Angelo, pfSense specifically has a feature known as NAT reflection which allows this to be possible, mainly because split horizon DNS is not always a reasonable solution. In the case of the person who started this thread, he has approx 700 email domains across various servers behind a NAT-- so when someone from one domain on one server tries to email another person within the same "system" (but on different servers), SMTP won't connect because the MX record resolves to a public IP (as it should). I have the exact same issue myself, with the exception that the number of domains I have to deal with is probably 30-40 somewhere.
So in these cases, what would you choose? ;) Dimitri Rodis Integrita Systems LLC -----Original Message----- From: Angelo Turetta [mailto:[EMAIL PROTECTED] Sent: Thursday, February 07, 2008 1:09 AM To: [email protected] Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall Trave Harmon wrote: > Mine is on but it still doesn't work. > > Is there a way to verifiy at the command prompt level if it is working? > > -----Original Message----- > From: Dimitri Rodis [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 06, 2008 8:10 PM > > Maybe I'm off the mark by saying this, but I think NAT reflection should > be ON by default-- can't think of any security risks associated with it > really, since the machine you are trying to hit is presumably already > behind the same NAT as you are.. > > That would solve any future issues, anyway.. Wait a minute, historically the BSD stack (or at least the FreeBSD implementation) has always been unable to do NAT on a single interface. To be more clear, it's not possible to rewrite a packet and have it leave the stack back on the same interface from which it came on first hand. Please read http://www.openbsd.org/faq/pf/rdr.html#reflect (see: Redirection and Reflection ) So, reflection rules work great if the LAN hosts need to access the NAT-ed hosts on a DMZ, but not on single internal lan (or, in my example, for reciprocal access by the DMZ hosts). In your case the solution is 'Split-Horizon DNS'. Put the addresses of all the MX servers in a single dns zone, and configure the servers themselves to receive resolution for that zone from an internal DNS which will hand out internal IPs. Angelo Turetta --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
