Allow only some WAN IPs access through port 25



  • Hi, I hope someone can help me here.

    I need to redirect SMTP from my spam provider to my mail server.
    Right now it's working by allowing any from outside on port 25 to server IP port 25. This is not secure enough!
    I would like to allow only WAN IP X.X.X.X and WAN IP X.X.X.X port 25 to access LAN IP X.X.X.X port 25. How do I do that?

    Also I want to deny all but one IP on the LAN from sending SMTP, and only to WAN IP X.X.X.X and WAN IP X.X.X.X.

    Best regards /Gorm


  • Banned

    Have you considered using the source/destination field of firewall rules for that?



  • Yes, but the WAN address field is grayed out :-\



  • Single host or alias and Network are the only source fields where I can type an IP.

    So are you telling me to use Single host for the WAN IP and make multiple rules?
    I have tried that in the past and it didn't seem to work.



  • Edit your NAT rule so that the Source is changed from any to the IP address that you wish to allow.



  • It seems that I can only do that by changing any to Single host or alias.

    So would the right way to do this be: make an alias with the WAN IPs and then redirect the alias?

    I am using pfSense 2.0.3-RELEASE and either I am misunderstanding what Firewall/NAT/Source WAN address means or there is a bug!



  • It seems that I can only do that by changing any to Single host or alias.

    So use that then.  Is it a problem somehow???

    Make an alias with the WAN IPs and then redirect the alias?

    Since you have more than one single host, an alias that holds the hosts is what you need.

    I am using pfSense 2.0.3-RELEASE and either I am misunderstanding what Firewall/NAT/Source WAN address means or there is a bug!

    You might want to consider upgrading to something a little more current.  NAT is a basic function of pfSense.  I very much doubt there is a bug.



  • Thanks.
    @KOM:

    It seems that I can only do that by changing any to Single host or alias.

    So use that then.  Is it a problem somehow???

    It is not a problem as long as it is working.

    The reason I'm asking is because in another case I tried to pass an external IP through this way and it was not working. I don't know if there was some sort of IP masking in play or something else making it not work.

    And I don't want any unnecessary downtime.

    Make an alias with the WAN IPs and then redirect the alias?

    Since you have more than one single host, an alias that holds the hosts is what you need.

    So I do this by Firewall/Aliases: make an IP-based rule here using the WAN IPs and give the rule a name? Can I then find it under Source, or do I manually have to enter the name of the rule under Single host or alias?

    I am using pfSense 2.0.3-RELEASE and either I am misunderstanding what Firewall/NAT/Source WAN address means or there is a bug!

    You might want to consider upgrading to something a little more current.  NAT is a basic function of pfSense.  I very much doubt there is a bug.

    There is probably a bug in my brain then, because I think a WAN address should mean an address on the internet and not just the outside IP of pfSense, or what does it mean?
    Maybe it means any address on the outside of the firewall? And LAN means any address on the inside?

    You're right, I should upgrade. Will it cause any downtime like a reboot?


  • LAYER 8 Global Moderator

    "because I think a WAN address should mean an address on the internet"

    That is a flaw in your thinking. WAN net is the WAN network pfSense is attached to, just like LAN net is the LAN network pfSense is attached to.

    So WAN address is pfSense's address in the WAN net, and LAN address is the address pfSense has in the LAN net.



  • So I do this by Firewall/Aliases: make an IP-based rule here using the WAN IPs and give the rule a name?

    Just create an IP alias.  Stuff it with two IP addresses you require.  Create your firewall rule and when asked for Source or Destination (depending on what the rule is supposed to do), select Single host or alias and then specify your alias.



  • @johnpoz:

    "because I think a WAN address should mean an address on the internet"

    That is a flaw in your thinking. WAN net is the WAN network pfSense is attached to, just like LAN net is the LAN network pfSense is attached to.

    So WAN address is pfSense's address in the WAN net, and LAN address is the address pfSense has in the LAN net.

    You are right, I just think of it as outside and inside.

    Sometimes the WAN side is really a LAN, or is that a flaw too ::) never mind.



  • @KOM:

    So I do this by Firewall/Aliases: make an IP-based rule here using the WAN IPs and give the rule a name?

    Just create an IP alias.  Stuff it with two IP addresses you require.  Create your firewall rule and when asked for Source or Destination (depending on what the rule is supposed to do), select Single host or alias and then specify your alias.

    OK, thanks. So that is the one that I can make in Firewall/Aliases, right?

    Sorry for the stupid questions, but I am more used to Cisco / iptables terminal-based firewalls.


  • LAYER 8 Global Moderator

    Yes, WAN does not mean internet, it just means the network on the outside of pfSense compared to your LAN.  WAN net does not mean internet, it means the network that you're connected to on the WAN side.  For example, I am connected to a /21; yes, this is public, but if I create a rule that says you can go to WAN net, it just means you can connect to IPs in that /21, nothing more.

    Here is an example rule I have where I only let my VPS boxes talk to my WAN address (public IP) that is forwarded to my box running Landscape.




  • So you did make those VPS as aliases in Firewall/Aliases?

    Then I guess that the Single host or alias rule can be both outside and inside IPs depending on how you use it. That makes sense.

    I still think that it's a little bit confusing why a WAN address can't be an IP on the WWW, but I guess I just have to accept that.



  • WAN Address is the IP address of your WAN.  WAN Network is the network your WAN is on, based on subnet mask.


  • LAYER 8 Global Moderator

    The internet is HUGE!!!!!! Sure not just one network.  You cannot be connected to the WHOLE internet; you're connected to a network that is connected to another network that is connected to another, and others and others, etc.

    So when you look at pfSense, its WAN is only 1 network, be it /24, /29, /21, etc.  And on that network you have a gateway to get OFF that network and to the stuff past that network (other networks or anything else, for example on the internet).

    If you want something to describe the "internet" it would be ANY.



  • OK, I get that, but what I was not sure about is that my friend's WAN IP is a host and not another WAN IP to me.
    :-[

    I did try this in another case where I had to redirect an outside host to an inside IP, but that only worked when I used any as source.


  • LAYER 8 Netgate

    The traffic will hit your WAN with a source address of the server that sent the request.  That is the address you need to pass.

    Yes, you make an alias in Firewall > Aliases, IP tab.  Give it a name, leave the type set at Hosts.  Add the IP addresses FROM WHICH you want to allow SMTP connections.  Change the SOURCE on your port forward pass rule to type Single host or alias and enter the alias you have just created.

    If you have gotten clicky clicky and set the SOURCE PORT to 25 under the advanced button (as was implied by one of your prior posts), go back in there and set the source port to any.



  • Thanks Derelict

    Yes, you're right, I did get clicky on the advanced button, but I also did that when I used the any rule.

    So does that explain why my rule didn't work?


  • LAYER 8 Netgate

    Certainly doesn't help.  Leaving the source port set to any is also in the list of port forward troubleshooting steps.

    It shouldn't work with source addresses limited by the alias or with source addresses set to any unless your spam filter provider guarantees that their source port will always be 25, which seems like it would complicate things for them unnecessarily.



  • The spam filter provider gave me 2 IPs, both on port 25. Those also came with login information, so I guess it's always on that port.

    The case I was talking about where it didn't work was an application on a remote host that needed access on port xxxx for a license on a license server on the LAN. I haven't tried to use host address with my mail server yet, as I wanted to ask here before risking downtime.


  • LAYER 8 Netgate

    Source port is pretty much never specified.  I think you're misreading whatever it is they sent you.



  • I'm pretty sure, but I'd better read it again then.

    And when looking into it I can see that I added the rule I was talking about in the NAT tab, where I put the remote host in the Destination field, not under Source; then pfSense added the filter rules for me. Sorry about that. But I did still have to use any for it to work. Did I add the rule wrong, or do you think that it was because I also added the port number under Destination?


  • LAYER 8 Netgate

    I can't understand what you're saying.  Sorry.

    The destination address for a port forward is almost always your WAN address.  If you put the source addresses in there, yes, that's wrong and would keep it from working.

    If it didn't work you did it wrong. ;)



  • I did it like in the picture in the attachment and that did work, but if I change any to the IP of the remote host it doesn't work.



  • LAYER 8 Netgate

    Destination should be WAN address


  • LAYER 8 Global Moderator

    Where did you get that picture?  Dest is almost NEVER any in a port forward.  It would be your WAN address.

    I would be like 99.9999% sure they are not using 25 as their source port either.  Your rule should look just like my rule posted, other than your source IPs in your alias and dest of 25.



  • The picture is a screenshot from another pfSense firewall that I have taken over from my boss; he said the rules should be that way,
    so that is what I have been doing since. :-[

    I guess the reason it is working is because the WAN address is an address in the any range and source defaults to any.

    I can see that on yet another firewall I did put destination to WAN address.. :-X
    I have updated the firewall and downtime was about 5 minutes.

    I will of course update the firewall rules to be:

    source = any if host IP is unknown (HTTPS/FTP client…), host or alias if host IP is known (spam filter), and if I know the IP and port I will try host and alias and the port number first, and if it is not working I will change ports to any (remote app)

    destination = always WAN IP and port of service (HTTPS 443, I will call it something like 88444)

    redirect = LAN host IP and port of the service
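For readers more at home with a text ruleset than the GUI (as the asker says of Cisco/iptables), here is what the steps Derelict gives above, and the source/destination/redirect summary in this last post, amount to when written out in pf.conf syntax. This is an added illustration, not a post from the thread and not the ruleset pfSense itself generates; the interface names, the two spam-filter addresses, the mail server address and the table name SpamFilter are all constructed placeholders. It also covers the second request from the opening post, allowing only the mail server to send SMTP out of the LAN and only to the spam-filter hosts.

```pf
# Added illustration in pf.conf syntax (not from the thread, not pfSense's own
# generated rules). Every interface name and address below is a placeholder.
wan_if = "em0"                 # assumed WAN interface
lan_if = "em1"                 # assumed LAN interface
mail_srv = "192.168.1.25"      # assumed LAN mail server

# Firewall > Aliases, IP tab, type Hosts: the two spam-filter addresses
# the provider gave (constructed example values)
table <SpamFilter> { 198.51.100.10, 203.0.113.20 }

# Firewall > NAT > Port Forward: source = the alias, source port left at any
# (so nothing is written for it), destination = WAN address, destination
# port 25, redirect target = the LAN mail server on port 25
rdr on $wan_if inet proto tcp from <SpamFilter> to ($wan_if) port 25 -> $mail_srv port 25

# The associated filter rule pfSense adds for the forward. After rdr the
# packet's destination is already the internal address, so the pass rule
# matches on the mail server, not on the WAN address.
pass in quick on $wan_if inet proto tcp from <SpamFilter> to $mail_srv port 25 flags S/SA keep state

# Second request from the opening post: on LAN, only the mail server may open
# SMTP connections, and only to the spam-filter hosts; any other SMTP attempt
# from the LAN is dropped and logged.
pass in quick on $lan_if inet proto tcp from $mail_srv to <SpamFilter> port 25 flags S/SA keep state
block in log quick on $lan_if inet proto tcp from any to any port 25
```

Two points worth checking against a real ruleset. First, a connection from any address not in the table never matches the rdr, so it simply falls through to the interface's default deny on port 25; there is no separate block rule needed on WAN. Second, pfSense rules are first-match (quick), so the LAN block for port 25 has to sit above the usual "LAN net to any" allow rule, and the mail-server pass above the block, or the ordering silently undoes the restriction. Leaving the source port at any, as Derelict says, is what keeps the forward working when the provider's connecting socket uses a random high port.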

