Exchange Server on Multi WAN
-
I've had an exchange server running on my network for almost two years with zero issues, luckily the static IP I got from my ISP was "clean" so not on any spam lists. I've just added a second WAN connection and despite a couple of teething problems (i.e. online banking freaking out about connections from multiple IP addresses :o) it's working OK.
When I set up the multi WAN (which is in load-balancing mode) I didn't give it a second thought until I saw that my mails were now being flagged as spam - when I checked the headers I saw that they were coming from the dynamic IP of WAN2 which is on at least 3 spam lists. I thought I'd sorted the issue by adding a NAT rule which sent outbound mail traffic (25, 465 and 587) originating from my LAN (192.168.1.0/24) over WAN1 only. I sent several test emails to GMail (as it's easier for me to check headers using GMail) and they were all originating from my static IP on WAN1.
Fast forward to today, I emailed my accountant and immediately got a bounce-back from Exchange that their mail server had rejected my mail due to the IP being on a block list. I can only assume (as the bounce-back originated internally based on the rejection by the recipient mail server) that the external server was still seeing the mail as originating from WAN2. I tried multiple times to send the mail and each time I got a bounce-back with the same message. Disabling WAN2 from the interfaces list and re-sending the mail resulted in it going straight away, and an auto reply from the target mail server was received as I expected.
What am I missing in the firewall rules to ensure that ALL traffic to/from my mail server uses only WAN1? Inbound seems to work fine, but outbound is (it seems) still being load balanced.
I have updated the NAT rules to filter from 192.168.1.211/32 (the mail server address) but am still getting the bounce-back if WAN2 is enabled.
-
Add a firewall rule on the LAN side with the source as the mail server IP, destination anywhere, set the gateway to WAN under advanced.
-
Believe it or not, that's exactly what I was just trying.
Not many people run their own Windows domain, Exchange server, multi WAN etc. on a home network, so apologies for going through my learning curve here :)
-
Am I right in assuming if I use a port alias containing 25, 465 and 587 and assign that to the rule you suggested, any other traffic originating from the mail server will still load balance (i.e. normal HTTP/S traffic)?
EDIT: I've just fired off a test email to the accountant's mail server and got the auto response (the one I expect to receive), so the rules appear to be working (or I fluked a hit on WAN1 8) )
-
Am I right in assuming if I use a port alias containing 25, 465 and 587 and assign that to the rule you suggested, any other traffic originating from the mail server will still load balance (i.e. normal HTTP/S traffic)?
Yes, set the destination for SMTP, etc. and the other traffic will progress to the default rule. You may want to put HTTPS on a failover group (not load balanced) to avoid the problems you saw with banking sites, etc.
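To make the reply above concrete, here is an added example (not from the thread or any firewall product) that models how the suggested LAN rule interacts with the catch-all load-balancing rule. It assumes the firewall evaluates LAN rules top-down with the first match deciding the gateway, and that the alias and gateway-group names are our own choices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed aliases and gateway groups mirroring the thread's setup (names are assumptions).
PORT_ALIASES = {"MailPorts": {25, 465, 587}}
GATEWAY_GROUPS = {
    "WAN1": ("WAN1",),                 # single gateway: traffic is pinned to the static IP
    "LoadBalance": ("WAN1", "WAN2"),   # load-balancing group: either WAN may carry the flow
}

@dataclass
class Rule:
    source: str                  # CIDR, e.g. "192.168.1.211/32" for the mail server
    dest_ports: Optional[str]    # port alias name, or None for "any"
    gateway: str                 # gateway or group name set under the rule's advanced options

def evaluate(rules, src_ip: str, dst_port: int) -> Tuple[str, ...]:
    """First-match evaluation: the first rule whose source and destination port match
    decides the gateway; later rules never run (an unmatched packet is assumed denied)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in ipaddress.ip_network(r.source):
            continue
        if r.dest_ports is not None and dst_port not in PORT_ALIASES[r.dest_ports]:
            continue
        return GATEWAY_GROUPS[r.gateway]
    raise LookupError("no matching rule; assumed default deny")

# Rule order matters: the mail-server rule must sit ABOVE the catch-all LAN rule.
CORRECT_ORDER = [
    Rule("192.168.1.211/32", "MailPorts", "WAN1"),
    Rule("192.168.1.0/24", None, "LoadBalance"),
]
# Same two rules, wrong order: the catch-all swallows everything, so mail still load balances.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

def is_pinned_to_wan1(rules, src_ip: str, dst_port: int) -> bool:
    """True only if the flow can never leave via WAN2."""
    return evaluate(rules, src_ip, dst_port) == ("WAN1",)

if __name__ == "__main__":
    for port in (25, 587, 443):
        print(port, "correct:", evaluate(CORRECT_ORDER, "192.168.1.211", port),
              "wrong:", evaluate(WRONG_ORDER, "192.168.1.211", port))
```

With the rule in the right place, ports 25/465/587 from 192.168.1.211 resolve to WAN1 only while its HTTPS traffic still falls through to the load-balancing rule; a NAT rule alone is not modelled because it does not choose the gateway.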