On Wed, Jul 14, 2010 at 1:06 PM, Bill Marquette
<bill.marque...@gmail.com> wrote:
> On Tue, Jul 13, 2010 at 1:19 PM, Adam Thompson <athom...@c3a.ca> wrote:
>>> -----Original Message-----
>>> From: Bill Marquette [mailto:bill.marque...@gmail.com]
>>> Sent: Monday, July 12, 2010 8:30 PM
>>> To: support@pfsense.com
>>> Subject: Re: [pfSense Support] 1:1 multi-homed NAT broken?
>>>
>>> This sounds like a missing reply-to, but I'm not entirely sure why.
>>> The inbound SMTP rule should be overriding the routing and sending the
>>> traffic out the right path.  Take a look at /tmp/rules.debug and see if the
>>> inbound SMTP rule has a reply-to on it.
>>
>> Looks right to me:
>>        binat on em1 from 192.168.232.201/32 to any -> 67.226.137.178/32
>>        pass in quick on $wan proto tcp from any to <SBS> port = 25 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT forward inbound mail"
>>        pass in quick on $OPT1 reply-to (em0 192.139.69.161) proto tcp from any to <SBS> port = 25 keep state  label "USER_RULE: NAT forward public web sites"
>>
>> Yes, the comment about "web sites" is misleading - actually it's flat-out 
>> wrong, I probably cloned the rule from the HTTP rule and forgot to edit the 
>> comment.
>>
>> I'm not sure that the binat combined with reply-to actually works - as I 
>> said, I realize this is a corner case that probably isn't (ever?) often 
>> tested.  Is there a way to limit binat to only affecting one public 
>> interface?
>>
>
> hmmm, actually, that looks wrong.  You're missing a reply-to on the
> $wan rule, so the reply traffic that should go out $wan is taking your
> static route out $OPT1.  Not sure what the fix is, I haven't been in
> the code in way too long, hopefully one of the other devs can take a
> look.
>

Yeah WAN rules in 1.2.x don't have reply-to. They do in 2.0.
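
The check suggested earlier in the thread (reading /tmp/rules.debug to see whether each inbound rule carries a reply-to), as an added example that is not part of the original messages or pfSense's own code. The sample rules are the ones quoted above with the mail line wraps joined; treating `$wan` and `$OPT1` as the two upstream interfaces, and the function names, are assumptions.

```python
import re

# Rules as quoted in the thread (wrapped lines joined); not a full rules.debug.
SAMPLE_RULES = """\
binat on em1 from 192.168.232.201/32 to any -> 67.226.137.178/32
pass in quick on $wan proto tcp from any to <SBS> port = 25 keep state  queue (qwandef, qwanacks)  label "USER_RULE: NAT forward inbound mail"
pass in quick on $OPT1 reply-to (em0 192.139.69.161) proto tcp from any to <SBS> port = 25 keep state  label "USER_RULE: NAT forward public web sites"
"""

# pf rule order: action, direction, [log], [quick], on <if>, [reply-to (if gw)], ...
RULE_RE = re.compile(
    r'^pass\s+in\s+(?:log\s+)?(?:quick\s+)?on\s+(?P<iface>\S+)'
    r'(?:\s+reply-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>[^)\s]+)\s*\))?'
)
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def audit_reply_to(rules_text, external_ifaces):
    """Return one record per 'pass in' rule bound to an external interface."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(raw.strip())
        if not m or m.group("iface") not in external_ifaces:
            continue  # binat, block, outbound and internal rules are skipped
        label = LABEL_RE.search(raw)
        reply_to = (m.group("rt_if"), m.group("rt_gw")) if m.group("rt_if") else None
        findings.append({
            "line": lineno,
            "iface": m.group("iface"),
            "reply_to": reply_to,
            "label": label.group(1) if label else "",
        })
    return findings


def missing_reply_to(rules_text, external_ifaces):
    """Inbound rules whose state will follow the routing table for replies."""
    return [f for f in audit_reply_to(rules_text, external_ifaces)
            if f["reply_to"] is None]


if __name__ == "__main__":
    # Assumption: $wan and $OPT1 are the macros for the two upstream links.
    for f in missing_reply_to(SAMPLE_RULES, {"$wan", "$OPT1"}):
        print(f'line {f["line"]}: no reply-to on {f["iface"]} ({f["label"]})')
```

On a firewall, the same functions can be pointed at the contents of /tmp/rules.debug instead of the embedded sample.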
