Netgate Discussion Forum

    Routing outbound email through a different virtualIP

    General pfSense Questions
      wmiwmi

      I have a mail server that's currently running internally (192.168.1.10). I have a handful of static IP addresses. All of my email currently appears to come from the pfSense firewall's primary public IP (e.g. the gateway address). However, I'd like all email to go out on one of the secondary static IP addresses from my IP that are assigned to pfSense as virtual IPs. I was looking at the rules, and I couldn't find an obvious way of doing this. Is this achievable?

      In other words… (192.168.1.10 - Mailserver) - outbound port 25 email ---> 192.168.1.1 - pfSense ---> Virtual IP#2 ---> IP Gateway.

      The goal would be so that my outbound emails get stamped with the virtualIP instead of the primary IP.

        jimp Rebel Alliance Developer Netgate

        Sure, you just need to either set up 1:1 NAT between the mail server and that public IP, or switch to Manual Outbound NAT and set up an outbound NAT rule that will match that traffic and apply NAT to the VIP you want.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          wmiwmi

          I tried to test this by creating an outbound NAT rule for HTTPS (443) traffic, but did not get the expected result.

          For example:
          1. Firewall>NAT>Outbound
          2. I left it on Automatic outbound rule generation, and clicked + to add a rule
          3. Source: On the LAN Interface for all IPs in my network 192.168.0.1/16 port 443
          4. Destination: Any
          5. Set to external VirtualIP2
          6. Static Port
          7. Save, wait for reload.

          After that I tried browsing to https://whatismyip.com to verify that my outbound web-traffic is being changed to appear to come from VirtualIP2 (new IP) instead of the old IP VirtualIP1. However, VirtualIP1 still shows up. What have I misunderstood? Should I have changed it to "manual" outbound (AON)? The reason that I'm trying this with 443 is so that I can quickly see the result by going to whatismyip.com. Once I get it working, I'll modify it for only outbound 25 (don't want to disrupt the day-to-day).

          Thanks!

            jimp Rebel Alliance Developer Netgate

            To use the rules you make, you must be on manual outbound NAT.

            The rules on that page are ignored if you are on automatic outbound NAT.

              wmiwmi

              I see.  If I set to manual, other than IPsec outbound VPN traffic - what else might break?

                jimp Rebel Alliance Developer Netgate

                Nothing should break. When you switch to manual, it will generate a set of rules equivalent to the ones it had on automatic. It just doesn't update them automatically anymore if you add/remove interfaces.

                Just make sure your rule that you add for the other IP goes on top.

                  billm

                  Also, your source port will not be 443, that's your destination port.

                  pfSense core developer
                  blog - http://www.ucsecurity.com/
                  twitter - billmarquette
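
A simplified model of the outbound NAT behaviour described in this thread, added here as an example; it is not pfSense code and was not written by any poster. It shows why the rule is ignored in automatic mode, why a rule keyed on source port 443 never matches, and why the rule for the VIP has to sit on top. The 198.51.100.x addresses, the client source port, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed documentation addresses standing in for the two public IPs.
PRIMARY_IP = "198.51.100.1"
VIRTUAL_IP2 = "198.51.100.2"


@dataclass
class NatRule:
    source: str                     # source network in CIDR form
    nat_to: str                     # address the traffic is translated to
    src_port: Optional[int] = None  # None means "any"
    dst_port: Optional[int] = None  # None means "any"
    user_added: bool = True         # False for the generated default rule

    def matches(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.source)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))


def nat_address(rules: List[NatRule], mode: str, src_ip: str,
                src_port: int, dst_port: int) -> Optional[str]:
    """Return the translation address chosen for one outbound connection."""
    if mode == "automatic":
        # Per the thread: rules added by hand are ignored in automatic mode.
        rules = [r for r in rules if not r.user_added]
    for rule in rules:  # evaluated top-down, first match wins
        if rule.matches(src_ip, src_port, dst_port):
            return rule.nat_to
    return None


# Stand-in for the generated catch-all LAN rule.
LAN_DEFAULT = NatRule("192.168.0.0/16", PRIMARY_IP, user_added=False)
# The test rule from the thread: 443 entered as the source port.
SRC_443 = NatRule("192.168.0.0/16", VIRTUAL_IP2, src_port=443)
# The intended rule: only the mail server, destination port 25.
MAIL = NatRule("192.168.1.10/32", VIRTUAL_IP2, dst_port=25)

if __name__ == "__main__":
    # 51514 is a constructed ephemeral client source port.
    print(nat_address([MAIL, LAN_DEFAULT], "automatic", "192.168.1.10", 51514, 25))
    print(nat_address([SRC_443, LAN_DEFAULT], "manual", "192.168.1.50", 51514, 443))
    print(nat_address([LAN_DEFAULT, MAIL], "manual", "192.168.1.10", 51514, 25))
    print(nat_address([MAIL, LAN_DEFAULT], "manual", "192.168.1.10", 51514, 25))
```

Only the last call returns the virtual IP: manual mode, the mail rule on top, and the match made on destination port 25.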

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.