Dual WAN for email servers?



  • Hi,
    I was wondering if someone could shed some light if its possible what I have in mind? I would Right now I have pfSense with WAN and LAN everything is working great. But because users sometimes navigate or get infected My email server every now and then becomes blacklisted. So I was wondering if is possible to have a 2nd WAN for only email servers. and the WAN2 for users to navigate and so forth. Would I also need to load balance? because the purpose is just to isolate my email server WAN IP. And how would the rues be configured for that WAN1 the email server?

    Thank you see picture


  • LAYER 8 Netgate

    No problem.

    Policy route traffic on LAN source mail server port any dest any port 25 out WAN1. (Set the gateway in the rule to WAN1_GW)

    Put that rule above the one that routes everything else out the default gateway and make sure WAN2 is the default gateway.

    https://doc.pfsense.org/index.php/What_is_policy_routing

    And you might need this but probably not with such a specific policy route:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing



  • Thanks for the reply,

    So quick question on the WAN2 (for only users to navigate) the Ipv4 upstream gateway I would leave blank but on the firewall rules the gateway would be from the WAN1?

    Thank you See pictures







  • LAYER 8 Netgate

    No. Delete that WAN rule. You opened up connections from the internet (into WAN) and routed them back to WANGW.

    Read the policy routing document and search for the countless threads here on the subject.

    When you want to route connections from LAN clients, you put the rules on LAN.



  • Thank you for the reply, I will do some more reading post back when im ready

    Thank you again



  • Hi,
    So im going at it again.

    Allright so I deleted the WAN rule, I guess my real question is that could i use the same gateway as my WAN but use a different static IP. When i configured the 181.xxx.xx.117 i wanted to add the upstream gateway has no option :(

    Thank you











  • LAYER 8 Netgate

    Both of those interfaces look to be on the same /29. That's not what Multi-WAN is for.

    If all you want to do is NAT out a different IP address then delete WAN2, add a VIP on WAN for the .117 address, and change outbound NAT on WAN so SMTP connections NAT to that instead of WAN address.



  • Hi,
    Thank you for the reply, So that does clear alot for me so i took your advice added the VIP .117 which is going to be the email server IP but my question im going to change my .114 to be only for users to navigate and my .117 to only be for my email server, OpenVPN,

    But theres a part where it says

    If you add a 1:1 NAT entry for any of the interface IPs on this system, it will make this system inaccessible on that IP address. i.e. if you use your WAN IP address, any services on this system (IPsec, OpenVPN server, etc.) using the WAN IP address will no longer function.

    Meaning that if I do the 1:1 it would break the 117?

    Thank you



  • LAYER 8 Netgate

    Why a 1:1? Why not just port forward port 25 to it?



  • Thank you for the reply,

    Well what im trying to do is making the LAN net to use .114 but the email server on the LAN use ONLY the .117

    Thank you


  • LAYER 8 Netgate

    All you have to do is a WAN port forward .117 port 25 to your mail server and make a host name that resolves to .117 the MX record for the domain(s).

    Then use a WAN outbound NAT rule to use .117 as the NAT address for anything sourced from the mail server with a destination port of tcp/25.

    Duplicate for any other ports you need.

    Firewall > NAT, Port Forward tab

    Interface: WAN
    Protocol: TCP
    Destination: 181.X.X.117
    Destination port range: 25
    Redirect target IP: EMAIL_SERVER
    Redirect target port: 25
    Description: Inbound SMTP

    Firewall > NAT, Outbound tab

    Select Hybrid Outbound NAT and add a rule

    Interface: WAN
    Protocol: TCP
    Source: Network, EMAIL_SERVER/32, Port blank
    Destination: any, Port 25
    Translation Address: 181.X.X.117
    Translation port: blank
    Description: MAP outbound EMAIL_SERVER/TCP/25 to .117

    For OpenVPN just add a pass rule for UDP 1194 to the VIP and tell the OpenVPN instance to listen on the VIP (or any) using the Interface select list.



  • Thank you for the reply, I will try on Friday I will post back if its a success with screen shots

    Thank you



  • UPDATE:

    So everything went amazing but Whats odd all i needed to do was to add the virtual IP thats all and NAT normally as i would.

    Thank you again


Log in to reply