How to set up a mail server with a pfSense dual WAN connection



  • Hello All,

    I have two broadband connections with static IP addresses, and I want to use pfSense to set up a bonded connection which can utilize both of those broadband connections at the same time to provide maximum bandwidth efficiency (not failover). Behind the pfSense I will set up a mail server, and I wonder how to set up the firewall rules to allow incoming and outgoing mail through pfSense, and how to set up a bonded connection as I described above. Please help.



  • I don't think that PFSense supports that type of connection yet.

    Here is what I would do. I would set up my mail server (Exchange for this example, and MS DNS). I would have my mail server with one internal address and point both of my external addresses back to the one mail server. That should work. Your external DNS would need to have MX records and a host record pointing back to the mail server. The world would be able to send to either external address, and the mail server should be able to receive from either point of entry.

    RC



  • fastcon68,

    Really, pfSense doesn't support bonded connections yet? If pfSense can do this, it can help nonprofit organizations like us to save a lot of money by dropping the T1 connection, getting multiple Comcast business accounts and bundling them into one big pipe to provide maximum bandwidth.



  • @jle2005:

    > Really, pfSense doesn't support bonded connections yet? If pfSense can do this, it can help nonprofit organizations like us to save a lot of money by dropping the T1 connection, getting multiple Comcast business accounts and bundling them into one big pipe to provide maximum bandwidth.

    True bonded connections are generally multiple lines from the same provider bonded at the router level (bonded T1s or DSLs). Most devices that claim to 'bond' lines actually just use queuing techniques to route traffic out of the fastest line at the time. Something along the lines of a FatPipe may actually allow you to pull 8 megs through your four 2 meg pipes, but pfSense is free, and a well-featured FatPipe runs around $15,000.



  • dotdash, thank you for replying.

    > Something along the lines of a fatpipe may actually allow you to pull 8 megs through your 4 2 meg pipes, but pfSense is free, and a well featured fatpipe runs around $15000

    Are you saying pfsense can do what fatpipe can?



  • Bonding at the link layer will be supported in the 1.3 release.

    'Bonding' at a higher level, if it can be called that, is handled by pfSense.



  • @jle2005:

    > Are you saying pfsense can do what fatpipe can?

    No.
    I'm saying that most devices that say they 'bond' multiple WANs of different providers/types actually don't bond them. And devices that can actually take several small lines and make them act like a large line are very expensive.



  • Thanks eri and dotdash,

    So, can pfsense bond multiple comcast cable lines?



  • No, the answer is still no.
    First, let's stop using the term "bonding"; it's not very useful.
    Bonding usually refers to aggregated circuits: T1s bonded with multilink PPP, channel-bonded DSLs, bonded modems, port aggregation with Ethernet switches, etc.
    Bonding is generally done at the router/equipment level, so you could connect a router with bonded circuits to pfSense.
    pfSense will let you use two or more WAN links using round-robin or via policy-based routing.



  • @jle2005:

    > Hello All,
    >
    > I have two broadband connections with static IP addresses, and I want to use pfSense to set up a bonded connection which can utilize both of those broadband connections at the same time to provide maximum bandwidth efficiency (not failover). Behind the pfSense I will set up a mail server, and I wonder how to set up the firewall rules to allow incoming and outgoing mail through pfSense, and how to set up a bonded connection as I described above. Please help.

    Assuming you have the mail server on a private IP address, 10.1.1.2, and the WAN interfaces have real IP addresses, you need to have NAT rules for each of the WAN interfaces.

    If    Proto    Ext. port range  NAT IP    Int. port range
    WAN   TCP/UDP  25               10.1.1.2  25               (ext.: x.y.z.t)
    WAN2  TCP/UDP  25               10.1.1.2  25               (ext.: x2.y2.z2.t2)

    Then you need firewall rules to let the packets in on BOTH interfaces.

    Proto    Source  Port  Destination  Port  Gateway  Schedule
    TCP/UDP  *       *     10.1.1.2     25    *

    The above is just for SMTP. You will probably need to do the same for POP, secure SMTP, secure POP, and webmail also.
    This will allow you incoming on both interfaces. Outgoing load balancing needs more thought.



  • Thanks sai, I will give this a try when I set up my dual WAN connections.

    I've learned so much about pfSense in this forum from great gurus like you guys.



  • Sai, not sure if you are still around, but I have a similar scenario: I have 1 mail server serving 2 domains, which resides behind pfSense. As with the OP, I also have 2 WAN connections (ADSL).
    The problem I see with your solution is that if an SMTP session is initiated by a remote host on wan1 and your SMTP server responds, and the response is routed via wan2, the session will most likely time out, because most ISPs don't allow traffic originating on other networks to traverse/be routed via their network (reverse path filtering is usually the security measure they apply: http://www.wlug.org.nz/ReversePathFiltering ).

    Please correct me if I am wrong, but certainly in my current setup this appears to be what is impeding the chance of a successful SMTP communication.



  • The response should go out the WAN port the connection came in on. I am certain that pfSense handles this correctly by itself. I think that the state table plays a big part in this.

    Reverse path filtering does not apply in your case. If your connection comes in on ISP1 and the reply does (for the sake of this example) go out of the ISP2 interface, the packet would be valid for ISP2 and not spoofed.

    You are just confusing yourself by looking at this wlug site. pfSense is FreeBSD, not Linux. There are many differences. Mostly BSD is better :-)
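    As an added example (not from the thread, and not pfSense's own generated ruleset), this is what sai's two port forwards and pass rules, together with the per-interface return path his later post relies on, look like in FreeBSD pf syntax. The interface names, the gateway and WAN addresses (documentation ranges, constructed here) and the extra mail ports beyond 25 are assumptions; the mail server 10.1.1.2 is from the thread.

    ```pf
    # Constructed topology: WAN1 em0 198.51.100.10 (gateway 198.51.100.1),
    # WAN2 em1 203.0.113.10 (gateway 203.0.113.1), mail server 10.1.1.2 (from the thread).
    wan1    = "em0"
    wan2    = "em1"
    wan1_gw = "198.51.100.1"
    wan2_gw = "203.0.113.1"
    mail    = "10.1.1.2"
    # Assumed ports: SMTP, SMTPS, submission, POP3/POP3S, IMAP/IMAPS, webmail over HTTPS
    mail_ports = "{ 25, 465, 587, 110, 995, 143, 993, 443 }"

    # Port forward (NAT) on each WAN: traffic to that WAN's own address is sent to the mail server
    rdr on $wan1 proto tcp from any to ($wan1) port $mail_ports -> $mail
    rdr on $wan2 proto tcp from any to ($wan2) port $mail_ports -> $mail

    # Let the forwarded packets in on BOTH interfaces. Filter rules see the packet after
    # rdr, so the destination is already the internal address. reply-to stores, in the
    # state entry, the gateway that replies must use, so a session that arrived on WAN1
    # is answered out of WAN1 even if the default route points at WAN2.
    pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto tcp from any to $mail port $mail_ports keep state
    pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp from any to $mail port $mail_ports keep state
    ```

    With `reply-to` on the state, the reverse path filtering concern in the previous post cannot arise for inbound sessions, because the reply leaves with the source address of the interface it was received on.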



  • Haha, thanks sai :) I stand corrected by BSD.
    I use Ubuntu for my desktop and have used Slackware and Gentoo in the past. Is BSD any good as a desktop environment?



  • @coloured:

    > I use Ubuntu for my desktop and have used Slackware and Gentoo in the past. Is BSD any good as a desktop environment?

    Totally off topic, but check out http://www.pcbsd.org/ or http://www.desktopbsd.net/ if you are interested in a more desktop-friendly BSD.

