Multi-wan email gateway
-
Hello All,
pfSense-1.2.3-RELEASE
2-WAN
1-LAN

pfSense has been working great for our school's needs. Thanks to ALL that make pfSense happen!
We run an internal mail server behind the pfSense box. No problems in regards to the port 25 traffic going out WAN1, which is where our MX record is pointed to.
This week we started getting blacklisted as our network was throwing out Waledac spambot traffic. OK, so I try chasing down PC(s) and looking in the states for one source to many destinations. Can not really see any kind of pattern in the states at all to ID one PC in particular.

Question: I am thinking I should be able to restrict port 25 outgoing traffic more than the rules I have currently set up:
Proto  Source   Port  Destination  Port  Gateway      Schedule  Description
tcp    LAN net  *     *            25    WAN1gateway            smtp

I would like to change to the following, to restrict ONLY the email server IP 172.28.8.55 to send out port 25 traffic:

Proto  Source   Port  Destination  Port  Gateway      Schedule  Description
tcp    LAN net  25    172.28.8.55  25    WAN1gateway            smtp

When I switch to the second scenario, sometimes port 25 goes out WAN1, sometimes port 25 traffic goes out WAN2 and thus gets rejected.
I will attach a screenshot of our LAN rules.
It seems the second scenario should be valid?

Thank You,
Barry
-
In the second scenario you specify a source port. Don't do that. :-)
The traffic won't match it, as the source port is random, so it falls through to your load balance rule.
-
jimp,
Thanks for the response. I changed the SOURCE port to any. With this setting port 25 traffic still randomly goes out either WAN1 or WAN2. For example it routes out fine on the first email send (via webmail); if I do a filter reload, the email this time goes out WAN2. This seems not correct, given the port 25 entry I have in the LAN rules?
Does my IMAP entry in the LAN rules need to be up above the default LAN entries, or is simply port 25 needed at the top?
For completeness, we use webmail for sending out email.
Ideas?

Thank You,
Barry
-
Is your webmail system on your LAN?
If not, then webmail is just http/https traffic, not smtp/imap.
-
jimp,
Yes, our webmail is on our LAN. Do I need to make a rule to force this IP address (HTTP) out the WAN1 gateway, along with my already existing port 25 rule?
Example: Webmail server ip address: 172.28.8.55
Ideas?

Thanks,
Barry
-
What you need then is some rules like this:
Pass TCP from <webmail server> to *, port 25, gateway: wan1gw
Block TCP from * to * port 25
…(rest of your rules)...

The webmail server should be the only one sending out e-mail directly on port 25, if your clients really do send all e-mail via that server.
Local traffic should just hit that webmail server via the switch; firewall rules won't touch it.
If you are specifying the wan1 gateway IP explicitly in that rule, there is no way it should be balancing between both WANs, unless it's actually sending traffic out a port other than 25 and it's hitting a different rule that is load balancing.
You may want to instead make a port alias for "mail ports" and include ports 25 (smtp), 465 (smtp+ssl), and 587 (submission).
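To make the ordering argument in the thread concrete, here is an added example (not pfSense code and not written by either poster) that models LAN rules as a first-match ("quick") list and evaluates constructed packets against Barry's source-port-25 ruleset and against the pass/block pair jimp describes, with the "mail ports" alias folded in. The LAN netmask (172.28.8.0/24), the gateway group name "LoadBalance", and every packet and destination address are assumptions, not details from the thread.

```python
"""First-match model of the pfSense LAN rules discussed in this thread.

Added example, not code from pfSense or from the posters. Assumptions: the
LAN is 172.28.8.0/24 (the thread never states the netmask), the
load-balance gateway group is called "LoadBalance", and every packet below
is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

LAN_NET = ipaddress.ip_network("172.28.8.0/24")   # assumed netmask
MAIL_SERVER = "172.28.8.55"                        # from the thread
MAIL_PORTS = frozenset({25, 465, 587})             # jimp's "mail ports" alias

PortSpec = Union[None, int, FrozenSet[int]]        # None == any port


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp" or "any"
    src: str                        # "any", "LAN net", host or CIDR
    sport: PortSpec
    dst: str
    dport: PortSpec
    gateway: Optional[str] = None   # None == routing table, no policy route
    desc: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if spec == "LAN net":
        return addr in LAN_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if isinstance(spec, int):
        return spec == port
    return port in spec


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.dport, pkt.dport))


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str], str]:
    """pfSense rules are 'quick': the first matching rule decides. A packet
    that matches nothing hits the implicit default deny."""
    for r in rules:
        if rule_matches(r, pkt):
            return (r.action, r.gateway, r.desc)
    return ("block", None, "implicit default deny")


# Barry's second attempt: the SMTP rule also pins the *source* port to 25.
BROKEN = [
    Rule("pass", "tcp", "LAN net", 25, "any", 25, "WAN1gateway", "smtp"),
    Rule("pass", "any", "LAN net", None, "any", None, "LoadBalance", "Default allow LAN to any"),
]

# jimp's fix: allow only the mail server, block everyone else, then the default.
FIXED = [
    Rule("pass", "tcp", MAIL_SERVER, None, "any", MAIL_PORTS, "wan1gw", "smtp out via WAN1"),
    Rule("block", "tcp", "any", None, "any", MAIL_PORTS, None, "no direct SMTP from other hosts"),
    Rule("pass", "any", "LAN net", None, "any", None, "LoadBalance", "Default allow LAN to any"),
]

# Constructed packets: a real client picks an ephemeral source port, never 25.
MAIL_OUT = Packet("tcp", MAIL_SERVER, 51234, "203.0.113.10", 25)
BOT_OUT = Packet("tcp", "172.28.8.77", 40000, "203.0.113.20", 25)
BOT_SUBMISSION = Packet("tcp", "172.28.8.77", 40001, "203.0.113.20", 587)
WEB_OUT = Packet("tcp", "172.28.8.77", 40002, "203.0.113.30", 443)


def demo():
    return {
        "broken_mail": evaluate(BROKEN, MAIL_OUT),    # falls to the balance rule
        "fixed_mail": evaluate(FIXED, MAIL_OUT),      # pinned to wan1gw
        "fixed_bot": evaluate(FIXED, BOT_OUT),        # blocked
        "fixed_bot_587": evaluate(FIXED, BOT_SUBMISSION),
        "fixed_web": evaluate(FIXED, WEB_OUT),        # still load balanced
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The model shows why the source-port rule never fires: the mail server's outbound connection carries an ephemeral source port, so the first rule fails on that column and the packet reaches the catch-all rule bound to the gateway group. With the pass/block pair in front of the catch-all, the mail server is policy-routed to wan1gw, any other host's SMTP or submission attempt is dropped, and unrelated traffic from that same host still balances.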
-
jimp,
thanks for the above example. I will setup the two rules as you specified.
Yes, all clients should be sending out through ONLY the webmail server, but I have read some recent scenarios where various viruses embed xmail on Windows clients and all they need to do is have an 'out' port 25 to send out spambot stuff.
If you look at my very topmost rule in my first post, as I see it any client that has 'its own mail server' could send out through the wan1 gateway on port 25?
This is where I'm wanting to make it possible for ONLY 172.28.8.55 (webmail IP), not LAN net as I have the rule set now, to be able to go out on port 25.
The rules you lined out look like they should do it.

Thank You,
Barry
-
jimp,
Just wanted to let you know, the two-rule example you provided for blocking all outbound port 25 traffic, other than the actual mail server, did the trick.
We are no longer getting blacklisted on Spamhaus. I am still running virus stuff on all the workstations, and as stated before, I do not see anything obvious in the states, as in one source to many destinations connections.
I even tried doing tcpdumps and watching and can not track down a PC in particular.
Thanks again for the help!

Take Care,
Barry
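Barry mentions twice (the first post and the last one) that neither the state table nor tcpdump made the infected PC stand out as "one source to many destinations". Here is an added example, not from the thread and not pfSense code, of the check a practitioner would run over a tcpdump capture: count, per LAN source, the number of distinct destination IPs it sent a bare SYN to on a mail port, then exclude the known mail server and rank the rest. The capture lines are constructed, the regex assumes tcpdump's default `-n` IPv4 format (`host.port > host.port: Flags [..]`), the hosts 172.28.8.77 and 172.28.8.90 and the 198.51.100.x / 203.0.113.x destinations are invented, and the threshold of five distinct destinations is an arbitrary starting point.

```python
"""Find LAN hosts fanning out SMTP connections to many destinations.

Added example; the tcpdump lines below are constructed, not a real capture.
Assumes tcpdump was run with -n so hosts and ports print as dotted numbers.
"""
import re
from collections import defaultdict

MAIL_SERVER = "172.28.8.55"                 # the legitimate sender, from the thread
MAIL_PORTS = frozenset({25, 465, 587})      # the "mail ports" alias suggested above

# Matches "IP 1.2.3.4.port > 5.6.7.8.port: Flags [S]" in tcpdump -n output.
LINE_RE = re.compile(
    r"IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): "
    r"Flags \[([^\]]*)\]"
)

# Constructed sample: the mail server talks to 3 remote MXes, a normal PC makes
# one SMTP connection, and 172.28.8.77 hits 8 different hosts on port 25.
SAMPLE_TCPDUMP = """\
14:02:01.000001 IP 172.28.8.55.51002 > 203.0.113.10.25: Flags [S], seq 1, win 65535, length 0
14:02:01.000002 IP 203.0.113.10.25 > 172.28.8.55.51002: Flags [S.], seq 2, ack 2, win 65535, length 0
14:02:01.000003 IP 172.28.8.55.51003 > 203.0.113.11.25: Flags [S], seq 1, win 65535, length 0
14:02:01.000004 IP 172.28.8.55.51004 > 203.0.113.12.25: Flags [S], seq 1, win 65535, length 0
14:02:01.000005 IP 172.28.8.90.49200 > 203.0.113.10.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000006 IP 172.28.8.90.49201 > 203.0.113.40.443: Flags [S], seq 1, win 8192, length 0
14:02:01.000007 IP 172.28.8.77.40001 > 198.51.100.1.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000008 IP 172.28.8.77.40002 > 198.51.100.2.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000009 IP 172.28.8.77.40003 > 198.51.100.3.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000010 IP 172.28.8.77.40004 > 198.51.100.4.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000011 IP 172.28.8.77.40005 > 198.51.100.5.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000012 IP 172.28.8.77.40006 > 198.51.100.6.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000013 IP 172.28.8.77.40007 > 198.51.100.7.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000014 IP 172.28.8.77.40008 > 198.51.100.8.25: Flags [S], seq 1, win 8192, length 0
14:02:01.000015 IP 172.28.8.77.40009 > 198.51.100.8.25: Flags [S], seq 1, win 8192, length 0
""".splitlines()


def smtp_syn_fanout(lines, ports=MAIL_PORTS):
    """Map each source IP to the set of distinct destination IPs it sent a
    bare SYN (flags [S], not the [S.] of a SYN-ACK) to on a mail port."""
    fanout = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if int(dport) in ports and "S" in flags and "." not in flags:
            fanout[src].add(dst)
    return dict(fanout)


def suspects(lines, threshold=5, allowed=frozenset({MAIL_SERVER})):
    """Sources not on the allow list that reached at least `threshold`
    distinct SMTP destinations, highest fan-out first."""
    fan = smtp_syn_fanout(lines)
    hits = [(src, len(dsts)) for src, dsts in fan.items()
            if src not in allowed and len(dsts) >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, dsts in sorted(smtp_syn_fanout(SAMPLE_TCPDUMP).items()):
        print(f"{src:15} {len(dsts):3} distinct SMTP destinations")
    print("suspects:", suspects(SAMPLE_TCPDUMP))
```

Distinct destinations per source is a better signal than raw packet or state counts, because a busy mail server and an infected desktop can both hold many states but only the bot spreads them across many unrelated remote hosts. To feed it a live capture from the LAN interface, something like `tcpdump -ni <lan interface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'` restricts the output to outbound SYNs before the script ever sees it.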