Howto - second gateway - rules



  • Hi,

    We have been using pfSense 2.2.2 for a long time and everything is working well.
    1 LAN = 192.168.10.X / 2 VLANs on LAN for voice and guest telephone (192.168.11.X and 192.168.12.X) / 1 DMZ = 10.10.13.X / 1 WAN = DHCP
    We use a mail gateway in the DMZ zone and an Exchange server in the LAN zone.
    A second Exchange server 50 km further away, also behind a pfSense 2.2.2, connects to the first one with two IPsec tunnels.
    This is working well with no problems.
    The company has ordered a second provider, not for load balancing or failover, but only for the mail.

    So I added a new interface and configured a second gateway.
    I have configured NAT to use the second gateway for port 25 (mail) and 443 to access the mail gateway web interface.
    This is working well, we have just one problem: the mail gateway is receiving mail from the new provider (we adjusted the MX to use the new IP), but when sending mail, the mail gateway is using the default gateway.
    I configured the DMZ rules to answer only to LAN via the default gateway and everything else via the second gateway.

    Proto  Source       Port  Destination      Port  Gateway  Queue
    IPv4*  *            *     192.168.10.0/24  *     *        none
    IPv4*  *            *     192.168.50.0/24  *     *        none
    IPv4*  mailgateway  *     *                *     WAN2GW   none

    The problem is that the mail gateway is still using the default gateway when sending mail.
    A simple telnet test with HELO still answers with the Telenet provider (default gateway) and not Belgacom (WAN2GW, the second gateway).

    I have reset the states, but to no avail.

    Can somebody help?


  • LAYER 8 Netgate

    Is WAN2GW up?

    If pfSense thinks the gateway is down it will, by default, remove the GW from the rule and route according to the routing table.

    Status > Gateways

    Is the alias mailgateway set to the IP address of the local, Real IP of the mail server on DMZ? Are you positive that's the address being used as the source address for the mail connections?
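    The behaviour described in this reply (first matching rule wins, and a rule whose gateway is marked down loses that gateway and falls back to the routing table) can be modelled as a small simulation of the DMZ rule set posted above. This is an added illustration, not pfSense code or anything from the thread; the default gateway name WAN_DHCP and the test destination addresses are assumptions.

    ```python
    import ipaddress

    # Constructed model of pfSense policy-routing on the thread's DMZ rules.
    # It is NOT pfSense code; it only mimics the first-match semantics and the
    # default "gateway down -> drop gateway from rule" behaviour quoted above.
    ALIASES = {"mailgateway": "10.10.13.25"}  # alias value posted later in the thread
    DEFAULT_GW = "WAN_DHCP"                   # assumed name of the default gateway

    # (source, destination, gateway) in table order. "*" means any; None means the
    # rule's Gateway column is empty, so the system routing table decides.
    DMZ_RULES = [
        ("*", "192.168.10.0/24", None),
        ("*", "192.168.50.0/24", None),
        ("mailgateway", "*", "WAN2GW"),
    ]


    def _matches(spec, ip):
        """Match an address against '*', an alias name, or a CIDR/host string."""
        if spec == "*":
            return True
        spec = ALIASES.get(spec, spec)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


    def egress_gateway(src, dst, gateways_up, rules=DMZ_RULES):
        """Return the gateway a NEW connection src -> dst would leave through.

        gateways_up: names that Status > Gateways currently reports as up.
        If the matching rule's gateway is down, the gateway is removed from the
        rule and routing falls back to the routing table, i.e. the default
        gateway for Internet destinations. None means no pass rule matched.
        """
        for rule_src, rule_dst, gw in rules:
            if _matches(rule_src, src) and _matches(rule_dst, dst):
                if gw is None or gw not in gateways_up:
                    return DEFAULT_GW
                return gw
        return None  # default deny: no pass rule matched


    if __name__ == "__main__":
        mx = ALIASES["mailgateway"]
        print(egress_gateway(mx, "192.168.10.5", {"WAN2GW"}))   # LAN host -> WAN_DHCP
        print(egress_gateway(mx, "203.0.113.10", {"WAN2GW"}))   # outbound SMTP -> WAN2GW
        print(egress_gateway(mx, "203.0.113.10", set()))        # WAN2GW down -> WAN_DHCP
    ```

    Running it shows that, with the rules ordered as posted, outbound mail from 10.10.13.25 should leave via WAN2GW only while that gateway is reported up.
    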



  • Hi,

    The state of WAN2GW is up.

    The alias mailgateway is 10.10.13.25, which is in the DMZ zone (FortiMail 100).

    Public IP 1 = default GW
    Public IP 2 = WAN2GW, which is mailgw.flexus.be.

    When I do a telnet test to mailgw.flexus.be, the mail gateway answers.
    Doing HELO, it responds with the default GW.

    Best regards



  • What interface tab did you put this on?

    IPv4*  mailgateway  *  *  *  WAN2GW  none


  • LAYER 8 Netgate

    Guess it's time to look at states and do packet captures to be sure everything is as you think it is.

    If everything were configured as you say it is, it would be working.

    What's in Firewall > NAT, Outbound tab for the DMZ interface?



  • Hi,

    The interface tab I put it on is DMZ. (heper)

    I use hybrid outbound NAT.

    Manual rule:

    Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
    WAN        any     udp/5060     *            udp/5060          WAN address  *         YES

    Automatic rules:

    Interface  Source                                                                                            Source Port  Destination  Destination Port  NAT Address   NAT Port  Static Port  Description
    WAN        127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            500               WAN address   *         YES          Auto created rule for ISAKMP
    WAN        127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            *                 WAN address   *         NO           Auto created rule
    WAN2       127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            500               WAN2 address  *         YES          Auto created rule for ISAKMP
    WAN2       127.0.0.0/8 192.168.10.0/24 10.10.13.0/24 192.168.11.0/24 192.168.12.0/24 192.168.19.0/24  *            *            *                 WAN2 address  *         NO           Auto created rule

    Thanks for helping.


  • LAYER 8 Netgate

    I can't make any sense out of that. Please post screen shots.

    ETA - actually I see what that is saying now. It looks like everything that needs to be there is there.

    You need to find out what is not matching what you have put in place.

    Open a telnet from the mail server out to port 25, then:

    Diagnostics > States and filter by the destination IP address. What does it show?

    If that doesn't show you what's wrong, it's down to packet captures on DMZ, WAN, and WAN2 to see what's really happening.

    Does the mail server have a web browser? What does www.wimi.com say?



  • Hi,

    After a packet capture, WAN2GW was not being used for outbound traffic.
    I removed an old NAT setting for port 25 (I had removed the route but not the NAT).
    I reconfigured NAT for ports 25 and 443 to WAN2GW and reconfigured the DMZ zone.
    All is working perfectly now.

    Thanks for helping!

