Is SMTP service blocked by default on pfSense 2.0?



  • Hi everyone,

    This is a stupid question but I have a client complaining they occasionally can't send mail outbound and we recently installed a pfSense router there. So, is there anything in firewall/nat that should be opened for SMTP to work? Outbound NAT is set to Automatic - does that make a difference? maybe use static port 25?

    Also there is a linksys router as well. So, this is the setup:

    Bell Canada Modem/Router –--> pfSense 2.0 ------> Linksys Router ------> PC

    Bell Canada Modem/Router is NOT in bridge mode and picks up it's own public IP address. pfSense is connected to it but Bell Canada allows two public IPs so pfSense has PPPoE on WAN interface and has it's own separate public IP address. Then the Linksys router obtain IP from pfSense DHCP but it has it's own separate DHCP subnet for the PC. Conclusion is that none of the equipment is in bridge mode. Could this cause an issue with SMTP?

    Thanks



  • Does this mean that pfsense has two WAN connections ?
    If yes, the create a rule on top of all other firewall rules on LAN interface to route SMTP traffic always using the same WAN.



  • What network you configured between router and pfsense?

    If it's not in bridge mode, don't router's valid ip and pfsense wan has ips on same subnet?

    This could be the problem.



  • First of all, thanks for the input guys. Below are some clarifications.

    Nachtfalke: There is only 1 WAN. Bell Modem/Router has it's own public IP but any of clients connected to it can also do PPPoE to ISP to obtain another IP. This is done on these modems without bridge mode. Anyhow, that is most likely not the issue at all.

    marcelloc: Which router are you referring to? There are 3 routers. 1- Bell Modem/Router, 2-pfSnse, 3-Linksys. None of those use the same subnet. There is no subnet conflict. Here is how they are set:

    Bell Modem/Router: 192.168.0.0/24
    pfSense Router: 192.168.90.0/24
    Linksys Router: 192.168.20.0/24
    So, none of those conflict.

    Also, from LAN, I have * * * * * * so all outbound are open. Everyone can surf the internet too.



  • Pretty much every residential ISP blocks port 25 outbound, that's most likely what it is unless you have a business class connection. The default config allows 25 outbound.



  • CMB, that is true. But I think this connection worked without SMTP authentication before. Plus, it seems it's occasional. So, I am gathering that I shouldn't have any problem with multiple routers using SMTP. I thought being stateless might make a difference or port 25 should be set static on OUTBOUND NAT settings but I guess not. So, I will blame GoDaddy server for the occasional problems and returned e-mails.

    Thanks



  • @torontob:

    Bell Modem/Router: 192.168.0.0/24
    pfSense Router: 192.168.90.0/24
    Linksys Router: 192.168.20.0/24

    can you draw your network setup?

    wan ip -> Bell Modem ->  192.168.0.0/24  <-??-> 192.168.90.0 pfsense <-??-> 192.168.20.0/24 <-??-> Linksys Router



  • There two public IPs. One is assigned through WAN of Bell Modem/Router. The second one is picked-up by WAN port of pfSense router which is connected to LAN of Bell but they are totally separate. No routing conflicts. I think the DSL Modem feature is used for pfSense and the router feature is not used. Like I said, you are allowed to pick two public IPs through the same DSL connection.

    RJ11 < >Bell Modem/Router (LAN port)<–--->(WAN port - 2nd public IP picked here) pfSense (LAN port)<--->(WAN port) Linksys Router (LAN port)<---->PC with Outlook.



  • RJ11 < >Bell Modem/Router (LAN port)<–--->(WAN port - 2nd public IP picked here) pfSense

    Who is the gateway of 2nd public ip? bell modem 192.168?  ???

    If bell Modem is in bridge mode I see no problems on pfsense wan gateway.

    But in routing mode how can a ppoe valid ip reach it's gateway if it is behind a 192.168 network?



  • Just noticed "occasionally", that most likely wouldn't be the ISP, rather the mail provider. Unless you're changing the firewall config (by blocking and unblocking port 25), it isn't going to cause occasional issues. Outside mail providers like Godaddy (ew, move away) will always require SMTP authentication, otherwise they'd be an open relay. If you're getting bounces, that's nothing network-related.



  • marcelloc: I think you are not familiar with DSL Modem/Routers (Bell ones). Like I said, the pfSense WAN probably uses only the modem feature of the DSL modem/router to obtain another public IP. It has absolutely nothing to do with the other WAN even though it connects to a port labelled LAN on the DSL Modem/router. In fact, gateway is picked up automatically from ISP. Sometimes the public IPs are very different like 174.55.x.x and 94.22.x.x. I could be wrong on my assumption above with usage of the modem but that type of bridge mode is the only thing that comes to my mind.

    CMB: I think you are right. Let's see if they complain again. And yes, I don't like GoDaddy either (They hiked my certificate price double after a year of subscription knowing it's freaking time taking to install that SSL certificate again….). No firewall changes been done. Bouncing is a problem of GoDaddy indeed.


Locked