Netgate Discussion Forum

    Multi WAN port forward for Exchange 2010 OWA and ActiveSync

      themixer

      Running 2.0.1 i386 on VMware ESXi (running great for 4 years)

      WAN - Static IP using /29 subnet has gateway address associated with it
      OPT1 - Same IP range as WAN /29 subnet with no gateway associated with it
      OPT2 - Fast Dynamic internet connection for internet on site, 172.16.x.x

      Default route - OPT2

      NAT reflection is on for iPhones to connect to ActiveSync

      Currently the WAN interface is NAT port (443) forwarded to the Exchange 2003 server; the goal is to have OPT1 port forward to the new Exchange 2010 server on the same port.

      Using Outlook Anywhere with the old Exchange 2003 server (on 443 WAN interface) the connection is solid; using the same firewall connecting to the Exchange 2010 server (on 443 OPT1) the connection is unstable. Every 10-60 seconds there is an event log that the connection to the server has been restored.

      All Exchange connectivity tests pass with the Exchange 2010 server. Exchange Outlook Web Access pages load without issues, iPhones (while sometimes delayed) get their mail.

      Tried adjusting the Firewall Optimization Options to conservative and modified the firewall advanced settings State Timeout in seconds to 30 mins, to see if it was dropping the connection due to inactivity.

      As a test I tried setting up a new 2.2.2 firewall with a single port forward rule to the Exchange 2010 server (443). This did not have the same OPT1 and OPT2 connections, just a single rule and a static IP for WAN. It worked flawlessly for hours, so I came to the assumption that it was time to upgrade. Sat down last week and started to copy the setup of the firewall to the new version. As soon as it came online the exact same connection drop came back.

      I am perplexed at this issue, and feel that I have done something wrong to cause it. I have a feeling it is to do with the routes and setup of my block of static IPs. I can post whatever is required to help solve the issue!

        Derelict LAYER 8 Netgate

        WAN - Static IP using /29 subnet has gateway address associated with it
        OPT1 - Same IP range as WAN /29 subnet with no gateway associated with it

        I'm perplexed how that works at all.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          themixer

          WAN and OPT1 use a common gateway on the /29 subnet. I have never had to put in a gateway address for these port forwards to work, but again not ruling out this being set up wrong.

          Could you elaborate on the issue you think this could be causing?

            Derelict LAYER 8 Netgate

            Well, first of all 2.0.1 is ancient. You should probably upgrade before you try to fix it. It's going to be hard to find someone with a 2.0.1 to even look at to help you. When you upgraded and got the same problem did you leave it at 2.2.2 or did you go back? If you upgraded and had the same issue, you should leave it upgraded so people can help you instead of telling you to upgrade.

            After that, I can't imagine why you would use another pfSense interface on your WAN net instead of just VIPs on WAN for port forwards.


              themixer

              I would have left 2.2.2 in place but the VPN tunnels were not all connecting, which is another issue. I will attempt to set up virtual IPs and see if it corrects the issue.

                themixer

                Thank you so much for the advice on the vIPs. The system seems to be working perfectly now.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.