Netgate Discussion Forum

Howto - second gateway - rules

Routing and Multi WAN
wilwin

      Hi,

We have been using pfSense 2.2.2 for a long time and all is working well.
1 LAN = 192.168.10.X / 2 VLANs on LAN for voice and guest telephone (192.168.11.X and 192.168.12.X) / 1 DMZ = 10.10.13.X / 1 WAN = DHCP
We use a mail gateway in the DMZ zone and an Exchange server in the LAN zone.
A second Exchange server 50 km further away, also with a pfSense 2.2.2, connects to the first with two IPsec tunnels.
This is working well with no problems.
The company has ordered a second provider, not for load balancing or failover, but only for the mail.

So I added a new interface and configured a second gateway.
I have configured NAT to use the second gateway for port 25 (mail) and 443 to access the mail gateway web interface.
This is working well; we have just one problem: the mail gateway is receiving mail from the new provider (we adjusted the MX to use the new IP), but when sending mail, the mail gateway is using the default gateway.
I configured the DMZ rules to answer only to LAN via the default gateway and everything else via the second gateway.

Proto  Source       Port  Destination      Port  Gateway  Queue
IPv4*  *            *     192.168.10.0/24  *     *        none
IPv4*  *            *     192.168.50.0/24  *     *        none
IPv4*  mailgateway  *     *                *     WAN2GW   none

The problem is the mail gateway is still using the default gateway when sending mail.
A simple telnet test with HELO still answers with the Telenet provider (default gateway) and not Belgacom (WAN2GW, the second gateway).

I have reset the states, but to no avail.

Can somebody help?

Derelict (LAYER 8, Netgate)

        Is WAN2GW up?

If pfSense thinks the gateway is down it will, by default, remove the GW from the rule and route according to the routing table.

        Status > Gateways

        Is the alias mailgateway set to the IP address of the local, Real IP of the mail server on DMZ? Are you positive that's the address being used as the source address for the mail connections?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

wilwin
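As an added illustration of the two points Derelict raises (first-match rule evaluation, and the gateway being dropped from a rule when pfSense marks it down), here is a small Python model of the DMZ rule set quoted in the first post. This is example code, not from the thread or from pfSense; the alias contents, gateway states and sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the DMZ rule set quoted in the thread. The alias
# contents, gateway states and sample flows below are assumptions for
# illustration, not data exported from the poster's firewall.
ALIASES: Dict[str, List[str]] = {"mailgateway": ["10.10.13.25/32"]}

@dataclass
class Rule:
    src: str                    # alias name, CIDR or "*"
    dst: str                    # alias name, CIDR or "*"
    dst_port: Optional[int]     # None == any port
    gateway: Optional[str]      # None == "default" (follow the routing table)

def _matches(pattern: str, ip: str) -> bool:
    """True if ip falls in the pattern (alias, CIDR or wildcard)."""
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in ALIASES.get(pattern, [pattern]))

# The three DMZ-tab pass rules from the first post, in GUI order.
DMZ_RULES = [
    Rule("*", "192.168.10.0/24", None, None),   # LAN: answer via default route
    Rule("*", "192.168.50.0/24", None, None),
    Rule("mailgateway", "*", None, "WAN2GW"),   # rest of mail gateway traffic via WAN2GW
]

def pick_gateway(rules: List[Rule], gw_up: Dict[str, bool],
                 src: str, dst: str, dport: int) -> str:
    """First matching rule wins, as in pf. A rule whose gateway is marked
    down is treated as if it had no gateway (pfSense's default behaviour),
    so the flow follows the routing table, i.e. the default gateway."""
    for r in rules:
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        if r.gateway and gw_up.get(r.gateway, False):
            return r.gateway
        return "default"
    return "blocked"   # no pass rule matched: pf's implicit default deny

if __name__ == "__main__":
    up = {"WAN2GW": True}
    print(pick_gateway(DMZ_RULES, up, "10.10.13.25", "203.0.113.10", 25))  # WAN2GW
    print(pick_gateway(DMZ_RULES, up, "10.10.13.25", "192.168.10.5", 25))  # default
    print(pick_gateway(DMZ_RULES, {"WAN2GW": False}, "10.10.13.25", "203.0.113.10", 25))  # default
```

The third call shows why "Status > Gateways" is the first thing to check: with WAN2GW marked down, the very same rule sends mail out the default gateway.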

          Hi,

The state of WAN2GW is up.

The alias of mailgateway is 10.10.13.25, which is in the DMZ zone (FortiMail 100).

public ip 1 = default gw
public ip 2 = WAN2GW which is mailgw.flexus.be.

When I do a telnet test to mailgw.flexus.be the mail gateway answers.
Doing HELO, it responds with the default gateway.

Best regards

heper

What interface tab did you put this on?

IPv4*  mailgateway  *  *  *  WAN2GW  none
Derelict (LAYER 8, Netgate)

              Guess it's time to look at states and do packet captures to be sure everything is as you think it is.

If everything was configured as you say it is, it would be working.

              What's in Firewall > NAT, Outbound tab for the DMZ interface?


wilwin

                Hi,

The interface tab I put it on is DMZ (heper).

I use hybrid outbound NAT.

Mappings:

Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        any     udp/5060     *            udp/5060          WAN address  *         YES

Automatic rules:

Interface  Source                                                                                            Source Port  Destination  Destination Port  NAT Address   NAT Port  Static Port  Description
WAN        127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            500               WAN address   *         YES          Auto created rule for ISAKMP
WAN        127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            *                 WAN address   *         NO           Auto created rule
WAN2       127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            500               WAN2 address  *         YES          Auto created rule for ISAKMP
WAN2       127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            *                 WAN2 address  *         NO           Auto created rule

Thanks for helping.

Derelict (LAYER 8, Netgate)

                  I can't make any sense out of that. Please post screen shots.

ETA - actually I see what that is saying now. It looks like everything that needs to be there is there.

You need to find out what is not matching what you have put in place.

Open a telnet from the mail server out to port 25, then:

Diagnostics > States and filter by the destination IP address. What does it show?

                  If that doesn't show you what's wrong, it's down to packet captures on DMZ, WAN, and WAN2 to see what's really happening.

                  Does the mail server have a web browser?  What does www.wimi.com say?


wilwin

                    Hi,

After a packet capture, WAN2GW was not being used for outbound.
I removed an old NAT setting for port 25 (I had removed the route but not the NAT).
I reconfigured NAT for ports 25 and 443 for WAN2GW and reconfigured the DMZ zone.
All is working perfectly now.

Thanks for helping!
