OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: RamSense on July 24, 2021, 09:14:53 am

Title: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 24, 2021, 09:14:53 am
Dear community,

I have a mailserver running behind opnsense. The mailserver is working and has the port forward rules for the ports used: 25, 587, etc.

Now I was thinking: is there a way to configure opnsense to protect the mailserver so that only the local IP range and VPN range can log in to the mail server and send email? Using an alias?
But so that the mailserver can receive emails sent to it from anybody?

Sounds like a solid option, but I don't know if this is possible while the mailserver must be able to communicate with the world?

Hope my question makes sense and somebody with knowledge of running mailservers and opnsense has a best practice for how to set up secure port forwards/aliases etc.
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: fabian on July 24, 2021, 10:32:28 am
Just open port 587 internally only. Foreign servers will always send mail to 25.
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 25, 2021, 09:17:48 am
Thanks Fabian,

I will change this right away!
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 25, 2021, 11:45:14 am
@Fabian

I changed port 587 in the firewall on the mailserver to only allow internally.

In opnsense I still have :

Firewall->NAT->Port Forward-> rule:
Interface (WAN) - Protocol (TCP) - Source Address (*) - Ports (*) - Destination Address (WAN address) - Ports (587) - NAT IP (local IP mailserver) - Ports (587)

and the auto added rule Firewall->Rules->Wan-> rule:
Protocol (IPv4 TCP) - Source (*) Port (*) -  Destination (local IP mailserver) - Port (587) - Gateway (*) - Schedule (*)

How do I change this to "open port 587 only internally"?

Thanks in advance for your explanation!
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: fabian on July 25, 2021, 12:04:52 pm
Source IP is just all LAN addresses you want to allow in the firewall rule.
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 25, 2021, 12:23:07 pm
@Fabian, thank you for your reply.
So I change this in the NAT port forward so it also gets changed in the firewall-rules-wan?

See attached pictures. Or should I leave the NAT port forward untouched and only change firewall-rules-wan?
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 25, 2021, 06:48:02 pm
Somehow the LAN addresses used above did not work for my iPhone on 4G (with VPN to opnsense).
Then I thought: what if I make an alias with the IP ranges from LAN and VPN and use that as source IP...
Changed it, and this works!

I do not understand what is different between the LAN address and this alias, but that has to do with my learning of how opnsense / the firewall works. Or should Source IP - LAN address also have worked? What did I do wrong then?
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: fabian on July 25, 2021, 09:08:18 pm
LAN Address - OPNsense IP-Address on the LAN interface
LAN Network - The network which is directly attached to the LAN interface (so this includes the hosts) <- you usually need this one

This Firewall - Any IP address assigned to this firewall
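The three selectors explained above, plus an alias, evaluated against a few client addresses. This is an added illustration written for this thread, not OPNsense code: the LAN network 192.168.1.0/24 with the firewall at 192.168.1.1 and the OpenVPN tunnel 10.8.0.0/24 are taken from the thread, while the WireGuard tunnel 10.10.10.0/24 and the WAN address 203.0.113.10 are constructed values. It shows why a VPN client at 10.8.0.2 matches neither "LAN address" nor "LAN net" and needs an alias that includes the tunnel network.

```python
"""Model of how OPNsense-style source selectors match a client address.

Added example, not code from OPNsense or from this thread. Networks are
assumptions modelled on the thread (LAN, firewall LAN IP, OpenVPN tunnel);
the WireGuard tunnel and WAN address are constructed.
"""
import ipaddress
from typing import Dict, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

FIREWALL_LAN_ADDRESS = "192.168.1.1"          # from the thread
FIREWALL_WAN_ADDRESS = "203.0.113.10"         # constructed
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
OPENVPN_NETWORK = ipaddress.ip_network("10.8.0.0/24")
WIREGUARD_NETWORK = ipaddress.ip_network("10.10.10.0/24")  # constructed

# Selector semantics as fabian described them:
#   "LAN address"   = only the firewall's own IP on the LAN interface (one host)
#   "LAN net"       = the whole subnet attached to LAN (includes the hosts)
#   "This Firewall" = every address the firewall itself holds
# An alias is just a named list of networks the admin groups together.
SELECTORS: Dict[str, List[Net]] = {
    "LAN address": [ipaddress.ip_network(FIREWALL_LAN_ADDRESS + "/32")],
    "LAN net": [LAN_NETWORK],
    "This Firewall": [
        ipaddress.ip_network(FIREWALL_LAN_ADDRESS + "/32"),
        ipaddress.ip_network(FIREWALL_WAN_ADDRESS + "/32"),
    ],
    # Hypothetical alias name: LAN plus both VPN tunnels, as the thread ended up doing.
    "alias TrustedSubmission": [LAN_NETWORK, OPENVPN_NETWORK, WIREGUARD_NETWORK],
}


def source_matches(selector: str, client_ip: str) -> bool:
    """True if a rule with this source selector would match client_ip."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SELECTORS[selector])


def allowed_selectors(client_ip: str) -> List[str]:
    """Every selector (in table order) that would let client_ip through."""
    return [name for name in SELECTORS if source_matches(name, client_ip)]


if __name__ == "__main__":
    for ip in ("192.168.1.50", "10.8.0.2", "10.10.10.2", FIREWALL_LAN_ADDRESS, "198.51.100.7"):
        print(f"{ip:>15}: {allowed_selectors(ip) or 'blocked by every selector'}")
```

A LAN workstation matches "LAN net" and the alias; the OpenVPN client 10.8.0.2 matches only the alias; the firewall's own LAN IP matches everything; an arbitrary internet address matches nothing. The selector chosen for the WAN rule's source is therefore the control that decides who may reach port 587 at all.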
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 25, 2021, 09:51:40 pm
Ah great! Now I Understand. Thanks for that. Learned something again today.
And problem solved :-)
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 29, 2021, 10:07:29 pm
Humm...
I still must be doing something wrong.
When choosing LAN Network or just the IP range of the VPN, 10.8.0.0/24,
port 587 gets blocked by opnsense.
My iPhone on 4G connected to opnsense with VPN has a virtual IP 10.8.0.2, but opnsense blocks it. Have I got something wrong in the port forward, or is this something I have done wrong in the VPN setup? With Redirect Gateway enabled....
In the firewall log I see the real IP of the iPhone getting blocked and not the virtual IP 10.8.0.2 being handled...

p.s. this happened after updating to opnsense 21.7
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 30, 2021, 08:45:04 am
Testing with WireGuard VPN -> it works and connection to email (587)
Testing with OpenVPN -> gets blocked

I am convinced OpenVPN was also working before opnsense 21.7. But I can't figure out why it is not working now, whether it has to do with the upgrade to 21.7, and WireGuard works like it should.. I am obviously missing something
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: chemlud on July 30, 2021, 09:24:15 am
Is your OpenVPN tunnel otherwise functional? Correct FW rules?

What is the error message you get?

Do a packet capture on openvpn/LAN to see where the packets are blocked...
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on July 30, 2021, 09:50:16 am
Dear Chemlud,

Thank you for your reply.
Yes, the OpenVPN is working in all other respects. I can connect, browse the internet and connect to services/devices available on the LAN.

When I look at the firewall live view I see that my iPhone's real IP gets blocked, while I have a NAT port forward with an alias for 10.8.0.0/24 as well as the local LAN and WireGuard. The last 2 are working, only the VPN/10.8.0.0/24 does not.
The real IP gets blocked instead of the virtual IP/VPN IP getting through

I have attached 2 pictures
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on August 01, 2021, 10:04:24 pm
Maybe this is what is happening?
https://forum.opnsense.org/index.php?topic=24183.0
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on August 02, 2021, 09:24:05 am
Looks like it was a missing NAT outbound rule(?)
When I add a NAT outbound rule >
Interface (LAN) - Source (any) - Source port (*) - Destination (*) - Destination port (*) - NAT Address (interface address) - NAT port (*) - Static port (NO)

it works.......
Now I have to figure out how to narrow it down, I think.
(I'm still a fairly new user of opnsense)
Title: Re: email smtp port 25 and 587 firewall rule/port forward protection
Post by: RamSense on August 03, 2021, 08:35:43 am
Hmm… on opnsense 21.7 I tried some different settings in the outbound rule.

When:
- changing the source to myVPN network address -> after some time, the iPhone 4G email stops working. It looks like it takes a couple of minutes before the changed outbound rule takes effect.
- changing the source to the IP range of OpenVPN -> same result - stops working
- changing the source to <LAN address> (I learned earlier that this is the opnsense IP address on the LAN only) -> same result, stops working
- changing the source to <LAN Network> -> same result
- changing the source to OpenVPN network -> same result - stops working
- changing the source to This Firewall -> I can receive emails on my MacBook Pro on local wifi and use an email to send to my own email server e-mail account. Replying to that email (with my own email server) is not working….
- changing the source to any -> everything is working again…. I find this very strange… I should be able to narrow this rule, in my opinion.

And when source is any -> on my iPhone on 4G - NOT connected to VPN - trying to get email and send email in the mail app for my own mailserver works also….

I surely do not know what is causing all this. On my Synology firewall I have a rule to only accept ports 587 and 993 from the IP range of the LAN and the IP range of the VPN.
So when no VPN is on on the iPhone 4G, it should not accept email…. But it does… It looks to me that there is a flaw in opnsense 21.7 to let the connection through with the IP 192.168.1.1 (the IP of opnsense) ????

What is causing this? OpenVPN fault? Opnsense 21.7 fault? Or my fault in what?
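The observation in the last post (connections arriving at the mailserver from 192.168.1.1, and the Synology's LAN-only rule accepting them) is the expected effect of an outbound NAT rule on the LAN interface whose source is "any": every forwarded packet gets the firewall's LAN address as source before it reaches the server. The simulation below is an added illustration for this thread, not OPNsense code, and it models only what the mailserver sees; it does not explain why OpenVPN needed the rule in the first place. The firewall LAN address 192.168.1.1, the LAN 192.168.1.0/24, the OpenVPN tunnel 10.8.0.0/24 and the server-side rule (587 only from LAN and VPN) are taken from the thread; the mailserver address 192.168.1.20 and the client addresses are constructed.

```python
"""What a mail server's own source-IP filter sees with and without an
outbound NAT rule on the LAN interface.

Added example, not OPNsense code. Addresses follow the thread where it
gives them; the mailserver IP and client IPs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

FIREWALL_LAN_ADDRESS = "192.168.1.1"                 # from the thread
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
OPENVPN_NETWORK = ipaddress.ip_network("10.8.0.0/24")
MAILSERVER = "192.168.1.20"                          # constructed
SUBMISSION_PORT = 587


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class OutboundNat:
    """Outbound NAT on LAN with NAT address = interface address.

    source_nets None means the rule's source is "any": every packet leaving
    LAN is rewritten. A list restricts the rewrite to those source networks.
    """
    source_nets: Optional[List[ipaddress.IPv4Network]]

    def apply(self, pkt: Packet) -> Packet:
        src = ipaddress.ip_address(pkt.src)
        if self.source_nets is None or any(src in n for n in self.source_nets):
            return Packet(FIREWALL_LAN_ADDRESS, pkt.dst, pkt.dport)
        return pkt


def mailserver_accepts(pkt: Packet) -> bool:
    """The server-side rule from the thread: port 587 only from LAN or the VPN."""
    src = ipaddress.ip_address(pkt.src)
    return pkt.dport == SUBMISSION_PORT and (src in LAN_NETWORK or src in OPENVPN_NETWORK)


def deliver(client_ip: str, nat: Optional[OutboundNat]) -> Dict[str, Union[str, bool]]:
    """Forward one submission connection to the mailserver and report
    which source address the server sees and whether its own rule passes it.
    The WAN/OpenVPN firewall rule is assumed to have already let it through."""
    pkt = Packet(client_ip, MAILSERVER, SUBMISSION_PORT)
    if nat is not None:
        pkt = nat.apply(pkt)
    return {"seen_by_mailserver": pkt.src, "accepted": mailserver_accepts(pkt)}


if __name__ == "__main__":
    cases = {
        "no outbound NAT": None,
        "outbound NAT, source any": OutboundNat(None),
        "outbound NAT, source OpenVPN net only": OutboundNat([OPENVPN_NETWORK]),
    }
    for label, nat in cases.items():
        print(label)
        for client in ("192.168.1.50", "10.8.0.2", "198.51.100.7"):
            print(f"  client {client:>14} -> {deliver(client, nat)}")
```

With source "any", the LAN client, the VPN client and an internet client all reach the server as 192.168.1.1, so the server's own LAN/VPN filter passes every one of them and the only effective control left is the firewall rule on the interface where the connection enters. Scoping the NAT rule's source to the tunnel network keeps the real address visible for everything except VPN traffic, which is the minimum the server-side filter needs to keep meaning something.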