Manual Outbound Spam filter

Started by Julien, January 20, 2019, 04:00:58 AM

Dear all,
Our scenario is as follows:

Internet >>>> OPNSENSE >>>>> SPAM FILTER >>>> MAIL SERVER
The MAIL SERVER is using the spam filter as its smarthost to send out emails.
The SPAM filter has its own VIP, which is configured on the virtual IP 20.344.55.56.
The default WAN of the OPNsense is 20.344.55.50.
Outbound is automatic.
Whenever we send out email using the spam filter as the smarthost of the mail server, it still uses the default WAN IP of the OPNsense, 20.344.55.50.
I tried to change outbound from automatic to manual and created a rule for this:

WAN1  summitgrid_relay  *  *  *  20.344.55.50 *   Outbound NAT Rule for Email Relay

The internet stops working. I thought the rules would remain created when I changed from auto to manual.
Also, the email is still delivered from the default OPNsense IP and not the spam filter.

Can someone please advise how to get this fixed?

Thank you

DEC4240 – OPNsense Owner


You need to set up a 1:1 NAT for the spam server if you want it to have its own public IP for outbound traffic.

Bart...

January 20, 2019, 06:48:47 PM #3 Last Edit: January 21, 2019, 02:01:15 AM by Julien
Quote from: bartjsmit on January 20, 2019, 10:12:37 AM
You need to set up a 1:1 NAT for the spam server if you want it to have its own public IP for outbound traffic.

Bart...

Thanks Bart,
I am pulling my hair out trying to get this 1:1 NAT configured.
On NAT >>> One to One
I have created a BINAT, see screenshot 1.
After that I created the rule on the WAN side to allow SMTP / HTTPS, but it is not working.

The outbound is hybrid outbound NAT rule generation, but I cannot seem to access the server behind it on port 443 or SMTP.

What am I doing wrong?
Are "Reflection for 1:1" and "Automatic outbound NAT for Reflection" relevant here? Because I do not have them enabled.
DEC4240 – OPNsense Owner

Hi Julien,

Reflection allows for hairpin traffic; going out via the default outbound NAT and back in via the public IP address for the 1:1 NAT. It won't matter for external clients.

Does the relay alias point to an internal IP address?

Here is one of my 1:1's for comparison:

Interface: WAN
Type: BINAT
External network: X.Y.Z.139
Source: internal IP for host
Destination: any
NAT reflection: enabled

The firewall rule is defined on the WAN interface and has:
source: any
source port: any
destination: internal IP for host
destination port: 443
gateway: any

My main outbound NAT is on X.Y.Z.137 for the default outbound traffic.

Bart...

January 22, 2019, 03:28:03 PM #5 Last Edit: January 22, 2019, 03:38:00 PM by Julien
Hi Bart,
Thank you so much for your answer. How is your outbound (Hybrid or Auto)?
When I choose auto outbound it does not work; it routes through the default WAN IP.
I have hybrid outbound with two created rules, see attached.

I am using port forwarding on the WAN side to the internal server, like the Exchange OWA and port 25.
Do I have to remove those rules? Can I get it configured with port forwarding already on the WAN?

I do have 34 rules on the WAN side: 25 to server 1 and server 2, and port 334 to server 1 and server 2.

And I want to get the 1:1 so emails will be routed through the virtual IP.
DEC4240 – OPNsense Owner
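Added example, not from the thread: a small check over the one-line-per-state form of `pfctl -ss` output that flags relay connections leaving from a public address other than the dedicated VIP, which is the symptom described above. The interface name, the addresses and the sample states are constructed, not captured from the poster's firewall.

```python
"""Added example (not from the thread): flag relay connections that leave from the
wrong public address. Parses the one-line-per-state form of `pfctl -ss`; the sample
states, interface name and addresses below are constructed."""
import re
from typing import Iterable

# Outbound IPv4 state:
#   "<if> <proto> <translated src>:<port> (<original src>:<port>) -> <dst>:<port> ..."
# The parenthesised original address is only present when NAT/BINAT rewrote the packet.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<tsrc>\d+(?:\.\d+){3}):(?P<tport>\d+)\s+"
    r"(?:\((?P<osrc>\d+(?:\.\d+){3}):(?P<oport>\d+)\)\s+)?"
    r"->\s+(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)


def relay_leaks(states: Iterable[str], relay_int: str, relay_vip: str, ports=(25, 587)):
    """Return (translated_src, dst, dport) for every outbound mail state of the relay
    whose public source is not the dedicated VIP. Inbound ('<-') lines and states that
    were not translated at all are skipped."""
    leaks = []
    for line in states:
        m = STATE_RE.match(line.strip())
        if not m or m["osrc"] is None:
            continue
        if m["osrc"] != relay_int or int(m["dport"]) not in ports:
            continue
        if m["tsrc"] != relay_vip:
            leaks.append((m["tsrc"], m["dst"], int(m["dport"])))
    return leaks


# Constructed sample: 203.0.113.137 plays the default WAN address, .139 the relay's
# 1:1 VIP, 192.168.1.10 the relay and 192.168.1.50 an unrelated LAN host.
SAMPLE_STATES = """
em0 tcp 203.0.113.139:48122 (192.168.1.10:48122) -> 198.51.100.25:25   ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.137:51200 (192.168.1.10:51200) -> 192.0.2.80:25      ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.137:52300 (192.168.1.50:52300) -> 192.0.2.80:443     ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.10:443 (203.0.113.139:443) <- 198.51.100.7:40011     ESTABLISHED:ESTABLISHED
""".strip().splitlines()

if __name__ == "__main__":
    for tsrc, dst, dport in relay_leaks(SAMPLE_STATES, "192.168.1.10", "203.0.113.139"):
        print(f"relay -> {dst}:{dport} left via {tsrc} instead of the 1:1 VIP")
```

On a live firewall the same function can be fed `subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout.splitlines()`.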

Hi Julien,

I have hybrid outbound NAT but with no manual rules related to the WAN interface. I also don't have any virtual IP's configured. I just pick a free public IP from the range assigned by my ISP.

For the 1:1 NAT's, I don't have any port forwarding. By definition all traffic from the internal IP to the external IP and vice versa will NAT on the strength of the 1:1 rule that ties them together. All I configure for each 1:1 is the firewall rules for the inbound traffic, since the WAN has default deny inbound, while the LAN has default allow outbound.

You may have overcomplicated things ;-)

Bart...
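Added example, not from the thread and not OPNsense's generated ruleset: a hand-written pf.conf rendering of the 1:1 NAT Bart describes in his two replies (BINAT on WAN, no port forwards, a WAN pass rule to the internal address, default outbound NAT for the rest). The interface name, the internal relay address and the public addresses are placeholders.

```pf
# Added example: hand-written pf equivalent of the 1:1 setup described above.
# Interface, internal address and public addresses are assumptions.
ext_if    = "em0"
relay_int = "192.168.1.10"     # spam filter / relay on the LAN
relay_vip = "203.0.113.139"    # spare public IP dedicated to the relay (Bart's X.Y.Z.139)
lan_net   = "192.168.1.0/24"

# 1:1 (BINAT): packets from the relay leave with relay_vip as source and packets
# arriving for relay_vip are translated to the relay. pf evaluates binat before nat
# for outbound packets, so the relay needs no manual outbound NAT rule.
binat on $ext_if from $relay_int to any -> $relay_vip

# Default outbound NAT for every other LAN host (Bart's X.Y.Z.137 is the WAN address).
nat on $ext_if from $lan_net to any -> ($ext_if)

# Inbound rule on WAN: translation runs before filtering, so the destination is the
# internal address. WAN is default deny, so only these ports are reachable.
pass in quick on $ext_if proto tcp from any to $relay_int port { 25, 443 } flags S/SA keep state

# LAN is default allow outbound.
pass out quick on $ext_if keep state
```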

Quote from: bartjsmit on January 22, 2019, 07:28:50 PM
Hi Julien,

I have hybrid outbound NAT but with no manual rules related to the WAN interface. I also don't have any virtual IP's configured. I just pick a free public IP from the range assigned by my ISP.

For the 1:1 NAT's, I don't have any port forwarding. By definition all traffic from the internal IP to the external IP and vice versa will NAT on the strength of the 1:1 rule that ties them together. All I configure for each 1:1 is the firewall rules for the inbound traffic, since the WAN has default deny inbound, while the LAN has default allow outbound.

You may have overcomplicated things ;-)

Bart...
Hi Bart,
Thank you for your answer. Without manual rules on the outbound it is not working for us. I have to configure the rule on the outbound with hybrid in order to get one IP working; however, the second one is not working even though I have configured the same rules as the first 1:1.
Outbound and inbound are not working.
Is there some kind of limitation?
DEC4240 – OPNsense Owner

Sorry Julien, I can't see any cause.

If you want we could exchange configs by pm (passwords redacted of course) to see if there is an environmental factor we're missing?

Bart...