Firewall NAT Port Forward Help

Started by baqwas, January 05, 2021, 05:03:01 AM

Hello,

I have reviewed the documentation at https://docs.opnsense.org/manual/nat.html for the most basic port forwarding exercise (i.e. traffic to an internal mail server) as follows:

Firewall: NAT: Port Forward
Edit Redirect entry
Disabled unchecked
No RDR (NOT) unchecked
Interface WAN
TCP/IP Version IPv4
Protocol TCP
Source any
Source port range from any to any
Destination / Invert unchecked
Destination Single host or Network
74.6.235.14 30
Destination port range
from: IMAP/S to: IMAP/S
Redirect target IP Single host or Network
192.168.1.3
Redirect target port IMAP/S
Pool Options: Default
Log unchecked
Description My description
Set local tag <blank>
Match local tag <blank>
No XMLRPC Sync unchecked
NAT reflection Use system default
Filter rule association None


Unfortunately, recognized external mail servers (viz. Gmail, Hotmail, Yahoo, etc.) are unable to communicate to my mail server for this purpose. Live View of the filtered log provides the originating IP addresses of the traffic that were passed to the internal mail server (and WhoIs lookup confirmed my presumption about Hotmail server).

My mail server is working fine in the intranet and also, FWIW, can SMTP directly via the WAN interface.

What is my mistake, please? Thanks.

Kind regards.

January 05, 2021, 05:23:54 AM #1 Last Edit: January 05, 2021, 05:25:39 AM by mihak
IMAP/S connections at large email providers are typically used with TLS option - they require a valid server certificate from a trusted certificate authority in order to establish TLS IMAP session.

Are you sure you have a valid cert installed on your 192.168.1.3 so IMAP/S can authenticate successfully?

Try changing your Destination to WAN address.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Hello @mihak,

The mail server has worked successfully with POP3/S and IMAP/S using "a trusted CA" for several years and it has not expired. The issue lies in my understanding of OPNsense NAT configuration. As you can imagine the configuration is something simple and routine but I seem to be unqualified to configure it. This is the reason for my plea for help. Thanks.

I will try the suggestion from @marjohn56 shortly.

Kind regards.

I should have asked you if you have multiple WAN IPs like I have? I have a /29 block and some of the addresses are using 1:1 NAT to the internal servers.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Hello @marjohn56,

Thx. Much appreciated. Allow me to answer to your questions chronologically:

Quote: Try changing your Destination to WAN address.
On the Firewall: NAT: Port Forward page, the Destination Address is the ISP assigned external static IP address and the ports are for the mail traffic (SMTP, SMTP/S, IMAP/S and POP3/S) respectively. The NAT IP is the intranet mail server address with no change in port assignments. Under Source, Interface is set to WAN and Address/Port are */*.

Quote: I should have asked you if you have multiple WAN IP's like I have?
I have single WAN IP address; I need the most basic 1:1 NAT to the mail server which is doing its job for all intranet traffic right now.

The forwarding rules are in the following order (omitting the default port numbers for brevity):
SMTP -> SMTP/S -> SUBMISSION -> IMAP/S -> POP3/S

Do these need to be reordered? (Of course, the default Anti-Lockout Rule is at the top)

Thanks again.

Kind regards.
OK, try this: Delete the rule you have, we'll use aliases to create the rules, it's neater.


First create an alias for the internal mail server: Firewall->Aliases like so:
Create another new alias and add the ports you need; for a mail server you may need all of these: 25, 143, 443, 465, 587, 993, depending on your mail server setup. I have my mail server split across two separate servers, so you don't see port 25 on this one.
Now go to firewall rules and create a new floating rule, they have a higher priority. Set it up using the following:


Action: Pass
Disabled: Unchecked
Quick: Checked
Interface: WAN
Direction: In
TCP Version: IPv4
Protocol: TCP
Source Invert: Unchecked
Source: Any
Destination Invert: Unchecked
Destination: Drop down list, choose the Alias you created for your mail server IP
Destination Port Range: From and To - Select the Ports Alias you created
Log: Checked - We want to see it working in the firewall logs.

The rest you can leave at default.

Try that and see if it works.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
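As an added example (not from this thread and not OPNsense's own code), the Python below models the two configurations discussed so far: the Firewall: NAT: Port Forward entry from the first post, with a small lint that flags a destination that is not the WAN address and a filter rule association of None (OPNsense then generates no pass rule), and the alias-based floating rule from the reply above. It also traces one inbound packet in pf's order of operations, where the redirect is applied before the filter sees the translated destination. The WAN address 203.0.113.10, the dictionary field names and the service-name-to-port table are assumptions of this example.

```python
import ipaddress

# Constructed values for this example: a placeholder WAN address from the
# TEST-NET-3 documentation range, and the LAN mail server address quoted in the thread.
WAN_ADDRESS = "203.0.113.10"
MAIL_SERVER = "192.168.1.3"

# Service names as shown in the OPNsense port drop-down, mapped to their IANA
# default ports. Assumed mapping, used here only to resolve names to numbers.
SERVICE_PORTS = {"SMTP": 25, "IMAP": 143, "HTTPS": 443, "SMTP/S": 465,
                 "SUBMISSION": 587, "IMAP/S": 993, "POP3/S": 995}


def resolve_port(value):
    """Accept either an integer port or a service name from SERVICE_PORTS."""
    return value if isinstance(value, int) else SERVICE_PORTS[value]


def lint_port_forward(rule, wan_address=WAN_ADDRESS):
    """Return findings (list of strings) for a Firewall: NAT: Port Forward entry."""
    findings = []
    if rule["destination"] not in ("WAN address", wan_address):
        findings.append(f"destination {rule['destination']} is not the WAN address; "
                        "packets arriving for the WAN IP never match this redirect")
    if not ipaddress.ip_address(rule["redirect_target"]).is_private:
        findings.append("redirect target is not a private (RFC 1918) address")
    if rule.get("filter_rule_association", "None") == "None":
        findings.append("filter rule association is None: no pass rule is generated, "
                        "so the redirected traffic still needs a matching firewall rule")
    return findings


# The first post's entry, with destination and association exactly as posted.
ORIGINAL_RULE = {
    "interface": "WAN", "protocol": "TCP", "source": "any",
    "destination": "74.6.235.14", "destination_port": "IMAP/S",
    "redirect_target": MAIL_SERVER, "redirect_target_port": "IMAP/S",
    "filter_rule_association": "None",
}

# Same entry with the destination changed to the WAN address, as suggested.
# The association stays None because the floating rule below supplies the pass.
CORRECTED_RULE = dict(ORIGINAL_RULE, destination="WAN address")

# Aliases as suggested in the thread: one host alias and one port alias
# (the port list is the one quoted there; note that it does not include 995).
ALIASES = {
    "MailServer": {"type": "host", "content": [MAIL_SERVER]},
    "MailPorts": {"type": "port", "content": [25, 143, 443, 465, 587, 993]},
}

# The floating pass rule, field for field as listed in the thread.
FLOATING_RULE = {
    "action": "pass", "quick": True, "interface": "WAN", "direction": "in",
    "protocol": "TCP", "source": "any",
    "destination": "MailServer", "destination_port": "MailPorts", "log": True,
}


def packet_outcome(dst_ip, dst_port, nat_rule, filter_rule, aliases,
                   wan_address=WAN_ADDRESS):
    """Trace one inbound TCP packet in pf's order: the redirect is applied
    first, then the filter is evaluated against the translated destination."""
    nat_dest = wan_address if nat_rule["destination"] == "WAN address" else nat_rule["destination"]
    if dst_ip != nat_dest or dst_port != resolve_port(nat_rule["destination_port"]):
        return "not redirected: destination does not match the port forward"
    dst_ip = nat_rule["redirect_target"]
    dst_port = resolve_port(nat_rule["redirect_target_port"])
    hosts = aliases[filter_rule["destination"]]["content"]
    ports = aliases[filter_rule["destination_port"]]["content"]
    if filter_rule["action"] == "pass" and dst_ip in hosts and dst_port in ports:
        return f"passed to {dst_ip}:{dst_port}"
    return f"redirected to {dst_ip}:{dst_port} but blocked by the filter"


if __name__ == "__main__":
    for finding in lint_port_forward(ORIGINAL_RULE):
        print("original rule:", finding)
    print(packet_outcome(WAN_ADDRESS, 993, ORIGINAL_RULE, FLOATING_RULE, ALIASES))
    print(packet_outcome(WAN_ADDRESS, 993, CORRECTED_RULE, FLOATING_RULE, ALIASES))
```

Because the filter runs after the redirect, the floating rule's destination is the internal mail server alias rather than the WAN address, which is why the rule above is written that way. Running the trace with a POP3/S forward (port 995) shows the other failure mode: the packet is redirected but dropped, because 995 is not in the port alias as quoted.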

Hello @marjohn56,

I'm sorry I couldn't complete your instructions on the Firewall: Rules: Floating page. Here are the screenshots confirming that I was able to complete your instructions for the Aliases (good suggestion, thx again):

Host alias

Port alias

The selection of the destination port range is disabled (sorry, could not capture the cursor):
Floating rules

Please do let me know if you have an alternate suggestion or spot any typing mistakes on my part while following your instructions. Thanks.

Kind regards.

Click on the Advanced button under Source
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Hello @marjohn56,

Thanks for your patience.

The floating rules were configured per your guidance without further roadblocks. I sent a test message from Hotmail. The Firewall Log Files Live View duly captured the packet(s) as in the second attachment (as evidenced by the Source IP address for this set of entries which belongs to Microsoft). Unfortunately, the message was not posted to the InBox (of the Thunderbird client) where I can continue to view other messages (that are being sent internally) from the mail server.

Presumably, "some" handshake is not occurring for the message body to be transferred. Thoughts? Thanks.

Kind regards.

1st attachment is confirmation of the Floating Rules using Aliases
2nd attachment is the filtered log entries

Hello @marjohn56,

Many, many thanks to you for your patience and understanding. In my haste, I wasn't paying detailed attention to the one-line test messages.

Bottom line: your suggestion solved my issue with Gmail and Yahoo. It doesn't matter that Yahoo was working also prior to the change to Aliases (I prefer the Aliases approach and thanks to you I've learnt something new to leverage).

I'm still having problems with Hotmail. This could be the infamous DNSBL issue where the ISP voluntarily gave a pool of consumer grade IP addresses to prevent use of SOHO mail servers. DNSBL will not honor my request to remove my static address and the original ISP (company infrastructure has changed ownership twice). My issue to resolve but forum inquiry may be considered as closed.

Wish you all the best and admire your professionalism in supporting newbies.

Kind regards.