Access from DMZ to mail server in LAN



  • Hi all!

    I can't work out how to organize access to the mail server in one local segment from another local segment.

    Setup:
    1. WAN interface - 1.1.1.1. Public network 1.1.0.0/29 is routed to this ip.
    2. LAN interface - 192.168.0.254/24
    3. DMZ interface - 172.16.0.254/24 - guest access, wi-fi
    4. exchange mail server 192.168.0.10. Public IP 1.1.0.1 is 1-1 mapped to mailserver.
    5. Pass rules are set up to pass traffic from the Internet to the mail server and from the DMZ to the mail server. For example:

    
    	pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echoreq keep state label "USER_RULE: Exchange SMTP"
    	pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echorep keep state label "USER_RULE: Exchange SMTP"
    

    where the <mailserver> alias contains both 1.1.0.1 and 192.168.0.10 at the moment.

    Result:
    1. The mail server is accessible from the Internet.
    2. The mail server is accessible from the DMZ if you ping IP 192.168.0.10.
    3. The mail server is NOT accessible from the DMZ if you ping IP 1.1.0.1.

    When I start tcpdump, I can see the echo request arriving on the router interface, but I don't see it leaving on ANY router interface.

    When I try to see the NAT states with

    
    	pfctl -ss | egrep '(>.*>|<.*<)' | grep icmp | grep 1.1.0.1
    
    
    I don't see any states added…

    What am I doing wrong? :)
    I am sure I'm not the only one who has a setup like this. How did you configure NAT?



  • OK, I found it.

    The trick is in the NAT reflection settings.

    The working config is to enable NAT reflection (either in the system advanced settings or in the rule-specific settings) AND to tick "Automatically create outbound NAT rules…" in the system advanced settings.
    With this adjustment I see the following packets in tcpdump (actually this is one ping packet):

    
            13:59:07.684110 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 45843, length 40
            13:59:07.684172 IP 192.168.0.254 > 192.168.0.10: ICMP echo request, id 29846, seq 45843, length 40
            13:59:07.684299 IP 192.168.0.10 > 192.168.0.254: ICMP echo reply, id 29846, seq 45843, length 40
            13:59:07.684313 IP 1.1.0.1 > 192.168.0.68: ICMP echo reply, id 512, seq 45843, length 40
    
    

    and without the second tick I get:

    
            14:00:37.735766 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 46099, length 40
            14:00:37.735820 IP 192.168.0.68 > 192.168.0.10: ICMP echo request, id 512, seq 46099, length 40
    
    

    The mail server then replies directly to my PC in the local network, but the PC doesn't expect this echo reply…
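    The two ticks above correspond to two kinds of pf rule: an rdr rule that rewrites the public address to the internal one (reflection), and an outbound nat rule that source-NATs the reflected LAN traffic to the firewall's LAN address so the server's reply comes back through the firewall instead of going straight to the client. The following pf.conf fragment, written here as an added example and not taken from the post or from pfSense's generated rules, spells out both for the addresses in this thread. The interface names, macro names and the TCP ports (SMTP 25, HTTPS 443) are assumptions; the DMZ interface name is invented for illustration.

```pf
# Added example (not from the original post): hand-written pf.conf equivalent of
# "NAT reflection" + "Automatically create outbound NAT rules" for this setup.
# Interface names, macro names and the TCP ports are assumptions.
ext_if   = "em0"
lan_if   = "em0_vlan8"       # assumed: the LAN VLAN interface used in the rules above
dmz_if   = "em0_vlan9"       # assumed name for the DMZ (guest Wi-Fi) interface
lan_net  = "192.168.0.0/24"
dmz_net  = "172.16.0.0/24"
mail_pub = "1.1.0.1"
mail_int = "192.168.0.10"

# 1:1 mapping of the public address to the Exchange server for Internet traffic.
binat on $ext_if from $mail_int to any -> $mail_pub

# NAT reflection (the first tick): internal clients that use 1.1.0.1 get the
# destination rewritten to 192.168.0.10 on the interface the packet arrives on.
rdr on $lan_if proto { tcp udp icmp } from $lan_net to $mail_pub -> $mail_int
rdr on $dmz_if proto { tcp udp icmp } from $dmz_net to $mail_pub -> $mail_int

# Outbound NAT for reflected traffic (the second tick). A LAN client and the
# server share a subnet, so after the rdr the server would answer the client
# directly, bypassing the firewall, and the client would see a reply from
# 192.168.0.10 instead of 1.1.0.1 and drop it. Source-NATting to the firewall's
# LAN address (192.168.0.254 in the capture above) forces the reply back through
# pf, which undoes both translations. A DMZ client sits on another subnet, so its
# reply already routes back through the firewall and needs no source NAT.
nat on $lan_if from $lan_net to $mail_int -> ($lan_if)

# Pass rules, matched against the post-rdr internal address. Ports are assumed.
pass in quick on { $lan_if $dmz_if } inet proto { tcp udp } from any to $mail_int port { 25 443 } keep state
pass in quick on { $lan_if $dmz_if } inet proto icmp from any to $mail_int icmp-type echoreq keep state
```

    After loading the rules, a ping to 1.1.0.1 from a LAN host should show the four-packet sequence from the first capture above, and `pfctl -ss | grep 1.1.0.1` should now list the reflected state; if the second (nat) rule is missing, the capture degrades to the two-packet sequence in the second capture and no state is reported for 1.1.0.1.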

