.2.0/24, at my mom's). That location is using an ISP that allows all traffic and isn't blacklisted. All is working just fine, but I am not able to place a (second) mailserver at the other location.

    Now I'm trying to route all SMTP traffic from the mailserver at my home over the IPsec tunnel so it enters the internet from the other ISP's address. I have tried to create a firewall rule using a fake load balancer as gateway and editing the config, replacing the gateway with 10.90.2.1, but that didn't work.

    Does anyone have an idea how to accomplish this? Maybe with v2.0beta?


  • Rebel Alliance Developer Netgate

    You can't policy route that way with IPsec. You can sort of fake it with OpenVPN a bit, but it still isn't really supported in the GUI.



  • Hi jimp,

    Thanks for your reply. You're saying it is possible without the GUI? Is that something I could try, or do I have to use OpenVPN at the ASA also? I don't think that will work, will it?


  • Rebel Alliance Developer Netgate

    Correct: ASA won't do OpenVPN.

    As for being supported in the GUI, the time I did it on 2.0 I had to use a roundabout way of getting a gateway configured to use in rules because you can't configure it directly on an assigned OpenVPN interface or it will cause other issues.



    I've tried configuring a gateway also, but was unsuccessful. I've tried to configure it using a fake load balancer and changed the gateway in the config file. But of course it was still pointing to the WAN interface, and pfSense sent the packets on to the WAN.

    How did you manage to configure a gateway pointing to the IPsec tunnel?


  • Rebel Alliance Developer Netgate

    I did not. You cannot do that with IPsec.

    I did it with OpenVPN.



    Damn :'(,

    Well, I guess there is no other option than to place a second server over there in the meantime. Just until I've switched to another ISP.

    Thanks for the help!


  • Rebel Alliance Developer Netgate

    If you were using pfSense 2.0 beta you might be able to do something with IPsec in transport mode + a GRE tunnel riding across that, but I haven't set that up before. IIRC, the ASA should support that (but you'd have to check on that first).

