Can't access mails in DMZ

Firewalling | 16 Posts, 5 Posters, 6.9k Views

jan.gestre

      Hi All,

I have a mail server in my DMZ. I can access mail from outside (I'm connected to the internet on another network, using an email client like Outlook or Thunderbird). However, LAN-connected email clients can't access the same mail. Is there a workaround for this? My default config has NAT reflection disabled, so I've enabled it, but to no avail.

      TIA,

      Jan

jan.gestre

        As additional information, the MAIL server is using 1:1 NAT and I'm not using port forwarding.

jan.gestre

The only solution I have in mind is an ugly one, i.e. manually editing the Windows /etc/hosts file. This would be fine if I only had a few clients, but it would be a nightmare because I have more than a hundred workstations, not to mention the mobile users, who will have a problem once they connect to the internet outside of the office.  :(

Cry Havok

            You'll get a better response if you provide details.  At the very least a simple diagram.

            Things to check:

            1. How are the clients resolving the IP for the mail server - is it to an Internet IP or an internal IP
            2. Have you rules to allow traffic from the LAN to the DMZ
jan.gestre

@Cry Havok:

You'll get a better response if you provide details.  At the very least a simple diagram.

              Here is my network diagram snippet:

                 124.xxx.xx.xx
                       |
                    pfsense
      192.168.2.1/24  /   \  192.168.1.1/24
                     /     \
                   DMZ     LAN
                  /   \     |
               MAIL   FTP  Clients

              MAIL IP = 192.168.2.3

1. How are the clients resolving the IP for the mail server - is it to an Internet IP or an internal IP?

LAN clients get their IP and DNS from pfSense dynamically, i.e. using DHCP. I tried to manually assign the DNS server, but to no avail.

2. Have you rules to allow traffic from the LAN to the DMZ?

I have rules that allow SMTP, POP3 and IMAP from the LAN subnet to anywhere.

Attached herewith are the LAN rules that permit SMTP, POP3 and IMAP to anywhere. Also included are the WAN rules.

(Attachments: pfsense wan rules.jpg, pfsense lan rules.jpg)

Cry Havok

(Images too reduced in size to be readable)

I'll rephrase my first question: what IP address do the LAN clients use for the mail server, the Internet IP (124.x.x.x) or the internal IP (192.168.1.x)?

jan.gestre

I'm sorry for the images, I didn't know they would become unreadable; I'll make a new one in the office. Anyway, to answer your question, they just use the FQDN mail.domainname.com, which resolves to 124.xxx.xx.44 outside of the LAN. If I understand it correctly, LAN clients can't use the public IP of the mail server when behind pfSense/NAT, right? So how can I configure Outlook/Thunderbird to access the mail server from the LAN?

The dirty and ugly solution I can think of is fooling the Windows /etc/hosts file and mapping the internal IP like this: 192.168.2.3 mail.domainname.com, which is not a viable solution because of the number of workstations that have to be reconfigured, plus the sales people who bring their laptops home. I have no issues accessing mail with Outlook/Thunderbird when outside the office, but I'm having a huge headache making it work in the LAN.

We don't have a local DNS and just use the pfSense DNS forwarder service. Is the DNS server provided by the ISP causing the problem? I've already tried to manually configure the Windows DNS settings, but it didn't work. I'm running out of options.

                  Thanks for the help, I really appreciate it.

GruensFroeschli

I knew I read somewhere that 1:1 NAT does not work with NAT reflection :)
http://forum.pfsense.org/index.php?topic=7266.msg41244

sullrich provides the solution:

You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address, which will not forward back across to the 1:1 server.

                    one more thing to put on the general knowledge list  ;D

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

jan.gestre

I have no idea what split DNS is on pfSense, but here's what I did: Services > DNS Forwarder > "enter records that override the results from the forwarders below":

Host    Domain          IP             Description
ftp     mydomain.com    192.168.2.2    FTP
mail    mydomain.com    192.168.2.3    MAIL

It's now working. I guess this is what's called split DNS  ;D

Thanks for the help guys. :)

Cry Havok

                        Split DNS is where the same hostname returns different IPs depending on the source of the query (hint, Google).
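The following is an added example, not code from this thread or from pfSense. It models the split-DNS fix the thread arrives at: with the DNS Forwarder host overrides in place, a LAN client resolving mail.mydomain.com gets the DMZ address 192.168.2.3 and talks to the server directly, while without them it gets the public address and would have to hairpin back through the firewall's WAN address, which is exactly the case that needs NAT reflection and, per sullrich, does not work with plain 1:1 NAT. Assumptions: the LAN/DMZ subnets, override rows and placeholder domain mydomain.com are taken from the thread; the mail server's public address is redacted there, so the documentation address 203.0.113.44 (and .45 for ftp) stands in; the resolver names "pfsense" and "isp", the function names, and the hosts-file rendering (the record format dnsmasq reads, with no claim about where pfSense stores it) are this example's own.

```python
"""Model of split DNS for the LAN / DMZ / 1:1 NAT setup in this thread.
Added example; not pfSense code. Addresses other than the thread's private
subnets are constructed (203.0.113.0/24 is a documentation range)."""
import ipaddress

INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # LAN (from the thread)
    ipaddress.ip_network("192.168.2.0/24"),  # DMZ (from the thread)
]

# What an upstream/ISP resolver answers. Constructed: the thread redacts the
# real public address (124.xxx.xx.44), so a documentation address is used.
PUBLIC_ZONE = {
    "mail.mydomain.com": "203.0.113.44",
    "ftp.mydomain.com": "203.0.113.45",
}

# Host overrides as entered under Services > DNS Forwarder:
# (host, domain, ip, description), taken from the thread's table.
HOST_OVERRIDES = [
    ("ftp", "mydomain.com", "192.168.2.2", "FTP"),
    ("mail", "mydomain.com", "192.168.2.3", "MAIL"),
]


def override_map(overrides):
    """Turn override rows into {fqdn: ip}; DNS names compare case-insensitively."""
    return {f"{host}.{domain}".lower(): ip for host, domain, ip, _ in overrides}


def resolve(fqdn, resolver, overrides=HOST_OVERRIDES):
    """A-record lookup as seen through a given resolver (hypothetical names).

    "pfsense": the DNS Forwarder; a matching host override wins, anything
               else is forwarded upstream (modelled by PUBLIC_ZONE).
    "isp":     an upstream resolver that knows nothing about the overrides,
               i.e. what a laptop outside the office sees.
    """
    fqdn = fqdn.lower().rstrip(".")
    if resolver == "pfsense":
        hit = override_map(overrides).get(fqdn)
        if hit is not None:
            return hit
    elif resolver != "isp":
        raise ValueError(f"unknown resolver {resolver!r}")
    return PUBLIC_ZONE.get(fqdn)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def needs_hairpin(client_ip, answer_ip):
    """True when an inside client would reach an inside host via its public
    address: the path that depends on NAT reflection, which the thread says
    does not work with plain 1:1 NAT."""
    return is_internal(client_ip) and not is_internal(answer_ip)


def check_client(fqdn, client_ip, overrides=HOST_OVERRIDES, resolver="pfsense"):
    """Summarise what a client resolves and whether that path will work."""
    answer = resolve(fqdn, resolver, overrides)
    if answer is None:
        return {"answer": None, "ok": False, "why": "NXDOMAIN"}
    hairpin = needs_hairpin(client_ip, answer)
    return {
        "answer": answer,
        "ok": not hairpin,
        "why": "hairpin via public IP (needs NAT reflection)" if hairpin else "direct",
    }


def dnsmasq_hosts_lines(overrides):
    """Render the overrides in /etc/hosts format, the record format dnsmasq
    (the DNS Forwarder) reads. No assumption is made about the file's path."""
    return [f"{ip}\t{host}.{domain} {host}\t# {descr}"
            for host, domain, ip, descr in overrides]


if __name__ == "__main__":
    lan_client = "192.168.1.50"          # constructed LAN address
    for label, rows in (("no overrides", []), ("with overrides", HOST_OVERRIDES)):
        r = check_client("mail.mydomain.com", lan_client, rows)
        print(f"{label:15}: LAN client -> {r['answer']} ({r['why']})")
    r = check_client("mail.mydomain.com", "198.51.100.7", resolver="isp")
    print(f"{'outside office':15}: -> {r['answer']} ({r['why']})")
    print("\n".join(dnsmasq_hosts_lines(HOST_OVERRIDES)))
```

The two lookups that matter are the LAN client with and without overrides: the first returns the public address and is flagged as a hairpin, the second returns 192.168.2.3 and is direct. An outside client asking the ISP resolver still gets the public address, so the same FQDN keeps working for the laptops that leave the office, which is the property the poster wanted from the hosts-file workaround without touching every workstation.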

josempinto

                          Hello Everybody,

I think I have the same problem.

Your diagram is GOOD!

I will use your diagram, and as I said, I think I have the same problem as yours, but for me, instead of having a DMZ, I have another LAN. Say I have two LANs, say LAN(1) and LAN2.

The problem is that I want some users (IPs) from LAN(1) to be able to access some computers on LAN2.

Now, I have rules to allow traffic from LAN(1) to everywhere, and allow traffic from LAN2 to everywhere.

When I ping a computer (IP) on LAN2 from LAN(1), I get no reply.

Any idea?

I think the basic problem is that the (internal) rules of pfSense are all made to allow and/or block traffic to/from LAN and WAN, and the chance of two LANs communicating between them is not contemplated...??? (Am I RIGHT?)

@jan:

You'll get a better response if you provide details.  At the very least a simple diagram.

Here is my network diagram snippet:

                 124.xxx.xx.xx
                       |
                    pfsense
      192.168.2.1/24  /   \  192.168.1.1/24
                     /     \
                   DMZ     LAN
                  /   \     |
               MAIL   FTP  Clients

GruensFroeschli

Could you post a screenshot of the rules you have on LAN1 and LAN2?


sullrich

                              Have you tried enabling static port for these interfaces?

josempinto

                                @sullrich:

                                Have you tried enabling static port for these interfaces?

I am new to pfSense and to FreeBSD (but not to *nix).

I searched the forum for "enabling static port" with no success.
I searched Google and found the answer outside your forum, somewhere. Can you please confirm if it is done this way?

                                1. Visit Firewall -> NAT -> Outbound.
                                2. Enable Advanced outbound NAT
                                3. Edit the default LAN rule that it created and enable static port.
                                4. Click save.

                                Regards.

sullrich

                                  That is the correct method to enable it.

josempinto

                                    @sullrich:

                                    Have you tried enabling static port for these interfaces?

It took me some time to thank you, because I had to arrange some time to set up a new test box (I am afraid to do the tests on a production box and to use not-well-documented features: disable automatic outbound NAT rule generation, and so on).

But I am sorry, I think it still does not work, done this way.

I wonder why a firewall with such rich and powerful features as "CARP/VIPs", "VPN", "Bridging", "Virtual IPs", "OLSR", "RIP", "UPnP", and so on, fails at doing such a simple thing as knowing which network cards are plugged in (network interfaces), their (range of) IPs, and routing the traffic between them accordingly...???

Here is how I set up and solved this (my) problem.

I put in another box to pass back the traffic I wanted to pass from one LAN to another, and on this new box I opened the ports/services needed. This way worked for me.

                                    Here is my NEW network diagram:

                          Internet
                             |
                    pfsense_box_1 (10.1.0.1)
                     /                   \
           192.168.2.1/24            192.168.1.1/24
                 |                         |
                LAN2                      LAN
             /   |   \                     |
      Clients service_1 service_2     more_Clients
                 |                         |
                 +---- pfsense_box_2 ------+
                         (10.1.0.2)

I will now go and repeat the tests again, NOW with RC4, to see if this issue is solved in RC4; if I have some time I will post the results here later.

But thank you for this great software. I was looking for a firewall, went through a couple of available ones (Smoothwall, m0n0wall, IPCop, etc.), but settled for this one. I'm running it on a Pentium III/450 MHz box and have been very pleased with it!!, with some bugs and exceptions.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.