Outbound Traffic from an Internal Server not Routing Through Correct External IP

NEP
NEP Posts: 72  Ally Member
First Comment Friend Collector Second Anniversary
edited March 2023 in Security

Hello. We recently moved sites and had some trouble getting multiple Static IPs to work properly with our ATP device.

At our old location, the IP block was contiguous. Under Network\Interface, the added Ethernet interface has all of the IPs listed in its config because they are together. Under NAT and Policy Control we added records which route inbound traffic from the external IP to the internal one. When email is sent from our mail server it appears to route through the appropriate external IP. That is based on the message details of an email that was received. There is no outbound configuration set up, so is this because the router knows what IP it came in on?

At the new location, we have a single main IP and then a block of IPs. Under Network\Interface, the Ethernet interface only knows about the main IP. We set up the same static IPs under NAT and Policy Control, however, outbound traffic for the mail server does not go over the appropriate IP. We fixed this by adding a route under Network\Routing which takes any traffic from the mail server IP and routes it through the appropriate IP. As a result, we also had to add a route which precedes that. It checks if the destination is on the LAN and if so routes it differently.

While that works, we aren't sure why that is necessary given that the config is almost identical to the other location. Is it because of the non-contiguous IP block? If so, is this the appropriate way to handle this? Two routes for external Static IP. Is it possible to use one record with some sort of exclusion?

Let me know if you need any other information. Thank you!


All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 2023

    When inbound traffic comes in and you NAT to the server the ATP knows to use the appropriate external IP or else it will fail.

    As for outgoing traffic the ATP SNAT by default on the WAN IP interface so the only way to SNAT out a given WAN IP is by a routing rule.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,206  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    edited March 2023

    Hi @NEP

    "There is no outbound configuration set up, so is this because the router knows what IP it came in on?"

    Regarding this question, as PeterUK mentioned, the outbound IP would typically default to the WAN IP.

    "We set up the same static IPs under NAT and Policy Control, however, outbound traffic for the mail server does not go over the appropriate IP. We fixed this by adding a route under Network\Routing which takes any traffic from the mail server IP and routes it through the appropriate IP."

    Based on the description, what appropriate IP address do you expect to see? Is it your WAN IP? Also, can you provide more information about the topology of both the old and new locations? What is the IP address of the added router in the new location? Is it a WAN IP or LAN IP? If you can share the topology for both old and new locations, it would be helpful for us to better understand your questions. Thanks.


    Don't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,206  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @NEP

    Furthermore, you can check if your NAT settings for the email server are configured for 1:1 NAT. You may find this article on the difference between Virtual Server and 1:1 NAT helpful. Note that 1:1 NAT has a SNAT behavior.


  • NEP
    NEP Posts: 72  Ally Member
    First Comment Friend Collector Second Anniversary

    Hi @PeterUK and @Zyxel_Jeff,

    Guess I'm at a bit of a loss. I thought I followed PeterUK's and your first comments. They seemed to jive with what we had to do to get it working correctly. However, your second post threw a "monkey wrench" into that.

    We are set up exactly the same as the link that you provided. That is, we have multiple 1:1 NATs that have the External IP, the Internal IP, and a specific port set. With this type of setup that article indicates that "the outgoing interface for the server 192.168.1.33 uses 61.222.75.17 to access Internet." Considering that our setup is the same as that, unless I overlooked something, it stands to reason that traffic should be exiting on the defined External IP. That doesn't appear to be the case.

    Some of the following information has been changed for obfuscation's sake. Regardless of that, the info all matches up to what is set in our firewall. For the sake of this example, let's assume that our main External IP is 50.25.50.100 and we have a separate block of LAN IPs (15 IPs starting at 50.50.50.10).

    NAT

    Name  | Type    | Interface | Source IP | External IP | Internal IP  | Protocol | External Port | Internal Port
    Mail  | 1:1 NAT | ge8       | any       | 50.50.50.10 | 10.10.10.50  | any      | 25,465        | 25,465
    Owa   | 1:1 NAT | ge8       | any       | 50.50.50.15 | 10.10.10.75  | any      | 80,443        | 80,443
    Other | 1:1 NAT | ge8       | any       | 50.50.50.20 | 10.10.10.100 | any      | 443           | 443

    SNAT Status

    NAT Rule | Source      | Protocol | Source Port | Destination | Outgoing | SNAT
    Mail     | 10.10.10.10 | any      | 25,465      | any         | ge8      | 50.50.50.10
    Owa      | 10.10.10.15 | any      | 80,443      | any         | ge8      | 50.50.50.15
    Other    | 10.10.10.20 | any      | 443         | any         | ge8      | 50.50.50.20

    Policy Route

    Incoming               | Source | Destination | Service | Source Port | Next-Hop | SNAT
    any (Excluding ZyWALL) | Mail   | LAN         | any     | any         | auto     | none
    any (Excluding ZyWALL) | Mail   | any         | any     | any         | ge8      | 50.50.50.10

    As you can see, there is a Policy Route set up for Mail (to make it work correctly) but nothing for Owa or Other. However, all three "appear" to exit on the proper External IP according to "SNAT Status". That said, I can't say that Owa and Other are exiting on the proper IP. I'm not aware of a way to test that. Nor does it matter. Both are just displaying a web interface.

    However, the Mail server was verified to have an issue by checking the message details of an email received outside of the company (e.g. Google and Yahoo). Without the Policy Route listed above, the message always shows the main External WAN IP instead of the External IP defined in the NAT.

    To me it seems like the configuration is proper, but maybe I missed something. Let me know if you would like any other information. Thank you!

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 2023

    I'm a bit lost too with SNAT Status and Policy Route.

    The NAT looks fine...

    So... delete all SNAT Status and Policy Route and start over.

    You want 10.10.10.10 to SNAT 50.50.50.10, so do, for routing: interface LAN, source 10.10.10.10, destination any and port any, next hop ge8, SNAT 50.50.50.10.

    Do the same for the others; make sure these rules are at the top of the list.

  • NEP
    NEP Posts: 72  Ally Member
    First Comment Friend Collector Second Anniversary

    I don't know what you mean by "You want 10.10.10.10 to SNAT 50.50.50.10 so do for routing interface LAN for source 10.10.10.10 destination any and port any next hop ge8 SNAT 50.50.50.10". That is what I have in the Policy Route. Are you saying it should be somewhere else?

    As for the SNAT Status, that is simply the Maintenance > Packet Flow Explore > SNAT Status interface. Based on the link @Zyxel_Jeff provided, it should show the outbound path traffic takes.

    The Policy Route was added because it didn't work without it. The first one lets LAN traffic be routed correctly, while the second routes outbound traffic. I cannot remove either of these. Mail will break if I do.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Yes, routing, and move it to the top rule; do not add ports to the rule.

  • NEP
    NEP Posts: 72  Ally Member
    First Comment Friend Collector Second Anniversary

    I believe we are talking about the same place already.

    Configuration > Network > Routing > Policy Route

    The two routes are already at the top. Traffic with a LAN destination is #1 and WAN destination is #2.

    I do have ports applied though. Why is that an issue exactly?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 2023

    For a start, you used Source Port, which likely will not match the outgoing traffic based on the ports you have put in, and it will use the default SNAT.

    Post a picture of Policy Route.

    Also, you say 15 IPs starting at 50.50.50.10, yet NAT shows 50.50.50.1 and 50.50.50.2.

  • NEP
    NEP Posts: 72  Ally Member
    First Comment Friend Collector Second Anniversary

    If the outbound traffic is on another port (i.e. not 25, 465), then yes, I suppose the rules wouldn't match that. I'll have to double-check that on the old firewall.

    As for the 15 IPs, what I stated is correct. The 0 and 5 wrap to the next line. Not my fault, it's how the forum sized the columns. Those settings are exactly what is set up in the firewall, aside from the values being obfuscated.
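An added model of the reasoning in this thread, not Zyxel code or anything posted above: a first-match policy-route table decides the SNAT address of an outbound packet. It shows why a route keyed on source ports 25/465 never matches mail the server itself initiates (those connections leave from an ephemeral source port), why the catch-all SNAT route would rewrite LAN-to-LAN traffic unless a LAN-destination route precedes it, and why a default-WAN SNAT results otherwise. The LAN prefix, the matching semantics and the sample packets are assumptions; the addresses are the thread's obfuscated ones.

```python
# Added illustration of the first-match policy-route and SNAT reasoning in this
# thread; it is not Zyxel code, and the matching semantics are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("10.10.10.0/24")   # constructed LAN, matches the thread's addresses
DEFAULT_WAN_IP = "50.25.50.100"     # main WAN IP (default SNAT) from the thread
MAIL_SERVER = "10.10.10.50"

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class PolicyRoute:
    source: str                          # host or CIDR
    destination: str                     # "LAN" or "any"
    source_ports: Optional[frozenset]    # None means any
    snat: Optional[str]                  # None means no SNAT override
    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.source, strict=False):
            return False
        if self.destination == "LAN" and ip_address(p.dst) not in LAN:
            return False
        return self.source_ports is None or p.sport in self.source_ports

def select_snat(p: Packet, routes: list) -> str:
    """Source IP the packet leaves with: first matching route wins; with no
    SNAT override, LAN-bound traffic keeps its IP and the rest gets the
    default WAN-interface SNAT."""
    default = p.src if ip_address(p.dst) in LAN else DEFAULT_WAN_IP
    for r in routes:
        if r.matches(p):
            return r.snat or default
    return default

LAN_ROUTE = PolicyRoute(MAIL_SERVER, "LAN", None, None)
MAIL_ROUTE = PolicyRoute(MAIL_SERVER, "any", None, "50.50.50.10")
# Keyed on source port 25/465: outbound SMTP is sent FROM an ephemeral port
# and TO port 25, so this never matches and the default SNAT applies.
MAIL_ROUTE_BY_SPORT = PolicyRoute(MAIL_SERVER, "any", frozenset({25, 465}), "50.50.50.10")
OUTBOUND_SMTP = Packet(MAIL_SERVER, "203.0.113.25", sport=51234, dport=25)  # constructed
TO_LAN_HOST = Packet(MAIL_SERVER, "10.10.10.75", sport=51235, dport=443)    # constructed
```

Running `select_snat(OUTBOUND_SMTP, [MAIL_ROUTE_BY_SPORT])` yields the main WAN IP, while `[LAN_ROUTE, MAIL_ROUTE]` yields 50.50.50.10 for Internet-bound mail and leaves LAN-bound traffic untouched.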
