Outbound Traffic from an Internal Server not Routing Through Correct External IP
Hello. We recently moved sites and had some trouble getting multiple Static IPs to work properly with our ATP device.
At our old location, the IP block was contiguous. Under Network\Interface, the added Ethernet interface has all of the IPs listed in its config because they are together. Under NAT and Policy Control we added records which route inbound traffic from the external IP to the internal one. When email is sent from our mail server it appears to route through the appropriate external IP. That is based on the message details of an email that was received. There is no outbound configuration set up, so is this because the router knows what IP it came in on?
At the new location, we have a single main IP and then a block of IPs. Under Network\Interface, the Ethernet interface only knows about the main IP. We set up the same static IPs under NAT and Policy Control, however, outbound traffic for the mail server does not go over the appropriate IP. We fixed this by adding a route under Network\Routing which takes any traffic from the mail server IP and routes it through the appropriate IP. As a result, we also had to add a route which precedes that. It checks if the destination is on the LAN and if so routes it differently.
While that works, we aren't sure why that is necessary given that the config is almost identical to the other location. Is it because of the non-contiguous IP block? If so, is this the appropriate way to handle this? Two routes for external Static IP. Is it possible to use one record with some sort of exclusion?
Let me know if you need any other information. Thank you!
All Replies
-
When inbound traffic comes in and you NAT to the server the ATP knows to use the appropriate external IP or else it will fail.
As for outgoing traffic the ATP SNAT by default on the WAN IP interface so the only way to SNAT out a given WAN IP is by a routing rule.
2 -
Hi @NEP
"There is no outbound configuration set up, so is this because the router knows what IP it came in on?"
Regarding this question, as PeterUK mentioned, the outbound IP would typically default to the WAN IP.
"We set up the same static IPs under NAT and Policy Control, however, outbound traffic for the mail server does not go over the appropriate IP. We fixed this by adding a route under Network\Routing which takes any traffic from the mail server IP and routes it through the appropriate IP."
Based on the description, what appropriate IP address do you expect to see? Is it your WAN IP? Also, can you provide more information about the topology of both the old and new locations? What is the IP address of the added router in the new location? Is it a WAN IP or LAN IP? If you can share the topology for both old and new locations, it would be helpful for us to better understand your questions. Thanks.
Don't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L
0 -
Hi @NEP
Furthermore, you can check if your NAT settings for the email server are configured for 1:1 NAT. You may find this article on the difference between Virtual Server and 1:1 NAT helpful. Note that 1:1 NAT has a SNAT behavior.
0 -
Hi @PeterUK and @Zyxel_Jeff,
Guess I'm at a bit of a loss. I thought I followed PeterUK's and your first comments. They seemed to jive with what we had to do to get it working correctly. However, your second post threw a "monkey wrench" into that.
We are set up exactly the same as the link that you provided. That is, we have multiple 1:1 NATs that have the External IP, the Internal IP, and a specific port set. With this type of setup that article indicates that "the outgoing interface for the server 192.168.1.33 uses 61.222.75.17 to access Internet." Considering that our setup is the same as that, unless I overlooked something, it stands to reason that traffic should be exiting on the defined External IP. That doesn't appear to be the case.
Some of the following information has been changed for obfuscation's sake. Regardless of that, the info all matches up to what is set in our firewall. For the sake of this example, let's assume that our main External IP is 50.25.50.100 and we have a separate block of LAN IPs (15 IPs starting at 50.50.50.10).
NAT

| Name  | Type    | Interface | Source IP | External IP | Internal IP  | Protocol | External Port | Internal Port |
|-------|---------|-----------|-----------|-------------|--------------|----------|---------------|---------------|
| Mail  | 1:1 NAT | ge8       | any       | 50.50.50.10 | 10.10.10.50  | any      | 25,465        | 25,465        |
| Owa   | 1:1 NAT | ge8       | any       | 50.50.50.15 | 10.10.10.75  | any      | 80,443        | 80,443        |
| Other | 1:1 NAT | ge8       | any       | 50.50.50.20 | 10.10.10.100 | any      | 443           | 443           |
SNAT Status

| NAT Rule | Source      | Protocol | Source Port | Destination | Outgoing | SNAT        |
|----------|-------------|----------|-------------|-------------|----------|-------------|
| Mail     | 10.10.10.10 | any      | 25,465      | any         | ge8      | 50.50.50.10 |
| Owa      | 10.10.10.15 | any      | 80,443      | any         | ge8      | 50.50.50.15 |
| Other    | 10.10.10.20 | any      | 443         | any         | ge8      | 50.50.50.20 |
Policy Route

| Incoming               | Source | Destination | Service | Source Port | Next-Hop | SNAT        |
|------------------------|--------|-------------|---------|-------------|----------|-------------|
| any (Excluding ZyWALL) | Mail   | LAN         | any     | any         | auto     | none        |
| any (Excluding ZyWALL) | Mail   | any         | any     | any         | ge8      | 50.50.50.10 |
As you can see, there is a Policy Route set up for Mail (to make it work correctly) but nothing for Owa or Other. However, all three "appear" to exit on the proper External IP according to "SNAT Status". That said, I can't say that Owa and Other are exiting on the proper IP. I'm not aware of a way to test that. Nor does it matter. Both are just displaying a web interface.
However, the Mail server was verified to have an issue by checking the message details of an email received outside of the company (e.g. Google and Yahoo). Without the Policy Route listed above, the message always shows the main External WAN IP instead of the External IP defined in the NAT.
To me it seems like the configuration is proper, but maybe I missed something. Let me know if you would like any other information. Thank you!
0 -
I'm a bit lost too with SNAT Status and Policy Route.
The NAT looks fine...
So... delete all SNAT Status and Policy Route and start over.
You want 10.10.10.10 to SNAT 50.50.50.10 so do for routing interface LAN for source 10.10.10.10 destination any and port any next hop ge8 SNAT 50.50.50.10
Do the same for the others; make sure these rules are at the top of the list.
0 -
I don't know what you mean by "You want 10.10.10.10 to SNAT 50.50.50.10 so do for routing interface LAN for source 10.10.10.10 destination any and port any next hop ge8 SNAT 50.50.50.10". That is what I have in the Policy Route. Are you saying it should be somewhere else?
As for the SNAT Status, that is simply the Maintenance > Packet Flow Explore > SNAT Status interface. Based on the link @Zyxel_Jeff provided, it should show the outbound path traffic takes.
The Policy Route was added because it didn't work without it. The first one lets LAN traffic be routed correctly, while the second routes outbound traffic. I cannot remove either of these. Mail will break if I do.
0 -
Yes, routing, and move it to the top rule; do not add ports to the rule.
0 -
I believe we are talking about the same place already.
Configuration > Network > Routing > Policy Route
The two routes are already at the top. Traffic with a LAN destination is #1 and WAN destination is #2.
I do have ports applied though. Why is that an issue exactly?
0 -
For a start, you used Source Port, which likely will not match the outgoing traffic based on the ports you have put in, and so it uses the default SNAT.
Post a picture of Policy Route.
Also, you say 15 IPs starting at 50.50.50.10, yet NAT shows 50.50.50.1 and 50.50.50.2.
0 -
If the outbound traffic is on another port (i.e. not 25, 465), then yes, I suppose the rules wouldn't match that. I'll have to double-check that on the old firewall.
As for the 15 IPs, what I stated is correct. The 0 and 5 wrap to the next line. Not my fault, it's how the forum sized the columns. Those settings are exactly what is set up in the firewall, aside from the values being obfuscated.
0
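To make the ordering and matching behaviour discussed in this thread concrete, here is an added Python model of top-down, first-match policy route evaluation with default SNAT to the main WAN IP (this is illustrative code written for this page, not Zyxel's implementation). It assumes a LAN subnet of 10.10.10.0/24 and a hypothetical "destination is not LAN" exclusion condition to show what a single-rule version of the two routes would look like.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

WAN_IP = "50.25.50.100"                      # main WAN IP from the thread
LAN = ipaddress.ip_network("10.10.10.0/24")  # assumed LAN subnet (not stated on the page)
MAIL = "10.10.10.50"                         # mail server internal IP from the NAT table

@dataclass
class PolicyRoute:
    source: str                       # source host/network the route matches
    lan_dest_only: bool = False       # route 1 in the thread: destination = LAN
    exclude_lan_dest: bool = False    # hypothetical single-rule "not LAN" exclusion
    source_ports: set = field(default_factory=set)  # empty set means "any"
    snat: Optional[str] = None        # None means default behaviour (no explicit SNAT)

def egress_address(src: str, sport: int, dst: str, routes) -> Optional[str]:
    """Top-down, first-match evaluation of the policy route list.
    Returns the source address the destination sees: the route's SNAT address,
    None for LAN-to-LAN traffic routed without NAT, or the main WAN IP when no
    matching route sets SNAT (the default PeterUK describes)."""
    dst_is_lan = ipaddress.ip_address(dst) in LAN
    default = None if dst_is_lan else WAN_IP
    for r in routes:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.source, strict=False):
            continue
        if r.source_ports and sport not in r.source_ports:
            continue  # outbound connections use ephemeral source ports, so 25/465 never match
        if r.lan_dest_only and not dst_is_lan:
            continue
        if r.exclude_lan_dest and dst_is_lan:
            continue
        return r.snat or default
    return default

# Two routes, with the source-port condition PeterUK warned about on route 2.
PORT_KEYED = [PolicyRoute(MAIL, lan_dest_only=True),
              PolicyRoute(MAIL, source_ports={25, 465}, snat="50.50.50.10")]
# The same two routes without ports, LAN route first, as the thread settled on.
TWO_ROUTES = [PolicyRoute(MAIL, lan_dest_only=True),
              PolicyRoute(MAIL, snat="50.50.50.10")]
# One route using the hypothetical "destination is not LAN" exclusion.
ONE_ROUTE = [PolicyRoute(MAIL, exclude_lan_dest=True, snat="50.50.50.10")]

if __name__ == "__main__":
    for name, routes in [("port-keyed", PORT_KEYED), ("two routes", TWO_ROUTES), ("one route", ONE_ROUTE)]:
        print(name, "internet:", egress_address(MAIL, 51234, "203.0.113.25", routes),
              "lan:", egress_address(MAIL, 51234, "10.10.10.75", routes))
```

Dropping the LAN route from the two-route list (`TWO_ROUTES[1:]`) shows why it is needed: LAN-bound mail traffic would then be source-NATed to 50.50.50.10.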