Netgate Discussion Forum

    Issue firewalling and/or portforwarding DMZ in failover environment

    Firewalling · 3 Posts · 2 Posters · 471 Views
    sjouken

      I have made a failover as described in failover.
      I used only the failover part, for I have a fast cable connection and a slow ADSL connection.
      Here is a picture of this failover:
      ((GatewayGroups.PNG))

      Because I have made a DMZ for mail and webserver, I must forward those ports to the slow ADSL.
      So as seen below I made NAT forwarding:
      ((NAT Port Forward))
      Because the mailserver is receiving its mail from the WAN_IAE, I used it also as gateway.
      I used the firewall rule created by pfSense, but with only one modification: under Advanced I use the gateway of the WAN_IAE_DHCP:
      ((Firewall Rule NATForward SMTP_1.png))

      You can also see it in the Firewall Rules:
      ((Firewall Rules))
      Because I see incoming messages from my upstream mailserver, I added a rule for DMZ…
      ((Firewall Rules DMZ))

      But.....
      now I see only the start of the connection of my upstream mailserver:
      ((System logs Firewall port 25))
      So the upstream server starts the connection to my DMZ mailserver... however, the reply doesn't get back, and I see nothing in my mailserver which shows the rest of the connection.

      So neither incoming nor outgoing mail works.
      I must use my upstream mailserver as relay.
      I CAN communicate from my internal network to my DMZ mailserver as well as my webserver.

      This is exactly the same for my webserver... so there is a fundamental flaw in my design :(
      Any help would be appreciated.

      Regards,
      Sjouken

      Sorry, I really don't know how to insert the pictures at the proper position. That is why I added them as attachments.

      Attachments:
      ![GatewayGroups.PNG](/public/imported_attachments/1/GatewayGroups.PNG)
      ![NAT Port Forward.PNG](/public/imported_attachments/1/NAT Port Forward.PNG)
      ![Firewall Rule NATForward SMTP_1.png](/public/imported_attachments/1/Firewall Rule NATForward SMTP_1.png)
      ![Firewall Rules.PNG](/public/imported_attachments/1/Firewall Rules.PNG)
      ![Firewall Rules DMZ.PNG](/public/imported_attachments/1/Firewall Rules DMZ.PNG)
      ![System logs Firewall port 25.PNG](/public/imported_attachments/1/System logs Firewall port 25.PNG)

      Derelict (LAYER 8, Netgate)

        For starters, your firewall rules for the port forwards on WAN_IAE should not have a gateway set.  You are telling pfSense to send those port forwards back out WAN_IAE_DHCP.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

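The misconfiguration Derelict points out (a gateway set on the firewall rule that belongs to a port forward, which policy-routes the forwarded traffic back out the WAN gateway instead of to the DMZ host) can be audited in a pfSense config backup. The following is an added example, not code from the thread or from pfSense: it walks a config.xml fragment constructed here for illustration and flags filter rules that are linked to a NAT port forward and also carry a `<gateway>`. It assumes the config.xml layout where a NAT rule and its auto-created filter rule share an `<associated-rule-id>` element.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not from the thread). The element names
# follow the pfSense config.xml layout as assumed here: a NAT port forward and
# its auto-created filter rule share the same <associated-rule-id>.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>opt1</interface><protocol>tcp</protocol>
      <target>10.0.2.25</target><local-port>25</local-port>
      <descr>NAT SMTP to DMZ mail</descr>
      <associated-rule-id>nat_smtp</associated-rule-id></rule>
    <rule><interface>opt1</interface><protocol>tcp</protocol>
      <target>10.0.2.80</target><local-port>80</local-port>
      <descr>NAT HTTP to DMZ web</descr>
      <associated-rule-id>nat_http</associated-rule-id></rule>
  </nat>
  <filter>
    <rule><interface>opt1</interface><gateway>WAN_IAE_DHCP</gateway>
      <descr>NAT SMTP to DMZ mail</descr>
      <associated-rule-id>nat_smtp</associated-rule-id></rule>
    <rule><interface>opt1</interface>
      <descr>NAT HTTP to DMZ web</descr>
      <associated-rule-id>nat_http</associated-rule-id></rule>
    <rule><interface>lan</interface><gateway>WAN_IAE_DHCP</gateway>
      <descr>LAN policy route (not a port forward, so not flagged)</descr></rule>
  </filter>
</pfsense>"""


def forward_rules_with_gateway(config_xml: str) -> list[dict]:
    """Return filter rules tied to a port forward that also set a gateway.

    Such a rule sends the forwarded packets back out the named gateway instead
    of letting them reach the internal target, which is the symptom in the
    thread. Gateways on ordinary (non-forward) rules are left alone."""
    root = ET.fromstring(config_xml)
    # ids of the filter rules that pfSense created for NAT port forwards
    forward_ids = {r.findtext("associated-rule-id") for r in root.iterfind("nat/rule")}
    forward_ids.discard(None)
    findings = []
    for rule in root.iterfind("filter/rule"):
        assoc = rule.findtext("associated-rule-id")
        gateway = rule.findtext("gateway")
        if assoc in forward_ids and gateway:
            findings.append({"descr": rule.findtext("descr", ""),
                             "interface": rule.findtext("interface", ""),
                             "gateway": gateway})
    return findings
```

Each finding names the rule whose gateway should be reset to default; the SMTP rule in the sample is reported, the HTTP rule and the LAN policy-route rule are not.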
        sjouken

          Bow to Derelict…. that was indeed the solution.
          I removed the gateway, set it to default, and now it's working like a charm.
          Also I see requests at my webserver :)

          Thanks again for your help. I was getting desperate.
          Sjouken

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.