Netgate Discussion Forum

Access from DMZ to mail server in LAN

    eduard.lenskiy
    last edited by Aug 30, 2012, 5:56 AM

    Hi all!

    I'm stuck on how to organize access to a mail server in one local segment from another local segment.

    Setup:
    1. WAN interface - 1.1.1.1. Public network 1.1.0.0/29 is routed to this ip.
    2. LAN interface - 192.168.0.254/24
    3. DMZ interface - 172.16.0.254/24 - guest access, wi-fi
    4. Exchange mail server 192.168.0.10. Public IP 1.1.0.1 is 1:1 mapped to the mail server.
    5. Pass rules are set up to pass traffic from the Internet to the mail server and from the DMZ to the mail server. For example:

        pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echoreq keep state label "USER_RULE: Exchange SMTP"
        pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echorep keep state label "USER_RULE: Exchange SMTP"

    where the <mailserver> alias contains both 1.1.0.1 and 192.168.0.10 at the moment.

    Result:
    1. The mail server is accessible from the Internet.
    2. The mail server is accessible from the DMZ if you ping IP 192.168.0.10.
    3. The mail server is NOT accessible from the DMZ if you ping IP 1.1.0.1.

    When I start tcpdump I can see the echo request arriving on the router interface, but I don't see it leaving on ANY router interface.

    When I try to see NAT states with

        pfctl -ss | egrep '(>.*>|<.*<)' | grep icmp | grep 1.1.0.1

    I don't see any states added…

    What do I do wrong? :)
    I am sure I'm not the only one who has a setup like this. How did you configure NAT?

      eduard.lenskiy
      last edited by Aug 30, 2012, 8:04 AM

      OK, I found it.

      The trick is in the NAT reflection settings.

      The working config is to enable NAT reflection (either in the system advanced settings or in the rule-specific settings) AND to tick "Automatically create outbound NAT rules…" in the system advanced settings.
      With this adjustment I see the following packets in tcpdump (actually this is one ping packet):

              13:59:07.684110 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 45843, length 40
              13:59:07.684172 IP 192.168.0.254 > 192.168.0.10: ICMP echo request, id 29846, seq 45843, length 40
              13:59:07.684299 IP 192.168.0.10 > 192.168.0.254: ICMP echo reply, id 29846, seq 45843, length 40
              13:59:07.684313 IP 1.1.0.1 > 192.168.0.68: ICMP echo reply, id 512, seq 45843, length 40

      and without the second tick I get:

              14:00:37.735766 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 46099, length 40
              14:00:37.735820 IP 192.168.0.68 > 192.168.0.10: ICMP echo request, id 512, seq 46099, length 40

      The mail server then replies directly to my PC on the local network, but the PC doesn't expect this echo reply…

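The two settings from the second post, written out as the underlying pf translation rules so the reflection step and the hairpin step can be read side by side. This is an added, constructed example, not the poster's configuration and not the rules pfSense generates; the addresses and the DMZ interface name em0_vlan8 come from the thread, while the LAN interface name em1 and the exact rule text are assumptions in FreeBSD pf syntax.

```pf
# Constructed example (not the poster's config, not pfSense-generated rules).
# em1 as the LAN interface is an assumption; em0_vlan8 and the addresses follow the thread.
lan_if   = "em1"
dmz_if   = "em0_vlan8"
lan_net  = "192.168.0.0/24"
mail_pub = "1.1.0.1"
mail_int = "192.168.0.10"

# 1. NAT reflection: a client on LAN or DMZ that addresses the public IP is
#    redirected to the internal host. This is what "Enable NAT Reflection"
#    adds; without it the rdr exists only on WAN and internal packets to
#    1.1.0.1 are simply dropped or misrouted (the first post's symptom).
rdr on { $lan_if, $dmz_if } inet proto { tcp, udp, icmp } \
    from any to $mail_pub -> $mail_int

# 2. Hairpin source NAT: a reflected packet from a LAN client leaves again on
#    the same LAN interface. Without this rule the mail server sees the
#    client's real address, answers it directly on the LAN, and the reply never
#    passes pf, so the client gets a reply from 192.168.0.10 for a request it
#    sent to 1.1.0.1 (second tcpdump in the thread). With it the packet leaves
#    as the firewall's LAN address, the reply returns to the firewall, and pf
#    reverses both translations (first tcpdump). This is what "Automatically
#    create outbound NAT rules..." adds. DMZ clients do not need it: their
#    return path already crosses the firewall.
nat on $lan_if inet proto { tcp, udp, icmp } \
    from $lan_net to $mail_int -> ($lan_if)
```

After loading a ruleset like this, `pfctl -sn` prints the active rdr and nat rules, and the `pfctl -ss | grep 1.1.0.1` check from the first post is the place to confirm that a state is created for the reflected connection. The point to carry away is that reflection alone only changes the destination; whenever the redirected host sits on the same subnet as the client, a source translation is also required so the reply is forced back through the state table instead of short-circuiting it.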
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.