OPNsense Forum » Archive » 21.7 Legacy Series » Forward SMTP from Internet to LAN using IPSec
Topic: Forward SMTP from Internet to LAN using IPSec (Read 3094 times)
Sascha79 (Newbie)
Forward SMTP from Internet to LAN using IPSec
on: November 23, 2021, 12:24:57 pm
Hi!
I have OPNsense (21.7.5) running on a machine that has a public (static) IP.
Now I'd like to forward incoming SMTP to my private mail server in my home network, which is connected using IPsec, like this:
Internet -> Public-IP:25 -> NAT -> IPSec -> Private Mailserver
Traffic from OPNsense flows fine through the IPsec tunnel.
Unfortunately, the port forward from WAN address:25 to the LAN address of my mail server does not work.
Can anybody give me a tip on how to set it up?
Edit:
* Port Probe using Source Address "LAN" to Mailserver works fine.
* Port Probe using "WAN" to Mailserver does not work.
Thanks!
Sascha
Last Edit: November 23, 2021, 12:40:21 pm by Sascha79
Sascha79 (Newbie)
Re: Forward SMTP from Internet to LAN using IPSec
Reply #1 on: November 24, 2021, 07:49:36 pm
Did nobody ever try this with OPNsense?
schnipp (Sr. Member)
Re: Forward SMTP from Internet to LAN using IPSec
Reply #2 on: November 24, 2021, 08:23:58 pm
Can you explain in more detail what you try to achieve? Do I understand correctly that you have an IPsec tunnel with Opnsense and the mail server as two tunnel endpoints? What's the reason for it?
Additionally, please post the relevant firewall and DNAT rules as well as the IPsec configuration.
Sascha79 (Newbie)
Re: Forward SMTP from Internet to LAN using IPSec
Reply #3 on: November 25, 2021, 04:48:39 pm
OPNsense is running at gridscale (an IaaS provider) and can get static IPs from there.
It has two NICs: WAN and LAN.
(Reason for all this: at home there's no static IP, and therefore I'd like to send e-mail through the tunnel.)
The only setting is a port forward matching the WAN address at port 25, NATting to the IP on the other side of the tunnel.
A strange thing is: I can ping the private IP from OPNsense using its LAN address but not using the WAN address?!
schnipp (Sr. Member)
Re: Forward SMTP from Internet to LAN using IPSec
Reply #4 on: November 25, 2021, 05:11:03 pm
There is still not enough information to help you. In addition to the already requested information, can you please provide us with an architecture overview and do the following checks:
* Check whether there is a firewall active on your private mail server
* Check whether you can establish a TCP (e.g. telnet) connection from OPNsense to your private mail server
* Check whether you can establish a TCP (e.g. telnet) connection from the Internet to your private mail server
Sascha79 (Newbie)
Re: Forward SMTP from Internet to LAN using IPSec
Reply #5 on: November 25, 2021, 05:54:25 pm
There's really not much architecture, just the OPNsense box at the remote location; it's one end of the IPsec tunnel. The other end of the tunnel is a MikroTik router (CCR2004, if it helps) connecting it to the private LAN where the mail server sits. The firewall is completely open for IPsec.
I'm testing the connection using OPNsense > Interfaces > Diagnostics > Port Probe.
OPNsense succeeds in opening a connection to the mail server if the LAN NIC is selected as Source Address.
If WAN is selected, it says: nc: connect to xxx.xxx.xxx.xxx port 25 (tcp) failed: Operation timed out
schnipp (Sr. Member)
Re: Forward SMTP from Internet to LAN using IPSec
Reply #6 on: November 26, 2021, 04:24:44 pm
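As an added illustration (not the poster's configuration and not a confirmed diagnosis of it), the snippet below models IPsec phase 2 traffic selectors with constructed addresses, to show why a probe sourced from the LAN address can enter the tunnel while one sourced from the WAN address, or a port-forwarded packet that still carries the Internet client's source, does not. The OPN_LAN_IP, OPN_WAN_IP, MAILSERVER values and the PHASE2 selector are assumptions; the nat_source parameter stands for an outbound NAT rule on the IPsec interface that would rewrite the source, something to check against your own setup.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed addresses, not taken from the thread:
#   OPNsense LAN 10.10.0.0/24 (LAN address 10.10.0.1), OPNsense WAN address 203.0.113.10,
#   home LAN behind the MikroTik 192.168.1.0/24, private mail server 192.168.1.25.
OPN_LAN_IP = "10.10.0.1"
OPN_WAN_IP = "203.0.113.10"
MAILSERVER = "192.168.1.25"

# A phase 2 entry is a (local network, remote network) traffic selector: the kernel
# only encapsulates a packet whose source lies in the local network AND whose
# destination lies in the remote network. Anything else follows the plain routing
# table, and for a private destination that normally means a timeout.
Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
PHASE2: List[Selector] = [
    (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]


def enters_tunnel(src: str, dst: str, selectors: List[Selector] = PHASE2) -> bool:
    """True if a packet src -> dst matches a phase 2 selector and is sent over IPsec."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def forwarded_smtp_packet(client_ip: str, nat_source: Optional[str] = None) -> Tuple[str, str]:
    """Model the WAN:25 port forward. DNAT rewrites only the destination to the mail
    server; the source stays the Internet client's address unless an outbound NAT
    rule on the IPsec interface (assumed here as nat_source) also rewrites it."""
    return (nat_source or client_ip, MAILSERVER)


def diagnose() -> dict:
    """Replay the thread's two probes plus the port forward case as selector lookups."""
    fwd_plain = forwarded_smtp_packet("198.51.100.7")                    # constructed client
    fwd_natted = forwarded_smtp_packet("198.51.100.7", nat_source=OPN_LAN_IP)
    return {
        "probe_from_lan_address": enters_tunnel(OPN_LAN_IP, MAILSERVER),  # works in the thread
        "probe_from_wan_address": enters_tunnel(OPN_WAN_IP, MAILSERVER),  # times out in the thread
        "port_forward_dnat_only": enters_tunnel(*fwd_plain),
        "port_forward_with_source_nat": enters_tunnel(*fwd_natted),
    }


if __name__ == "__main__":
    for check, ok in diagnose().items():
        print(f"{check:30s} {'enters tunnel' if ok else 'NOT covered by phase 2'}")
```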
It looks like your NAT, firewall, IPsec tunnel or mail server is not properly configured. Without details it's like looking into a crystal ball.
BTW, in my eyes it's risky to forward Internet mail traffic to an SMTP server within your LAN. If something breaks at the application layer, an attacker might have access to your LAN environment. Furthermore, in case the IPsec tunnel covers the whole LAN subnet and there is no additional firewall in the local LAN segment, you have to trust your hoster and its security controls. It's better to have the Internet-connected mail server in the DMZ and only forward appropriate mails to your local LAN mailboxes.