Outbound Traffic from an Internal Server not Routing Through Correct External IP

NEP

Hello. We recently moved sites and had some trouble getting multiple Static IPs to work properly with our ATP device.

At our old location, the IP block was contiguous. Under Network\Interface, the added Ethernet interface has all of the IPs listed in its config because they are together. Under NAT and Policy Control we added records which routes inbound traffic from the external IP to the internal one. When email is sent from our mail server it appears to route through the appropriate external IP. That based on the message details of an email that was received. There is no outbound configuration set up, so is this because the router knows what IP it came in on?

At the new location, we have a single main IP and then a block of IPs. Under Network\Interface, the Ethernet interface only knows about the main IP. We set up the same static IPs under NAT and Policy Control, however, outbound traffic for the mail server does not go over the appropriate IP. We fixed this by adding a route under Network\Routing which takes any traffic from the mail server IP and routes it through the appropriate IP. As a result, we also had to add a route which precedes that. It checks if the destination is on the LAN and if so routes it differently.

While that works, we aren't sure why that is necessary given that the config is almost identical to the other location. Is it because of the non-contiguous IP block? If so, is this the appropriate way to handle this? Two routes for external Static IP. Is it possible to use one record with some sort of exclusion?

Let me know if you need any other information. Thank you!

PeterUK

When inbound traffic comes in and you NAT to the server the ATP knows to use the appropriate external IP or else it will fail.

As for outgoing traffic the ATP SNAT by default on the WAN IP interface so the only way to SNAT out a given WAN IP is by a routing rule.

Zyxel_Jeff

Hi @NEP

"There is no outbound configuration set up, so is this because the router knows what IP it came in on?"

Regarding this question, as PeterUK mentioned, the outbound IP would typically default to the WAN IP.

"We set up the same static IPs under NAT and Policy Control, however, outbound traffic for the mail server does not go over the appropriate IP. We fixed this by adding a route under Network\Routing which takes any traffic from the mail server IP and routes it through the appropriate IP."

Based on the description, what appropriate IP address do you expect to see? Is it your WAN IP? Also, can you provide more information about the topology of both the old and new locations? What is the IP address of the added router in the new location? Is it a WAN IP or LAN IP? If you can share the topology for both old and new locations, it would be helpful for us to better understand your questions. Thanks.

Zyxel_Jeff

Hi @NEP

Furthermore, you can check if your NAT settings for the email server are configured for 1:1 NAT. You may find this article on the difference between Virtual Server and 1:1 NAT helpful. Note that 1:1 NAT has a SNAT behavior.

NEP

Hi @PeterUK and @Zyxel_Jeff,

Guess I'm at a bit of a loss. I thought I followed PeterUK's and your first comments. They seemed to jive with what we had to do to get it working correctly. However, your second post threw a "monkey wrench" into that.

We are set up exactly the same as the link that you provided. That is, we have multiple 1:1 NATs that have the External IP, the Internal IP, and a specific port set. With this type of setup that article indicates that "the outgoing interface for the server 192.168.1.33 uses 61.222.75.17 to access Internet." Considering that our setup is the same as that, unless I overlooked something, it stands to reason that traffic should be exiting on the defined External IP. That doesn't appear to be the case.

Some of the following information has been changed for obfuscation sake. Regardless of that, the info all matches up to what is set in our firewall. For the sake of this example, let's assume that our main External IP is 50.25.50.100 and we have a separate block of LAN IPs (15 IPs starting at 50.50.50.10).

NAT

Name	Type	Interface	Source IP	External IP	Internal IP	Protocol	External Port	Internal Port
Mail	1:1 NAT	ge8	any	50.50.50.10	10.10.10.50	any	25,465	25,465
Owa	1:1 NAT	ge8	any	50.50.50.15	10.10.10.75	any	80,443	80,443
Other	1:1 NAT	ge8	any	50.50.50.20	10.10.10.100	any	443	443

SNAT Status

NAT Rule	Source	Protocol	Source Port	Destination	Outgoing	SNAT
Mail	10.10.10.10	any	25,465	any	ge8	50.50.50.10
Owa	10.10.10.15	any	80,443	any	ge8	50.50.50.15
Other	10.10.10.20	any	443	any	ge8	50.50.50.20

Policy Route

Incoming	Source	Destination	Service	Source Port	Next-Hop	SNAT
any (Excluding ZyWALL)	Mail	LAN	any	any	auto	none
any (Excluding ZyWALL)	Mail	any	any	any	ge8	50.50.50.10

As you can see, there is a Policy Route set up for Mail (to make it work correctly) but nothing for Owa or Other. However, all three "appear" to exit on the proper External IP according to "SNAT Status". That said, I can't say that Owa and Other are exiting on the proper IP. I'm not aware of a way to test that. Nor does it matter. Both are just displaying a web interface.

However, the Mail server was verified to have an issue by checking the message details of an email received outside of the company (eg. Google and Yahoo). Without the Policy Route listed above, the message always shows the main External WAN IP instead of the External IP defined in the NAT.

To me it seems like the configuration is proper, but maybe I missed something. Let me know if you would like any other information. Thank you!

PeterUK

I'm a bit lost too with SNAT Status and Policy Route.

The NAT looks fine...

So...delete all SNAT Status and Policy Route and strat over

You want 10.10.10.10 to SNAT 50.50.50.10 so do for routing interface LAN for source 10.10.10.10 destination any and port any next hop ge8 SNAT 50.50.50.10

Do the same for the others make sure these rules are at the top of the list

NEP

I don't know what you mean by "You want 10.10.10.10 to SNAT 50.50.50.10 so do for routing interface LAN for source 10.10.10.10 destination any and port any next hop ge8 SNAT 50.50.50.10". That is what I have in the Policy Route. Are you saying it should be somewhere else?

As for the SNAT Status, that is simply the Maintenance > Packet Flow Explore > SNAT Status interface. Based on the link @Zyxel_Jeff provided, it should show the outbound path traffic takes.

The Policy Route was added because it didn't work without it. The first one lets LAN traffic be routed correctly, while the second routes outbound traffic. I cannot remove either of these. Mail will break if I do.

PeterUK

Yes routing and move it to the top rule do not add ports to the rule

NEP

I believe we are talking about the same place already.

Configuration > Network > Routing > Policy Route

The two routes are already at the top. Traffic with a LAN destination is #1 and WAN destination is #2.

I do have ports applied though. Why is that an issue exactly?

PeterUK

For a start you used Source Port which likely will not match the outgoing traffic based on the ports you have put in and use the default SNAT

post a picture of Policy Route

also you say 15 IPs starting at 50.50.50.10 yet NAT shows 50.50.50.1 and 50.50.50.2

NEP

If the outbound traffic is on another port (ie. not 25, 465), then yes I suppose the rules wouldn't match that. I'll have to double-check that on the old firewall.

As for the 15 IPs, what I stated is correct. The 0 and 5 wrap to the next line. Not my fault, it's how the forum sized the columns. Those settings are exactly what is set up in the firewall, aside from the values being obfuscated.