2.1-release: SMTPS firewall rules



  • Hi!

    I've set up notifications successfully when I'm directly connected to the internet.
    Now, unfortunately my VPN provider blocks outgoing SMTP ports (25, 465 etc.).
    For my LAN, I've created a rule so that SMTP traffic always goes through the WAN IF,
    not the VPN IF. What do I need to do in order to have a similar rule for pfSense itself?
    Where do I set up the firewall rule so that port 465 always goes over the WAN interface?

    Kind Regards,

    SnakeZZ



  • Are you hosting an email server?

    If so, what you need is a NAT rule to forward SMTP/ SMTPS ports to your email server's internal IP.

    If your VPN provider is actually blocking SMTP access to external servers (very odd though I suppose it's possible) then what you need is to create a rule on 'LAN' (or whichever interface your client is on) to 'PASS' 'TCP/ UDP' Source 'LAN Subnet' 'Any' Port to Destination 'Any' Network 'SMTP' (or SMTPS) Port.  Scroll down and under Gateway, select the WAN Gateway rather than the VPN gateway (Your default?).



  • Hi dreamslacker,

    yeah, privateinternetaccess is probably not the best VPN provider. I'll change them soon I guess:
    https://www.privateinternetaccess.com/forum/index.php?p=/discussion/1371/gmail-smtp-problems/p1

    "This is due to our requirement of blocking all outbound mail to non-whitelisted servers, please submit a ticket to our support team, and we can get you a valid IP for accessing Gmail. […] That decision is unfortunately out of my hands, I'm just the messenger and Tier II Support"

    Anyway… I've set up the system for my LAN clients as you describe it... (managed to do that by myself earlier).
    The question is though: For the pfsense notifications, what is the interface that is being used? I guess it's not LAN,
    because I have a firewall rule on the LAN adapter that routes outgoing port 465 through my DHCP gateway instead of the VPN gateway and that's working fine (tested with Thunderbird).

    Kind Regards,

    SnakeZZ



  • @SnakeZZ:

    Hi dreamslacker,

    yeah, privateinternetaccess is probably not the best VPN provider. I'll change them soon I guess:
    https://www.privateinternetaccess.com/forum/index.php?p=/discussion/1371/gmail-smtp-problems/p1

    "This is due to our requirement of blocking all outbound mail to non-whitelisted servers, please submit a ticket to our support team, and we can get you a valid IP for accessing Gmail. […] That decision is unfortunately out of my hands, I'm just the messenger and Tier II Support"

    Anyway… I've set up the system for my LAN clients as you describe it... (managed to do that by myself earlier).
    The question is though: For the pfsense notifications, what is the interface that is being used? I guess it's not LAN,
    because I have a firewall rule on the LAN adapter that routes outgoing port 465 through my DHCP gateway instead of the VPN gateway and that's working fine (tested with Thunderbird).

    Kind Regards,

    SnakeZZ

    Presumably, you have setup Advanced Outbound NAT to manual mode?

    If so, change the "Auto created rule for localhost to WAN" so that the interface is WAN rather than your VPN adapter.



  • Presumably, you have setup Advanced Outbound NAT to manual mode?

    If so, change the "Auto created rule for localhost to WAN" so that the interface is WAN rather than your VPN adapter.

    Yes, it's in manual mode, but in there are two rules from localhost:

    somewhere in the middle:
    WAN  127.0.0.0/8 * * * WAN address 1024:65535 NO Auto created rule for localhost to WAN

    and at the very end of the list:
    VPN  127.0.0.0/8 * * * VPN address 1024:65535 NO Auto created rule for localhost to VPN

    I'm a bit puzzled how this works… In this setup, shouldn't the WAN rule always apply first and everything be NAT'ed out of the WAN?
    Do the NAT settings actually work the same way as the firewall rules?
    In which of those two rules would I need to make your changes? Is it possible to only route port 465 out through the WAN adapter (and not the VPN adapter)?

    Kind Regards,

    SnakeZZ



  • Does anybody have a solution for this topic?
    I have the same problem. My VPN tunnel is the default gateway. The VPN provider blocks all SMTP/S traffic.
    So I need a rule to route the notifications from the pfSense box itself via my WAN gateway, where I can use SMTP/S.

    I added an SMTPS rule on the WAN interface with the correct gateway (WAN), but it doesn't work.

    Thanks for any help!



  • @BeNe:

    Does anybody have a solution for this topic?
    I have the same problem. My VPN tunnel is the default gateway. The VPN provider blocks all SMTP/S traffic.
    So I need a rule to route the notifications from the pfSense box itself via my WAN gateway, where I can use SMTP/S.

    I added an SMTPS rule on the WAN interface with the correct gateway (WAN), but it doesn't work.

    Thanks for any help!

    You have to put the rule on the interface where the traffic enters the firewall, in your case most probably the LAN interface. Policy routing with pfSense works only for traffic entering the firewall, trying to re-route it when it leaves the firewall doesn't work to my knowledge.
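    The two "Auto created rule for localhost" entries and the policy-routing point above can be read together in pf.conf terms. This is an added illustration, not configuration from the thread or from pfSense itself; the interface names (em0, em1, ovpnc1) and the addresses are constructed assumptions.

    ```pf
    # Added illustration (not from the thread). Interface names and addresses
    # are assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    ext_if  = "em0"            # WAN
    lan_if  = "em1"            # LAN
    vpn_if  = "ovpnc1"         # VPN client tunnel (assumed name)
    wan_gw  = "203.0.113.1"    # constructed WAN gateway address
    relay   = "198.51.100.25"  # constructed address of the SMTPS relay

    # Outbound NAT is selected by the interface a packet is LEAVING on, so
    # these two rules never compete and their order in the list is irrelevant.
    # Which one fires is decided earlier, by the routing decision.
    nat on $ext_if from 127.0.0.0/8 to any -> ($ext_if) port 1024:65535
    nat on $vpn_if from 127.0.0.0/8 to any -> ($vpn_if) port 1024:65535

    # Policy routing (route-to) hangs off a pass rule on the interface where
    # traffic ENTERS the firewall. It works for forwarded LAN clients ...
    pass in quick on $lan_if proto tcp from $lan_if:network to any port 465 \
        route-to ($ext_if $wan_gw)

    # ... but the firewall's own notification mail never enters on any
    # interface, so no pass-in rule can policy-route it. Its egress interface
    # comes from the routing table alone: with the VPN as default route it
    # leaves via $vpn_if and the VPN NAT rule matches. A host route for the
    # relay via the WAN gateway steers it to $ext_if instead, where the WAN
    # NAT rule then applies (FreeBSD CLI form; pfSense exposes the same thing
    # under System > Routing):
    #   route add -host 198.51.100.25 203.0.113.1
    ```

    The host route only helps when the relay's address is stable; a relay that resolves to a rotating pool would need one route per address, which is why changing which interface is the default gateway, as mentioned later in the thread, is the less fragile option.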



  • Thanks for your answer.

    The main problem is that I want to receive the notification from the pfSense firewall itself (under System -> Advanced -> Notification), so there is no interface that the traffic enters.

    Of course I could change my VPN tunnel so that it is not the default gateway, but I hope there is another way.

    //EDIT

    My VPN provider whitelisted my needed SMTP servers…
    It works - done!