Actually, the split DNS would be the best solution for me. Changing the DNS per server is easy compared to changing the routes in the entire network.
I found a product that would auto create a private MX only record when I create a private record for a domain. This is the only solution that I found that is so far feasible. The reflection as I found out through extensive testing isn't working at all. I don't know if it's a bug in the latest version or so, but I spent up all last night testing, retesting, and testing again over and over and it isn't working. PF is responding just as m0n0wall does, reflection on or not. Either way, I will wait until the next version of PF before attempting it again but split DNS is the best option. Thanks everybody for your imput. INTENSELY helpful and appreciated. -----Original Message----- From: Dimitri Rodis [mailto:[EMAIL PROTECTED] Sent: Thursday, February 07, 2008 12:14 PM To: [email protected] Subject: RE: [pfSense Support] Multiple servers behind NAT'd firewall Angelo, pfSense specifically has a feature known as NAT reflection which allows this to be possible, mainly because split horizon DNS is not always a reasonable solution. In the case of the person who started this thread, he has approx 700 email domains across various servers behind a NAT-- so when someone from one domain on one server tries to email another person within the same "system" (but on different servers), SMTP won't connect because the MX record resolves to a public IP (as it should). I have the exact same issue myself, with the exception that the number of domains I have to deal with is probably 30-40 somewhere. So in these cases, what would you choose? ;) Dimitri Rodis Integrita Systems LLC -----Original Message----- From: Angelo Turetta [mailto:[EMAIL PROTECTED] Sent: Thursday, February 07, 2008 1:09 AM To: [email protected] Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall Trave Harmon wrote: > Mine is on but it still doesn't work. > > Is there a way to verifiy at the command prompt level if it is working? > > -----Original Message----- > From: Dimitri Rodis [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 06, 2008 8:10 PM > > Maybe I'm off the mark by saying this, but I think NAT reflection should > be ON by default-- can't think of any security risks associated with it > really, since the machine you are trying to hit is presumably already > behind the same NAT as you are.. > > That would solve any future issues, anyway.. Wait a minute, historically the BSD stack (or at least the FreeBSD implementation) has always been unable to do NAT on a single interface. To be more clear, it's not possible to rewrite a packet and have it leave the stack back on the same interface from which it came on first hand. Please read http://www.openbsd.org/faq/pf/rdr.html#reflect (see: Redirection and Reflection ) So, reflection rules work great if the LAN hosts need to access the NAT-ed hosts on a DMZ, but not on single internal lan (or, in my example, for reciprocal access by the DMZ hosts). In your case the solution is 'Split-Horizon DNS'. Put the addresses of all the MX servers in a single dns zone, and configure the servers themselves to receive resolution for that zone from an internal DNS which will hand out internal IPs. Angelo Turetta --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
