Netgate Discussion Forum

    Access from DMZ to mail server in LAN

eduard.lenskiy

      Hi all!

I messed up how to organize access to a mail server in one local segment from another local segment.

      Setup:
      1. WAN interface - 1.1.1.1. Public network 1.1.0.0/29 is routed to this ip.
      2. LAN interface - 192.168.0.254/24
      3. DMZ interface - 172.16.0.254/24 - guest access, wi-fi
4. Exchange mail server 192.168.0.10. Public IP 1.1.0.1 is 1:1 mapped to the mail server.
5. Pass rules are set up to pass traffic from the Internet to the mail server and from DMZ to the mail server. For example:

	pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echoreq keep state label "USER_RULE: Exchange SMTP"
	pass in log quick on em0_vlan8 inet proto icmp from any to <mailserver> icmp-type echorep keep state label "USER_RULE: Exchange SMTP"

where the <mailserver> alias contains both 1.1.0.1 and 192.168.0.10 at the moment.

      Result:
1. The mail server is accessible from the Internet.
2. The mail server is accessible from DMZ if you ping IP 192.168.0.10.
3. The mail server is NOT accessible from DMZ if you ping IP 1.1.0.1.

When I start tcpdump, I can see the echo request arriving on the router interface, but I don't see it passing out of ANY router interface.

      When I try to see NAT states with

      
      	pfctl -ss | egrep '(>.*>|<.*<)' | grep icmp | grep 1.1.0.1
      
      
I don't see any states added…

      What do I do wrong? :)
I am sure I'm not the only one who has a setup like this. How did you configure NAT?

eduard.lenskiy

OK, I found it.

The trick is in the NAT reflection settings.

The working config is to enable NAT reflection (either in the system advanced settings or in the rule-specific settings) AND to enable the tick "Automatically create outbound NAT rules…" in the system advanced settings.
With this adjustment I see the following packets in tcpdump (actually this is one ping packet):

        
                13:59:07.684110 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 45843, length 40
                13:59:07.684172 IP 192.168.0.254 > 192.168.0.10: ICMP echo request, id 29846, seq 45843, length 40
                13:59:07.684299 IP 192.168.0.10 > 192.168.0.254: ICMP echo reply, id 29846, seq 45843, length 40
                13:59:07.684313 IP 1.1.0.1 > 192.168.0.68: ICMP echo reply, id 512, seq 45843, length 40
        
        

and without the second tick I get:

        
                14:00:37.735766 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 46099, length 40
                14:00:37.735820 IP 192.168.0.68 > 192.168.0.10: ICMP echo request, id 512, seq 46099, length 40
        
        

The mail server then replies directly to my PC in the local network, but it doesn't expect this echo reply…

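The two tcpdump traces above, as an added example that is not from the post or from pfSense itself: a small Python model of 1:1 NAT reflection with and without automatic outbound NAT, showing why the reply only gets back to the pinging PC when the firewall also rewrites the source address. Addresses are the ones from the thread; the firewall class, its state table, the ICMP id it allocates and the helper names are assumptions of this model, not pf's real data structures.

```python
"""Model of pfSense 1:1 NAT reflection with and without outbound NAT.

Added example (not the forum poster's or Netgate's code). Addresses come from
the thread; the state-table layout and function names are assumptions.
"""

PUBLIC_MAIL = "1.1.0.1"        # public address 1:1 mapped to the mail server
MAIL_SERVER = "192.168.0.10"   # Exchange host on LAN
LAN_GW = "192.168.0.254"       # pfSense LAN interface
CLIENT = "192.168.0.68"        # PC on LAN that pings 1.1.0.1 (from the trace)
CLIENT_ICMP_ID = 512           # ICMP id the PC used in the trace


def make_packet(src, dst, kind, ident, seq):
    return {"src": src, "dst": dst, "type": kind, "id": ident, "seq": seq}


def format_packet(p):
    """Render a packet roughly the way tcpdump prints it."""
    return "IP %s > %s: ICMP %s, id %d, seq %d" % (
        p["src"], p["dst"], p["type"], p["id"], p["seq"])


class ReflectingFirewall:
    """Rewrites dst PUBLIC_MAIL -> MAIL_SERVER (NAT reflection).

    With outbound_nat=True the source is also rewritten to the LAN gateway,
    which is what the "Automatically create outbound NAT rules" tick adds.
    """

    def __init__(self, outbound_nat):
        self.outbound_nat = outbound_nat
        self.states = {}          # (server, peer, icmp id) -> original (src, dst, id)
        self.next_id = 29846      # constructed: the translated id seen in the trace

    def forward_request(self, pkt):
        assert pkt["dst"] == PUBLIC_MAIL and pkt["type"] == "echo request"
        out = dict(pkt, dst=MAIL_SERVER)
        if self.outbound_nat:
            out["src"] = LAN_GW          # reply must now come back via the firewall
            out["id"] = self.next_id     # pf allocates a fresh id for the NATed flow
        self.states[(out["dst"], out["src"], out["id"])] = (
            pkt["src"], pkt["dst"], pkt["id"])
        return out

    def forward_reply(self, pkt):
        """Undo both translations on a reply that came back to the firewall."""
        orig_src, orig_dst, orig_id = self.states[(pkt["src"], pkt["dst"], pkt["id"])]
        return dict(pkt, src=orig_dst, dst=orig_src, id=orig_id)


def mail_server_reply(req):
    """The server answers whichever source address the request carried."""
    return make_packet(req["dst"], req["src"], "echo reply", req["id"], req["seq"])


def simulate(outbound_nat, seq=1):
    """Return the packets crossing the firewall and whether the PC accepts the reply."""
    fw = ReflectingFirewall(outbound_nat)
    req = make_packet(CLIENT, PUBLIC_MAIL, "echo request", CLIENT_ICMP_ID, seq)
    translated = fw.forward_request(req)
    fw_trace = [req, translated]           # what tcpdump on pfSense would show
    reply = mail_server_reply(translated)
    if reply["dst"] == LAN_GW:
        # Reply is addressed to the firewall, so it is untranslated and sent on.
        delivered = fw.forward_reply(reply)
        fw_trace += [reply, delivered]
    else:
        # Server and PC share the LAN: the reply goes straight to the PC and
        # never crosses the firewall (hence only two packets in the trace).
        delivered = reply
    # The PC pinged 1.1.0.1 with id 512; anything else is an unexpected reply.
    accepted = delivered["src"] == PUBLIC_MAIL and delivered["id"] == CLIENT_ICMP_ID
    return {"fw_trace": fw_trace, "client_reply": delivered, "accepted": accepted}


if __name__ == "__main__":
    for flag in (True, False):
        r = simulate(flag)
        print("outbound NAT %s:" % ("on" if flag else "off"))
        for p in r["fw_trace"]:
            print("   ", format_packet(p))
        print("    PC receives:", format_packet(r["client_reply"]),
              "-> accepted" if r["accepted"] else "-> discarded")
```

Running it reproduces the shape of both traces: four firewall-visible packets and an accepted reply with the tick on, two packets and a reply from 192.168.0.10 that the PC discards with it off.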
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.