Netgate Discussion Forum
    External Site resolving to WAN & not NAT??

    helloworld

      Dealing with SMTP issues.

      I have a port & 1:1 NAT setup for an internal SMTP server (for the sake of doubling the effort)

      (resolving a SPAM issue) I noticed that an external SMTP server resolved my sending Server as the WAN port on the firewall vs the NAT'd SMTP server.

      WAN x.x.x.1
      SMTP External x.x.x.2
      SMTP internal y.y.y.2

      Comcast business is the internet supplier with 13 IPs

      if I nslookup my SMTP host from the outside I get the correct IP, but for some reason some SMTPs are seeing me as the WAN? Maybe as I'm connecting via that host?

      With sufficient thrust, pigs fly just fine - RFC1925

      muswellhillbilly

        @helloworld:

        if I nslookup my SMTP host from the outside I get the correct IP, but for some reason some SMTPs are seeing me as the WAN? Maybe as I'm connecting via that host?

        What do you expect the correct IP to be, exactly? Externally, anyone sending email to your internal host must resolve your WAN address as the correct address to relay to, as it's the only address anyone can see outside your LAN. Your sending server will always appear as the WAN address to external receiving hosts, since it's NATing outbound from your firewall.

        From what you describe, everyone outside your LAN should be seeing your sending/receiving mail host as your WAN address, otherwise you wouldn't be able to send or receive emails. So - to make a long story short - I'm not sure what the problem is you're having.

        johnpoz (LAYER 8 Global Moderator)

          huh??

          See what as your host WAN?  So, you have public IP 1.2.3.1 on your WAN, you created a VIP for your SMTP server 1.2.3.2, you then did a 1:1 NAT to your SMTP server…  Why you would not just forward the ports needed to this host is another question...  Why exactly is 1:1 needed? An SMTP server normally only needs 25 inbound to it..

          Anyhoo..  So who exactly resolves what?  Let's call your MX record smtp.yourpublicdomain.tld; this points to an A record of what IP??  What are your PTRs for both your public 1.2.3.1 and your 1.2.3.2?  Do you have any A records that point to your 1.2.3.1 address?

          Much easier to help if you gave us your domain in question.  PM if you don't want to post publicly and I will take a look-see at what your DNS is showing.

          When you send mail, what is your source IP listed as on the person getting the mail? Does it show up as your 1.2.3.1 or your .2?  Most likely you want to make sure your outbound traffic is using your VIP IP of .2

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            helloworld

            Initially the site had a Linux box set up as the network firewall, SMTP, & web server. The system was under-spec'd to handle the load and was constantly becoming overloaded & crashing.

            Plus the people who configured it were morons, as they had no NAT & had given internal servers 3 IPs: IPv6, 192 addresses & public IPs. Basically a clusterfuck rat's nest.

            As I separated the firewall & made the necessary internal routing/IP changes, most everything has been running fine for a while. But we got on an RBL list for Comcast.

            The Linux box still runs SMTP & web. But I took its original external IP & applied that to the pfSense appliance.

            I changed the MX records to point to another IP & made the NAT changes. I also replaced the old SMTP Qmail with Postfix. (much easier working with virtual domains)

            Per muswellhillbilly I've gone & reset my MX records back to the WAN IP & set up the NAT with the WAN to Linux for port 25.

            MX record = smtp.ecofront.com
            WAN = 172.12.16.179
            Initial =172.12.16.189 [I've reset the DNS to 179]
            Internal 192.168.1.1


              johnpoz (LAYER 8 Global Moderator)

              did you typo the first octet?

              ;; ANSWER SECTION:
              ecofront.com.          7200    IN      MX      10 smtp.ecofront.com.

              ;; ADDITIONAL SECTION:
              smtp.ecofront.com.      7200    IN      A      173.12.16.179

              This really needs to be changed.

              ;; QUESTION SECTION:
              ;179.16.12.173.in-addr.arpa.    IN      PTR

              ;; ANSWER SECTION:
              179.16.12.173.in-addr.arpa. 3600 IN    PTR    173-12-16-179-panjde.hfc.comcastbusiness.net.

              Your PTR should match your forward for your SMTP server…

              Also showing a problem connecting

              Connecting to 173.12.16.179
              1/21/2016 10:44:52 AM Connection attempt #1 - Unable to connect after 15 seconds. [15.03 sec]

              I can get to the .189

              Connecting to 173.12.16.189

              220 smtp.ecofront.com ESMTP Postfix [688 ms]

              So it looks like inbound mail would be failing since your MX points to an IP that doesn't answer on 25..


                helloworld
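              The mismatch johnpoz spots in the dig output above (the MX target's PTR is a generic Comcast name rather than smtp.ecofront.com) is a forward-confirmed reverse DNS failure, which is exactly what many receiving MTAs and RBLs score on. The following check is an added example, not code from the thread or from pfSense; it takes DNS answers as an injected dict (constructed from the records quoted above) so it runs offline, and a practitioner can swap in live lookups for the dict.

```python
"""Check that an MX target's A record and the PTR for that address agree
(forward-confirmed reverse DNS). Records are injected as a dict so the
check runs offline; replace the dict with real resolver output to use it
against a live domain."""
import ipaddress

# Constructed sample records, copied from the dig output quoted in the thread.
SAMPLE_RECORDS = {
    ("ecofront.com.", "MX"): ["10 smtp.ecofront.com."],
    ("smtp.ecofront.com.", "A"): ["173.12.16.179"],
    ("179.16.12.173.in-addr.arpa.", "PTR"):
        ["173-12-16-179-panjde.hfc.comcastbusiness.net."],
    ("173-12-16-179-panjde.hfc.comcastbusiness.net.", "A"): ["173.12.16.179"],
}


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_mx_rdns(domain, records=SAMPLE_RECORDS):
    """Return a list of findings; an empty list means MX -> A -> PTR -> A
    all agree and receivers will see a matching reverse name."""
    findings = []
    mx_rrs = records.get((domain, "MX"), [])
    if not mx_rrs:
        return [f"{domain}: no MX record"]
    for rr in mx_rrs:
        _prio, target = rr.split()
        addrs = records.get((target, "A"), [])
        if not addrs:
            findings.append(f"{target}: MX target has no A record")
            continue
        for ip in addrs:
            ptrs = records.get((reverse_name(ip), "PTR"), [])
            if not ptrs:
                findings.append(f"{ip}: no PTR record")
            elif target not in ptrs:
                findings.append(
                    f"{ip}: PTR {ptrs[0]} does not match MX target {target}")
            # Forward-confirm: every PTR name must resolve back to the IP.
            for p in ptrs:
                if ip not in records.get((p, "A"), []):
                    findings.append(f"{p}: PTR name does not resolve back to {ip}")
    return findings


if __name__ == "__main__":
    for line in check_mx_rdns("ecofront.com.") or ["OK: forward and reverse agree"]:
        print(line)
```

Once the IP owner sets the PTR to the MX hostname, the same check returns no findings; the port-25 reachability test johnpoz ran is a separate socket connect and is not covered here.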

                Yes, I did typo it.

                I'll see if Comcast can fix the PTR. Must be something on their end, as I don't use them as the DNS server.

                Port 25 is open for pass for anyone hitting the old IP 189 & the WAN port, but I'm not seeing any logs for attempts to the WAN IP.

                I'm resetting to the old IP & contacting Comcast for their PTR issue.


                  johnpoz (LAYER 8 Global Moderator)

                  Well, you're not going to be getting any mail once the TTL on your old MX expires, since 25 does not seem open to your WAN IP from my test.

                  The owner of the IP has to change the PTR.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.