On Thu, Jul 8, 2010 at 3:17 PM, Adam Thompson <athom...@c3a.ca> wrote: > My problem: reply packets to inbound NAT’d connection are being sent back > out the wrong interface, and being rejected as bogons by the next-hop > router. > > > > > > The setup… > > OPT1(OPT1) -> vlan0 -> 192.139.69.168 (/28) > > WAN -> vlan1 -> 67.226.137.177 (/29) > > LAN -> vlan2 -> 192.168.232.1 (/24) > > OPT2(OPT2) -> vlan3 -> 192.168.233.1 (/24) > > > > Virtual CARP IPs are set up on WAN, for 64.226.137.178/32 & .179/32. (Using > two different VHID groups, don’t know if that makes any difference.) > > > > 1:1 NAT configured on WAN:67.226.137.179/32==192.168.232.201/32 (my mail > server). There’s a firewall rule allowing inbound TCP:25 from * to > 192.168.232.201. > > > > A static route is defined on OPT1 for 130.179.0.0/16 via my next-hop; > they’re actually another BGP hop away from me. (I was using BGPd, but it > just doesn’t work for me so back to static routes for now…) > > > > *Outbound* connections from my mail server to mail servers in 130.179.0.0/16 > work just fine – they get NAT’d out the OPT1 interface correctly. > > > > *Inbound* connections from mail servers in 130.179.0.0/16, however do *not* > succeed – they time out. Tcpdump(1) reveals why, the return packets are > leaving via vlan0 (OPT1) instead of vlan1 (WAN). Interesting to note that > they appear to have the correct source IP, but of course my next-hop router > is rejecting these as bogons. This trace was limited to the mail server for > cs.umanitoba.ca, one of the affected domains. This is what happens when it > attempts to make a connection to my public MX (67.226.137.178) on vlan1 > (WAN).
This sounds like a missing reply-to, but I'm not entirely sure why. The inbound SMTP rule should be overriding the routing and sending the traffic out the right path. Take a look at /tmp/rules.debug and see if the inbound SMTP rule has a reply-to on it. --Bill --------------------------------------------------------------------- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
