Outlook Problem



  • Hello everyone, my name is George and I work as an IT consultant.

    We recently switched ISPs and had to go through changing the settings of our current pfSense box so that we could access the internet again. It was quite troublesome, to be frank, but last Friday we figured out the correct configuration of our WAN interface as well as our router's configuration and pfSense finally worked and we were online (from PPPoE that was our last configuration, we switched it to DHCP after having it get the static IP 10.10.0.1 so that the new router would allow it to connect to the internet). Our LAN is on a different network, with pfSense's IP being 10.10.1.1.

    Now, as we tried expirementing with our LAN rules and started getting excited since everything seemed to work fine, we came upon a crashing halt. pfSense was now blocking outlook from sending and receiving e-mails. We could send e-mails from the web platforms (such as gmail.com or hotmail.com) but when we needed to send an e-mail from our domain it would block us. The rules of our old setup are the same, we have a POP3 port open as well as an SMTP port open (we also have an POP3/S port open). We use pop3 accounts and smtp and set them up in outlook that way. I tried setting up thunderbird, but to no avail. The weird thing is, when I set up an @hotmail.com account on outlook and let it get the default settings, it worked! This is really boggling me and I could really use your help on this one. What could be wrong?

    Thank you in advance,
    George


  • Moderator

    Looks like the new modem is not in bridged mode which is required so that the pfsense box gets the Real WAN IP directly so that your NAT rules can work correctly.



  • @BBcan177:

    Looks like the new modem is not in bridged mode which is required so that the pfsense box gets the Real WAN IP directly so that your NAT rules can work correctly.

    Indeed it isn't, but that is because our modem does not support bridge mode (according to our ISP who gave it to us) since it's an ISDN modem, used both for internet as well as telephony. We've managed to get as far as having internet access, so I suppose there must be a way to get e-mails as well…


  • Moderator

    Some ISPs also block outbound smtp/smtps traffic. Can you receive emails? Webmail also doesn't use smtp/s so that might confirm that the ISP is blocking those ports?



  • First of all, I would like to thank you for your help. Even answering means a great deal.

    I can neither receive not send emails from our email. I did however try connecting a laptop directly to the modem and I could send emails that way. What's really bothering me is that when I set up the @hotmail.com email on outlook I could both send and receive emails so I'm pretty sure there's something wrong with the rules we have, concerning the POP3 and SMTP ports. However, I cannot, for the life of me, fathom what could be the problem, since there hasn't been any change in the LAN rules. Would some screenshots help?


  • Moderator

    I don't use Outlook but post some screenshots.

    Also here is a thread to review:
    https://forum.pfsense.org/index.php?topic=60678.msg326881#msg326881



  • The screenshots, as promised. I did check out the other thread as you suggested but there was not much information there… The outlook screenshot has information in greek but it's not something out of the ordinary. If you need translation on something though, I'd be happy to oblige






  • Have you also tested adding a rule that allows all traffic on LAN, just to see if it works then? Though, from my perspective, your firewall rules looks okay.

    If that doesn't work, how about capturing some traffic on your LAN-interface and WAN-interface when you attempt to fetch mail? Use packet capture under Diagnostic. You can filter it on port 110. You can also check the same with port 25, when you attempt to send mail. Maybe that can tell us something.

    Edit: And maybe also port 465.


  • Moderator

    The last LAN Rule is a proxy rule. Do you use a proxy for Outlook? Are you running any other services like Squid or Snort? Do the Firewall logs show any other useful info?

    https://forum.pfsense.org/index.php?topic=71041.0



  • @BBcan177:

    The last LAN Rule is a proxy rule. Do you use a proxy for Outlook? Are you running any other services like Squid or Snort? Do the Firewall logs show any other useful info?

    https://forum.pfsense.org/index.php?topic=71041.0

    I'm sorry for the late response. I read the other thread you suggested so I tried a few experiments (mainly restoring my old system with the exact configuration and then playing around with the Rules). I couldn't find a solution however. I did try to set up outlook with our proxy, according to a guide I found online, but that didn't work either. In any case, I think outlook gets its settings from the Internet explorer settings

    @vindenesen:

    Have you also tested adding a rule that allows all traffic on LAN, just to see if it works then? Though, from my perspective, your firewall rules looks okay.

    If that doesn't work, how about capturing some traffic on your LAN-interface and WAN-interface when you attempt to fetch mail? Use packet capture under Diagnostic. You can filter it on port 110. You can also check the same with port 25, when you attempt to send mail. Maybe that can tell us something.

    Edit: And maybe also port 465.

    Here are some screenshots of me trying to capture packets on those particular ports. I can't really make out if this means it's working properly or not but I think it does? I also tried the rule that allows all traffic, but no change… I'm at my wit's end here





    ![packetcapturesmtp .png](/public/imported_attachments/1/packetcapturesmtp .png)
    ![packetcapturesmtp .png_thumb](/public/imported_attachments/1/packetcapturesmtp .png_thumb)



  • From your packet capture, I think I can see the problem. Can you take a screenshot of your Outbound Nat rules?

    Edit: Is 192.168.2.63 your workstation or the computer you used to test POP3/SMTP with?



  • @vindenesen:

    From your packet capture, I think I can see the problem. Can you take a screenshot of your Outbound Nat rules?

    Edit: Is 192.168.2.63 your workstation or the computer you used to test POP3/SMTP with?

    192.168.2.63 is the computer I'm using to test the POP3/SMTP settings. I also have another computer doing the same tests occasionally, just to make sure it's not some fluke.

    The screenshot as requested is this: As you can see we have no special rules here…




  • That's weird. Because according to your packet captures, NAT is not applying to traffic going out the WAN interface (at least not for 192.168.2.63). We shouldn't have seen the IP address 192.168.2.63 there, but instead your WAN IP address. tcpdump is capturing traffic after NAT rules has been processed.

    Can you take a screenshot of your LAN and WAN settings?



  • So, here are the screens you requested. I think I'm starting to get your point but I'm a bit fuzzy still. At some point, while we were having trouble connecting to the internet, since we could not put the modem in bridge mode, we contacted our ISP and asked him to have our ISDN modem "see" the ip address 192.168.1.1 which we then gave to the pfsense  box.








  • I think I know why regular http browsing at least is working. If your pfsense is running squid, then http traffic will have a source address of 192.168.1.1.

    You should at least disable "Block private networks" on WAN, since your WAN actually is in RFC 1918. But I doubt it will fix your issue. At the moment I don't have any more ideas.



  • +1 to disabling the "block private networks" on your WAN.

    Also, can you try to switch to manual outbound NAT and post the auto-generated rules?



  • Good day to all!

    I disabled the "block private networks" on my WAN and for a few seconds and tried playing with the "Allow any" rule on my LAN rules. And it worked! So, fiddling around some more yesterday and today, I finally managed to make it work. Apparently it was the DNS rule that caused the problem all along (since we used to have a DNS server but on our test machine we were not using it). As soon as we fixed that, everything started working again.

    I just want to say that you are all gentlemen of the internet, extremely helpful and I thank you from the bottom of my heart! Consider yourselves gods amongst men!

    Thank you,
    George