RE: [pfSense Support] Outbound mail & multi-wan
As others have said, you could statically force it out one interface, but to me, that seems like a rather inelegant solution. Another option would be to use an external smarthost to relay outbound mail. One of your ISPs may allow you to do this, or there are plenty of other mail servers out there that would, too. Using a smarthost, the mail has two routes to get to the outside world (and your SPOF is sitting safe in a datacenter somewhere). Some mail servers (Exchange for one) let you set up multiple external connectors, so you could actually configure several smarthosts to eliminate SPOFs entirely.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

From: Robert Mortimer [mailto:rmorti...@bluechiptechnology.co.uk]
Sent: Thursday, June 18, 2009 1:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Outbound mail & multi-wan

> IMHO the CARP is good in the event that an entire firewall fails.
> Each firewall should have access to BOTH WANs.
> Use the load balancer on each - it's easy to set up with failover.
> Insert a route for mail (TCP/IP port 25) before your route to the load balanced interface on both firewalls.
> BINGO
> We have this setup without CARP.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Outbound mail & multi-wan
IMHO the CARP is good in the event that an entire firewall fails.
Each firewall should have access to BOTH WANs.
Use the load balancer on each - it's easy to set up with failover.
Insert a route for mail (TCP/IP port 25) before your route to the load balanced interface on both firewalls.
BINGO
We have this setup without CARP.

----- Original Message -----
From: "Evgeny Yurchenko"
To: support@pfsense.com
Sent: Wednesday, 17 June, 2009 19:58:00 GMT +00:00 GMT Britain, Ireland, Portugal
Subject: RE: [pfSense Support] Outbound mail & multi-wan

> May we have a screenshot of your rules for the interface your mail-server is connected to?
>
> Eugene
RE: [pfSense Support] Outbound mail & multi-wan
-----Original Message-----
From: JJB [mailto:onephat...@earthlink.net]
Sent: June 17, 2009 2:48 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Outbound mail & multi-wan

> We've tried this 10 different ways, so far it has not worked.
>
> Current Config is two pfsense 1.22 firewalls with CARP, two WAN connections (not load balanced or failover) (covad & att), with a DMZ interface where our mail and other internet servers live.
>
> I want the mail server to only make SMTP connections using the AT&T interface, but it defaults to using the WAN interface (on the Covad). We route all generic traffic over the covad 10mb wan link (the default) and for server-to-server traffic (such as Iron Mountain backups) we route to a specific ip block or address over the AT&T interface.
>
> It is obvious how to do this with a static route when you have a specific address or block to communicate with, but to say "all traffic 'from this DMZ address to anywhere' should be transmitted via the AT&T link" is not working.
>
> A posting on this same subject on the forum (by my 'nix admin guy):
> http://forum.pfsense.org/index.php/topic,17066.0.html
>
> - Joel

May we have a screenshot of your rules for the interface your mail-server is connected to?

Eugene
Re: [pfSense Support] Outbound mail & multi-wan
On Wed, Jun 17, 2009 at 2:47 PM, JJB wrote:
> We've tried this 10 different ways, so far it has not worked.
>
> Current Config is two pfsense 1.22 firewalls with CARP, two WAN connections (not load balanced or failover) (covad & att), with a DMZ interface where our mail and other internet servers live.
>
> I want the mail server to only make SMTP connections using the AT&T interface, but it defaults to using the WAN interface (on the Covad). We route all generic traffic over the covad 10mb wan link (the default) and for server-to-server traffic (such as Iron Mountain backups) we route to a specific ip block or address over the AT&T interface.
>
> It is obvious how to do this with a static route when you have a specific address or block to communicate with, but to say "all traffic 'from this DMZ address to anywhere' should be transmitted via the AT&T link" is not working.
>

You should really never use static routes with multi-WAN, other than directing traffic initiated by the firewall (which should only be your DNS servers). Make sure your rules are in the right order, first match wins.
Re: [pfSense Support] Outbound mail & multi-wan
We've tried this 10 different ways, so far it has not worked.

Current Config is two pfsense 1.22 firewalls with CARP, two WAN connections (not load balanced or failover) (covad & att), with a DMZ interface where our mail and other internet servers live.

I want the mail server to only make SMTP connections using the AT&T interface, but it defaults to using the WAN interface (on the Covad). We route all generic traffic over the covad 10mb wan link (the default) and for server-to-server traffic (such as Iron Mountain backups) we route to a specific ip block or address over the AT&T interface.

It is obvious how to do this with a static route when you have a specific address or block to communicate with, but to say "all traffic 'from this DMZ address to anywhere' should be transmitted via the AT&T link" is not working.

A posting on this same subject on the forum (by my 'nix admin guy):
http://forum.pfsense.org/index.php/topic,17066.0.html

- Joel

Chris Buechler wrote:
> On Tue, Jun 16, 2009 at 1:37 PM, JJB wrote:
>> I don't know how to set up pfsense to bind the mail server to the AT&T network interface instead of the Covad, can someone provide me with details of how this would be done? It doesn't look like static routes would work since the mail server needs to talk to an unlimited # of machines on the internet.
>
> Just add a firewall rule matching traffic from the mail server and select the appropriate gateway or failover pool.

We
Re: [pfSense Support] Outbound mail & multi-wan
On Tue, Jun 16, 2009 at 1:37 PM, JJB wrote:
>> Yes, setup your rules on the interface with the mail server accordingly.
>
> I don't know how to set up pfsense to bind the mail server to the AT&T network interface instead of the Covad, can someone provide me with details of how this would be done? It doesn't look like static routes would work since the mail server needs to talk to an unlimited # of machines on the internet.
>

Just add a firewall rule matching traffic from the mail server and select the appropriate gateway or failover pool.
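The rule Chris describes here (match traffic from the mail server, pick the gateway) together with his "first match wins" reminder earlier in the thread, as an added example that is not from the thread or from pfSense itself: a minimal first-match evaluator for the DMZ interface's rules, using constructed RFC 5737 addresses, which shows why a mail-server rule placed below a generic "DMZ to any" rule never selects WAN_ATT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab addressing (RFC 5737 documentation ranges), not the poster's real network.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")
GW_DEFAULT = "WAN (Covad, default route)"   # what the system routing table picks
GW_ATT = "WAN_ATT"                          # gateway selected by a policy-routing rule


@dataclass
class Rule:
    """One pass rule on the DMZ interface, reduced to the fields that matter here."""
    src: ipaddress.IPv4Network      # source network the rule matches
    dport: Optional[int]            # destination TCP port, None = any
    gateway: Optional[str]          # gateway/pool set on the rule, None = routing table
    label: str


def first_match(rules, src, dport):
    """First-match semantics as the thread describes them: rules on an interface are
    tried top to bottom and the first matching rule decides where the connection goes."""
    src = ipaddress.ip_address(str(src))
    for rule in rules:
        if src in rule.src and (rule.dport is None or rule.dport == dport):
            return rule.gateway or GW_DEFAULT, rule.label
    return None, "no match: default deny"


# The generic rule most DMZs already have: anything from the DMZ net may go out,
# using the routing table (hence the Covad default).
ANY_OUT = Rule(DMZ_NET, None, None, "pass DMZ net -> any (routing table)")
# The policy rule the thread asks for: SMTP from the mail server, gateway WAN_ATT.
SMTP_VIA_ATT = Rule(ipaddress.ip_network(f"{MAIL_SERVER}/32"), 25, GW_ATT,
                    "pass mail server -> any port 25, gateway WAN_ATT")

WRONG_ORDER = [ANY_OUT, SMTP_VIA_ATT]   # generic rule above the specific one
RIGHT_ORDER = [SMTP_VIA_ATT, ANY_OUT]   # specific rule first, as Chris advises


def gateway_for(rules, src=MAIL_SERVER, dport=25):
    """Gateway chosen for a connection from src to any host on dport."""
    return first_match(rules, src, dport)[0]


if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        gw, label = first_match(rules, MAIL_SERVER, 25)
        print(f"{name}: mail server -> :25 leaves via {gw}  (matched: {label})")
    # Other DMZ hosts, and the mail server's non-SMTP traffic, still take the default.
    print("other DMZ host -> :25 via", gateway_for(RIGHT_ORDER, "192.0.2.80"))
    print("mail server -> :443 via", gateway_for(RIGHT_ORDER, dport=443))
```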
Re: [pfSense Support] Outbound mail & multi-wan
> Yes, setup your rules on the interface with the mail server accordingly.

I don't know how to set up pfsense to bind the mail server to the AT&T network interface instead of the Covad, can someone provide me with details of how this would be done? It doesn't look like static routes would work since the mail server needs to talk to an unlimited # of machines on the internet.

Thanks,
Joel
RE: [pfSense Support] Outbound mail & multi-wan
> Chris Buechler wrote:
>> Yes, setup your rules on the interface with the mail server accordingly.
>
> Can you provide a few more details - would this be outbound NAT rules or ?
>
> thanks,
> Joel

If you do not have a load balancer then your e-mail server should always use one interface according to the routing table.
Re: [pfSense Support] Outbound mail & multi-wan
Chris Buechler wrote:
> Reverse DNS can be the same on both. For forward lookups that's not possible, and there isn't any way for your mail server to know which pipe it's going out to be able to change its hostname. Very few servers check that forward and reverse matches, most just check for existence of PTR or that PTR matches EHLO.
>
> I'd keep it on one WAN, but have PTR on the second so you can fail over. That'll suffice for nearly all mail servers.
>
>> Also, is there a way to force the server to always use either the ATT or Covad link to send mail?
>
> Yes, setup your rules on the interface with the mail server accordingly.

Can you provide a few more details - would this be outbound NAT rules or ?

thanks,
Joel
Re: [pfSense Support] Outbound mail & multi-wan
On Sat, Jun 13, 2009 at 3:07 PM, JJB wrote:
> Hello,
>
> pfsense 1.22
>
> we have a mail server:
>
> mail.domain.com
>
> We have two wan links
>
> WAN_ATT (T1) and WAN (covad DSL)
>
> reverse DNS is configured for the ATT link for mail.domain.com and for the covad link as mail01.domain.com
>
> is there some way to enable the mail server to open smtp connections over either link as mail.domain.com without failing reverse and or forward lookups? (some more strict email servers do both now).
>

Reverse DNS can be the same on both. For forward lookups that's not possible, and there isn't any way for your mail server to know which pipe it's going out to be able to change its hostname. Very few servers check that forward and reverse matches, most just check for existence of PTR or that PTR matches EHLO.

I'd keep it on one WAN, but have PTR on the second so you can fail over. That'll suffice for nearly all mail servers.

> Also, is there a way to force the server to always use either the ATT or Covad link to send mail?
>

Yes, setup your rules on the interface with the mail server accordingly.
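The three checks Chris says receiving servers apply (PTR exists, PTR matches EHLO, and the rarer forward/reverse match), as an added example that is not from the thread: they run against a constructed DNS table modelling Joel's two-link setup, with RFC 5737 documentation addresses standing in for the real ATT and Covad addresses, first with the PTRs as Joel configured them and then with the same PTR on both links as Chris suggests.

```python
# Constructed DNS data modelling the setup Joel describes (RFC 5737 documentation
# addresses stand in for the real ATT and Covad addresses).
ATT_IP = "198.51.100.25"    # mail server's public address on the AT&T T1
COVAD_IP = "203.0.113.25"   # mail server's public address on the Covad DSL
EHLO_NAME = "mail.domain.com"

# Reverse zone as Joel configured it: a different name per link.
PTR_AS_CONFIGURED = {ATT_IP: "mail.domain.com", COVAD_IP: "mail01.domain.com"}
# Chris's suggestion: the same PTR on both links.
PTR_SAME_ON_BOTH = {ATT_IP: "mail.domain.com", COVAD_IP: "mail.domain.com"}
# Forward zone: mail.domain.com only points at the AT&T address.
A_RECORDS = {"mail.domain.com": {ATT_IP}, "mail01.domain.com": {COVAD_IP}}


def ptr_exists(ip, ptr):
    """Weakest check a receiving MTA does: is there any PTR for the connecting IP?"""
    return ip in ptr


def ptr_matches_ehlo(ip, ehlo, ptr):
    """Common check: the PTR name equals the name given in EHLO (case-insensitive)."""
    return ptr.get(ip, "").lower() == ehlo.lower()


def forward_confirmed(ip, ptr, a):
    """Strict check (FCrDNS): the PTR name must resolve back to the connecting IP."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, set())


def assess(ip, ehlo, ptr, a=A_RECORDS):
    """Run the three checks a receiving server might apply to one outbound connection."""
    return {
        "ptr_exists": ptr_exists(ip, ptr),
        "ptr_matches_ehlo": ptr_matches_ehlo(ip, ehlo, ptr),
        "forward_confirmed": forward_confirmed(ip, ptr, a),
    }


if __name__ == "__main__":
    cases = (("PTR as configured", PTR_AS_CONFIGURED), ("same PTR on both", PTR_SAME_ON_BOTH))
    for label, ptr in cases:
        for link, ip in (("AT&T", ATT_IP), ("Covad", COVAD_IP)):
            print(f"{label:18} via {link:5}: {assess(ip, EHLO_NAME, ptr)}")
```

With the same PTR on both links, the Covad path passes the two common checks and fails only the forward/reverse match, which is the trade-off Chris describes.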