Routing outbound email through a different virtualIP

  • I have a mail server that's currently running internally (  I have a handful of static IP addresses.  All of my email currently appears that it comes from pfSense firewall's primary public IP (e.g. the gateway address).  However, I'd like all email to go out on one of the secondary static IP addresses from my IP that are assigned to pfSense as virtual IPs.  I was looking at the rules, and I couldn't find an obvious way of doing this.  Is this achievable?

    In otherwords… ( - Mailserver) - outbound port 25 email ---> - pfSense --->Virtual IP#2 ---->IP Gateway.

    The goal would be so that my outbound emails get stamped with the virtualIP instead of the primary IP.

  • Rebel Alliance Developer Netgate

    Sure, you just need to either setup 1:1 NAT between the mail server and that public IP, or switch to Manual Outbound NAT and setup an outbound NAT rule that will match that traffic and apply NAT to the VIP you want.

  • I tried to test this by creating an outbound NAT rule for HTTPS (443) traffic, but did not get the expected result.

    For example:
    1. Firewall>NAT>Outbound
    2. I left it on Automatic outbound rule generation, and clicked + to add a rule
    3. Source: On the LAN Interface for all IPs in my network port 443
    4. Destination: Any
    5. Set to external VirtualIP2
    6. Static Port
    7. Save, wait for reload.

    After that I tried browsing to to verify that my outbound web-traffic is being changed to appear to come from VirutalIP2 (new IP)  instead of the old IP VirtualIP1.  However, VirtualIP1 still shows up.  What have I misunderstood?  Should I have changed it to "manual" outbound (AON)?  The reason that I'm trying this with 443 is so that I can quickly see the result by going to  Once I get it working, I'll modify it for only outbound 25 (don't want to disrupt the day-to-day).


  • Rebel Alliance Developer Netgate

    To use the rules you make, you must be on manual outbound NAT.

    The rules on that page are ignored if you are on automatic outbound NAT.

  • I see.  If I set to manual, other than IPsec outbound VPN traffic - what else might break?

  • Rebel Alliance Developer Netgate

    Nothing should break. When you switch to manual, it will generate a set of rules equivalent to the ones it had on automatic. It just doesn't update them automatically anymore if you add/remove interfaces.

    Just make sure your rule that you add for the other IP goes on top.

  • Also, your source port will not be 443, that's your destination port.

Log in to reply