Forcing email to go out selected gateway on load balance system



  • Dear all pfSense experts,

    I'm running a load-balancing system with 2 connections from 2 ISPs.

    Can I force all LAN email traffic to go out only one selected gateway?

    If yes, how to do so?

    An early reply would be appreciated.

    Thanks in advance from newbie.


  • Rebel Alliance

    Yes, you can, use "Policy Routing" ;)

    https://doc.pfsense.org/index.php/Multi-WAN_2.0



  • @ptt:

    Yes, you can, use "Policy Routing" ;)

    https://doc.pfsense.org/index.php/Multi-WAN_2.0

    I think he needs an easy example of it ^^

    1. Set up multiple gateways (should be done if you have different WANs)

    2a) nice to have: Firewall Alias type "Ports" with wanted ports listed
          (25, 465, 586, for SMTP/sSMTP / submission)
          (110 / 995 for POP3/POPs)
          (143 / 993 for IMAP/IMAPs)

    2b) nice to have: Gateway Groups
          System => Routing => Groups
          Set up the main route as Tier 1, the fallback route as Tier 2

    3. Set up one firewall rule with the DESTINATION PORT alias, or
          several firewall rules with the needed services from the list as DESTINATION PORT

    => Gateway => Advanced Button => select needed Gateway / Gateway Group.



  • Many thanks to both of you

    I'm done with setting up all the rules.

    See attached file:

    But how can I check if all the rules work as expected?

    Best regards,




  • Pull the cable out of WANGW. All your various email things should stop working, and the LoadBalance group and other traffic should keep working.



  • @phil.davis:

    Pull the cable out of WANGW. All your various email things should stop working, and the LoadBalance group and other traffic should keep working.

    Better solutions:

    1. Do you have an external mail server available?
          => connect to it and see on the remote side if you came in with the right IP ;)

    2. Send yourself something via a normal external mail service and take a look at the Received headers… your public IP should show up there.

    => Don't forget to set up DNS/reverse DNS for your IP.
    => Best is to also add DKIM DNS records and header signing.
    => SPF could be OK, too, but has a known problem with forwarding.

    => Or get a whitelist entry on your relay

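The second check from the post above (mail yourself through an external service and read the Received headers), as an added Python example that is not from this thread or from pfSense: it parses the Received hops of a message oldest-first, skips LAN-side addresses, and reports the first public IP an outside server recorded for the mail, together with the reverse-DNS name that server logged for it. Everything in the two sample messages is constructed: hostnames, message ids, and the addresses, which come from the RFC 5737 documentation ranges (203.0.113.42 stands in for the WAN address of the ISP the email rule should use, 192.0.2.77 for the other ISP, 198.51.100.20 for the provider's MX). A real check would paste in the raw headers of the test mail and pass the firewall's actual WAN address.

```python
import ipaddress
import re
from email import message_from_string

# LAN-side ranges (RFC 1918, loopback, link-local, plus their IPv6 equivalents).
# Hops from these addresses are internal and are skipped. Explicit ranges are
# used instead of ipaddress.is_global because the constructed samples below use
# RFC 5737 documentation addresses, which Python also reports as non-global.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Matches the Postfix/Sendmail-style clause "from <helo> (<rdns> [<ip>]) ... by <host>".
HOP_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed test mail as it might land in an external mailbox (all hosts and
# addresses are made up; 203.0.113.42 plays the WAN address of the ISP the email
# rule selects, 198.51.100.20 the external provider's MX).
MAIL_VIA_WAN_A = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
 by imap.example.net with LMTP id 8Xk2; Mon, 03 Mar 2014 10:15:32 +0000
Received: from mail.home.example (static-203-0-113-42.isp-a.example [203.0.113.42])
 by mx2.example.net (Postfix) with ESMTPS id 4D2F1; Mon, 03 Mar 2014 10:15:30 +0000
Received: from workstation.lan (workstation.lan [192.168.1.50])
 by mail.home.example (Postfix) with ESMTP id 7A1C0; Mon, 03 Mar 2014 10:15:29 +0000
Subject: egress test

test
"""

# Same path, but the mail left through the other ISP (192.0.2.77, constructed)
# and that address has no PTR record, so the receiving MTA logged "unknown".
MAIL_VIA_WAN_B = MAIL_VIA_WAN_A.replace(
    "static-203-0-113-42.isp-a.example [203.0.113.42]", "unknown [192.0.2.77]"
)


def parse_hops(message_text):
    """Return Received hops oldest first as (ip_or_None, rdns_or_None, receiving_host)."""
    msg = message_from_string(message_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # clause not in a form we understand; skip the hop
        rdns = m.group("rdns")
        if not rdns or rdns.lower() == "unknown":  # Postfix writes "unknown" when rDNS fails
            rdns = None
        hops.append((m.group("ip"), rdns, m.group("by")))
    hops.reverse()  # each MTA prepends its header, so the last one is the oldest hop
    return hops


def is_internal(ip_text):
    """True if the address belongs to one of the LAN-side ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def observed_egress(message_text):
    """First hop whose source is outside the LAN: the public IP the outside world saw.
    Returns (ip, rdns, receiving_host), or None if no such hop exists."""
    for ip, rdns, by in parse_hops(message_text):
        if ip is not None and not is_internal(ip):
            return ip, rdns, by
    return None


def check_egress(message_text, expected_wan_ip):
    """Compare the observed egress IP with the WAN address the policy route should use."""
    hop = observed_egress(message_text)
    if hop is None:
        return {"ok": False, "observed_ip": None, "reverse_dns": None,
                "seen_by": None, "reason": "no external hop found"}
    ip, rdns, by = hop
    ok = ip == expected_wan_ip
    reason = "" if ok else f"mail left via {ip}, expected {expected_wan_ip}"
    if rdns is None:
        reason = (reason + "; " if reason else "") + "no reverse DNS for the egress IP"
    return {"ok": ok, "observed_ip": ip, "reverse_dns": rdns, "seen_by": by, "reason": reason}


if __name__ == "__main__":
    for label, text in (("via WAN A", MAIL_VIA_WAN_A), ("via WAN B", MAIL_VIA_WAN_B)):
        print(label, check_egress(text, "203.0.113.42"))
```

The first sample passes (the provider's MX saw 203.0.113.42 with a matching PTR); the second fails twice over, which is exactly what the thread tells you to look for: the mail left through the wrong WAN, and the receiving server had no reverse DNS for it. Pulling the WAN cable as suggested earlier is still the quickest test that the rule is actually steering traffic, while this check confirms the result from the outside.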
