Can't access mail in DMZ



  • Hi All,

    I have a mail server in my DMZ. I can access mail from outside (I'm connected to the internet on another network, using an email client like Outlook or Thunderbird). However, LAN-connected email clients can't access the same mail. Is there a workaround for this? My default config had NAT reflection disabled, so I've enabled it, but to no avail.

    TIA,

    Jan



  • As additional information, the MAIL server is using 1:1 NAT and I'm not using port forwarding.



  • The only solution I have in mind is an ugly one, i.e., manually editing the Windows /etc/hosts file. This would be fine if I only had a few clients, but it would be a nightmare because I have more than a hundred workstations, not to mention the mobile users, who will have a problem once they connect to the internet outside of the office.  :(



  • You'll get a better response if you provide details.  At the very least a simple diagram.

    Things to check:

    1. How are the clients resolving the IP for the mail server - is it to an Internet IP or an internal IP?
    2. Do you have rules to allow traffic from the LAN to the DMZ?


  • You'll get a better response if you provide details.  At the very least a simple diagram.

    Here is my network diagram snippet:

                      124.xxx.xx.xx
                         pfsense
      192.168.2.1/24 ____|     |____ 192.168.1.1/24
                  |                        |
                  |                        |
                 DMZ                      LAN
                |   |                      |
                |   |                   Clients
              MAIL  FTP

    MAIL IP = 192.168.2.3

    1. How are the clients resolving the IP for the mail server - is it to an Internet IP or an internal IP?

    LAN clients get their IP and DNS from pfSense dynamically, i.e., using DHCP. I tried to manually assign the DNS server, but to no avail.

    2. Do you have rules to allow traffic from the LAN to the DMZ?

    I have rules that allow SMTP, POP3 and IMAP from the LAN subnet to anywhere.

    Attached herewith are the LAN rules that permit SMTP, POP3 and IMAP to anywhere. Also included are the WAN rules.

    ![pfsense wan rules.jpg](/public/imported_attachments/1/pfsense wan rules.jpg)
    ![pfsense lan rules.jpg](/public/imported_attachments/1/pfsense lan rules.jpg)



  • (Images too reduced in size to be readable)

    I'll rephrase my first question - what IP address do the LAN clients use for the mail server - the Internet IP (124.x.x.x) or the internal IP (192.168.1.x)?



  • I'm sorry for the images; I didn't know they would become unreadable. I'll make a new one in the office. Anyway, to answer your question, they just use the FQDN mail.domainname.com, which resolves to 124.xxx.xx.44 outside of the LAN. If I understand it correctly, LAN clients can't use the public IP of the mail server when behind pfSense/NAT, right? So how can I configure Outlook/Thunderbird to access the mail server from the LAN? The dirty and ugly solution I can think of is fooling the Windows /etc/hosts file and mapping the internal IP like this: 192.168.2.3 mail.domainname.com, which is not a viable solution because of the number of workstations that would have to be reconfigured, plus the salespeople who bring their laptops home. I have no issues accessing mail using Outlook/Thunderbird when outside the office, but I'm having a huge headache making it work in the LAN.

    We don't have a local DNS and just use the pfSense DNS forwarder service. Is the DNS server provided by the ISP causing the problem? I've already tried manually configuring the Windows DNS settings, but it didn't work. I'm running out of options.

    Thanks for the help, I really appreciate it.



  • I knew I read somewhere that 1:1 NAT does not work with NAT reflection :)
    http://forum.pfsense.org/index.php?topic=7266.msg41244

    sullrich provides the solution:

    You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address, which will not forward back across to the 1:1 server.

    One more thing to put on the general knowledge list  ;D



  • I have no idea what split DNS is on pfSense, but here's what I did: Services > DNS Forwarder > enter records that override the results from the forwarders below:

    Host    Domain          IP             Description
    ftp     mydomain.com    192.168.2.2    FTP
    mail    mydomain.com    192.168.2.3    MAIL

    It's now working. I guess this is what's called split DNS  ;D

    Thanks for the help guys. :)



  • Split DNS is where the same hostname returns different IPs depending on the source of the query (hint, Google).
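The fix the thread settles on, modelled in code. This is an added example, not code from the original posts or from pfSense: it reproduces what the DNS Forwarder host overrides do (same name, different answer depending on the source of the query) and flags the case that failed for the original poster, an inside client that receives the public address and would have to hairpin through a 1:1 NAT that does not reflect. The LAN/DMZ subnets and the two overrides come from the thread; the upstream answers, the public placeholder 198.51.100.44 (the real address is elided on the page), the second hostname and the client addresses are constructed for the example.

```python
"""Split-horizon ("split DNS") model of the pfSense DNS Forwarder host overrides.

Added example for this thread, not the forwarder's own code. Addresses marked
"constructed" below are assumptions made for the illustration.
"""
import ipaddress

# From the thread's diagram: LAN 192.168.1.0/24 and DMZ 192.168.2.0/24 sit
# behind pfSense; queries from these networks hit the forwarder directly.
INTERNAL_NETS = (
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
)

# The host overrides entered under Services > DNS Forwarder (from the thread).
OVERRIDES = {
    "mail.mydomain.com": "192.168.2.3",
    "ftp.mydomain.com": "192.168.2.2",
}

# Constructed stand-in for what the ISP / upstream forwarders return.
# 198.51.100.44 is a documentation-range placeholder for the elided
# 124.xxx.xx.44; 203.0.113.10 and the extra hostname are likewise made up.
UPSTREAM = {
    "mail.mydomain.com": "198.51.100.44",
    "ftp.mydomain.com": "198.51.100.44",
    "www.othersite.example": "203.0.113.10",
}


def _canonical(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and lowercase."""
    return name.rstrip(".").lower()


def is_internal(ip: str) -> bool:
    """True when the address lies on one of the directly attached inside networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, src_ip: str):
    """Answer a query the way the forwarder with host overrides does.

    An inside client asking for an overridden name gets the private address;
    every other query gets the upstream answer. Returns None when neither
    view knows the name (NXDOMAIN).
    """
    qname = _canonical(name)
    if is_internal(src_ip) and qname in OVERRIDES:
        return OVERRIDES[qname]
    return UPSTREAM.get(qname)


def would_hairpin(answer_ip: str, src_ip: str) -> bool:
    """True when an inside client received a public answer.

    That client would then connect to the WAN address and rely on NAT
    reflection to be sent back to the DMZ host. Per the thread, reflection
    does not apply to a plain 1:1 NAT without a port forward on top, so this
    is exactly the combination that fails.
    """
    return is_internal(src_ip) and not is_internal(answer_ip)


def dnsmasq_host_records(overrides=OVERRIDES):
    """Equivalent dnsmasq lines for the overrides.

    pfSense's DNS Forwarder is dnsmasq; host-record=<name>,<address> maps a
    name to an address ahead of the upstream forwarders.
    """
    return [f"host-record={name},{ip}" for name, ip in sorted(overrides.items())]


if __name__ == "__main__":
    # Constructed clients: one on the LAN, one out on the Internet.
    for client in ("192.168.1.50", "203.0.113.77"):
        answer = resolve("mail.mydomain.com", client)
        print(f"{client:>14} -> {answer}  hairpin={would_hairpin(answer, client)}")
    print("\n".join(dnsmasq_host_records()))
```

Note the two things a LAN client must satisfy for this to work: it has to send its queries to pfSense (a client pointed straight at the ISP's resolver never sees the override and lands in the `would_hairpin` case), and the LAN-to-DMZ firewall rules still have to permit the mail ports, since split DNS only changes the destination address, not what the firewall allows.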



  • Hello Everybody,

    I think I have the same problem.

    Your diagram is GOOD!

    I will use your diagram, and as I said, I think I have the same problem as yours, but for me, instead of having a DMZ, I have another LAN. Say I have two LANs, LAN(1) and LAN2.

    The problem is that I want some users (IPs) from LAN(1) to be able to access some computers on LAN2.

    Now, I have rules to allow traffic from LAN(1) to everywhere, and to allow traffic from LAN2 to everywhere.

    When I ping a computer (IP) on LAN2 from LAN(1), I get no reply.

    Any idea?

    I think the basic problem is that the (internal) rules of pfSense are all made to allow and/or block traffic to/from LAN and WAN, and the case of two LANs communicating between them is not contemplated…??? (Am I RIGHT?)

    @jan:

    You'll get a better response if you provide details.  At the very least a simple diagram.

    Here is my network diagram snippet:

                      124.xxx.xx.xx
                         pfsense
      192.168.2.1/24 ____|     |____ 192.168.1.1/24
                  |                        |
                  |                        |
                 DMZ                      LAN
                |   |                      |
                |   |                   Clients
              MAIL  FTP



  • Could you post a screenshot of the rules you have on LAN1 and LAN2?



  • Have you tried enabling static port for these interfaces?



  • @sullrich:

    Have you tried enabling static port for these interfaces?

    I am new to pfSense and to FreeBSD (but not to *nix).

    I searched the forum for “enabling static port” with no success.
    I searched Google and found the answer outside your forum, somewhere. Can you please confirm that it is done this way?

    1. Visit Firewall -> NAT -> Outbound.
    2. Enable Advanced outbound NAT
    3. Edit the default LAN rule that it created and enable static port.
    4. Click save.

    Regards.



  • That is the correct method to enable it.



  • @sullrich:

    Have you tried enabling static port for these interfaces?

    It took me some time to thank you, because I had to arrange some time to set up a new test box (I am afraid to do the tests on a production box and to use not-well-documented features (disable automatic outbound NAT rule generation, and so on)).

    But I am sorry, I think it still does not work, done this way.

    I wonder why a firewall with such rich and powerful features as “CARP/VIPs”, “VPN”, “Bridging”, “Virtual IPs”, “OLSR”, “RIP”, “UPnP”, and so on, fails at doing such a simple thing as knowing which network cards are plugged in (network interfaces), their (range of) IPs, and routing the traffic between them accordingly…???

    Here is how I set up and solved this (my) problem.

    I put in another box to let the traffic which I wanted to pass from one LAN to the other pass back, and on this new box I opened the ports/services needed. This way worked for me.

    Here is my NEW network diagram:

                            Internet
                               |
                               |
                   10.1.0.1            10.1.0.2
                 pfsense_box_1       pfsense_box_2
                   |     |            /      |
                   |     |           /       |
      192.168.2.1/24     |          /        192.168.1.1/24
                   |     |_________/         |
                   |                         |
                  LAN2                      LAN
             |     |     |                   |
       Clients service_1 service_2      more_Clients

    I will now go and repeat the tests again, NOW with RC4, to see if this issue is solved in RC4. If I have some time I will post the results here later.

    But thank you for this great software. I was looking for a firewall, went through a couple of available ones (Smoothwall, m0n0wall, IPCop, etc.), but settled on this one. I’m running it on a Pentium III/450 MHz box and have been very pleased with it, with some bugs and exceptions.

