Netgate Discussion Forum
    Dual internet but want mail to only go out thru one connection, how?

General pfSense Questions
    15 Posts 5 Posters 2.9k Views
elementalwindx:

I have a dual internet setup on a pfSense router. I have an Exchange server behind it. When it sends out email I sometimes get #550 responses, as the other IP address is dynamic (cable). I want all outgoing email to go out on the static IP (DSL) connection. How can I arrange this?
phil.davis:

Add an Alias for your mail server IP (not essential, but makes rules more readable) - e.g. name MyMailServer.
Add a Firewall rule on your LAN, with source MyMailServer, destination any (or limit destination to SMTP etc. known ports if you don't want all traffic from the Exchange Server to go out the static IP); in Advanced, Gateway, select the gateway that is through your static IP.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
elementalwindx:

@phil.davis:
Add an Alias for your mail server IP (not essential, but makes rules more readable) - e.g. name MyMailServer.
Add a Firewall rule on your LAN, with source MyMailServer, destination any (or limit destination to SMTP etc. known ports if you don't want all traffic from the Exchange Server to go out the static IP); in Advanced, Gateway, select the gateway that is through your static IP.

Would doing a 1:1 NAT also work?

What would be the difference between the two?

Thanks for telling me. I completely forgot about advanced gateway, even though I set that rule up for my dual internet lol.
elementalwindx:

Actually, neither the option you described above nor the 1:1 has solved my problems :( It's still sending out email over the DHCP cable connection instead of the static IP DSL connection.

Please help.
podilarius:

Do you have advanced outbound NAT set up? Rule order matters, so you will need to make sure that special rules like this are above any other rules.
elementalwindx:

@podilarius:
Do you have advanced outbound NAT set up? Rule order matters, so you will need to make sure that special rules like this are above any other rules.

It is set for AON by default. I have the rule set to the highest point possible. It looks like I had to reboot the firewall (most likely to reset the firewall states). I don't know how to reset the firewall states without rebooting pfSense itself.
podilarius:

Diagnostics -> States -> Reset States.
kelsen:

@elementalwindx:
It is set for AON by default. I have the rule set to the highest point possible. It looks like I had to reboot the firewall (most likely to reset the firewall states). I don't know how to reset the firewall states without rebooting pfSense itself.

Diagnostics -> States -> Reset States
podilarius:

^--- Haha ... beat you to it.
elementalwindx:

It is still trying to deliver email on the cable internet interface :( I have attached a screenshot showing my LAN rules. 192.168.16.2 is the server.

The outbound NAT is set for "Automatic outbound NAT rule generation".
podilarius:

Well, your rule is very wrong, isn't it? For email going out, source is 192.168.16.2, port is any, and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.
elementalwindx:

@podilarius:
Well, your rule is very wrong, isn't it? For email going out, source is 192.168.16.2, port is any, and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.

I don't understand, can you explain a little better? Do I need to add a rule into the DSL section of the firewall too?
wallabybob:

@elementalwindx:
@podilarius:
Well, your rule is very wrong, isn't it? For email going out, source is 192.168.16.2, port is any, and destination is any on port 25. The reverse is true for inbound traffic, but on the WAN.

I don't understand, can you explain a little better? Do I need to add a rule into the DSL section of the firewall too?

At the very least you should change the source port in your rule to "*", since it is unlikely the mail server will use 25 as its source port.
elementalwindx:

Ah. Thank you! :)
phil.davis:

For the benefit of newbies reading this and other threads, it can't hurt to restate this. When a client (mail programme, browser...) connects out to a server offering a service at a well-known port number, the client uses an ephemeral port number (it gets given any old port number from a temporary range - http://en.wikipedia.org/wiki/Ephemeral_port). The destination is the well-known port number (e.g. SMTP 25, HTTP 80, HTTPS 443... - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).
When making rules to let clients out to a particular service, you generally need a pass rule on the interface where the source address is, like:
Source address: IP/s of the clients
Source port: any
Destination address: IP/s of the server
Destination port: well-known port number (you can usually pick this from the dropdown list in the GUI)

And for easy maintenance and readability of your rules, make aliases for groups of IP addresses (and special port ranges, URLs that you need to reference...) and use the alias names in firewall rules.
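The two points the thread turns on, that a rule pinned to source port 25 never matches an outbound SMTP connection (podilarius's and wallabybob's posts) and that the policy-routing rule has to sit above the catch-all LAN rule (podilarius's earlier post on rule order), can be shown with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense; the gateway names DSL_GW and CABLE_GW, the flows and the assumption that the cable WAN is the system default route are all constructed for the illustration. 192.168.16.2 is the server address from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed values for the thread's scenario. The gateway names are
# assumptions for this example, not pfSense's own gateway names.
MAIL_SERVER = "192.168.16.2"
LAN_NET = "192.168.16.0/24"
GW_DSL = "DSL_GW"        # static-IP DSL gateway
GW_CABLE = "CABLE_GW"    # dynamic cable gateway, assumed to be the default route


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # CIDR or "any"
    src_port: Optional[int]   # None means "any" (the '*' in the GUI)
    dst: str
    dst_port: Optional[int]
    gateway: Optional[str]    # None means "default" (no policy routing)

    def matches(self, f: Flow) -> bool:
        def in_net(net: str, ip: str) -> bool:
            return net == "any" or ip_address(ip) in ip_network(net, strict=False)

        def port_ok(want: Optional[int], got: int) -> bool:
            return want is None or want == got

        return (in_net(self.src, f.src_ip) and port_ok(self.src_port, f.src_port)
                and in_net(self.dst, f.dst_ip) and port_ok(self.dst_port, f.dst_port))


def choose_gateway(rules: List[Rule], f: Flow) -> Tuple[str, Optional[str]]:
    """First matching rule wins, top to bottom, as pfSense reads a LAN ruleset.

    A matching rule without a gateway sends the flow down the default route;
    no match at all is the implicit default deny. Note that this decides the
    gateway only for a NEW connection: an existing state keeps the gateway it
    was created with, which is why the thread needed a state reset."""
    for r in rules:
        if r.matches(f):
            return r.name, (r.gateway if r.gateway else GW_CABLE)
    return "implicit-deny", None


DEFAULT_ALLOW = Rule("Default allow LAN to any", LAN_NET, None, "any", None, None)

# The rule as posted: source port pinned to 25, which an outbound client never uses.
WRONG_RULES = [Rule("mail-out (src port 25)", MAIL_SERVER + "/32", 25, "any", 25, GW_DSL),
               DEFAULT_ALLOW]
# Corrected as advised in the thread: source port any, destination port 25, DSL gateway.
FIXED_RULES = [Rule("mail-out", MAIL_SERVER + "/32", None, "any", 25, GW_DSL),
               DEFAULT_ALLOW]
# The corrected rule, but placed below the catch-all rule (rule order matters).
MISORDERED_RULES = [DEFAULT_ALLOW, FIXED_RULES[0]]

# Constructed outbound SMTP connection: the server picks an ephemeral source port
# (49152 is the start of the IANA dynamic range); the remote MX is a TEST-NET address.
OUTBOUND_SMTP = Flow(MAIL_SERVER, 49152, "203.0.113.25", 25)


def route(rules: List[Rule], f: Flow = OUTBOUND_SMTP) -> Tuple[str, Optional[str]]:
    """Return (name of the matching rule, gateway used) for one new connection."""
    return choose_gateway(rules, f)


if __name__ == "__main__":
    for label, rs in (("wrong", WRONG_RULES), ("fixed", FIXED_RULES),
                      ("misordered", MISORDERED_RULES)):
        print(f"{label:10s} -> {route(rs)}")
```

Running it shows the posted rule falling through to the catch-all (and so to the cable gateway), the corrected rule steering SMTP out via DSL, and the same corrected rule doing nothing when it sits below the catch-all. Non-SMTP traffic from the server, such as HTTPS, still takes the default route under the fixed ruleset, which is the "limit destination to SMTP" variant phil.davis described.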
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.