You can track this issue here: http://redmine.pfsense.org/issues/958
On Thu, Oct 28, 2010 at 5:15 PM, Adam Thompson <[email protected]> wrote:
> *bump*
>
> Ermal, this still doesn't work for me.
>
> How should I set up the rule?
>
> (I need to force all inbound-NAT'd connections to reply via the NAT
> session, *not* via the system routing table.)
>
>
> On Tue, 2010-10-19 at 21:43 +0100, Ermal Luçi wrote:
>> On Tue, Oct 19, 2010 at 9:28 PM, Adam Thompson <[email protected]> wrote:
>> > Repeat of the earlier problem under 1.x. I remember Chris saying this
>> > would be doable under 2.0, but it still doesn't work for me. Most
>> > likely I've forgotten the magic trick required... or I just don't
>> > understand how WAN reply-to has to be configured under 2.0.
>> >
>> > (FYI, Chris' original reply was under the subject "Re: 1:1 multi-homed
>> > NAT broken?" at 19:10 July 14 2010.)
>> >
>> > To recap the scenario:
>> >
>> > SBS (yeah, three guesses...) sits on em0 at 192.168.232.201.
>> > em2 is outbound to MRNet, BGP feed with ~13K routes (*not* including
>> > 0.0.0.0/0).
>> > em3 is outbound to TeraGo, default route.
>> >
>> > CARP VIP configured on em3 for 67.226.137.178.
>> > 1:1 NAT configured to map 192.168.232.201 to 67.226.137.178.
>> > Firewall rule allowing inbound TCP port 25 to 192.168.232.201.
>> >
>> > Inbound mail works for any sender NOT reachable via em2 but breaks for
>> > any senders reachable via em2.
>> >
>> > Example:
>> > Remote host "R" (130.179.31.46) trying to send me mail. Attempts TCP
>> > connection to port 25 @ 67.226.137.178.
>> > pfSense receives packet, translates to 192.168.232.201, forwards to SBS.
>> > SBS replies to packet, so far so good.
>> > pfSense receives reply packet and sends it out em2 with the 1:1 NAT
>> > address, which promptly gets blackholed by the next-hop router.
>> >
>> > I've tried adding a policy rule (first rule on em0) that applies to TCP
>> > packets from SBS with a source port of 25, forcing the packet out via
>> > TeragoGW (i.e. via em3), but that doesn't work - I suspect because PF is
>> > already treating this as an "established" connection.
>> >
>> > Then I tried adding a Gateway to the original allow-inbound-smtp rule,
>> > which produced an error message:
>> > [[
>> > There were error(s) loading the rules: /tmp/rules.debug:170: direction
>> > must be explicit with rules that specify routing pfctl: Syntax error in
>> > config file: pf rules not loaded - The line in question reads [170]:
>> > pass $GWTeraGOGW proto tcp from any to $SBS port 25 flags S/SA
>> > keep state label "USER_RULE: inbound SMTP to Exchange"
>> > ]]
>> >
>> > I've been experimenting with various combinations of in/out and gateway
>> > settings, but all I've succeeded in doing so far is breaking ALL SMTP
>> > connections...
>> >
>> > Can anyone explain how I use this new feature in 2.0?
>> >
>> There is nothing more to do regarding configuration but
>> just wait for a snapshot build to finish and upgrade to it.
>>
>> I fixed it just today because of it having some small issue remaining.
>> That new snapshot should work with your setup without glitches.
>>
>> > Thanks,
>> > -Adam Thompson
>> > [email protected]
>> > (204) 291-7950
>> --
>> Ermal
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
> ---------------------------------------------------------------------
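For readers hitting the same pfctl error, the following is an added illustration, not a rule from the thread or from pfSense's own generator: the quoted rule next to a form that pf accepts. Interface, host and macro names are the ones from the thread; the TeraGo next-hop address is an assumption (documentation address 192.0.2.1 stands in for it), and the SBS macro value is inferred from the 1:1 NAT mapping Adam describes. The point pfctl is making with "direction must be explicit with rules that specify routing" is that any rule carrying route-to, reply-to or dup-to must say `in` or `out`; reply-to is the right one of the three here, because it records the arrival interface and gateway in the state so that SBS's replies go back out em3 instead of following the BGP routes learned on em2. This is also why the policy rule on em0 never helped: replies match the existing state before any rule on em0 is evaluated.

```pf
# Added example for /tmp/rules.debug-style rules; not copied from pfSense.
SBS = "192.168.232.201"
# Assumed next-hop for TeraGo on em3 (192.0.2.1 is a placeholder address).
GWTeraGOGW = "reply-to ( em3 192.0.2.1 )"

# Rejected by pfctl: a reply-to/route-to rule with no explicit direction.
# pass $GWTeraGOGW proto tcp from any to $SBS port 25 flags S/SA keep state

# Accepted: direction and interface stated. The state created here carries
# em3/192.0.2.1, so reply packets from $SBS leave via em3 regardless of the
# routing table.
pass in on em3 $GWTeraGOGW proto tcp from any to $SBS port 25 flags S/SA keep state label "USER_RULE: inbound SMTP to Exchange"
```

Check the file before loading it with `pfctl -nf /tmp/rules.debug` (parse only, nothing loaded), then confirm the loaded rule with `pfctl -sr | grep reply-to`. Because reply-to lives in the state, an existing blackholed session has to be cleared (or allowed to time out) before the corrected rule takes effect for that sender.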
