NAT Outbound not working
-
I have a mail server that I would like to go out over a specific interface, but it does not work. It still goes out over the default gateway and not the virtual IP I have selected.
The mail server has a local IP number of 192.168.11.39 and I would like it to go out over WAN-01.
This is how I configured the outbound NAT under "Hybrid Outbound NAT":
Do not NAT: not selected
Interface: WAN
Address Family: IPv4
Source: Network 192.168.11.39/32 Port:1-65535
Destination: Any Port: left empty
Address: WAN-01
Port or Range: left empty
What have I done wrong?
Regards
Henning -
@hsv did you create the policy route rule in your firewall rules to send it out that specific gateway?
Or is that your only out, and you want it to use the VIP you created?
-
Hi
No, I have not made a policy route rule in my firewall. I will try that.
Yes, this VIP will only be used for this mail server.
Thanks
Henning -
@hsv well if WAN is your only out interface and it's the default, then the hybrid would be used. Are you sure the VIP works? Sniff on your WAN as traffic leaves from this IP address. You're saying it's not using the VIP - or is it using the VIP and just cannot get anywhere?
-
It still goes out over default gateway and not the virtual IP I have selected.
Firewall / NAT / Outbound / Edit
Down to "Translation"..
"Address" choose your virtual address..
You probably want this too, since it is a mail server..
Check the box.. "Static Port" -
@johnpoz
Hi
No, I have multiple WAN outs, but this is only for the e-mail server.
But to make the test easier I have changed it to my web server.
If I set it up with NAT 1:1 it works as it should, but if I split it into a forward and an outbound NAT it does not work.
The reason I need to split it up is that my mail setup needs smart hosts on the way out. So the way in is not the way out.
The configuration is in fact more complicated than that, as I also have WAN load balancing, but let's start with this problem.
When I tested with my web server:
NAT forward Interface: WAN-01 Port: 443 to 192.168.11.39 port: 443
Firewall source any to 192.168.11.39 port 443
NAT Outbound as described
Firewall source 192.168.11.39 port: any to any port: any (with logging)
I still cannot get it to work.
Regards
Henning -
@hsv said in NAT Outbound not working:
No, I have multiple WAN outs, but this is only for the e-mail server.
Well then you need to make sure the email server goes out the WAN you want with the IP address on it via policy routing. And the port it's going to could be used in the policy route - ie 25, and you want to make sure no existing states exist.
-
@johnpoz
I simply cannot get policy routing to work and cannot find an explanation of how to do it when you have multiple public IP numbers on the same interface.
I cannot see how to define a gateway where my public IP number for the mail server can be set so I can route out over that IP number.
It works out of the box with NAT 1:1, but when I have to do it where I split it into forward/outbound it does not work.
It takes the default gateway all the time. I have tried to create a WAN load balancer where only this VIP with this IP number is selected and chose this group gateway as my gateway, and that also does not work.
I am out of ideas. And cannot find anything in the documentation to help me.
An example of how to make this policy route and gateway would be appreciated.
Regards
Henning -
@hsv so you only have 1 WAN, but you have VIPs on it? Well then you don't need a policy route, since it can only go out your 1 WAN "interface".
All that is needed for that to work is hybrid outbound NAT.. Is this VIP you have inside your normal WAN IP network?
So my public IP is a /20 range - I don't have any actual IPs that would work.. But I can for sure just create a VIP inside that network (that is not actually mine) for a test.. My public IP on my WAN does not end in .254.
So you see here I created a VIP inside my public WAN /20, ending in .254.. I then created an outbound hybrid NAT using that VIP address, and if my test box with IP 192.168.2.12 tries to go to 8.8.8.8 on 25, NAT it to that VIP on the WAN. As you can see from the packet capture on the WAN - it sends the traffic from that VIP.. and not the normal WAN IP..
You need to make sure you don't have any states that would match up with what you're doing - if the state already exists, then the state would be used vs your hybrid NAT..
-
@johnpoz
Thank you.
With this example it was easy to see what I did wrong.
It is a bit embarrassing, as I had understood your explanation, but had written the source IP number as 192.168.11.38 and not 39, which is the correct number, in the NAT Outbound rule.
Sorry.
Thanks again for your patient help.
Henning -
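As an added illustration (not pfSense code and not anything posted in the thread), here is a simplified Python model of how hybrid outbound NAT picks a translation: manual rules first, first match wins, the automatic rules as fallback, and an existing state overriding both. It reproduces the .38/.39 typo from the post above falling through to the automatic WAN rule, and shows why a stale state keeps the old translation even after the rule is fixed, as johnpoz pointed out. The WAN address and VIP values are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation range): the thread does not
# give the real WAN IP or VIP, so these are placeholders.
WAN_IP = "203.0.113.10"
VIP = "203.0.113.254"
MAIL_SERVER = "192.168.11.39"

@dataclass
class OutboundRule:
    source: str             # CIDR the packet's source must fall in
    destination: str        # CIDR or "any"
    dport: Optional[int]    # destination port, None = any port
    translate_to: str       # address the source is rewritten to

def rule_matches(rule, src, dst, dport):
    """True when source, destination and port all match the rule."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.source):
        return False
    if rule.destination != "any" and (
            ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.destination)):
        return False
    return rule.dport is None or rule.dport == dport

def pick_translation(manual, automatic, src, dst, dport, states=None):
    """Hybrid mode: an existing state keeps its translation; otherwise the
    manual rules are tried first, then the automatic ones, first match wins.
    Returns None when nothing matches (no NAT applied)."""
    states = states or {}
    if (src, dst, dport) in states:
        return states[(src, dst, dport)]
    for rule in manual + automatic:
        if rule_matches(rule, src, dst, dport):
            return rule.translate_to
    return None

# Automatic rule pfSense would generate for the LAN, plus the manual rule as
# first typed (.38) and as corrected (.39).
AUTO_RULES = [OutboundRule("192.168.11.0/24", "any", None, WAN_IP)]
TYPO_RULE = [OutboundRule("192.168.11.38/32", "any", None, VIP)]
FIXED_RULE = [OutboundRule(MAIL_SERVER + "/32", "any", None, VIP)]

if __name__ == "__main__":
    flow = (MAIL_SERVER, "8.8.8.8", 25)
    print("typo rule  ->", pick_translation(TYPO_RULE, AUTO_RULES, *flow))
    print("fixed rule ->", pick_translation(FIXED_RULE, AUTO_RULES, *flow))
    stale = {flow: WAN_IP}   # state left over from before the fix
    print("fixed, stale state ->", pick_translation(FIXED_RULE, AUTO_RULES, *flow, stale))
```

Clearing the stale state (Diagnostics / States in pfSense) is what makes the corrected rule take effect for an already-open connection.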
@hsv happy to help and glad you finally got it sorted.
-
@johnpoz
One question more.
If I switch to "Manual Outbound NAT" but regret it at some point, can I switch back to "Hybrid Outbound NAT" and all will be set up automatically, but I have to make my own manual NAT rules again?
Regards
Henning -
@hsv Hybrid allows for the auto-made ones and your manual ones.
-
@hsv said in NAT Outbound not working:
If I switch to "Manual Outbound NAT"
I never really understood why anyone would do that - but yeah, you can always go back to auto or hybrid mode..
It would really have to be a specific case to not just use hybrid.. All the BS guides out there about switching to manual NAT for VPN services don't make a lot of sense, since hybrid works just fine for NATing to your VPN interface, etc.