DNAT not working

DNAT not working

Victor Amram
Hello - I'm trying to receive email on a non-standard port.  I use a 3rd-party MX record service which sends to my internal domain on TCP port 26.  I have a DNAT rule configured to listen for incoming connections on TCP 26 and ALLOW/forward the connection to my internal server running SMTP on port 26 instead of 25.
 
This works seamlessly when I point the router to send port 26 traffic to a Microsoft ISA 2004 server that I'm trying to retire, but fails miserably with the EFW.  No mail at all comes in if I switch the NAT to point to the RED interface of the EFW, but it does work if I point it to the equivalent "RED" interface of the MS ISA server.
 
I've tried disabling the IDS, same result, no mail gets in.
 
The EFW is behind my ISP router, so the RED interface is using a private IP in the 192.168.10.x range.  The Green interface is on my internal network, and my mail server is using a 172.16.x.x IP address.
 
Please help!
 
Thanks,
VW72

------------------------------------------------------------------------------

_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Re: DNAT not working

Jason Oglesby
This is a mostly dead group now...
I just retired (2) Open Endian boxes in place for pfSense Hardware.

But to try to get your situation fixed.

You need to NAT the incoming interface and set the rule (and port) to map over to the correct values to talk to your server.  If you have antivirus or any other options that might interfere with normal mail ops on the EFW - disable those, once you have SMTP on 26, just do a port mapping from 25 to 26... (in all honesty, if you can run SSL - best way) - and I believe you can make that transparent through the firewall/proxy, depending on how you have it set up.

Let me know what the IP schemes are on each... and what the EFW(s) are config'd as far as IP and routes...

Thanks
Jason

On 6/16/15 5:20 PM, Victor Amram wrote:
Re: DNAT not working

Victor Amram
In reply to this post by Victor Amram
 Jason - I see there's not a lot of traffic on it.  Guess that doesn't bode well for using the community version of EFW... but I figure if I can get it working w/this, I should be able to get it working w/IPFire or another UTM/FW.  Thanks for jumping in, I'll try and answer your question as I understand the technology.
 
- I have a public email domain I host at home.
- I use a 3rd-party service as my public MX record and have public DNS entries for it.
- A message sent to "mydomain.com" goes to the public MX, which relays it to the public IP address of my home cable provider's router here in my house.  The ISP blocks port 25 so I'm using an alternate port, say, 26.  My MX hosting service knows this and forwards email for my domain to my ISP public address on port 26.
- The EFW is a simple RED/GREEN dual-homed network config.  The RED interface has the private IP address of 192.168.10.1. 
- I enabled a "DMZ host" on the ISP router's interface and pointed it to the RED interface of the EFW.  So ALL traffic, good and evil, hits the EFW.
- The GREEN interface is on my home network.  GREEN IP is 172.16.10.1.
- My home mail server runs on IP address 172.16.10.26.  The SMTP service runs on TCP PORT 26 as well, not 25.
 
- I have a DNAT rule on the EFW as follows:
 
Incoming IP:  Uplink/ANY
Service:  TCP/26
Policy:  ALLOW (no IPS)
Translate to:  172.16.10.26:26
 
This works seamlessly w/the MS ISA server publishing rule, but it turns my mail server into a useless brick when I switch to the EFW, w/or w/out the IPS service running.
 
Thanks in advance for your suggestions!
 
Víctor
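One way to pin down which leg of the path above is broken, added here as an example and not code from the thread or from Endian: probe TCP/26 the way the MX relay does (from outside, against the ISP public address) and again from the GREEN side directly against 172.16.10.26:26, then compare the two results. A 220 greeting inside but a timeout or RST outside points at the DNAT/forward rules (or at the mail server replying through a gateway other than the EFW); no greeting inside means the listener itself is the problem. The fake listener, the loopback ports and the `mail.example.test` banner are constructed so the script runs offline; the verdict text in `localise` is general port-forward troubleshooting experience, not something the posts state.

```python
"""Probe an SMTP listener as the relaying MX would, and localise where a
DNAT'd connection dies.  Added example for the thread above; not EFW code."""
import socket
import threading


def smtp_banner(host, port, timeout=5.0):
    """TCP-connect to host:port and read the first line of the SMTP greeting.

    Returns (status, text), status being one of:
      "ok"        a 220 banner arrived (path and listener both work)
      "no-banner" connect succeeded but no 220 came back (forwarded to the
                  wrong port/host, or a proxy/AV hook swallowed the greeting)
      "refused"   RST: nothing listens where the SYN ended up
      "timeout"   SYN or greeting never came back (dropped, or the reply
                  left via a different gateway than the one that DNAT'd it)
      "error"     any other socket error; text carries the message
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = s.recv(512)
                if not chunk:            # peer closed without a greeting
                    break
                data += chunk
            line = data.decode("ascii", "replace").strip()
            if line.startswith("220"):
                s.sendall(b"QUIT\r\n")   # polite close: clean session in the server log
                return "ok", line
            return "no-banner", line
    except ConnectionRefusedError:
        return "refused", ""
    except (socket.timeout, TimeoutError):
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)


def localise(outside, inside):
    """Combine the probe from outside (public IP:26, the MX relay's path) with
    the probe from GREEN (mail server IP:26 directly) into (where, advice)."""
    o, i = outside[0], inside[0]
    if i != "ok":
        return "server", f"inside probe got {i!r}: fix the listener before touching the firewall"
    if o == "ok":
        return "ok", "DNAT and listener both answer 220"
    if o == "timeout":
        return "firewall", ("inside answers but the outside SYN or its reply is lost: check the "
                            "DNAT rule, the allow rule for the translated destination, and that "
                            "the mail server's default gateway is the box doing the DNAT")
    if o == "refused":
        return "firewall", "RST from the edge: port 26 is not forwarded, or lands on a host with nothing on it"
    return "proxy", f"connection opens but greeting is {outside[1]!r}: an SMTP proxy/AV hook sits in the path"


def fake_smtp_listener(greeting=b"220 mail.example.test ESMTP\r\n", answer=True):
    """Constructed stand-in for the mail server so the probe runs offline.
    Binds 127.0.0.1 on a free port; returns (port, stop).  With answer=False
    it accepts and closes without a greeting, the "no-banner" shape."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if answer:
                    conn.sendall(greeting)
                    conn.settimeout(1.0)
                    try:
                        conn.recv(64)    # wait for the client's QUIT
                    except OSError:
                        pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def closed_port():
    """A loopback port nothing listens on (bound, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def main():
    """Walk the failure shapes against local stand-ins."""
    good_port, stop_good = fake_smtp_listener()
    mute_port, stop_mute = fake_smtp_listener(answer=False)
    inside = smtp_banner("127.0.0.1", good_port, timeout=2.0)
    for label, port in (("ok", good_port), ("mute", mute_port), ("refused", closed_port())):
        outside = smtp_banner("127.0.0.1", port, timeout=2.0)
        print(f"outside {label}: {outside} -> {localise(outside, inside)}")
    stop_good()
    stop_mute()


if __name__ == "__main__":
    main()
```

To use it on the real setup, call `smtp_banner` once from a host on GREEN against 172.16.10.26:26 and once from a host that is genuinely outside (a phone off the wifi, a VPS) against the ISP public address on port 26; probing the public address from GREEN only works if the firewall does NAT reflection, so it is not a reliable outside check.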

Re: DNAT not working

Madalin Hotmail
In reply to this post by Victor Amram
Hello
 
By default in EFW Firewall, for outgoing connections only port 25 for SMTP is allowed. Try to modify that rule (add port 26) and see if it works.
 
Date: 17 June 2015 01:20
Subject: [Efw-user] DNAT not working
 