Don't have communication between two static public IP Address



  • Hello,

    I currently have two interfaces, one WAN and one LAN. Recently I created a Virtual IP address following the instructions from this video, https://www.youtube.com/watch?v=zrBr0N0WrTY, and all was fine.

    I'm using the first public IP address (x.x.x.93) on one Plesk panel and the second public Virtual IP address (x.x.x.95) for my second Plesk.

    Now the problem is: sending and receiving emails between the two Plesk servers is not working. In my logs I found this:
    postfix/smtp[12173]: 6BA3E18E04C7: to=user@domain.com, relay=none, delay=603590, delays=603559/0/31/0, dsn=4.4.1, status=deferred (connect to webmail.domain.com[x.x.x.95]:25: Connection timed out)

    and the emails are in the Mail Queue in the Plesk panel.

    I tried with telnet, and when I ping the private IP address between the servers it's working perfectly, but when I ping my public static IP address from the other server or from my domain I'm getting an error:
    trying x.x.x.95
    telnet: unable to connect to remote host: Connection time out

    NOTE: Port 25 is open and the clients can send and receive e-mails to the WAN.

    What is your opinion, what am I doing wrong, and why are my emails not working between my two servers?



  • @palancanac said in Don't have communication between two static public IP Address:

    I tried with telnet, and when I ping the private IP address between the servers it's working perfectly, but when I ping my public static IP address from the other server or from my domain I'm getting an error:
    trying x.x.x.95
    telnet: unable to connect to remote host: Connection time out

    Then use these private addresses ;)
    Use a host override so that postfix uses the private LAN address of the other server, not some WAN address.

    Something else: do I understand this correctly, you have 2 mail servers behind pfSense? Only one can have its WAN address port 25 NATted to it.


  • Rebel Alliance Global Moderator

    So you're trying to send mail to the public IP; that would need to be forwarded back inside on the same interface via a hairpin from the actual IP to the VIP.

    If your servers are on the same LAN, why would you not just send to the RFC1918 address via a host override, so when it resolves domain.com it gets the RFC1918 address?

    What you're trying to do is a NAT reflection nightmare ;)



  • Yes, I have two mail servers behind pfSense.
    I'm using the HAProxy package, not the DNS Resolver, in my pfSense.

    I want to be able to send e-mails to the WAN from both of the servers and have local communication between them.

    How can I achieve this with RFC1918?
    Can I create local communication only for certain domains which I host,
    e.g. domain.com (Plesk 1) and domain.com (Plesk 2)?

    Do I have to edit the main configuration here, and what should I change - /etc/postfix/main.cf?

    Will adding a second NIC as WAN 2 on my firewall, and using a second public IP instead of a VIP, fix the problem?

    I'm still learning, so any help will be appreciated :)


  • Rebel Alliance Global Moderator

    So both of these domains are the same?

    e.g. domain.com (Plesk 1) and domain.com (Plesk 2)?

    Or are the domains different, domainA.com and domainB.com?

    I have to assume these servers are hosting different domains, or why would server 1 need to send mail to server 2 if it's the same domain, etc.

    So let's say server 1 is 192.168.1.100 and server 2 is 192.168.1.200.

    Create an MX record in pfSense DNS (these servers do point to pfSense for DNS, right?)
    that says domainA.com MX 192.168.1.100
    domainB.com MX 192.168.1.200

    Now when the server for domainA needs to send mail to domainB it will know to send the traffic to 192.168.1.200 and not the public IP. No NAT reflection.



  • @johnpoz The domains are different, and I already have MX records for them as you say, 192.168.1.100 and the other 192.168.1.200. Both of the domains can now send emails to Outlook, Gmail and other domains; they just can't send emails between themselves, and that is my problem.


  • Rebel Alliance Global Moderator

    @palancanac said in Don't have communication between two static public IP Address:

    x.x.x.95]:25:

    That is not the RFC1918 address. Where did you set up these MX records, and what did you set them up in? Are the servers using the NS you set them up in?

    From your info it is trying to send to the public IP, so clearly it did not use your MX record pointing to the local IP.



  • @johnpoz said in Don't have communication between two static public IP Address:

    Create a MX record in pfsense dns (these servers do point to pfsense for dns right?)
    That says domainA.com mx 192.168.1.100
    DomainB.com mx 192.168.1.200

    Where should I put the records, in the DNS Forwarder or the DNS Resolver?

    Should I insert them like this, or without webmail?
    local=mx-host=10.0.0.22,webmail.domain.com,0
    local=mx-host=10.0.0.31,webmail.domain.com,0

    I forgot to mention that I use the servers for shared hosting; on each of them I have more than 10 websites currently hosted. Should I enter the records for each of them separately?


  • Rebel Alliance Global Moderator

    Are you using the forwarder or the resolver?

    And yeah, if you have multiple domains you will need multiple MX records pointing to the correct server.

    Why do you have them both listed for the same domain?

    If you're on .22, which hosts mail for domain, why would it need to send mail to .31 for user@domain.com????

    So your domain is webmail.domain.com?? So your users send mail to user@webmail.domain.com?

    And that is NOT how you would add it to unbound or dnsmasq anyway.

    Example for unbound:

    server: 
    local-data: "mail.domain.com. IN A 10.0.0.22"
    local-data: "domain.com. IN MX 10 mail.domain.com."
    local-data-ptr: "10.0.0.22 mail.domain.com."
    
    C:\>dig domain.com MX
    
    ; <<>> DiG 9.12.3 <<>> domain.com MX
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37096
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;domain.com.                    IN      MX
    
    ;; ANSWER SECTION:
    domain.com.             3600    IN      MX      10 mail.domain.com.
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Fri Nov 23 07:58:09 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 60
    

    And here would be the A record

    C:\>dig mail.domain.com
    
    ; <<>> DiG 9.12.3 <<>> mail.domain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 488
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mail.domain.com.               IN      A
    
    ;; ANSWER SECTION:
    mail.domain.com.        3600    IN      A       10.0.0.22
    
    ;; Query time: 2 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Fri Nov 23 07:58:46 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 60
    
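The MX-then-A lookup the moderator describes, as an added example that is not from this thread or from pfSense/unbound: it parses `local-data` lines in the unbound syntax shown above (constructed placeholder domains and addresses, including one name with two A records like the double entry asked about earlier) and reports, per domain, whether postfix would connect to an RFC1918 address or to a public one that would need NAT reflection.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in the unbound local-data syntax shown in the thread
# (domain names and addresses are placeholders, not a real deployment).
SAMPLE_UNBOUND_CONF = """server:
local-data: "mail.domaina.com. IN A 10.0.0.22"
local-data: "domaina.com. IN MX 10 mail.domaina.com."
local-data-ptr: "10.0.0.22 mail.domaina.com."
local-data: "mail.domainb.com. IN A 10.0.0.31"
local-data: "domainb.com. IN MX 10 mail.domainb.com."
local-data: "mail.domainc.com. IN A 203.0.113.95"
local-data: "domainc.com. IN MX 10 mail.domainc.com."
local-data: "webmail.domaind.com. IN A 10.0.0.22"
local-data: "webmail.domaind.com. IN A 10.0.0.31"
local-data: "domaind.com. IN MX 10 webmail.domaind.com."
"""

LOCAL_DATA_RE = re.compile(r'^local-data:\s*"(\S+)\s+IN\s+(A|MX)\s+(.+)"$')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def norm(name):
    return name.lower().rstrip(".")

def parse_local_data(conf):
    """Collect {(owner, rtype): [rdata, ...]} from unbound local-data lines."""
    records = defaultdict(list)
    for line in conf.splitlines():
        m = LOCAL_DATA_RE.match(line.strip())
        if m:  # skips 'server:', local-data-ptr and blank lines
            owner, rtype, rdata = m.groups()
            records[(norm(owner), rtype)].append(rdata.strip())
    return records

def check_local_delivery(domain, records):
    """Emulate postfix: MX lookup, then A lookup on the preferred MX host.
    An 'ok' verdict means an RFC1918 target, i.e. no NAT reflection on the path."""
    mxs = records.get((norm(domain), "MX"), [])
    if not mxs:
        return None, "no MX override; the box falls back to the public answer"
    _, host = min((int(r.split()[0]), norm(r.split()[1])) for r in mxs)
    addrs = [ipaddress.ip_address(a) for a in records.get((host, "A"), [])]
    if not addrs:
        return host, "MX target has no A override"
    if len(addrs) > 1:
        return host, "MX target has %d A records; which server answers is luck" % len(addrs)
    if any(addrs[0] in net for net in RFC1918):
        return host, "ok: delivers to %s on the LAN" % addrs[0]
    return host, "public address %s: this path needs NAT reflection" % addrs[0]
```

Call `check_local_delivery(domain, parse_local_data(conf))` for each hosted domain after editing the override list; anything other than an `ok` verdict is a domain whose mail will still leave via the WAN address.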


  • Are you using the forwarder or the resolver?
    In my case I use the HAProxy package.

    Last time when I tried with these records in the DNS Resolver:

    local-data: "mail.domain.com. IN A 10.0.0.22"
    local-data: "domain.com. IN MX 10 mail.domain.com."
    local-data-ptr: "10.0.0.22 mail.domain.com."

    first I opened port 53 in NAT for both of my public addresses and I lost the Google name servers, but now I just added the records without opening the public ports in NAT and it finally works as it should.

    Thank you for your help.



  • Now I'm facing a similar problem with a WHMCS system that I host on server 1 and try to connect to server 2. It uses the default port 8443 from Plesk and I cannot get a connection between the two of them.
    I should, and I do, use the public addresses when I try to connect, but I can't get a connection with the private one either.

    In my pfSense I use the same NAT rules as the ones I use for the mails, just for a different port.
    I contacted support from Plesk and WHMCS, and their response was that from their side everything is as it should be and that my problem lies within my firewall.

    Can you help me with this somehow?


  • Rebel Alliance Global Moderator

    Dude, if you want to hit the PUBLIC IP to get reflected back in then you need to use NAT reflection.

    If you're using the local IP to talk to some other server on the same network then the "firewall" has zero to do with it. It comes down to name resolution, which I still don't think you actually grasp as a concept overall.

    Sounds like you were having your servers point to pfSense for DNS and to the public DNS, so they would resolve the public IP vs local. And then you prevented them from talking to the public DNS. But you still have them pointing to the public DNS and pfSense for DNS???

    You can not point a box to more than 1 DNS if the DNS servers you point to resolve different IPs for the same FQDN, since you never know which NS a box will be using. You can point to multiple IPs, but they need to be able to resolve the same thing. Google doesn't know shit about your local records, but your local DNS does. If you point to local and Google you have no idea which one your machine is going to ask. So you can only point your machine to local: it will resolve your local stuff, and if asked for something public it will resolve that or forward it to something that will.

    Set up local DNS to resolve whatever this WHMCS is to the local IP vs the public IP. Or set up NAT reflection.



  • Ok thank you.