OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Adam.P on March 27, 2020, 08:15:06 pm

Title: Reflection Shows Router IP
Post by: Adam.P on March 27, 2020, 08:15:06 pm
Hi,

I recently switched from a SonicWall router to an OPNsense appliance. Behind this appliance I have a multi-tenant Exchange server and a VM running Proxmox Mail Gateway spam filter. When someone in the multi-tenant Exchange server emails anyone else that the spam filter is filtering email for, obviously reflection comes into play and it works. However, the sender IP address detected by the spam filter is the OPNsense appliance's LAN IP instead of the WAN IP:

Mar 27 15:05:22 mx01 postfix/smtpd[12870]: D43C632D238: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.7.1]

With the SonicWall, the orig_client was correctly detected as the WAN IP. This is causing problems with some domains with enforced SPF.

Title: Re: Reflection Shows Router IP
Post by: mfedv on March 28, 2020, 09:39:58 pm
Hi,

A little awkward, but you can achieve this using two additional rules:

 - outbound NAT rule: on LAN interface, src LAN Net, dst <ip> port 25, NAT address <external service ip>
 - fw rule on LAN: src address <external service ip>, dst <ip> port 25

The second rule is necessary to avoid the "force gw" part of the automatic "let out anything from firewall host itself (force gw)" floating rule.

Title: Re: Reflection Shows Router IP
Post by: Adam.P on March 30, 2020, 02:31:09 pm
Thank you for the quick response. I tried this but it's still showing the router's LAN IP in the email server logs.

Maybe I'm doing it incorrectly... Any other detail you can provide?

Title: Re: Reflection Shows Router IP
Post by: mfedv on March 31, 2020, 05:09:22 pm
Strange. Please check if that traffic actually hits the fw, or if other rules keep the packets from hitting the new rules (packet counters via "Inspect").

Title: Re: Reflection Shows Router IP
Post by: Adam.P on March 31, 2020, 09:54:38 pm
The traffic is going through the firewall for sure. As for specifics, I think I'm looking for clarification...

 - outbound NAT rule: on LAN interface, src LAN Net, dst <ip> port 25, NAT address <external service ip>

This seemed to have too broad a scope. I made it like this:

 - outbound NAT rule: on LAN interface, src Single host or Network <internal ip/32 of exchange server>, dst <internal ip/32 of spam filter server>, translation/target <virtual public IP>

Did I do any of that incorrectly? I'd like all traffic between the two that touches the router to appear as though it is from the external IP. When I enable this rule, it makes the traffic appear as though it's coming from the actual private IP instead of the gateway, but that's still not what I need.

 - fw rule on LAN: src address <external service ip>, dst <ip> port 25

I'm sorry, but this is where I really started to get confused. I don't understand this rule or why it would be needed. Also, I'm not sure which IP <external service ip> is referring to. Can you explain in a bit more detail please?

Thanks!!

Title: Re: Reflection Shows Router IP
Post by: mfedv on April 09, 2020, 03:57:32 pm
Sorry for the late answer.

I told you to check the packet counters, but alas the GUI does not even provide that feature for NAT rules :-/ You could check them in an SSH session (pfctl -s nat -v).

I think it is worth checking if the NAT rule really applies. The rule itself looks good to me, but maybe some other rule hits first so it does not apply.

The additional fw rule is just to make sure the re-written packet will be allowed. Also, it gives you the opportunity to activate logging for these packets (and not for others, which might be too much).

So activate logging for the outbound NAT rule and the additional fw rule, and try to find these in the Log Files.
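A complementary check on the mail-server side, added here as an example that is not from the thread or from OPNsense: it parses Postfix smtpd lines in the format Adam posted and flags messages whose SPF-relevant source address (orig_client when the filter's front end passed one through, else client) falls inside the firewall's LAN network, which is exactly the symptom of the unfixed reflection. The sample log lines and the 192.168.7.0/24 LAN range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the format Adam posted (not real log data).
# The first one is the symptom: orig_client is the OPNsense LAN address.
SAMPLE_LOG = """\
Mar 27 15:05:22 mx01 postfix/smtpd[12870]: D43C632D238: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.7.1]
Mar 27 15:07:41 mx01 postfix/smtpd[12870]: A1B2C3D4E5F: client=localhost.localdomain[127.0.0.1], orig_client=unknown[203.0.113.10]
Mar 27 15:09:03 mx01 postfix/smtpd[12871]: 0F1E2D3C4B5: client=mail.example.net[198.51.100.25]
"""

# Matches "client=host[ip]" and "orig_client=host[ip]"; the \b keeps the
# "client" alternative from matching inside "orig_client".
CLIENT_RE = re.compile(r"\b(orig_client|client)=(?P<host>[^\[]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]")
QID_RE = re.compile(r"\]: (?P<qid>[0-9A-F]+): ")


def sender_ip(line):
    """Address the filter treats as the real sender: orig_client when the
    front-end proxy handed one through, otherwise the direct client."""
    found = {m.group(1): m.group("ip") for m in CLIENT_RE.finditer(line)}
    return found.get("orig_client") or found.get("client")


def find_reflected(log_text, lan_nets):
    """Return (queue_id, ip) for each smtpd line whose sender address lies in
    one of the firewall's LAN networks, i.e. the reflection rewrote the source
    to the router instead of to the public IP that SPF expects."""
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    hits = []
    for line in log_text.splitlines():
        if "postfix/smtpd" not in line:
            continue
        ip = sender_ip(line)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            qid = QID_RE.search(line)
            hits.append((qid.group("qid") if qid else "?", ip))
    return hits


if __name__ == "__main__":
    # Assumed LAN range of the OPNsense box; adjust to the real one.
    for qid, ip in find_reflected(SAMPLE_LOG, ["192.168.7.0/24"]):
        print(f"{qid}: source {ip} is the firewall LAN side, SPF will see the wrong IP")
```

Run it against the spam filter's mail log after enabling the NAT and firewall rules; an empty result for new messages means the rewrite to the public IP is taking effect.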