Multi WAN port forward for Exchange 2010 OWA and ActiveSync
-
Running 2.0.1 i386 on VMware ESXi (running great for 4 years)
WAN - Static IP using /29 subnet has gateway address associated with it
OPT1 - Same IP range as WAN /29 subnet with no gateway associated with it
OPT2 - Fast dynamic internet connection for internet on site, 172.16.x.x
Default route - OPT2
NAT reflection is on for iPhones to connect to ActiveSync.
Currently the WAN interface is NAT port (443) forwarded to the Exchange 2003 server, the goal is to have OPT1 port forward to the new Exchange 2010 server on the same port.
Using Outlook Anywhere with the old Exchange 2003 server (on 443, WAN interface) the connection is solid; using the same firewall connecting to the Exchange 2010 server (on 443, OPT1) the connection is unstable. Every 10-60 seconds there is an event log entry that the connection to the server has been restored.
All Exchange connectivity tests pass with the Exchange 2010 server. Exchange Outlook Web Access pages load without issues, and iPhones (while sometimes delayed) get their mail.
Tried adjusting the Firewall Optimization Options to conservative and modified the firewall advanced setting "State Timeout in seconds" to 30 minutes, to see if it was dropping the connection due to inactivity.
As a test I tried setting up a new 2.2.2 firewall with a single port forward rule to the Exchange 2010 server (443). This did not have the same OPT1 and OPT2 connections, just a single rule and a static IP for WAN. It worked flawlessly for hours, so I came to the assumption that it was time to upgrade. Sat down last week and started to copy the setup of the firewall to the new version. As soon as it came online the exact same connection drop came back.
I am perplexed by this issue, and feel that I have done something wrong to cause it. I have a feeling it has to do with the routes and setup of my block of static IPs. I can post whatever is required to help solve the issue!
-
WAN - Static IP using /29 subnet has gateway address associated with it
OPT1 - Same IP range as WAN /29 subnet with no gateway associated with it
I'm perplexed how that works at all.
-
WAN and OPT1 use a common gateway on the /29 subnet. I have never had to put in a gateway address for these port forwards to work, but again not ruling out this being setup wrong.
Could you elaborate on the issue you think this could be causing?
-
Well, first of all, 2.0.1 is ancient. You should probably upgrade before you try to fix it. It's going to be hard to find someone with a 2.0.1 to even look at to help you. When you upgraded and got the same problem, did you leave it at 2.2.2 or did you go back? If you upgraded and had the same issue, you should leave it upgraded so people can help you instead of telling you to upgrade.
After that, I can't imagine why you would use another pfSense interface on your WAN net instead of just VIPs on WAN for port forwards.
-
I would have left 2.2.2 in place, but the VPN tunnels were not all connecting, which is another issue. I will attempt to set up virtual IPs and see if it corrects the issue.
-
Thank you so much for the advice on the VIPs. The system seems to be working perfectly now.