pfSense is one of the most popular open-source firewalls available. Chris Buechler and Scott Ullrich created it as a fork of the m0n0wall project. It can be found on embedded devices, servers, and as pre-configured virtual machines for various hypervisors.
Many small and medium-sized businesses use pfSense because of its simplicity and its dual role, where it can also act as an SMB router. In this case we’re mainly interested in port forwarding because most of the time, admins will NAT a specific port (in this case, SMTP port 25) from a public IP address to an internal IP address.
Since we’re mainly concerned with our modusGate product, note that you will usually deploy modusGate on a separate machine from your production mail server. You would need to NAT port 25 on an available public IP address bound to the pfSense firewall to the modusGate box, and from there modusGate will transfer clean mail to the internal mail server.
Step 1 – Connect to your pfSense firewall. You should get to the Dashboard as the default page.
Step 2 – Click on Firewall -> NAT and make sure you select the Port Forward tab
Step 3 – Click on “+” to add a new rule
Step 4 – Configure the port forwarding:
Interface: WAN, Protocol: TCP
Destination: In a sense, it’s the “source” of the traffic in terms of the interfaces. Select “WAN Address” if you have a single public IP pointing to this firewall, or select the IP address that is mapped via your “Virtual IP” table under Firewall -> Virtual IPs. The IP usually appears with parentheses at the end. Example: 10.10.10.10 ().
Destination port range: You can type in port 25 in the text box or just use the pull-down to select SMTP on the “from port”. The “to port” will be the same.
Redirect target IP: Put in the internal IP of the machine you want to direct the SMTP traffic to. In our case it’s 192.168.100.6.
Redirect target port: Type in port 25 or simply use the pull-down to select “SMTP”.
Description: Put in a proper description (“Inbound SMTP to gate” in our case) and finally hit Save.
Step 5 – Accept the changes:
In the port forwarding list, an “accept changes” option will appear at the top. Accept. Once you’re done, the new IP and port forward will appear in the list.
At this point, if you telnet from the outside to port 25, you should see the SMTP banner of your modusGate.
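The outside telnet check above, as an added Python example (not part of the original article): it connects to the forwarded port and classifies the result, so a failed test points either at the firewall rule or at the gateway behind it. The function names, the loopback listener and the gate.example.test banner are constructed for the demo.

```python
import socket
import threading

def read_greeting(sock, limit=4096):
    """Read the SMTP greeting, including multi-line '220-...' replies."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")[:-1]       # complete lines only
        if lines and lines[-1][3:4] != b"-":  # final line of the reply
            break
    return buf.decode("ascii", "replace").strip()

def check_smtp_forward(host, port=25, timeout=5.0):
    """Classify what a client outside the firewall sees on the forwarded port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "filtered", "no reply: rule missing, not yet accepted, or blocked upstream"
    except ConnectionRefusedError:
        return "refused", "reset received: nothing accepted the connection"
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            banner = read_greeting(sock)
        except (socket.timeout, TimeoutError):
            return "no-banner", "TCP connected but no greeting arrived"
    if banner.startswith("220"):
        return "ok", banner
    return "not-smtp", banner or "closed without a greeting"

def demo_listener(greeting):
    """Constructed loopback stand-in for the gateway, so the demo runs offline."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = demo_listener(b"220 gate.example.test ESMTP\r\n")  # constructed banner
    print(check_smtp_forward("127.0.0.1", port))
```

For the real test, run it from a host outside the firewall and pass the public IP selected as the Destination in Step 4 to check_smtp_forward.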
A note about Virtual IPs
Since pfSense can act as both a firewall and a router, you need to define each IP in your Virtual IP table if you route more than one IP Address to your pfSense server from the WAN. This is normally done under Firewall -> Virtual IPs. Usually they will be defined as single addresses x.x.x.x/32 and the type will be Proxy ARP. If those are not defined here, they will not appear in the “destination” pull-down of the port forwarding pane.
Did you like the article? Have you used pfSense before? Was it easy to set up? Don’t hesitate to share your experiences with us to continue the conversation.