Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
You'll need to set up a NAT Port Forward rule that looks like this:

  If   Proto  Ext Port Range  NAT IP         Int. Port Range  Description
  LAN  TCP    25 (SMTP)       mailserver IP  mailserver PORT  Redirect SMTP traffic to mail server

The problem is this. Your mail server *also* resides on the LAN interface. After processing the mail and trying to send it outbound, it too will be caught by the NAT redirect for the interface and will end up looping mail through itself. The only way around this is to place your mail server on a different interface.

Unfortunately, I don't believe it is possible to do this sort of traffic redirection through pfSense at the IP/Subnet/block level, only at a per-interface level.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- Joel Robison wrote:
> Hello All,
>
> I was wondering if anyone here would be able to give me some pointers in the context of traffic redirection. What I am attempting (and failing at, I should add) to do is redirect all SMTP traffic from the LAN to another machine on the LAN interface for mail processing with a given set of rules I have created for the postfix instance (think DLP reasons). Essentially this should be no different than setting up a transparent proxy server with squid (redirecting all web traffic to another server before it egresses the firewall). I know that at some point I have used pfSense to do the latter, but as I mentioned before I am failing, as the rule I have added to the LAN tab never gets hits. Here is the rule:
>
>   Proto    Source   Port  Destination  Port       Gateway  Schedule  Description
>   TCP/UDP  LAN net  *     10.10.1.151  25 (SMTP)  *
>
> Any ideas what it is that I am NOT doing? Or that I am doing wrong?
>
> -Joel
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 3:14 PM, Joel Robison robisonj...@gmail.com wrote:
> Hello All,
>
> I was wondering if anyone here would be able to give me some pointers in the context of traffic redirection. What I am attempting (and failing at, I should add) to do is redirect all SMTP traffic from the LAN to another machine on the LAN interface for mail processing with a given set of rules I have created for the postfix instance (think DLP reasons). Essentially this should be no different than setting up a transparent proxy server with squid (redirecting all web traffic to another server before it egresses the firewall). I know that at some point I have used pfSense to do the latter, but as I mentioned before I am failing, as the rule I have added to the LAN tab never gets hits. Here is the rule:
>
>   Proto    Source   Port  Destination  Port       Gateway  Schedule  Description
>   TCP/UDP  LAN net  *     10.10.1.151  25 (SMTP)  *
>
> Any ideas what it is that I am NOT doing? Or that I am doing wrong?
>
> -Joel

The MTA needs to not be on the same network as you are redirecting. I.e. you can't send LAN traffic back to LAN; it MUST go to a different interface (say a DMZ). There are ways around the issue Tim describes, but it's not really pertinent to your issue at the moment anyway. Bottom line, you can't port forward to an address on the same network as the traffic is sourced from.

--Bill

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 5:43 PM, Tim Nelson tnel...@rockbochs.com wrote:
> ----- Bill Marquette bill.marque...@gmail.com wrote:
>> The MTA needs to not be on the same network as you are redirecting. I.e. you can't send LAN traffic back to LAN; it MUST go to a different interface (say a DMZ). There are ways around the issue Tim describes, but it's not really pertinent to your issue at the moment anyway. Bottom line, you can't port forward to an address on the same network as the traffic is sourced from.
>
> Care to share the ways around the issue? :-)

Specifying source IP/net in port forward rules, which isn't possible in pfSense 1.2 nor 2.0 at this time. It's on the feature request list already.
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
I have done a little experimenting with this over the past few hours (while dodging IT requests; I am sure most of you are familiar). I set up a VLAN interface that is off of the LAN interface to put the email server in a DMZ. I then created a rule that will look for my workstation as a source IP and the source PORT of 25 and forward them to the new VLAN subnet/machine on port 25. Admittedly, I am a little confused by this, as I had always thought that the source PORT range would most likely not be the port I was trying to match, as most programs generate a higher port on the client side and then establish a connection to the server. Am I wrong? What more information can I provide that would help me understand what is going on, and/or fix this issue?

-Joel Robison

On Mon, Feb 9, 2009 at 3:11 PM, Chris Buechler c...@pfsense.org wrote:
> On Mon, Feb 9, 2009 at 5:43 PM, Tim Nelson tnel...@rockbochs.com wrote:
>> ----- Bill Marquette bill.marque...@gmail.com wrote:
>>> The MTA needs to not be on the same network as you are redirecting. I.e. you can't send LAN traffic back to LAN; it MUST go to a different interface (say a DMZ). There are ways around the issue Tim describes, but it's not really pertinent to your issue at the moment anyway. Bottom line, you can't port forward to an address on the same network as the traffic is sourced from.
>>
>> Care to share the ways around the issue? :-)
>
> Specifying source IP/net in port forward rules, which isn't possible in pfSense 1.2 nor 2.0 at this time. It's on the feature request list already.
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 5:11 PM, Chris Buechler c...@pfsense.org wrote:
> On Mon, Feb 9, 2009 at 5:43 PM, Tim Nelson tnel...@rockbochs.com wrote:
>> ----- Bill Marquette bill.marque...@gmail.com wrote:
>>> The MTA needs to not be on the same network as you are redirecting. I.e. you can't send LAN traffic back to LAN; it MUST go to a different interface (say a DMZ). There are ways around the issue Tim describes, but it's not really pertinent to your issue at the moment anyway. Bottom line, you can't port forward to an address on the same network as the traffic is sourced from.
>>
>> Care to share the ways around the issue? :-)
>
> Specifying source IP/net in port forward rules, which isn't possible in pfSense 1.2 nor 2.0 at this time. It's on the feature request list already.

Erm, yeah, my mistake, I'm used to working in pf.conf :) My home firewall is much less complex than the stuff I deal with at work. It's possible to do, just not in pfSense at this time.

--Bill
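Bill's point is that raw pf can express what the pfSense 1.2 port-forward screen cannot: a redirect qualified by source address. The following pf.conf fragment is an added example for this thread, not code from any of the posters or from the pfSense project, showing how the LAN-to-LAN SMTP redirect would be written by hand. It addresses both problems raised above: Tim's loop (the MTA's own outbound mail matching the redirect) and the reason a same-subnet forward fails (the MTA answers the client directly, the client sees a reply from 10.10.1.151 instead of the address it connected to, and resets the connection; pf's FAQ calls the fix "reflection"). The interface name `em1` and the subnet `10.10.1.0/24` are assumptions; `10.10.1.151` is the MTA from Joel's rule. This is the pre-OpenBSD-4.7 `nat`/`rdr` syntax that the FreeBSD pf of that era, and therefore pfSense 1.2, used.

```pf
# Added example, not from the thread.  Macros below are assumptions.
lan_if  = "em1"             # assumed LAN interface name
lan_net = "10.10.1.0/24"    # assumed LAN subnet
mta     = "10.10.1.151"     # the filtering postfix host from Joel's rule

# Translation rules: first match wins, so the exemption must come first.

# 1. Exempt the MTA itself.  Without this its outbound SMTP would match
#    rule 2 and be redirected back to itself (the loop Tim described).
no rdr on $lan_if proto tcp from $mta to any port 25

# 2. Redirect every other LAN host's outbound SMTP to the MTA,
#    regardless of which external mail server the client was aiming at.
rdr on $lan_if proto tcp from $lan_net to any port 25 -> $mta port 25

# 3. Client and MTA share a subnet, so after the rdr the MTA would reply
#    straight to the client, which expects an answer from the original
#    destination and would send a RST.  Rewriting the source to the
#    firewall's LAN address forces the reply back through pf, where the
#    state entry undoes both translations (pf FAQ "reflection").
nat on $lan_if proto tcp from $lan_net to $mta port 25 -> ($lan_if)

# Filter rules see post-translation addresses, hence "to $mta".
pass in  on $lan_if proto tcp from $lan_net to $mta port 25 keep state
pass out on $lan_if proto tcp from ($lan_if) to $mta port 25 keep state
```

Check the syntax with `pfctl -nf` before loading, then confirm with `pfctl -s nat` that the `no rdr` line sits above the `rdr`, and with `pfctl -s state` that a client's SMTP session shows both the rewritten destination and the rewritten source. Note that pfSense regenerates its pf ruleset from the GUI configuration on every filter reload, so hand-added rules like these do not persist there; they are meant for a plain pf host or as a model for what the later source-address option in the port-forward screen expresses.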
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 5:30 PM, Joel Robison robisonj...@gmail.com wrote:
> I have done a little experimenting with this over the past few hours (while dodging IT requests; I am sure most of you are familiar). I set up a VLAN interface that is off of the LAN interface to put the email server in a DMZ. I then created a rule that will look for my workstation as a source IP and the source PORT of 25 and forward them to the new VLAN subnet/machine on port 25. Admittedly, I am a little confused by this, as I had always thought that the source PORT range would most likely not be the port I was trying to match, as most programs generate a higher port on the client side and then establish a connection to the server. Am I wrong?

Are you referring to the External port range in the port forward screen? If so, that's not the source port, it's the original destination port. In which case, yes, you want port 25; you happen to also be forwarding it to port 25, but on a different host. If you truly mean the filter rule screen, I'd be willing to bet that the rule isn't matching, but some other rule (maybe a default allow?) is.

--Bill