Access from DMZ to mail server in LAN
I messed up how to organize access to the mail server in one local segment from another local segment.
1. WAN interface - 184.108.40.206. The public network 220.127.116.11/29 is routed to this IP.
2. LAN interface - 192.168.0.254/24
3. DMZ interface - 172.16.0.254/24 - guest access, Wi-Fi
4. Exchange mail server 192.168.0.10. Public IP 18.104.22.168 is 1:1 mapped to the mail server.
5. Pass rules are set up to pass traffic from the Internet to the mail server and from the DMZ to the mail server. For example:

pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echoreq keep state label "USER_RULE: Exchange SMTP"
pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echorep keep state label "USER_RULE: Exchange SMTP"

where the <mailserver> alias contains both 22.214.171.124 and 192.168.0.10 at the moment.
1. The mail server is accessible from the Internet.
2. The mail server is accessible from the DMZ if you ping IP 192.168.0.10.
3. The mail server is NOT accessible from the DMZ if you ping IP 126.96.36.199.
When I start tcpdump, I can see the echo request arriving on the router interface, but I don't see it leaving on ANY router interface.
When I try to see the NAT states with

pfctl -ss | egrep '(>.*>|<.*<)' | grep icmp | grep 188.8.131.52

I don't see any states added…
What am I doing wrong? :)
I am sure I'm not the only one who has a setup like this. How did you configure NAT?
OK, I found it.
The trick is in the NAT reflection settings.
The working config is to enable NAT reflection (either in the system advanced settings or in the rule-specific settings) AND to tick "Automatically create outbound NAT rules…" in the system advanced settings.
With this adjustment I see the following packets in tcpdump (actually this is one ping packet):

13:59:07.684110 IP 192.168.0.68 > 184.108.40.206: ICMP echo request, id 512, seq 45843, length 40
13:59:07.684172 IP 192.168.0.254 > 192.168.0.10: ICMP echo request, id 29846, seq 45843, length 40
13:59:07.684299 IP 192.168.0.10 > 192.168.0.254: ICMP echo reply, id 29846, seq 45843, length 40
13:59:07.684313 IP 220.127.116.11 > 192.168.0.68: ICMP echo reply, id 512, seq 45843, length 40

and without the second tick I get:

14:00:37.735766 IP 192.168.0.68 > 18.104.22.168: ICMP echo request, id 512, seq 46099, length 40
14:00:37.735820 IP 192.168.0.68 > 192.168.0.10: ICMP echo request, id 512, seq 46099, length 40

The mail server then replies directly to my PC in the local network, but it doesn't expect this echo reply…
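The hand-written pf.conf equivalent of those two ticks, as an added example that is not from the original thread: the rdr rule is the NAT reflection, and the nat rule is what "Automatically create outbound NAT rules" generates. Interface macros, the LAN/DMZ net macros and the public IP assignment are assumptions; the pass rules from the question are still required, since translation rules do not pass traffic by themselves.

```pf
# Added example, not the poster's config. Interface names are assumptions.
lan_if  = "em0"          # 192.168.0.254/24
dmz_if  = "em0_vlan8"    # 172.16.0.254/24
lan_net = "192.168.0.0/24"
dmz_net = "172.16.0.0/24"
mail_pub = "18.104.22.168"   # public IP from the thread, 1:1 mapped
mail_int = "192.168.0.10"    # Exchange server on the LAN

# 1) NAT reflection: clients on the LAN or DMZ that talk to the public IP are
#    redirected to the internal address, like the WAN rdr does for the Internet.
rdr on $lan_if inet proto { tcp icmp } from $lan_net to $mail_pub -> $mail_int
rdr on $dmz_if inet proto { tcp icmp } from $dmz_net to $mail_pub -> $mail_int

# 2) Outbound NAT for the reflected flow. Without this the redirected packet
#    keeps the client's own source address, the mail server answers the client
#    directly (the "192.168.0.68 > 192.168.0.10" capture above), and the reply
#    never matches the state the firewall created for the public IP.
#    With it, the server sees the firewall's LAN address as the source, so the
#    reply comes back through the firewall and is un-NATed to the public IP.
nat on $lan_if inet proto { tcp icmp } from { $lan_net $dmz_net } to $mail_int -> ($lan_if)

# Filter rules still decide whether the traffic is allowed; the pass rules
# from the question (ICMP echo to <mailserver>) remain in place. Rule order
# inside pf.conf: macros, then translation (nat/rdr), then filter (pass).
```

Check with `pfctl -sn` that both translation rules loaded, then `pfctl -ss | grep 192.168.0.10` should show a state with the firewall's LAN address as source while a LAN or DMZ client pings the public IP.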