Outbound NAT for SMTP
-
I have 2x WAN and 1x LAN
I'm having trouble forcing the mail out via WAN1.
1. WAN1 172.16.1.2 Upstream Gateway 172.16.1.1. The mail should go out here.
2. WAN2 172.16.2.2 Upstream Gateway 172.16.2.1. This is Default Gateway.
3. LAN 192.168.0.0/24. Exchange Mail Server at 192.168.0.3. Incoming mail from WAN1 is working.
This is the Outbound NAT Mapping. It does not work.
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN1 192.168.0.3/32 tcp/* * tcp/25 172.16.1.1/32 25 No Mail Out
I have this right at the top. When I disable WAN2 the mail goes out without a problem.
-
Looks ok, except that the NAT Address should be the IP address of the WAN1 interface (172.16.1.2). If that change doesn't work, post your firewall rules.
-
This is the Outbound NAT Mapping. It does not work.
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN1 192.168.0.3/32 tcp/* * tcp/25 172.16.1.1/32 25 No Mail Out
I have this right at the top.

I think you must change the gateway and not NAT, so you have to remove the NAT rule and add a rule under Firewall->Rules->LAN:
States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions ... IPv4* 192.168.0.3/32 * * tcp/25 172.16.1.1 none Mail Out
-
Out of the box, you wouldn't need outbound NAT for SMTP, given the default rule from LAN to WAN is 'permit' anyway. The assumption I'm making here is that you have removed the default rule and are selectively adding rules. The firewall rule given in shadowconnect's post is correct, but the NAT rule should still have the WAN1 interface address (172.16.1.2) as the 'NAT Address' entry. From the firewall's perspective, you're NATing through the external firewall address, not the next hop.
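As an added illustration (not from the thread or from pfSense itself), here is what the two settings discussed above look like in pf rule syntax. Interface names are assumed: em0 = WAN1, em1 = WAN2, em2 = LAN. pfSense generates its own form of these rules in /tmp/rules.debug (with labels, tracker ids and port ranges omitted here), and with automatic outbound NAT the NAT line is produced for you, so only the policy-routing rule normally has to be added by hand.

```pf
# Added example, not from the thread. Assumed interface names:
#   em0 = WAN1 (172.16.1.2, upstream 172.16.1.1)
#   em1 = WAN2 (172.16.2.2, default gateway)
#   em2 = LAN  (192.168.0.0/24, Exchange at 192.168.0.3)

# Original Outbound NAT entry as posted: it translates the source to the
# next-hop router (172.16.1.1), not to an address this firewall owns, so
# replies are addressed to the upstream router and never come back here.
# nat on em0 inet proto tcp from 192.168.0.3 to any port 25 -> 172.16.1.1 port 25

# Corrected entry: translate to WAN1's own interface address.
nat on em0 inet proto tcp from 192.168.0.3 to any port 25 -> 172.16.1.2

# Policy route (Firewall > Rules > LAN with Gateway set to the WAN1 gateway).
# This is what keeps SMTP off the default route via WAN2: route-to names the
# egress interface and next hop for matching packets, overriding the routing
# table. Without it the NAT entry on em0 is never consulted, because port 25
# traffic leaves through em1.
pass in quick on em2 route-to (em0 172.16.1.1) inet proto tcp \
    from 192.168.0.3 to any port 25 flags S/SA keep state label "Mail Out"
```

Rule order matters on the LAN tab: the policy-route rule must sit above the generic "LAN to any" rule, otherwise the generic rule matches first and the default gateway is used.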
-
Thanks for the replies.
I'm busy testing.
-
We had a 50/50 success/fail rate without the NAT/Rule. The load balancer used to send mail out randomly on WAN1 and WAN2.
If I see the values incrementing under "states" in the new rule after I have sent out a test email, does it work then? (evaluations, packets, bytes)
I have now sent 10 emails with success.
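Incrementing counters on the rule only show that the rule matched; the state table shows where the connection actually left. The script below is an added example (not from the thread) that filters `pfctl -ss` output for SMTP states from the mail server and reports the egress interface and translated source address. The interface names and the state lines are constructed assumptions; on a real box pipe `pfctl -ss` into `check_egress` instead of using the sample. The state line format assumed is FreeBSD's: interface, protocol, translated source, original source in parentheses, destination.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed interface names: em0 = WAN1,
# em1 = WAN2. Sample state lines are constructed to show one correct SMTP
# state on WAN1 and one that leaked out via WAN2.

MAIL_SERVER="192.168.0.3"
WAN1_IF="em0"   # assumed: WAN1 (172.16.1.2)
WAN2_IF="em1"   # assumed: WAN2 (172.16.2.2, default gateway)

# Constructed sample of `pfctl -ss` output. The address in parentheses is the
# pre-NAT LAN source; the address before it is the translated source.
SAMPLE_STATES='em0 tcp 172.16.1.2:51234 (192.168.0.3:51234) -> 203.0.113.25:25       ESTABLISHED:ESTABLISHED
em1 tcp 172.16.2.2:51300 (192.168.0.3:51300) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
em1 tcp 172.16.2.2:51301 (192.168.0.3:51301) -> 203.0.113.26:25       FIN_WAIT_2:FIN_WAIT_2
em2 udp 192.168.0.50:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE'

# smtp_states STATES: print "iface nat_source" for every TCP port-25 state
# whose original source is the mail server. awk only, so it runs on the
# POSIX sh that pfSense ships.
smtp_states() {
    printf '%s\n' "$1" | awk -v srv="$MAIL_SERVER" '
        $2 == "tcp" && substr($4, 1, length(srv) + 2) == "(" srv ":" && $6 ~ /:25$/ {
            split($3, nat, ":")
            print $1, nat[1]
        }'
}

# count_smtp_on IFACE STATES: number of SMTP states leaving through IFACE.
count_smtp_on() {
    smtp_states "$2" | awk -v ifc="$1" '$1 == ifc { n++ } END { print n + 0 }'
}

# check_egress STATES: succeed only if every SMTP state leaves via WAN1;
# otherwise list the states that went elsewhere and fail.
check_egress() {
    leaks=$(smtp_states "$1" | awk -v ifc="$WAN1_IF" '$1 != ifc')
    if [ -n "$leaks" ]; then
        printf 'SMTP state(s) not on %s (iface nat_source):\n%s\n' "$WAN1_IF" "$leaks"
        return 1
    fi
    echo "all SMTP states leave via $WAN1_IF"
}

# Stand-alone run on the constructed sample; it reports the leaked state.
check_egress "$SAMPLE_STATES" || echo "(expected on the sample: one state leaked via $WAN2_IF)"
```

On the firewall, `pfctl -ss | grep ':25 '` after sending a test message should show every mail-server state with `em0` and a translated source of 172.16.1.2; any line showing the WAN2 interface means the policy-route rule did not match that connection.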
-
You really shouldn't have to change anything in the outbound NAT. All you should have to do is create a policy that routes the traffic out the gateway you want to use.
-
@shadowconnect: It looks like that solved the problem.
I will report back in a day.
-
SOLVED. Thanks.