Migrated to Flex 500, but having a problem with sending email from mail server to GMAIL addresses

Tector
Tector Posts: 3  Freshman Member

Hi,
we have migrated our working firewall from a USG310 to a new Flex 500, and we are using an internal Mail Server.

If we use the old USG310 instead, everything works fine without any problems, even to GMAIL addresses, and MXToolBox gives a green light on all of its tests. We have also added to our DNS records everything that Google says they need or want.

When we swap the USG310 for the Flex 500, everything continues to work, but when sending emails from our internal Mail Server to GMAIL addresses we get a bounce back from Google's mail server. Sending email to addresses other than GMAIL continues to work normally.

What I can figure out from the GMAIL response is that the public server address 213.xxx.yyy.195 does not translate correctly with the Flex 500; it shows as the public WAN port address 213.xxx.yyy.194, and therefore GMAIL cannot resolve our Mail Server's address correctly.

As I use Nebula Cloud to configure our Flex 500, there is most likely some setting or policy still off that I just can't figure out, as the Nebula interface is quite different from the older USG310 interface, which was more straightforward to me (IMHO).

Google's Gmail system gives the following bounce-back email:
receiver@gmail .com: host gmail-smtp-in.l.google.com[64.233.161.27] said:
550-5.7.26 Your email has been blocked because the sender is
unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with
either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [company.fi] with ip:
[213.xxx.yyy.194] = did not pass 550-5.7.26 550-5.7.26 For instructions
on setting up authentication, go to 550 5.7.26
https://support.google.com/mail/answer/81126#authentication
2adb3069b0e04-5532105c5d5si1747124e87.122 - gsmtp (in reply to end of DATA
command)
Reporting-MTA: dns; firma.fi
X-Postfix-Queue-ID: 4b6Fy65Bb7zfdYg
X-Postfix-Sender: rfc822; sender@company .fi
Arrival-Date: Tue, 27 May 2025 17:53:50 +0300 (EEST)
Final-Recipient: rfc822; receiver@gmail .com
Original-Recipient: rfc822;receiver@gmail .com
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26
Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF
[company.fi] with ip: [213.xxx.yyy.194] = did not pass 550-5.7.26
550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26
https://support.google.com/mail/answer/81126#authentication
2adb3069b0e04-5532105c5d5si1747124e87.122 - gsmtp

——— start of USG 310 settings ———
Network settings:
Gateway IP 213.xxx.yyy.193
WAN port IP 213.xxx.yyy.194
LAN port IP 192.xxx.yyy.1/24
Public Mail Server IP 213.xxx.yyy.195
LAN Mail Server IP 192.xxx.yyy.30

We have following settings on our USG310 firewall:
Network - Interface Settings:
Ethernet:
WAN Port
Port IP Address 213.xxx.yyy.194
GW IP Address 213.xxx.yyy.193
Subnet Mask 255.255.255.240

LAN Port
	Port IP Address	192.xxx.yyy.1
	Subnet Mask 255.255.255.0
	
Trunk:
Default WAN Trunk
	Enable Default SNAT ON

Routing settings:
Policy Route NONE
Static Route NONE

DDNS Settings:
NONE

NAT settings:
Use Static-Dynamic Route to Control 1-1 NAT Route - off
NAT rule for Internal Mail Server:
Enable Rule: ON
Port Mapping Type
Classification 1:1 NAT
Mapping Rule:
Incoming Interface WAN port
Source IP ANY
External IP 213.xxx.yyy.195 (Public IP of mail server)
Internal IP 192.xxx.yyy.30 (Internal IP of mail server)
Port Mapping Type ANY
Related Settings:
Enable NAT Loopback ON

Redirect Service settings:
none

Security Policy settings:
Policy Control:
Name SERVER_PUBLIC
From ANY
To Any (excluding ZyWall)
IPv4 Source Any
IPv4 Destination 213.xxx.yyy.195 (Public IP of mail server)
Service ANY
User ANY
Schedule NONE
Action ALLOW

Name	SERVER_INTERNAL
From	ANY
To	ANY (excluding ZyWall)
IPv4 Source	ANY
IPv4 Destination	192.xxx.yyy.30 (Internal IP of mail server)
Service	ANY
User	ANY
Schedule	NONE
Action	ALLOW

——— end of USG 310 settings ———

We have following settings on our Flex 500 firewall on Nebula Cloud:
——— start of Flex 500 settings ———
Interface
WAN interface Configuration
WAN IP Address 213.xxx.yyy.194
SNAT ON
Type STATIC
IP Address 213.xxx.yyy.194
Subnet Mask 255.255.255.240
Default GW 213.xxx.yyy.193
Proxy ARP ON (default)

LAN Interface Configuration
	LAN IP Address 192.xxx.yyy.1
	Subnet Mask 255.255.255.0

Routing
Policy Route/Traffic Shaping
LAN network
Source 192.xxx.yyy.1/24
Destination ANY
Service ANY
Policy Route ON
Type INTERNET TRAFFIC
Next-Hop WAN
Traffic Shaping ON
Download Limit UNLIMITED
Upload Limit UNLIMITED
Priority HIGHEST (1)
NAT
Virtual Server rule #1
Enable OFF (tried also ON)
Uplink WAN
Protocol BOTH
Public IP 213.xxx.yyy.194
Public Port 1-65535
LAN IP 192.xxx.yyy.30
Local Port 1-65535

Virtual Server rule #2
	Enable OFF (tried also ON)
	Uplink WAN
	Protocol BOTH
	Public IP 213.xxx.yyy.195
	Public Port	1-65535
	LAN IP 192.xxx.yyy.30
	Local Port 1-65535

1:1 NAT
	NAT 1:1 Rule #1
	Public IP	213.xxx.yyy.195
	LAN IP	192.xxx.yyy.30
	Uplink	WAN
	Allowed inbound connections
		Rule #1
		Enable ON
		Protocol BOTH
		Local Port 1-65535
		Remote IPs	ANY
		

Security Policy
Rule #1
Action DENY
Policy NONE
Protocol ANY
Source ANY
Destination 192.xxx.yyy.30
Dst Port ANY
User ANY
Schedule ALWAYS

Implicit Allow Rules
	Allow LAN to ANY ALWAYS
	Allow LAN to the appliance ALWAYS

Implicit Deny Rule
	Deny All ALWAYS

Anomaly Detection and Prevention
	Enable Anomaly Detection and Prevention ON

Security Service
Content Filter
Drop connection when there is an HTTPS connection with SSL v3(or previous version) ON
DNS/URL Threat Filter
DNS Threat Filter ON
URL Threat Filter ON
IP Reputation
Enabled ON
Policy BLOCK
Threat Level Threshold HIGH
Anti-Malware
Enabled ON
Scan Mode EXPRESS MODE
Sandboxing
Enabled ON
Policy DESTROY
IPS
Enabled ON
Mode PREVENTION
External Block List
IP Reputation (EBL) ON
DNS/URL Threat Filter (EBL) ON
——— end of Flex 500 settings ———

Any help is appreciated to figure this out,
Kari / Tector
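The bounce above states the cause directly: Gmail evaluated SPF for company.fi against the firewall's WAN address (.194), not the mail server's 1:1 NAT address (.195) that the SPF record presumably lists, so outbound mail was being source-NATed to the wrong public IP. The script below is an added example, not code from this thread or from Zyxel: it pulls the domain and checked IP out of a 5.7.26 diagnostic string, evaluates a minimal SPF record against both the IP Google saw and the IP you expected the server to egress from, and flags the mismatch. The SPF record, the stub resolver table and the bounce text are constructed, and 203.0.113.194/195 stand in for the anonymised 213.xxx.yyy.194/195 of the post.

```python
"""Diagnose a Gmail 550-5.7.26 bounce: which source IP did Google check for
SPF, and would the intended 1:1 NAT address have passed instead?

Added example, not from the original thread. All inputs below are constructed;
203.0.113.194/195 (TEST-NET-3) stand in for 213.xxx.yyy.194/195.
"""
import ipaddress
import re

# Assumed SPF record for company.fi: only the mail server's public (1:1 NAT)
# address is authorised; the firewall's own WAN address is not.
SPF_RECORD = "v=spf1 ip4:203.0.113.195 mx -all"

# Stub DNS table so the 'a' and 'mx' mechanisms can be evaluated offline.
RESOLVER = {
    ("MX", "company.fi"): ["mail.company.fi"],
    ("A", "mail.company.fi"): ["203.0.113.195"],
    ("A", "company.fi"): ["203.0.113.195"],
}

# Diagnostic text modelled on the bounce in the post, with the placeholder IP.
BOUNCE = (
    "550-5.7.26 Your email has been blocked because the sender is "
    "unauthenticated. 550-5.7.26 Authentication results: 550-5.7.26 "
    "DKIM = did not pass 550-5.7.26 SPF [company.fi] with ip: "
    "[203.0.113.194] = did not pass 550-5.7.26"
)

_SPF_RE = re.compile(
    r"SPF\s+\[(?P<domain>[^\]]+)\]\s+with ip:\s+\[(?P<ip>[^\]]+)\]"
    r"\s+=\s+(?P<result>did not pass|pass)"
)
_QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_bounce(text):
    """Return (domain, ip, gmail_result) from a 5.7.26 diagnostic string."""
    m = _SPF_RE.search(text)
    if not m:
        raise ValueError("no SPF authentication result in bounce text")
    return m.group("domain"), m.group("ip"), m.group("result")


def _a_records(name, resolver):
    return [ipaddress.ip_address(a) for a in resolver.get(("A", name), [])]


def spf_check(record, domain, ip, resolver):
    """Minimal SPF evaluator: ip4/ip6/a/mx/all with +,-,~,? qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    include/redirect/exists/ptr are deliberately not implemented."""
    ip = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in _QUAL:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in _a_records(arg or domain, resolver)
        elif name == "mx":
            for host in resolver.get(("MX", arg or domain), []):
                if ip in _a_records(host, resolver):
                    matched = True
        elif name == "all":
            matched = True
        if matched:
            return _QUAL[qual]
    return "neutral"  # no mechanism matched and no 'all' present


def diagnose(bounce, record, expected_ip, resolver):
    """Compare the IP Gmail checked with the IP the server should egress from."""
    domain, checked_ip, gmail_result = parse_bounce(bounce)
    return {
        "domain": domain,
        "checked_ip": checked_ip,
        "expected_ip": expected_ip,
        "gmail_said": gmail_result,
        "spf_for_checked_ip": spf_check(record, domain, checked_ip, resolver),
        "spf_for_expected_ip": spf_check(record, domain, expected_ip, resolver),
        "egress_mismatch": checked_ip != expected_ip,
    }


if __name__ == "__main__":
    for key, value in diagnose(BOUNCE, SPF_RECORD, "203.0.113.195", RESOLVER).items():
        print(f"{key}: {value}")
```

When `spf_for_checked_ip` is `fail` but `spf_for_expected_ip` is `pass` and `egress_mismatch` is true, the DNS record is fine and the problem is on the firewall side: outbound connections from the mail server are leaving with the WAN interface address rather than the 1:1 NAT address. Adding `ip4:` for the WAN address would also make Gmail accept the mail, but it authorises the whole firewall's egress address to send for the domain, which is broader than intended; fixing the source NAT is the cleaner remedy.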

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,891  Guru Member
    Answer ✓

    You need to make the following routing rule

    incoming LAN of 192.xxx.yyy.30

    next hop WAN

    SNAT 213.xxx.yyy.195

All Replies

  • Tector
    Tector Posts: 3  Freshman Member

    Thank you!

    This helped me to make working settings for our Flex 500 firewall. These might not be just the bare minimum settings, but at least sending emails to GMAIL addresses started working without problems.

    On Firewall > Routing I made this rule.

    Policy Route / Traffic Shaping:

    Rule #1 LAN to WAN
    Matching Criteria:
    Source: 192.xxx.yyy.30
    Destination: 213.xxx.yyy.195
    Service: Any

    Policy Route:
    Type: Internet Traffic
    Next-Hop: P2_WAN

    Traffic Shaping:
    Download Limit: Unlimited
    Upload Limit: Unlimited
    Priority: Highest(1)

    Static Route:

    Rule #1
    Subnet: 192.xxx.yyy.0/24
    Next Hop Type: Interface
    Next Hop: P2_WAN
    Metric(0-127): 1
    Description: LAN to WAN

    On Firewall > NAT I made this rule.

    1:1 NAT:

    Name: SN_LAN_to_WAN
    Public IP: 213.xxx.yyy.195
    LAN IP: 192.xxx.yyy.30
    Uplink: P2_WAN
    Allowed inbound connections
    ENABLED
    Protocol Both
    Local Port: 1-65535
    Remote IPs: ANY