Migrated to Flex 500, but having problem with sending email from mail server to GMAIL addresses
Hi,
we have migrated our working firewall from a USG310 to a new Flex 500 and we are using an internal Mail Server.
If we use the old USG310 instead, everything works fine without any problems, even to GMAIL addresses, and MXToolBox gives a green light on all of their tests. We have also added to our DNS records everything that Google says they need or want.
When we swap the USG310 for the Flex 500 then everything continues to work, but when sending emails from our internal Mail Server to GMAIL addresses we get a bounce back from Google's mail server. Sending email to addresses other than GMAIL continues to work normally.
What I can figure out from the GMAIL response is that the public server address 213.xxx.yyy.195 does not translate correctly with the Flex 500 and shows up as the public WAN port address 213.xxx.yyy.194, and therefore GMAIL cannot resolve our Mail Server's address correctly.
As I use Nebula Cloud to configure our Flex 500 there is most likely some setting or policy still off that I just can't figure out, as the Nebula interface is quite different compared to the older USG310 interface, which was more straightforward to me (IMHO).
The Google Gmail system gives the following bounce back email:
receiver@gmail .com: host gmail-smtp-in.l.google.com[64.233.161.27] said:
550-5.7.26 Your email has been blocked because the sender is
unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with
either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [company.fi] with ip:
[213.xxx.yyy.194] = did not pass 550-5.7.26 550-5.7.26 For instructions
on setting up authentication, go to 550 5.7.26
https://support.google.com/mail/answer/81126#authentication
2adb3069b0e04-5532105c5d5si1747124e87.122 - gsmtp (in reply to end of DATA
command)
Reporting-MTA: dns; firma.fi
X-Postfix-Queue-ID: 4b6Fy65Bb7zfdYg
X-Postfix-Sender: rfc822; sender@company .fi
Arrival-Date: Tue, 27 May 2025 17:53:50 +0300 (EEST)
Final-Recipient: rfc822; receiver@gmail .com
Original-Recipient: rfc822;receiver@gmail .com
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26
Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF
[company.fi] with ip: [213.xxx.yyy.194] = did not pass 550-5.7.26
550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26
https://support.google.com/mail/answer/81126#authentication
2adb3069b0e04-5532105c5d5si1747124e87.122 - gsmtp
——— start of USG 310 settings ———
Network settings:
Gateway IP 213.xxx.yyy.193
WAN port IP 213.xxx.yyy.194
LAN port IP 192.xxx.yyy.1/24
Public Mail Server IP 213.xxx.yyy.195
LAN Mail Server IP 192.xxx.yyy.30
We have following settings on our USG310 firewall:
Network - Interface Settings:
Ethernet:
WAN Port
Port IP Address 213.xxx.yyy.194
GW IP Address 213.xxx.yyy.193
Subnet Mask 255.255.255.240
LAN Port
Port IP Address 192.xxx.yyy.1
Subnet Mask 255.255.255.0
Trunk: Default WAN Trunk
Enable Default SNAT ON
Routing settings:
Policy Route NONE
Static Route NONE
DDNS Settings:
NONE
NAT settings:
Use Static-Dynamic Route to Control 1-1 NAT Route - off
NAT rule for Internal Mail Server:
Enable Rule: ON
Port Mapping Type
Classification 1:1 NAT
Mapping Rule:
Incoming Interface WAN port
Source IP ANY
External IP 213.xxx.yyy.195 (Public IP of mail server)
Internal IP 192.xxx.yyy.30 (Internal IP of mail server)
Port Mapping Type ANY
Related Settings:
Enable NAT Loopback ON
Redirect Service settings:
none
Security Policy settings:
Policy Control:
Name SERVER_PUBLIC
From ANY
To Any (excluding ZyWall)
IPv4 Source Any
IPv4 Destination 213.xxx.yyy.195 (Public IP of mail server)
Service ANY
User ANY
Schedule NONE
Action ALLOW
Name SERVER_INTERNAL
From ANY
To ANY (excluding ZyWall)
IPv4 Source ANY
IPv4 Destination 192.xxx.yyy.30 (Internal IP of mail server)
Service ANY
User ANY
Schedule NONE
Action ALLOW
——— end of USG 310 settings ———
We have following settings on our Flex 500 firewall on Nebula Cloud:
——— start of Flex 500 settings ———
Interface
WAN Interface Configuration
WAN IP Address 213.xxx.yyy.194
SNAT ON
Type STATIC
IP Address 213.xxx.yyy.194
Subnet Mask 255.255.255.240
Default GW 213.xxx.yyy.193
Proxy ARP ON (default)
LAN Interface Configuration
LAN IP Address 192.xxx.yyy.1
Subnet Mask 255.255.255.0
Routing
Policy Route/Traffic Shaping
LAN network
Source 192.xxx.yyy.1/24
Destination ANY
Service ANY
Policy Route ON
Type INTERNET TRAFFIC
Next-Hop WAN
Traffic Shaping ON
Download Limit UNLIMITED
Upload Limit UNLIMITED
Priority HIGHEST(1)
NAT
Virtual Server rule #1
Enable OFF (tried also ON)
Uplink WAN
Protocol BOTH
Public IP 213.xxx.yyy.194
Public Port 1-65535
LAN IP 192.xxx.yyy.30
Local Port 1-65535
Virtual Server rule #2
Enable OFF (tried also ON)
Uplink WAN
Protocol BOTH
Public IP 213.xxx.yyy.195
Public Port 1-65535
LAN IP 192.xxx.yyy.30
Local Port 1-65535
1:1 NAT
NAT 1:1 Rule #1
Public IP 213.xxx.yyy.195
LAN IP 192.xxx.yyy.30
Uplink WAN
Allowed inbound connections Rule #1
Enable ON
Protocol BOTH
Local Port 1-65535
Remote IPs ANY
Security Policy
Rule #1
Action DENY
Policy NONE
Protocol ANY
Source ANY
Destination 192.xxx.yyy.30
Dst Port ANY
User ANY
Schedule ALWAYS
Implicit Allow Rules
Allow LAN to ANY ALWAYS
Allow LAN to the appliance ALWAYS
Implicit Deny Rule
Deny All ALWAYS
Anomaly Detection and Prevention
Enable Anomaly Detection and Prevention ON
Security Service
Content Filter
Drop connection when there is an HTTPS connection with SSL v3(or previous version) ON
DNS/URL Threat Filter
DNS Threat Filter ON
URL Threat Filter ON
IP Reputation
Enabled ON
Policy BLOCK
Threat Level Threshold HIGH
Anti-Malware
Enabled ON
Scan Mode EXPRESS MODE
Sandboxing
Enabled ON
Policy DESTROY
IPS
Enabled ON
Mode PREVENTION
External Block List
IP Reputation (EBL) ON
DNS/URL Threat Filter (EBL) ON
——— end of Flex 500 settings ———
Any help is appreciated to figure this out,
Kari / Tector
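The bounce above shows the failure mode exactly: Gmail evaluated the SPF record of company.fi against 213.xxx.yyy.194, the firewall's WAN port address, instead of the mail server's 1:1 NAT address 213.xxx.yyy.195, so no ip4 mechanism matched. The following is an added example, not code from the thread or from Zyxel, that evaluates the ip4/ip6/all mechanisms of an SPF record against a connecting IP; it assumes a constructed record in which 203.0.113.195 stands for the mail server's public IP and 203.0.113.194 for the WAN port IP.

```python
import ipaddress
import re

# Constructed SPF record for illustration; the real company.fi record is not on the page.
# It authorises only the mail server's 1:1 NAT public address, as a typical record would.
CONSTRUCTED_SPF = "v=spf1 ip4:203.0.113.195 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against client_ip.

    Returns the SPF result ("pass", "fail", "softfail", "neutral") of the first
    matching mechanism, "none" when nothing matches or the record is not SPF,
    "permerror" for an unparsable network, and "unsupported" when a mechanism
    that needs DNS lookups (a, mx, include, exists, ptr) is reached before a
    match, so the caller knows this offline verdict is incomplete.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)(ip4|ip6|all)(?::(.+))?", term, re.IGNORECASE)
        if m is None:
            if "=" in term:          # modifier such as redirect= or exp=; ignored here
                continue
            return "unsupported"
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            return QUALIFIERS[qual]
        try:
            net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
        except (ValueError, TypeError):
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qual]
    return "none"


if __name__ == "__main__":
    # Mail egressing via the 1:1 NAT address passes; egressing via the WAN port address fails.
    for src in ("203.0.113.195", "203.0.113.194"):
        print(src, "->", evaluate_spf(CONSTRUCTED_SPF, src))
```

Run against the real record (e.g. the TXT record returned by `dig +short TXT company.fi`) and the address Gmail reported in the bounce, the result tells you whether the problem is the record or, as here, the source address the firewall puts on outbound mail.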
Accepted Solution
You need to make the following routing rule
incoming LAN of 192.xxx.yyy.30
next hop WAN
SNAT 213.xxx.yyy.195
All Replies
Thank you!
This helped me to make working settings on our Flex 500 firewall. These might not be just the bare minimum settings, but at least sending emails to GMAIL addresses started working without problems.
On Firewall > Routing I made this rule.
Policy Route / Traffic Shaping:
Rule #1 LAN to WAN
Matching Criteria:
Source: 192.xxx.yyy.30
Destination: 213.xxx.yyy.195
Service: Any
Policy Route:
Type: Internet Traffic
Next-Hop: P2_WAN
Traffic Shaping:
Download Limit: Unlimited
Upload Limit: Unlimited
Priority: Highest(1)
Static Route:
Rule #1
Subnet: 192.xxx.yyy.0/24
Next Hop Type: Interface
Next Hop: P2_WAN
Metric(0-127): 1
Description: LAN to WAN
On Firewall > NAT I made this rule.
1:1 NAT:
Name: SN_LAN_to_WAN
Public IP: 213.xxx.yyy.195
LAN IP: 192.xxx.yyy.30
Uplink: P2_WAN
Allowed inbound connections
ENABLED
Protocol Both
Local Port: 1-65535
Remote IPs: ANY