PF Route outgoing smtp through pptp tunnel

[daikon]

I am using freeBSD 11.1-RELEASE-p6 on a raspberry PI and I can't get it to route email out though a pptp tunnel instead of the default route through the ethernet connection.

If I change smtp_bind_address in postfix main.cf to the pptp tunnel address I can see the correct from address in pflog, but the packets are still going out of the ethernet connection not the pptp tunnel. If I try and add a route from the local pptp address to the remote pptp address with route I get an error saying the route already exists.

I have tried different nat and rdr rules but everything goes out the default route still.

Here is my pf.conf, which also includes anchors for fail2ban

pf.conf

# define macros for each network interface
ext_if = "ue0"
pptp_if = "ng0"

icmp_types = "echoreq"
allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcp_services = "{ domain, 853, ssh, http, imaps, imap, pptp }"
tcp_mail_services = "{ smtp, submission }"
block_udp_services = "{ netbios-ns, 25213, 33612 }"
#bootpc and bootps are dhcp ports
udp_services = "{ bootps, bootpc, domain, ntp }"
icmp_types="echoreq"

pptp_ip = "10.0.0.20"
pptp_server = "10.0.0.2"
pptp_services = "{ pptp }"

set loginterface $ext_if

# Normalizes packets and masks the OS's shortcomings such as SYN/FIN packets
# [scrub reassemble tcp](BID 10183) and sequence number approximation
# bugs (BID 7487).
scrub in on $ext_if no-df random-id fragment reassemble
scrub in on $pptp_if no-df random-id fragment reassemble

#has same effect as smtp_bind_address changes ip but not route 
nat on $ext_if from $ext_if to any port $tcp_mail_services -> $pptp_if

# Anchor for fail2ban
anchor "f2b/*"

set skip on lo0

pass in quick proto gre from any to any
pass out quick proto gre from any to any

block in all

antispoof for $ext_if
antispoof for $pptp_if

#  make tcpdump clearer
#block local lima discovery and netbios
block in  quick on $ext_if inet proto udp from any to 192.168.1.255 port $block_udp_services
#block mikrotik discovery
block in  quick on $ext_if inet proto udp from any to 255.255.255.255 port 5678
block in  quick on $pptp_if inet proto udp from any to 255.255.255.255 port 5678
#block igmp discovery
block in  quick on $ext_if inet from any to 224.0.0.1

pass  in  quick on $ext_if inet proto tcp from any to $ext_if port $tcp_mail_services
pass  in  quick on $ext_if inet proto tcp from any to $ext_if port $tcp_services
pass  in  quick on $ext_if inet proto udp from any to $ext_if port $udp_services
pass  in  quick on $ext_if inet proto udp from any to 255.255.255.255 port bootps
pass  in  quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

pass  in  quick on $pptp_if inet proto tcp  from any to ($pptp_if) port $pptp_services
pass  in  quick on $pptp_if inet proto icmp from any to ($pptp_if) icmp-type $icmp_types

pass  out quick log on $ext_if inet proto tcp from $ext_if to any port $tcp_mail_services
#pass  out on egress route-to (10.0.0.2 to 10.0.0.20) from 10.0.0.2:0
pass  out  quick     on $ext_if inet proto tcp from $ext_if to any port $tcp_services

pass  out quick log on $pptp_if inet proto tcp from ($pptp_if) to any port $tcp_mail_services
pass  out quick     on $pptp_if inet proto tcp from ($pptp_if) to any port $tcp_services

# --- UDP
pass  out quick on $ext_if inet proto udp from $ext_if to any port $udp_services

# --- ICMP
pass  out quick on $ext_if inet proto icmp  from $ext_if to any

# ------------------------------------------------------
# --- DEFAULT POLICY
# ------------------------------------------------------
block log all

netstat -nr

netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         ue0
10.0.0.2           link#4             UH          ng0
10.0.0.20          link#4             UHS         lo0
127.0.0.1          link#1             UH          lo0
192.168.1.0/24     link#2             U           ue0
192.168.1.3        link#2             UHS         lo0

 

[SirDice]

Your default gateway is set to 192.168.1.1 so everything is routed through that unless there's a specific route. The route is not important, the destination address is. That is what defines where the packet will go to. As long as there's no route that encompasses the destination address the route will go through the default.

 

[daikon]

Thanks for the info, I have seen examples for load balancing that change the outgoing interface for packets but they don't seem to be port specific. I think I will have to setup a gateway on a mikrotik device that routes the packets from the RPI accordingly as I am sure this can done on mikrotik.

 

[SirDice]

Do you only need the outgoing traffic from Postfix to go through the PPTP tunnel? Or does Postfix need to receive from it too? And do you require any working services on the normal LAN interface? The simplest solution is to change the default gateway and set it to the other end of the PPTP tunnel. But then all your traffic will go in and out of the tunnel. This may not be what you want.

 

[daikon]

Yes ideally only the outgoing, so if there is a problem with the PPTP tunnel it won't mess up the inbound email as I don't have backup MX servers at the minute. It also has dns over ssl with unbound which queries dnsmasq for local dns which also does DHCP.

I could changing the tunnel to the default root and see how it goes.

Do you only need the outgoing traffic from Postfix to go through the PPTP tunnel? Or does Postfix need to receive from it too? And do you require any working services on the normal LAN interface? The simplest solution is to change the default gateway and set it to the other end of the PPTP tunnel. But then all your traffic will go in and out of the tunnel. This may not be what you want.