Unable to forward SMTP to Exchange

  • Hi everyone,

    I seem to be having a problem with my PFSense installation and it probably doesn't have anything to do with the firewall, but rather me. I would like to forward all SMTP traffic through my WAN interface to my Exchange server on my LAN. However, if I try to ping the Exchange box from my WAN interface it fails. If I ping my own PC it succeeds. I think this is because my machine is set up to use the firewall as my default gateway but the Exchange box isn't. At the moment I cannot change this as all my mail is coming from the other gateway.

    Is there something that I can do to allow traffic to pass from my WAN to the Exchange box on my LAN?



  • If you have set up the forward on pfSense, then the pfSense part is good.

    But you need, on your Exchange server, a route for all the WAN traffic that is being forwarded by pfSense to that PC to return through pfSense.

  • It doesn't work because Exchange's gateway is something else. You need to change this on Exchange or on its default gateway. There's no easy way to do this on Exchange, and depending on what its default gateway is it may not be possible or easy to do it there either.

  • I don't see any solution other than setting the default gw on the Exchange server to the pfSense box. My suggestion would be to consolidate both lines into pfSense. If you bring the other line into your pfSense box as a second WAN and create the port forwards, you will be able to get mail sent via either line.

  • Thanks for all the input.

    I changed the default gateway on the Exchange server, however I still could not receive mail. I have checked the firewall logs and I can see the mail being forwarded to port 25 on the Exchange server IP, however it does not seem to come through.

    I checked in the routes section of my PFSense box and I see that any traffic routed to the Exchange server will go through my LAN interface. Does this mean that even if I have a NAT rule set up to forward all incoming SMTP on the WAN interface to the Exchange box, it will still go through the LAN interface?

    I have tried to ping the Exchange box from the LAN interface and this works; from the WAN it does not, even with the PFSense box as the default gateway.


  • Daniel Petri has a lot of info on his site on how to setup things and test it.

    -------- Extra info (you don't have to pay for it) --------

    If your ISP blocks port 25, or you just want to control which IPs can connect, you can use http://www.rollernet.us/

    mail from somebody ---> freedns port 25 ---> rollernet ---> freedns port 4444 ---->  pfsense 4444 to 25 ----> exchange

  • From the WAN to a server on the LAN you need a rule on the WAN port to allow ping,
    and you need a 1:1 NAT for the server.
    A port forward will not forward ping, I believe.

  • Thanks for all the replies.

    I have tried the suggestions that everyone has put forward, however I seem to be doing something wrong. Before setting up the PFSense firewall I had a system set up by the previous IT guy that I inherited. There were two Debian boxes, one using Smoothwall as a firewall and another hosting a Postfix mail system. My SBS 2003 setup has two NICs. One for the local network and one for the internet. The second NIC that connects to the internet had the Debian firewall as its gateway. Incoming mail was passed to the firewall, which then passed it to the Postfix box. This then sent the mail back to the firewall and into Exchange. I can receive mail without problem on the old setup.

    I think that I am getting the PFSense firewall rules wrong.

    I have set up load balancing on the PFSense box using two ADSL lines. The WAN interface is using PPPoE and the ADSL modem is acting as a bridge with no NAT set up. The OPT1 interface is using a static IP with the ADSL router acting as a router.

    I am using Dynamic DNS on the PPPoE interface and it updates correctly.

    NAT Setup on PFSense:

    IF     Proto    Ext. Port Range    NAT IP    Int. Port Range
    WAN    TCP      25 (ext. any)                25

    LAN Rules on PFSense:

    Proto          Source          Port          Destination          Port          Gateway
    *                LAN Net          *              *                        *              *

    WAN Rules on PFSense:

    Proto          Source          Port            Destination          Port            Gateway
    TCP            *                  *              25              *

    Is this sufficient or am I missing something?



  • You never want two active NICs on a Windows Server, especially one that's a domain controller as your SBS is, unless you're actually connecting directly to the Internet using ISA on SBS and connecting your LAN to the Internet through ISA. This sounds like your entire internal network is private IP space, hence you don't need nor want a second active NIC.

    Your rules look fine, and it sounds like your setup is correct with the changed default gateway. If you PM me the dyndns name of your firewall I can try to connect and probably tell you what's wrong. If you want to try yourself, telnet to port 25 on your dyndns name from another Internet connection and try to send an email manually (google telnet SMTP email and you can find specific instructions if you don't know how).
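    The check cmb describes above (telnet to port 25 on the firewall's public name from a different Internet connection and walk through an SMTP session by hand) as a script, so the reply code at each step is recorded instead of read off a terminal. This is an added example, not code from the thread or from pfSense; the host names and addresses are placeholders, and `start_stub_mta` is a constructed stand-in for the Exchange listener so the probe can be exercised offline.

```python
"""Scripted version of the manual 'telnet to port 25' port-forward test.

Added example for this thread; host names and addresses are assumed placeholders.
"""
import socket
import threading


def _read_reply(f):
    """Read one SMTP reply, honouring multi-line replies ('250-...' continuation lines)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        lines.append(line.decode("latin-1").rstrip("\r\n"))
        # The final line of a reply is 'NNN ' (or a bare 'NNN'); continuation lines use 'NNN-'.
        if len(line) >= 3 and line[:3].isdigit() and line[3:4] in (b" ", b"\r", b"\n"):
            return int(line[:3]), "\n".join(lines)


def smtp_probe(host, port=25, helo="tester.example", mail_from="probe@tester.example",
               rcpt_to="postmaster@example.com", timeout=10.0):
    """Connect like telnet would, hand-deliver one test message, and report each step.

    Returns {'connected', 'error', 'banner', 'steps'}; steps is a list of (command, code).
    """
    result = {"connected": False, "error": None, "banner": None, "steps": []}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # A broken forward shows up here: a timeout when replies never come back
        # (e.g. the server's default gateway is not the firewall), or 'refused'
        # when NAT reaches a host that is not listening on that port.
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    result["connected"] = True
    with sock, sock.makefile("rb") as f:
        try:
            code, text = _read_reply(f)
            result["banner"] = text
            if code != 220:
                result["error"] = f"unexpected greeting: {text}"
                return result
            envelope = [f"HELO {helo}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>", "DATA"]
            for cmd in envelope:
                sock.sendall(cmd.encode("ascii") + b"\r\n")
                code, text = _read_reply(f)
                result["steps"].append((cmd, code))
                if code != (354 if cmd == "DATA" else 250):
                    result["error"] = f"{cmd!r} rejected: {text}"
                    sock.sendall(b"QUIT\r\n")
                    return result
            # Constructed test message; no line starts with '.', so no dot-stuffing is needed.
            msg = (f"From: <{mail_from}>\r\nTo: <{rcpt_to}>\r\n"
                   "Subject: pfSense port-forward test\r\n\r\n"
                   "Test message sent by hand through the firewall.\r\n").encode("ascii")
            sock.sendall(msg + b".\r\n")
            code, text = _read_reply(f)
            result["steps"].append(("<message body>", code))
            if code != 250:
                result["error"] = f"message not accepted: {text}"
            sock.sendall(b"QUIT\r\n")
            code, _ = _read_reply(f)
            result["steps"].append(("QUIT", code))
        except (OSError, ConnectionError) as exc:
            result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def start_stub_mta(accept_rcpt=True):
    """Constructed stand-in for the Exchange listener (offline self-check only).

    Serves one connection on 127.0.0.1 with the minimal replies a real MTA gives;
    with accept_rcpt=False it refuses the recipient the way a non-relaying server does.
    Returns the ephemeral port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn, conn.makefile("rb") as f:
                conn.sendall(b"220 mail.example.com ESMTP MAIL Service ready\r\n")
                in_data = False
                for raw in f:
                    line = raw.decode("latin-1").rstrip("\r\n")
                    if in_data:
                        if line == ".":
                            in_data = False
                            conn.sendall(b"250 Queued mail for delivery\r\n")
                        continue
                    verb = line.split(":")[0].split(" ")[0].upper()
                    if verb == "QUIT":
                        conn.sendall(b"221 Bye\r\n")
                        break
                    if verb == "DATA":
                        in_data = True
                        conn.sendall(b"354 Start mail input; end with <CRLF>.<CRLF>\r\n")
                    elif verb == "RCPT" and not accept_rcpt:
                        conn.sendall(b"550 5.7.1 Unable to relay\r\n")
                    elif verb == "HELO":
                        conn.sendall(b"250-mail.example.com\r\n250 OK\r\n")  # multi-line reply
                    else:
                        conn.sendall(b"250 OK\r\n")
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a local port nothing listens on, to show what a dead forward looks like."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the real setup you would run: smtp_probe("yourname.dyndns.example", 25)
    print(smtp_probe("127.0.0.1", start_stub_mta()))
```

    Run it from a host outside the firewall against the DynDNS name. A timeout on the initial connect with the port forward visibly matching in the firewall log is the classic asymmetric-routing symptom from earlier in the thread (SYN reaches the server, SYN/ACK leaves via the other gateway); a 550 on RCPT TO means the forward works and the server itself is refusing the recipient.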

  • Hi cmb,

    Thanks for the reply. The second NIC was being used to connect directly to the net using a shorewall firewall. However when I have setup my PFSense box then I will go back to one NIC.

    The one thing that I am confused about though is that if I try to connect from another line my PFSense box doesn't seem to get through to the Exchange server. I have changed the default gateway on my server's network connection to the PFSense box but it times out whenever I try to telnet in.

    When you are online will you PM me so that you can perhaps have a look for me.



  • Thanks for all the input.

    I have got it working now. I did as you suggested cmb and disabled the second NIC in the SBS 2003 box. All seems to be going well now.

    Thanks again.

