Howto - second gateway - rules
We have been using pfSense 2.2.2 the whole time and all is working well.
1 LAN = 192.168.10.X / 2 VLANs on LAN for voice and guest telephone (192.168.11.X and 192.168.12.X) / 1 DMZ = 10.10.13.X / 1 WAN = DHCP
We use a mail gateway in the DMZ zone and an Exchange server in the LAN zone.
A second Exchange server 50 km further away, also behind a pfSense 2.2.2, connects to the first with two IPsec tunnels.
This is working well with no problems.
The company has ordered a second provider, not for load balancing or failover, but only for mail.
So I added a new interface and configured a second gateway.
I have configured NAT to use the second gateway for port 25 (mail) and 443 to access the mail gateway web interface.
This is working well; we have just one problem: the mail gateway is receiving mail from the new provider (we adjusted the MX to use the new IP), but when sending mail, the mail gateway is using the default gateway.
I configured the DMZ rules to answer only to LAN via the default gateway and everything else via the second gateway:
Proto   Source       Port  Destination      Port  Gateway  Queue
IPv4 *  *            *     192.168.10.0/24  *     *        none
IPv4 *  *            *     192.168.50.0/24  *     *        none
IPv4 *  mailgateway  *     *                *     WAN2GW   none
The problem is that the mail gateway is still using the default gateway when sending mail.
A simple telnet test with HELO still answers with the Telenet provider (default gateway) and not Belgacom (WAN2GW, the second gateway).
I have reset the states, but to no avail.
Can somebody help?
Is WAN2GW up?
if pfSense thinks the gateway is down it will, by default, remove the GW from the rule and route according to the routing table.
Status > Gateways
Is the alias mailgateway set to the IP address of the local, real IP of the mail server on DMZ? Are you positive that's the address being used as the source address for the mail connections?
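Added example (not from the thread, and not pfSense code): a small Python model of how the rules on one interface tab are evaluated first-match, including the behaviour described in the reply above, where a gateway that pfSense considers down is dropped from the rule so the routing table decides. The three rules mirror the DMZ rules from the first post; the alias value 10.10.13.25 comes from later in the thread, while the destination addresses, the gateway name WANGW and the `skip_rule_when_down` switch (modelling the advanced option "Skip rules when gateway is down") are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of first-match rule evaluation on a single pfSense interface tab.
# It is not pfSense code. The three rules mirror the DMZ rules posted in the thread;
# the packet addresses used below are assumptions.
MAILGATEWAY = "10.10.13.25"

DMZ_RULES = [
    # src/dst: "*" = any, a CIDR, or a single address; gw "*" = let the routing table decide
    {"src": "*",         "dst": "192.168.10.0/24", "gw": "*"},       # answer LAN directly
    {"src": "*",         "dst": "192.168.50.0/24", "gw": "*"},       # answer remote site (IPsec)
    {"src": MAILGATEWAY, "dst": "*",               "gw": "WAN2GW"},  # everything else via WAN2
]

ROUTING_TABLE = "routing-table"   # marker: no policy route, the system routing table applies


def _matches(field, addr):
    """True if addr is covered by the rule field (any, CIDR, or single host)."""
    if field == "*":
        return True
    if "/" in field:
        return ip_address(addr) in ip_network(field, strict=False)
    return ip_address(addr) == ip_address(field)


def choose_egress(rules, src, dst, gateways_up, skip_rule_when_down=False):
    """Return (rule_index, egress) for the first rule matching src -> dst.

    gateways_up: set of gateway names currently up (Status > Gateways).
    Default behaviour: a rule whose gateway is down still matches but loses its
    gateway, so the routing table decides. With skip_rule_when_down=True the rule
    is skipped instead and evaluation continues with the next rule.
    (None, None) means no rule matched, i.e. the interface's default deny.
    """
    for i, rule in enumerate(rules):
        if not (_matches(rule["src"], src) and _matches(rule["dst"], dst)):
            continue
        gw = rule["gw"]
        if gw != "*" and gw not in gateways_up:
            if skip_rule_when_down:
                continue
            gw = "*"
        return i, (ROUTING_TABLE if gw == "*" else gw)
    return None, None


if __name__ == "__main__":
    up = {"WANGW", "WAN2GW"}
    print(choose_egress(DMZ_RULES, MAILGATEWAY, "192.168.10.5", up))         # (0, 'routing-table')
    print(choose_egress(DMZ_RULES, MAILGATEWAY, "203.0.113.10", up))         # (2, 'WAN2GW')
    print(choose_egress(DMZ_RULES, MAILGATEWAY, "203.0.113.10", {"WANGW"}))  # (2, 'routing-table')
```

The order matters: the LAN and remote-site rules sit above the mailgateway rule so that replies to internal hosts are never policy-routed out WAN2; swapping them would send LAN-bound traffic to WAN2GW. The third call shows the symptom from the thread: with WAN2GW down, mail to the internet silently falls back to the default route.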
The state of WAN2GW is up.
The alias mailgateway is 10.10.13.25, which is in the DMZ zone (FortiMail 100).
Public IP 1 = default GW.
Public IP 2 = WAN2GW, which is mailgw.flexus.be.
When I do a telnet test to mailgw.flexus.be, the mail gateway answers.
Doing HELO, it responds with the default GW.
What interface tab did you put this on?
IPv4 *  mailgateway  *  *  *  WAN2GW  none
Guess it's time to look at states and do packet captures to be sure everything is as you think it is.
If everything was configured as you say it is, it would be working.
What's in Firewall > NAT, Outbound tab for the DMZ interface?
The interface tab I put it on is DMZ (heper).
I use hybrid outbound NAT:
Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
WAN | any | udp/5060 | * | udp/5060 | WAN address | * | YES |
WAN | 127.0.0.0/8, 192.168.10.0/24, 10.10.13.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.19.0/24 | * | * | 500 | WAN address | * | YES | Auto created rule for ISAKMP
WAN | 127.0.0.0/8, 192.168.10.0/24, 10.10.13.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.19.0/24 | * | * | * | WAN address | * | NO | Auto created rule
WAN2 | 127.0.0.0/8, 192.168.10.0/24, 10.10.13.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.19.0/24 | * | * | 500 | WAN2 address | * | YES | Auto created rule for ISAKMP
WAN2 | 127.0.0.0/8, 192.168.10.0/24, 10.10.13.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.19.0/24 | * | * | * | WAN2 address | * | NO | Auto created rule
Thanks for helping.
I can't make any sense out of that. Please post screen shots.
ETA - actually I see what that is saying now. It looks like everything that needs to be there is there.
You need to find out what is not matching what you have put in place.
Open a telnet from the mail server out to port 25 then:
Diagnostics > States and filter by the destination IP address. What does it show?
If that doesn't show you what's wrong, it's down to packet captures on DMZ, WAN, and WAN2 to see what's really happening.
Does the mail server have a web browser? What does www.wimi.com say?
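Added example, not from the thread: the telnet/HELO check discussed above, scripted in Python so it can be repeated from the mail server after each change. It connects to an SMTP server, sends EHLO and extracts the client address most MTAs echo back in their greeting ("250 mx Hello [a.b.c.d]"); if that address is the WAN IP rather than the WAN2 IP, the session is still leaving through the default gateway. The `_EchoPeerMX` server, the host name probe.example and all addresses are constructed so the script runs offline; against a real MX only `observed_source_ip` is needed.

```python
import re
import socket
import socketserver
import threading

_PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_helo_peer(reply):
    """Extract the bracketed client address an MTA echoes in its EHLO/HELO reply,
    e.g. '250 mx.example Hello [198.51.100.7]' -> '198.51.100.7'; None if absent."""
    m = _PEER_RE.search(reply)
    return m.group(1) if m else None


def observed_source_ip(host, port, helo_name="probe.example", timeout=5.0):
    """Connect to an SMTP server, send EHLO and return the source address it saw.
    Run from the mail server: the returned address is the public IP (and so the
    gateway) the outbound session actually used."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = rfile.readline()
        if not banner.startswith(b"220"):
            raise RuntimeError(f"unexpected banner: {banner!r}")
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        lines = []
        while True:                      # a 250 reply may span several "250-" lines
            line = rfile.readline()
            if not line:
                raise RuntimeError("connection closed during EHLO reply")
            lines.append(line.decode("ascii", "replace"))
            if line[3:4] != b"-":        # "250 " (space after the code) ends the reply
                break
        sock.sendall(b"QUIT\r\n")
        return parse_helo_peer("".join(lines))


class _EchoPeerMX(socketserver.StreamRequestHandler):
    """Constructed stand-in for a remote MX, present only so the example runs offline:
    it answers EHLO/HELO with the peer address it sees, as most real MTAs do."""

    def handle(self):
        peer_ip = self.client_address[0]
        self.wfile.write(b"220 fake-mx ESMTP (constructed test server)\r\n")
        for raw in self.rfile:
            verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply = f"250-fake-mx Hello [{peer_ip}]\r\n250 SIZE 10240000\r\n"
                self.wfile.write(reply.encode("ascii"))
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"500 Unknown command\r\n")


def start_fake_mx(host="127.0.0.1"):
    """Start the constructed MX on an ephemeral port; returns (server, port)."""
    srv = socketserver.TCPServer((host, 0), _EchoPeerMX)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_mx()
    try:
        print("MX saw us coming from", observed_source_ip("127.0.0.1", port))  # 127.0.0.1 locally
    finally:
        srv.shutdown()
        srv.server_close()
```

Pair the result with Diagnostics > States filtered on the MX address: the state entry shows the interface and translated source the firewall chose, so a mismatch between the two points at NAT (a stale outbound or port-forward entry) rather than at the DMZ rule.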
After a packet capture, WAN2GW was not being used for outbound.
I removed an old NAT setting for port 25 (I had removed the route but not the NAT).
Reconfigured NAT for ports 25 and 443 for WAN2GW and reconfigured the DMZ zone.
All is working perfectly now.
Thanks for helping!