
    Multi-wan email gateway

    Routing and Multi WAN
    brcisna:

      Hello All,

      pfSense-1.2.3-RELEASE
      2-WAN
      1-LAN

      pfSense has been working great for our school's needs. Thanks to ALL that make pfSense happen!
      We run an internal mail server behind the pfSense box. No problems in regards to the port 25 traffic going out WAN1, which is where our MX record is pointed to.
      This week we started getting blacklisted as our network was throwing out Waledac spambot traffic. OK, so I try chasing down PCs and looking in the states for one source to many destinations. I cannot really see any kind of pattern in the states at all to ID one PC in particular.

      Question: I am thinking I should be able to restrict port 25 outgoing traffic more than the rules I currently have set up:

      Proto  Source   Port  Destination  Port  Gateway      Schedule  Description
      tcp    LAN net  *     *            25    WAN1gateway            smtp

      I would like to change to the following to restrict ONLY the email server IP 172.28.8.55 to send out port 25 traffic:

      Proto  Source   Port  Destination  Port  Gateway      Schedule  Description
      tcp    LAN net  25    172.28.8.55  25    WAN1gateway            smtp

      When I switch to the second scenario, sometimes port 25 traffic goes out WAN1, sometimes it goes out WAN2 and thus gets rejected.
      I will attach a screenshot of our LAN rules.
      It seems the second scenario should be valid?

      Thank You,
      Barry

      [Attachment: LAN.png (screenshot of the LAN rules)]

      jimp (Rebel Alliance Developer, Netgate):

        In the second scenario you specify a source port. Don't do that. :-)

        The traffic won't match it, as the source port is random, so it falls through to your load balance rule.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        brcisna:

          jimp,

          Thanks for the response. I changed the SOURCE port to any. With this setting, port 25 traffic still randomly goes out either WAN1 or WAN2. For example, it routes out fine on the first email send (via webmail); if I do a filter reload, the email this time goes out WAN2. This seems not correct, seeing the port 25 entry I have in the LAN rules?
          Does my IMAP entry in the LAN rules need to be up above the default LAN entries, or is simply port 25 needed at the top?
          For completeness, we use webmail for sending out email.
          Ideas?

          Thank You,
          Barry

          jimp:

            Is your webmail system on your LAN?

            If not, then webmail is just http/https traffic, not smtp/imap.

            brcisna:

              jimp,

              Yes, our webmail is on our LAN. Do I need to make a rule to force this IP address's HTTP traffic out the WAN1 gateway, along with my already existing port 25 rule?
              Example: Webmail server ip address: 172.28.8.55
              Ideas?

              Thanks,
              Barry

              jimp:

                What you need then is some rules like this:

                Pass TCP from <webmail server> to *, port 25, gateway: wan1gw
                Block TCP from * to * port 25
                ...(rest of your rules)...

                The webmail server should be the only one sending out e-mail directly on port 25, if your clients really do send all e-mail via that server.

                Local traffic should just hit that webmail server via the switch, firewall rules won't touch it.

                If you are specifying the wan1 gateway IP explicitly in that rule, there is no way it should be balancing between both WANs, unless it's actually sending traffic out a port other than 25 and it's hitting a different rule that is load balancing.

                You may want to instead make a port alias for "mail ports" and include ports 25 (smtp), 465 (smtp+ssl), and 587 (submission).

                brcisna:
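The two points jimp makes above (a rule with a source port of 25 never matches a client connection, because the kernel picks a random ephemeral source port, so the flow falls through to the load-balance rule; and the fix is "pass the mail server to the mail ports via WAN1, then block everyone else on those ports, then the rest of the rules") come down to first-match rule evaluation. The following is an added example, not code from this thread or from pfSense: a small Python model of pfSense-style first-match LAN rules that evaluates the broken rule from the opening post and the corrected layout side by side. The LAN subnet 172.28.8.0/24, the client address 172.28.8.77, the remote MX 198.51.100.25 and the gateway labels are assumptions for illustration; only 172.28.8.55 comes from the thread.

```python
"""First-match firewall rule model for the outbound-SMTP policy in this thread.

Added example, not pfSense code. pfSense evaluates interface rules top to
bottom; the first matching rule decides the action, and a rule with a
gateway set binds the new state to that gateway. Addresses other than
172.28.8.55 are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple, Union

AddrSpec = Optional[Union[IPv4Address, IPv4Network]]   # None means "any"
PortSpec = Optional[FrozenSet[int]]                    # None means "any"

LAN_NET = ip_network("172.28.8.0/24")     # assumed LAN subnet for the thread's 172.28.8.x hosts
WEBMAIL = ip_address("172.28.8.55")       # the webmail / mail server from the thread
CLIENT = ip_address("172.28.8.77")        # assumed infected workstation
INTERNET = ip_address("198.51.100.25")    # constructed remote MX (TEST-NET-2 address)
MAIL_PORTS = frozenset({25, 465, 587})    # the "mail ports" alias suggested in the reply


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: AddrSpec = None
    sport: PortSpec = None          # source-port restriction: almost always wrong for client traffic
    dst: AddrSpec = None
    dport: PortSpec = None
    gateway: Optional[str] = None   # None = default routing table, "LB" = multi-WAN load-balance group
    desc: str = ""

    def matches(self, f: Flow) -> bool:
        return (_addr_ok(f.src, self.src) and _addr_ok(f.dst, self.dst)
                and _port_ok(f.sport, self.sport) and _port_ok(f.dport, self.dport))


def _addr_ok(addr: IPv4Address, spec: AddrSpec) -> bool:
    if spec is None:
        return True
    if isinstance(spec, IPv4Network):
        return addr in spec
    return addr == spec


def _port_ok(port: int, spec: PortSpec) -> bool:
    return spec is None or port in spec


def evaluate(rules, flow: Flow) -> Tuple[str, Optional[str], str]:
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.gateway, r.desc
    return "block", None, "implicit default deny"


# The load-balance rule that every LAN flow falls through to when nothing above matches.
LB_RULE = Rule("pass", src=LAN_NET, gateway="LB", desc="default LAN to any, load balanced")

# Second scenario from the opening post, as written there: source port 25 and
# destination 172.28.8.55. An outbound connection uses an ephemeral source port
# and has a remote destination, so neither field can match and the flow drops
# through to LB_RULE, which is the WAN1/WAN2 flip-flop the poster observed.
BROKEN = [
    Rule("pass", src=LAN_NET, sport=frozenset({25}), dst=WEBMAIL,
         dport=frozenset({25}), gateway="WAN1", desc="smtp"),
    LB_RULE,
]

# Layout from the reply: pass the mail server, block everyone else on mail ports, then the rest.
FIXED = [
    Rule("pass", src=WEBMAIL, dport=MAIL_PORTS, gateway="WAN1", desc="mail server out via WAN1"),
    Rule("block", dport=MAIL_PORTS, desc="no other LAN host may send mail directly"),
    LB_RULE,
]


def decision(rules, src: IPv4Address, dport: int = 25, sport: int = 49152):
    """Decision for one outbound connection. 49152 stands in for the random
    ephemeral source port the client's kernel would choose."""
    return evaluate(rules, Flow(src, sport, INTERNET, dport))


if __name__ == "__main__":
    print("broken, webmail :25  ->", decision(BROKEN, WEBMAIL))
    print("fixed,  webmail :25  ->", decision(FIXED, WEBMAIL))
    print("fixed,  webmail :587 ->", decision(FIXED, WEBMAIL, dport=587))
    print("fixed,  client  :25  ->", decision(FIXED, CLIENT))
    print("fixed,  client  :443 ->", decision(FIXED, CLIENT, dport=443))
```

Run it and the broken rule set sends the mail server's SMTP connection to the load-balance group, while the fixed set pins it to WAN1 and blocks the workstation's direct port 25 attempts without touching its ordinary web traffic. The block rule sits above the load-balance rule on purpose: order is what makes it bite.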

                  jimp,

                  Thanks for the above example. I will set up the two rules as you specified.
                  Yes, all clients should be sending out through ONLY the webmail server, but I have read some recent scenarios where various viruses embed xmail on Windows clients, and all they need to do is have an 'out' port 25 to send out spambot stuff.
                  If you look at my very topmost rule in my first post, as I see it any client that has 'its own mail server' could send out through the WAN1 gateway on port 25?
                  This is where I'm wanting to make it possible for ONLY 172.28.8.55 (webmail IP), not LAN net as I have the rule set now, to be able to go out on port 25.
                  The rules you laid out look like they should do it.

                  Thank You,
                  Barry

                  brcisna:

                    jimp,

                    Just wanted to let you know, the two-rule example you provided for blocking all outbound port 25 traffic, other than the actual mail server, did the trick.
                    We are no longer getting blacklisted on Spamhaus. I am still running virus stuff on all the workstations, and as stated before, I do not see anything obvious in the states, such as one-source-to-many-destinations connections.
                    I even tried doing tcpdumps and watching, and cannot track down a PC in particular.
                    Thanks again for the help!

                    Take Care,
                    Barry

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.