Use Virtual IP for Outbound

kevpatt · Apr 20, 2012, 3:14 PM

Hi All,

We have a private network that is NAT routed thru pfSense. Our WAN interface has 5 usable ip addresses. I already have NAT working fine and a good ruleset for general use. But we also have a mail server for our domain, inside our network. I REALLY need to have this mail server sending mail from a different public IP address. I already have incoming mail traffic (port 25) on the mail server's address forwarding to our mail server, but when the mail server sends mail out, it always originates from the "main" public ip that we use for everything else. I need outgoing mail from our server to "originate" from a different public IP, one of the "virtual IPs" set up in pfSense and part of our public block.

Is there a way to do this? Any ideas?

dotdash · Apr 20, 2012, 5:50 PM

Advanced Outbound NAT. Create a rule with the servers IP/32 as the source and the VIP as the translation. Move this before the default outbound rule.

kevpatt · Apr 23, 2012, 9:54 PM

I did play around with that briefly. Whenever I had "Manual Outbound NAT rule generation / (AON - Advanced Outbound NAT)" selected, I could net get the web to work at all.

FWIW, we have multi-wan (3xT1, 1xT1, and 1xT1). Each one of these connects to the pfSense box thru its own dedicated NIC. The 3xT1 is primary and the other two T1s are used for load balancing and failover.

We are also using SQUID as a transparent proxy on pfsense.

Maybe the combination of these would make the automatic outbound rules not work? Are there any special considerations I need to keep in mind when switching from automatic outbound NAT rule generation to manual, in light of the above setup?

In the worst case, I might be able to dispense with either SQUID, or the load-balancing…

Thanks for the help! :)

tlum · Apr 24, 2012, 2:01 AM

Are there any special considerations I need to keep in mind when switching from automatic outbound NAT rule generation to manual

Yea. You have to keep all the automatically generated rules else most of your traffic goes nowhere.

kevpatt · Apr 24, 2012, 2:51 PM

Well… I did keep the automatically generated rules... and my traffic seemed to go nowhere!

dotdash · Apr 24, 2012, 3:07 PM

The Multi-WAN doesn't make a difference, there are rules for each of your WANs. You just have to make sure the more specific rule comes before the default rule on each WAN. The SQUID may be a problem, I don't run it. If you can, try getting everything running without the SQUID. If it works as expected you can put SQUID back into the mix and see what happens.