Dual internet but want mail to only go out thru one connection, how?



  • I have a dual internet setup on a pfsense router. I have an Exchange server behind it. When it sends out email I sometimes get #550 responses as the other ip address is dynamic (cable). I want all outgoing email to go out on the static ip (dsl) connection. How can I arrange this?



  • Add an Alias for your mail server IP (not essential, but makes rules more readable) - e.g. name MyMailServer.
    Add a Firewall rule on your LAN, with source MyMailServer, destination any (or limit destination to SMTP etc known ports if you don't want all traffic from the Exchange Server to go out the static IP), in Advanced, Gateway, select the gateway that is through your static IP.



  • @phil.davis:

    Add an Alias for your mail server IP (not essential, but makes rules more readable) - e.g. name MyMailServer.
    Add a Firewall rule on your LAN, with source MyMailServer, destination any (or limit destination to SMTP etc known ports if you don't want all traffic from the Exchange Server to go out the static IP), in Advanced, Gateway, select the gateway that is through your static IP.

    Would doing a 1:1 nat also work?

    What would be the difference between the two?

    Thanks for telling me. I completely forgot about advanced gateway, even though I set that rule up for my dual internet lol.



  • Actually neither the option you described above, nor the 1:1 have solved my problems :( It's still sending out email over the dhcp cable connection instead of the static ip dsl connection.

    Please help.



  • Do you have advanced outbound NAT setup? Rule order matters, so you will need to make sure that special rules like this are above any other rules.



  • @podilarius:

    Do you have advanced outbound NAT setup? Rule order matters, so you will need to make sure that special rules like this are above any other rules.

    It is set for AON by default. I have the rule set to the highest point possible. It looks like I had to reboot the firewall (most likely to reset the firewall states). I don't know how to reset the firewall states without rebooting the pfsense itself.



  • Diagnostics -> States -> Reset States.



  • It is set for AON by default. I have the rule set to the highest point possible. It looks like I had to reboot the firewall (most likely to reset the firewall states). I don't know how to reset the firewall states without rebooting the pfsense itself.

    Diagnostics -> States -> Reset States



  • ^--- Haha ... beat you to it.



  • It is still trying to deliver email on the cable internet interface :( I have attached a screenshot showing my LAN rules. 192.168.16.2 is the server.

    The outbound nat is set for "Automatic outbound NAT rule generation"




  • Well your rule is very wrong isn't it. For email going out, source is 192.168.16.2 port is any and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.



  • @podilarius:

    Well your rule is very wrong isn't it. For email going out, source is 192.168.16.2 port is any and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.

    I don't understand, can you explain a little better? I need to add a rule into the DSL section of the firewall too?



  • @elementalwindx:

    @podilarius:

    Well your rule is very wrong isn't it. For email going out, source is 192.168.16.2 port is any and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.

    I don't understand, can you explain a little better? I need to add a rule into the DSL section of the firewall too?

    At the very least you should change the source port in your rule to "*" since it is unlikely the mail server will use 25 as its source port.



  • ah. Thank you! :)



  • For the benefit of newbies reading this and other threads, it can't hurt to restate this. When a client (mail programme, browser…) connects out to a server offering a service at a well-known port number, then the client uses an ephemeral port number (gets given any old port number from a temporary range - http://en.wikipedia.org/wiki/Ephemeral_port). The destination is the well-known port number (e.g. SMTP 25, HTTP 80, HTTPS 443… - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).
    When making rules to let clients out to a particular service, you generally need a pass rule on the interface where the source address is like:
    Source address: IP/s of the clients
    Source port: any
    Destination address: IP/s of the server
    Destination port: well-known port number (you can usually pick this from the dropdown list in the GUI)

    and for easy maintenance and readability of your rules, make aliases for groups of IP addresses (and special port ranges, URLs that you need to reference…) and use the alias names in firewall rules.
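To make the two points of this thread concrete (source port must be "any" because the client side uses an ephemeral port, and the policy-routing rule must sit above the default allow rule), here is an added Python model of first-match LAN rule evaluation with a gateway chosen under Advanced > Gateway. It is not from the thread or from pfSense itself; the gateway names, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

ANY = "*"  # the "any" / "*" choice in the pfSense rule editor

@dataclass
class Rule:
    name: str
    src: str                   # host/network or ANY
    src_port: Union[int, str]  # int or ANY
    dst: str
    dst_port: Union[int, str]
    gateway: str               # "default" or the gateway chosen under Advanced > Gateway

@dataclass
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _net_ok(net: str, ip: str) -> bool:
    return net == ANY or ip_address(ip) in ip_network(net, strict=False)

def _port_ok(rule_port: Union[int, str], port: int) -> bool:
    return rule_port == ANY or rule_port == port

def select_gateway(rules: List[Rule], c: Conn, default_gw: str = "CABLE_DHCP") -> Optional[str]:
    """First matching rule wins, as with pfSense LAN rules (generated with pf's 'quick').
    Returns the gateway the new state is bound to, or None when no rule passes it."""
    for r in rules:
        if (_net_ok(r.src, c.src_ip) and _port_ok(r.src_port, c.src_port)
                and _net_ok(r.dst, c.dst_ip) and _port_ok(r.dst_port, c.dst_port)):
            return default_gw if r.gateway == "default" else r.gateway
    return None

# Constructed rule sets (IPs, ports and gateway names are made up for the example).
DEFAULT_ALLOW = Rule("Default allow LAN to any", "192.168.16.0/24", ANY, ANY, ANY, "default")
WRONG_SMTP = Rule("SMTP via DSL (src port 25)", "192.168.16.2", 25, ANY, 25, "DSL_STATIC")
FIXED_SMTP = Rule("SMTP via DSL (src port any)", "192.168.16.2", ANY, ANY, 25, "DSL_STATIC")
BROKEN_RULES = [WRONG_SMTP, DEFAULT_ALLOW]
FIXED_RULES = [FIXED_SMTP, DEFAULT_ALLOW]
MISORDERED_RULES = [DEFAULT_ALLOW, FIXED_SMTP]  # right rule, wrong position

# Constructed connections: the mail server's outbound SMTP uses an ephemeral source port.
MAIL_OUT = Conn("192.168.16.2", 51234, "198.51.100.10", 25)
WEB_OUT = Conn("192.168.16.50", 49152, "198.51.100.20", 443)
```

With the source-port-25 rule, outbound mail falls through to the default allow rule and leaves via the default (cable) gateway; the corrected rule sends it out DSL only when it is ordered above the default allow rule, and existing states still have to be reset for the change to take effect.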

