16.1 Legacy Series / Problem with MailServer behind opnsense (OpenVPN+fixed IP+Port Forwarding)
« on: April 25, 2016, 06:45:34 pm »
Dear all,
first of all I want to say, that opnsense is a really nice and reliable firewall solution.
After having a steep learning curve we now got very reliable results in comparison to pfsense.
With pfsense (a nice firewall solution as well) we did many times crash our configuration without any clue, why this happened.
With opnsense everything works as it should - besides a nasty problem with our mailserver.
Problem (configuration details see below):
Mailserver with fixed IP over OpenVPN-Client-DialIn to an IP-Provider. NAT of ports 25 (SMTP), 143 (IMAP with StartSSL), 587 (Submission with StartSSL). NAT-Outbound rules are set.
The mailserver is working well. Mail can be received and sent by SMTP (25) to the outside world.
Clients can fetch and send email by IMAP (143) and SMTP (587) from all LAN interfaces.
But #1: clients cannot fetch and send email from outside our LAN.
But #2: Sometimes it works from outside our LAN...
Detailed problem description:
External IP of mailserver: 42.8.5.2 (changed for example)
Internal IP of mailserver: 10.2.1.100 (changed for example)
DNS-name of mailserver (split DNS): mail.domain.it
That means: ping domain from outside our LAN = IP is 42.8.5.2
ping domain from inside our LAN = IP is 10.2.1.100
We are testing the mailserver with: telnet mail.domain.it 143 and telnet 42.8.5.2 143
The problem is: it works - sometimes...
Firewall tells us: connection (TCP) established
But if we test with telnet from different WAN-line or by LTE we cannot always connect with telnet.
Two lines do work, other lines do not work...
Our log does not tell us any blocked situation.
Our configuration:
OpenVPN-client to IP-Provider (Portunity) to get a fixed IP.
WAN-DialIn with Fritzbox-Routers. Opnsense is set as the exposed host.
IP of Routers: 10.3.201.1 | 10.3.202.1 | 10.3.203.1 - mmh, one LAN interface does have the same IP range, but different Mask.... opnsense has fixed IPs according to those IPs: 10.3.201.2 | 10.3.202.2 | 10.3.203.2
Mask: 255.255.255.0
Could that be part of the problem?
On the Portunity-Interface we have the following firewall rules:
Rule on "WAN-Portunity":

| Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 TCP | * | * | 10.2.1.100 | 25 | * | | NAT |
| IPv4 TCP/UDP | * | * | 10.2.1.100 | 587 | * | | NAT |
| IPv4 TCP/UDP | * | * | 10.2.1.100 | 143 | * | | NAT |

_____________

Rule on "DMZ" (where the mailserver is located):

| Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 * | * | * | DMZ net | * | * | | |
| ... | | | | | | | |
| IPv4 * | 10.2.1.100 | * | * | * | WAN_Portunity | | |
| ... | | | | | | | |

_____________

NAT Port Forwarding

| If | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports |
|---|---|---|---|---|---|---|---|
| WAN_Portunity | TCP | * | * | * | 25 | 10.2.1.100 | 25 |
| WAN_Portunity | TCP/UDP | * | * | * | 587 | 10.2.1.100 | 587 |
| WAN_Portunity | TCP/UDP | * | * | * | 143 | 10.2.1.100 | 143 |

Comment: we also put our external IP (42.8.5.2) as destination address in those rules - no difference. We used TCP/UDP for ports 587+143 just for testing whether StartSSL could cause our problem.

_____________

NAT Outbound manual rule

| If | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port |
|---|---|---|---|---|---|---|---|
| WAN_Portunity | 10.2.1.100/32 | * | * | * | WAN_Port_addr. | * | NO |
Does anybody have a clue what we did wrong?
Thanks for your support!
Regards, Markus
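The post tests the forwarded ports with `telnet` from several lines and gets inconsistent results. The script below is an added example (not code from the post or from the OPNsense project) of a repeatable probe that a practitioner can run from each outside line in turn: it resolves the mail hostname, tells which side of the split DNS it landed on, and then, for each forwarded port, distinguishes the three outcomes that a plain "cannot connect" hides: a timeout (no SYN-ACK ever reaches the client, i.e. the packet was dropped or the reply left by a different path), a refusal (a host answered but nothing listens), and a completed handshake with or without the service greeting (a handshake that completes but never delivers a banner is a different failure from one that never completes). The hostname and addresses `mail.domain.it`, `42.8.5.2` and `10.2.1.100` are taken from the post; the loopback banner server and the `free_port` helper are constructed stand-ins so the probe logic can be exercised without the real mail server.

```python
import socket
import threading

# Ports the post forwards to the mail server (SMTP, IMAP, Submission).
MAIL_PORTS = {25: "SMTP", 143: "IMAP", 587: "Submission"}


def probe(host, port, timeout=5.0):
    """TCP-connect to host:port and read the service greeting.

    Returns (state, detail), where state is one of:
      'timeout'   - no SYN-ACK came back (dropped, or the reply took another path)
      'refused'   - a RST came back (a host answered, but nothing listens there)
      'error'     - any other socket error; detail carries the message
      'connected' - handshake completed; detail is the first greeting line,
                    or 'no-banner' if the server sent nothing before timeout/close
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return ("connected", "no-banner")
            if not data:
                return ("connected", "no-banner")
            return ("connected", data.decode("ascii", "replace").splitlines()[0])
    except socket.timeout:
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:
        return ("error", str(exc))


def resolve(name):
    """All IPv4 addresses the local resolver returns for name (empty on failure)."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []


def classify_view(addresses, external_ip, internal_ip):
    """Which side of the split DNS did this resolver answer come from?"""
    addrs = set(addresses)
    if not addrs:
        return "no-answer"
    if addrs == {external_ip}:
        return "external-view"
    if addrs == {internal_ip}:
        return "internal-view"
    return "mixed-or-unexpected"


def start_banner_server(banner, host="127.0.0.1"):
    """Constructed stand-in for the mail server: answers one connection with
    `banner` and closes. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode("ascii") + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host="127.0.0.1"):
    """Constructed helper: a loopback port on which nothing listens."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    # Run this from each outside line (office DSL, LTE, ...) and compare the output.
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.it"  # hostname from the post
    answer = resolve(host)
    print(f"{host} resolves to {answer} -> {classify_view(answer, '42.8.5.2', '10.2.1.100')}")
    for port, service in MAIL_PORTS.items():
        print(f"{service:10} {port:4} -> {probe(host, port)}")
```

Run it once with the hostname and once with the bare external IP, as the post does with telnet; if the hostname run reports `internal-view` from a line that is supposed to be outside, the split DNS rather than the NAT is what that line is exercising.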