Outbound NAT for SMTP



  • I have 2x WAN and 1x LAN

    I'm having trouble forcing the mail out via WAN1.

    1.  WAN1 172.16.1.2  Upstream Gateway 172.16.1.1.  The mail should go out here.
    2.  WAN2 172.16.2.2  Upstream Gateway 172.16.2.1.  This is Default Gateway.
    3.  LAN  192.168.0.0 / 24

    Exchange Mail Server at 192.168.0.3.  Incoming mail from WAN1 is working.

    This is the Outbound NAT Mapping. It does not work:
      Interface: WAN1
      Source: 192.168.0.3/32
      Source Port: tcp/*
      Destination: *
      Destination Port: tcp/25
      NAT Address: 172.16.1.1/32
      NAT Port: 25
      Static Port: No
      Description: Mail Out
    I have this right at the top.

    When I disable WAN2 the mail goes out without a problem.



  • Looks ok, except that the NAT Address should be the IP address of the WAN1 interface (172.16.1.2). If that change doesn't work, post your firewall rules.



  • @Groen:

    This is the Outbound NAT Mapping. It does not work:
      Interface: WAN1
      Source: 192.168.0.3/32
      Source Port: tcp/*
      Destination: *
      Destination Port: tcp/25
      NAT Address: 172.16.1.1/32
      NAT Port: 25
      Static Port: No
      Description: Mail Out
    I have this right at the top.

    I think you must change the gateway and not NAT, so you have to remove the NAT rule and add a rule under Firewall->Rules->LAN:

      States: ...
      Protocol: IPv4*
      Source: 192.168.0.3/32
      Port: *
      Destination: *
      Port: tcp/25
      Gateway: 172.16.1.1
      Queue: none
      Schedule: (none)
      Description: Mail Out


  • Out of the box, you wouldn't need outbound NAT for SMTP, given the default rule from LAN to WAN is 'permit' anyway. The assumption I'm making here is that you have removed the default rule and are selectively adding rules. The firewall rule given in shadowconnect's post is correct, but the NAT rule should still have the WAN1 interface address (172.16.1.2) as the 'NAT Address' entry. From the firewall's perspective, you're NATing through the external firewall address, not the next hop.



  • Thanks for the replies.

    I'm busy testing.



  • We had a 50/50 success/fail rate without the NAT/Rule. The load balancer used to send mail out randomly on WAN1 and WAN2.


    If I see the values incrementing under "states" in the new rule, after I have sent out a test email, does it work then? (evaluations, packets, bytes).

    I have now sent 10 emails with success.


  • you really shouldn't have to change anything in the outbound NAT. All you should have to do is create a policy that routes the traffic out the gateway you want to use.
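    As an added illustration (not from any post in this thread), here is the same setup written as a native pf ruleset, showing the policy route shadowconnect's LAN rule describes next to outbound NAT that translates to the WAN interface address rather than the next hop. Interface names em0/em1/em2 and the LAN gateway address are assumptions.

    ```pf
    # Added example, not the poster's configuration. Interface names are assumed.
    lan_if  = "em0"          # LAN  192.168.0.0/24
    wan1_if = "em1"          # WAN1 172.16.1.2, upstream gateway 172.16.1.1
    wan2_if = "em2"          # WAN2 172.16.2.2, upstream gateway 172.16.2.1 (default route)
    wan1_gw = "172.16.1.1"
    mailsrv = "192.168.0.3"  # Exchange server

    # Outbound NAT translates to the address of the WAN interface the packet
    # leaves on. 172.16.1.1 is the ISP's next hop, not an address this firewall
    # owns, so a NAT rule pointing at it (the original mapping) cannot work.
    nat on $wan1_if from 192.168.0.0/24 to any -> ($wan1_if)
    nat on $wan2_if from 192.168.0.0/24 to any -> ($wan2_if)

    # Policy route: SMTP from the mail server is handed to WAN1's gateway by
    # route-to on the LAN rule, overriding the default route via WAN2.
    pass in quick on $lan_if route-to ($wan1_if $wan1_gw) proto tcp \
        from $mailsrv to any port 25 keep state

    # Everything else from the LAN follows the routing table (default: WAN2).
    pass in on $lan_if from 192.168.0.0/24 to any keep state
    ```

    `pfctl -vsr` prints per-rule Evaluations/Packets/Bytes/States counters, which is the same information as the "states" column in the GUI; a non-zero packet count on the route-to rule after a test message confirms it matched.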



  • @shadowconnect. It looks like that solved the problem.

    I will report back in a day.



  • SOLVED.  Thanks.

