
Unable to forward SMTP to internal Router

So, I've followed https://community.ubnt.com/t5/EdgeRouter/Multiple-IP-on-WAN-with-two-LAN-NAT/m-p/755942#M25566 and have the DNAT distribution of IPs set up.

 

So, what's REALLY odd here is that I can telnet to port 25 from somewhere else, whereas my email hosting service can't telnet to port 25. Other ports work, but SMTP just doesn't....

 

Any help/pointers/ideas are greatly appreciated...

 

Here's my config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "allow traffic to 172.x.x.20"
            destination {
                address 172.x.x.20
            }
            log enable
            protocol all
        }
        rule 20 {
            action accept
            description "allow traffic to 172.x.x.30"
            destination {
                address 172.x.x.30
            }
            log enable
            protocol all
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description GT-AC5300
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description RT-AC87U
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 46.x.x.74/29
        address 46.x.x.75/29
        description "Internet (PPPoE)"
        duplex auto
        poe {
            output off
        }
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password 
            user-id 
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.x.x.1/24
        description LocalDMZ
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 172.x.x.0/24 {
                default-router 172.x.x.1
                dns-server 172.x.x.1
                lease 86400
                start 172.x.x.38 {
                    stop 172.x.x.243
                }
                static-mapping GT-AC5300 {
                    ip-address 172.x.x.20
                    mac-address 
                }
                static-mapping RT-AC87U {
                    ip-address 172.x.x.30
                    mac-address 
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "forward 46.x.x.74 to 172.x.x.20"
            destination {
                address 46.x.x.74
                group {
                }
            }
            inbound-interface pppoe0
            inside-address {
                address 172.x.x.20
            }
            log enable
            protocol all
            source {
                group {
                }
            }
            type destination
        }
        rule 2 {
            description "forward 46.x.x.75 to 172.x.x.30"
            destination {
                address 46.x.x.75
                group {
                }
            }
            inbound-interface pppoe0
            inside-address {
                address 172.x.x.30
            }
            log enable
            protocol all
            source {
                group {
                }
            }
            type destination
        }
        rule 5000 {
            description "map 172.x.x.20 to 46.x.x.74"
            log enable
            outbound-interface eth0
            outside-address {
                address 46.x.x.74
            }
            protocol all
            source {
                address 172.x.x.20
            }
            type source
        }
        rule 5001 {
            description "map 172.x.x.30 to 46.x.x.75"
            log enable
            outbound-interface eth0
            outside-address {
                address 46.x.x.75
            }
            protocol all
            source {
                address 172.x.x.30
            }
            type source
        }
        rule 5002 {
            description "masquerade for WAN"
            log enable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
system {
    gateway-address 46.x.x.72
    host-name ubntexr
    ipv6 {
        disable
    }
    login {
        
        }
    }
    name-server 166.102.165.11
    name-server 166.102.165.13
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 172.x.x.20 {
            facility all {
                level debug
            }
        }
    }
    time-zone America/New_York
}

Re: Unable to forward SMTP to internal Router

Well..... I fixed my problem..... Thanks to all that provided advice & insight.... 

 

All I did was set up a manual DNAT and add the firewall rules for inbound traffic.... Note that in the config below the SMTP DNAT (nat rule 1) is limited to the SMT_Approved_Hosts source group, while the Attackers address-group is defined but not referenced by any rule.

 

Here's my sanitized config: 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Attackers {
            address 67.140.226.188
            description "Attackers to be denied"
        }
        address-group SMT_Approved_Hosts {
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            description "SMTP hosts from vendors"
        }
        port-group SMTP_ports {
            description "inbound SMTP ports"
            port 25
            port 587
        }
        port-group SSL_HTTP {
            description "inbound SSL+HTTP"
            port 443
            port 80
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allows SMTP"
            destination {
                group {
                    port-group SMTP_ports
                }
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allows HTTP(S)"
            destination {
                group {
                    port-group SSL_HTTP
                }
            }
            log disable
            protocol tcp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description GT-AC5300
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description RT-AC87U
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 4x.x.x.74/29
        address 4x.x.x.76/29
        description "Internet (PPPoE)"
        duplex auto
        poe {
            output off
        }
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password xxxxxxxxxxxxxxx
            user-id yyyyyyyyyyyyyyyy
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.x.x.1/24
        description DMZ_Switch
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 172.x.x.0/24 {
                default-router 172.x.x.1
                dns-server 172.x.x.1
                lease 86400
                start 172.x.x.138 {
                    stop 172.x.x.175
                }
                static-mapping GT-AC5300 {
                    ip-address 172.x.x.20
                    mac-address 2c:4d:54:e7:bb:50
                }
                static-mapping RT-AC87U {
                    ip-address 172.x.x.40
                    mac-address 9c:5c:8e:b7:49:20
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "SMTP DNAT"
            destination {
                address 4x.x.x.73
            }
            inbound-interface pppoe0
            inside-address {
                address 172.x.x.20
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group SMT_Approved_Hosts
                }
            }
            type destination
        }
        rule 2 {
            description "OWA/DS DNAT"
            destination {
                address 4x.x.x.73
                group {
                    port-group SSL_HTTP
                }
            }
            inbound-interface pppoe0
            inside-address {
                address 172.x.x.20
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    ubnt-discover-server {
        disable
    }
}
system {
    host-name ubntexr
    ipv6 {
        disable
    }
    login {
        user 
            authentication {
            }
            level admin
        }
    }
    name-server 166.102.165.11
    name-server 166.102.165.13
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
    }
}




Re: Unable to forward SMTP to internal Router

From within your network, using the public ip address ?

Re: Unable to forward SMTP to internal Router

I haven't tried from within my network as I don't have any hairpin NAT set up... but the telnet that was successful connected from a completely separate network.

Re: Unable to forward SMTP to internal Router

Note that some ISPs block port 25.

Re: Unable to forward SMTP to internal Router

Try

sudo tcpdump -ni pppoe0 port 25

Telnet from outside; do you see packets hitting your WAN interface?

Re: Unable to forward SMTP to internal Router

I've also tested on port 587 and that fails as well, yet it worked from the other connection....

 

I've enabled debug logging, and I don't see the incoming SMTP connection on either port when I test it from my mail hosting provider...

 

Re: Unable to forward SMTP to internal Router


thanks redfive!!!!  

 

When I telnet from my other DSL connection (same provider), I can see packets, however in any of my other tests, I don't see a thing.... 

 

Here's the frustrating thing... 

 

If I take that GT-AC5300 and put it in place of the EX-r, and configure it for PPPoE, then all my port forwarding on the GT-AC5300 works without issue and port 25 is working and accessible from the internet (not blocked). When I insert the EX-r in front of it, make the EX-r handle the PPPoE, and the GT-AC5300 becomes mid-tier, that's when SMTP breaks from the same mail hosting provider that worked without issue with the GT-AC5300.

 

Basically, I've configured a DMZ where I'm double-NATed to my internal network...

Re: Unable to forward SMTP to internal Router

Well..... I fixed my problem..... Thanks to all that provided advice & insight.... 

 

All I did was set up a manual DNAT and add the firewall rules for inbound traffic.... Note that in the config below the SMTP DNAT (nat rule 1) is limited to the SMT_Approved_Hosts source group, while the Attackers address-group is defined but not referenced by any rule.

 

Here's my sanitized config: 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Attackers {
            address 67.140.226.188
            description "Attackers to be denied"
        }
        address-group SMT_Approved_Hosts {
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            address 
            description "SMTP hosts from vendors"
        }
        port-group SMTP_ports {
            description "inbound SMTP ports"
            port 25
            port 587
        }
        port-group SSL_HTTP {
            description "inbound SSL+HTTP"
            port 443
            port 80
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allows SMTP"
            destination {
                group {
                    port-group SMTP_ports
                }
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allows HTTP(S)"
            destination {
                group {
                    port-group SSL_HTTP
                }
            }
            log disable
            protocol tcp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description GT-AC5300
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description RT-AC87U
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 4x.x.x.74/29
        address 4x.x.x.76/29
        description "Internet (PPPoE)"
        duplex auto
        poe {
            output off
        }
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password xxxxxxxxxxxxxxx
            user-id yyyyyyyyyyyyyyyy
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.x.x.1/24
        description DMZ_Switch
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 172.x.x.0/24 {
                default-router 172.x.x.1
                dns-server 172.x.x.1
                lease 86400
                start 172.x.x.138 {
                    stop 172.x.x.175
                }
                static-mapping GT-AC5300 {
                    ip-address 172.x.x.20
                    mac-address 2c:4d:54:e7:bb:50
                }
                static-mapping RT-AC87U {
                    ip-address 172.x.x.40
                    mac-address 9c:5c:8e:b7:49:20
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "SMTP DNAT"
            destination {
                address 4x.x.x.73
            }
            inbound-interface pppoe0
            inside-address {
                address 172.x.x.20
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group SMT_Approved_Hosts
                }
            }
            type destination
        }
        rule 2 {
            description "OWA/DS DNAT"
            destination {
                address 4x.x.x.73
                group {
                    port-group SSL_HTTP
                }
            }
            inbound-interface pppoe0
            inside-address {
                address 172.x.x.20
            }
            log disable
            protocol tcp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    ubnt-discover-server {
        disable
    }
}
system {
    host-name ubntexr
    ipv6 {
        disable
    }
    login {
        user 
            authentication {
            }
            level admin
        }
    }
    name-server 166.102.165.11
    name-server 166.102.165.13
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
    }
}