Repeat of the earlier problem under 1.x, I remember Chris saying this would be do-able under 2.0 but it still doesn't work for me. Most likely I've forgotten the magic trick required... or I just don't understand how WAN reply-to has to be configured under 2.0.
(FYI, Chris' original reply was under the subject "Re: 1:1 multi-homed NAT broken?" at 19:10 July 14 2010.)

To recap the scenario:
SBS (yeah, three guesses...) sits on em0 at 192.168.232.201.
em2 is outbound to MRNet, BGP feed with ~13K routes (*not* including 0.0.0.0/0).
em3 is outbound to TeraGo, default route.
CARP VIP configured on em3 for 67.226.137.178.
1:1 NAT configured to map 192.168.232.201 to 67.226.137.178.
Firewall rule allowing inbound TCP port 25 to 192.168.232.201.

Inbound mail works for any sender NOT reachable via em2 but breaks for any senders reachable via em2.

Example: Remote host "R" (130.179.31.46) trying to send me mail. Attempts TCP connection to port 25 @ 67.226.137.178. Pfsense receives packet, translates to 192.168.232.201, forwards to SBS. SBS replies to packet, so far so good. Pfsense receives reply packet and sends it out em2 with the 1:1 NAT address, which promptly gets blackholed by the next-hop router.

I've tried adding a policy rule (first rule on em0) that applies to TCP packets from SBS with a source port of 25, forcing the packet out via TeragoGW (i.e. via em3), but that doesn't work - I suspect because PF is already treating this as an "established" connection.

Then I tried adding a Gateway to the original allow-inbound-smtp rule, which produced an error message:

    There were error(s) loading the rules:
    /tmp/rules.debug:170: direction must be explicit with rules that specify routing
    pfctl: Syntax error in config file: pf rules not loaded

The line in question reads [170]:

    pass $GWTeraGOGW proto tcp from any to $SBS port 25 flags S/SA keep state label "USER_RULE: inbound SMTP to Exchange"

I've been experimenting with various combinations of in/out and gateway settings, but all I've succeeded in doing so far is breaking ALL smtp connections...

Can anyone explain how I use this new feature in 2.0?

Thanks,
-Adam Thompson
[email protected]
(204) 291-7950
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org
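As an added illustration (not part of the post above, and not pfSense's own generated rules), the raw pf.conf syntax behind the error message: pf refuses a gateway option on a rule with no direction, and on an inbound rule the option that steers the *replies* is reply-to, which pf records in the state so the return path no longer depends on the BGP routes learned on em2. The TeraGo next-hop address is not given in the post, so it is a placeholder macro here.

```pf
# Added example: plain pf.conf for the scenario in the post.  Not the
# original rules and not what pfSense 2.0 writes to /tmp/rules.debug.
sbs       = "192.168.232.201"
sbs_pub   = "67.226.137.178"       # CARP VIP on em3
terago_gw = "<TERAGO_GW_IP>"       # placeholder: TeraGo next hop, not in the post

# 1:1 NAT on em3: inbound traffic to the VIP is translated to the SBS host,
# and traffic from the SBS host leaving em3 is translated to the VIP.
binat on em3 from $sbs to any -> $sbs_pub

# The rule that failed.  Without "in" or "out" pf cannot tell whether the
# gateway applies to the packet itself (route-to) or to its replies
# (reply-to), hence "direction must be explicit with rules that specify
# routing":
#   pass $GWTeraGOGW proto tcp from any to $SBS port 25 flags S/SA keep state

# Explicit "in" plus reply-to: the state created by the SYN remembers that
# replies leave via em3 towards the TeraGo gateway.  Translation runs before
# filtering, so the filter matches on the internal (post-binat) address.
pass in on em3 reply-to (em3 $terago_gw) proto tcp from any to $sbs port 25 \
    flags S/SA keep state label "inbound SMTP to Exchange"
```

Because the return path is stored in the state at connection setup, a later policy-routing rule on em0 cannot redirect those replies, which is consistent with the behaviour the post describes.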
