USG Flex 500 doesn't connect to mail server
I recently moved from a Flex 100 to a Flex 500, and carefully (I hope) copied across all the settings. That all went fine, with one exception. We run a mail server called VPOP3. Mostly that just serves clients on the local net, but it should also serve external mail clients. To do that I've created a NAT rule which allows external connections to the WAN address port 143 to be redirected to the mail server:143. There's also a firewall rule to let that port 143 traffic through. Setups for the NAT rule and the firewall rules are attached.
That seems to work; the log shows this:
But the mail server doesn't respond. I had assumed that once a request packet was through the firewall and forwarded to the mail server it would be treated just like an internal request from a machine on the LAN, but that appears not to be the case.
What am I missing, please?
Many thanks
David
All Replies
If it was working fine on FLEX100 the 500 should work in the same way.
Not sure if maybe you need NAT loopback checked for that NAT rule?
It would seem that you do if the address to 143 is WAN IP to then loopback to internal mail server.
Or setup DNS on your internal LAN to point to mail server to its LAN IP.
Unless your problem is external to internal? In which case it's another problem?
Does the mail server have two WAN NICs or just the one?
Does the FLEX500 have more than one WAN interface?
If you Wireshark on the mail server, do you see a TCP SYN to server port 143 but no SYN,ACK out from 143?
-
The previous router had NAT loopback ticked, and that's how the new one is set also.
The Mail server has its IP defined under "IPv4 Address Configuration"
Mail server has multiple NICs, which are teamed with a single address of 10.10.1.101
FLEX 500 has only a single WAN interface connected. That seems to be fine, as the email packet arrives, is NATed and passed through.
Wireshark is not something I've ever used seriously, a very steep learning curve.
-
Taking everything at face value, everything on the USG is done correctly; auto SNAT will use the default trunk, which, being only one WAN, can only go out that one. The TCP SYN should be getting to the server, which really only leaves the server to be the problem? Unless the server has no gateway set on it? Or somehow the firewall on the server is blocking it? Or maybe a switch between the server and USG has some ACL MAC blocking, since the new USG has a new MAC?
-
The server has a gateway properly set, Windows firewall is disabled on the mail server at the moment, and there's nothing else on the server to block network traffic. No MAC blocking anywhere. And the incoming email client messages don't seem to reach the server at all, trying to telnet from outside to mailserver:143 fails.
Next thing is to swap the old router back in, I think, and see what happens.
-
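The troubleshooting in this thread boils down to one question asked two ways: Peter's "do you see a SYN but no SYN,ACK" and David's "telnet from outside to mailserver:143 fails". The script below is an added example, not part of the thread or of Zyxel's or VPOP3's software, that turns that telnet test into a repeatable check: it attempts a TCP connection to the published port, reads the IMAP greeting if one arrives, and classifies the outcome (open, refused, filtered, unreachable) so you can tell which stage of the WAN-to-NAT-to-firewall-to-server chain is likely at fault. The host name, the constructed greeting text and the built-in fake listener are all assumptions made for an offline demonstration.

```python
import socket
import threading

IMAP_PORT = 143  # the port forwarded by the NAT rule in the thread


def probe_tcp(host, port, timeout=3.0):
    """Connect to host:port and classify the result like a manual telnet test.

    Returns a dict with 'state' in {open, refused, filtered, unreachable}
    and 'banner' holding whatever the service sent first (IMAP sends a
    '* OK ...' greeting before the client says anything).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # connected, but the service stayed silent
            return {"state": "open", "banner": banner}
    except ConnectionRefusedError:
        # A host answered with RST: the packet reached a machine, but
        # nothing is listening on that port there.
        return {"state": "refused", "banner": ""}
    except socket.timeout:
        # No SYN,ACK and no RST: dropped or never routed back.
        return {"state": "filtered", "banner": ""}
    except OSError as exc:
        # e.g. "Network is unreachable": local routing problem, not the target.
        return {"state": "unreachable", "banner": str(exc)}


def explain(result):
    """Map a probe result onto the chain discussed in the thread."""
    state = result["state"]
    if state == "open":
        if result["banner"].startswith("* OK"):
            return "NAT, firewall and server all fine: IMAP greeting received."
        return "TCP reaches a listener, but it is not speaking IMAP; check the DNAT target."
    if state == "refused":
        return ("A host received the SYN but nothing listens on the port: "
                "DNAT points at the wrong internal IP, or the mail service is down.")
    if state == "filtered":
        return ("SYN never answered: firewall/NAT rule not matching, host firewall "
                "on the server, missing default gateway (SYN arrives, SYN,ACK cannot "
                "return), or a broken NIC team on the server.")
    return "Could not even send the SYN from here: " + result["banner"]


def start_fake_imap(greeting=b"* OK constructed test IMAP greeting\r\n"):
    """Constructed stand-in for the mail server so the probe runs offline.

    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    # Offline demo against the constructed listener; in real use call
    # probe_tcp("<your WAN address>", IMAP_PORT) from outside the LAN.
    port, stop = start_fake_imap()
    result = probe_tcp("127.0.0.1", port)
    stop.set()
    print(result["state"], "-", explain(result))
```

Run it from an external network against the WAN address first; if that reports "filtered", repeat from a LAN host against 10.10.1.101 directly. A direct probe that succeeds while the external one fails narrows the fault to the NAT/firewall rules; a direct probe that also fails points at the server itself, which is where this thread ended up (the teamed NICs).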
I think I've found it. The multiple NICs on the mail server are teamed, using a Microsoft driver. I've had some problems with this driver before, so I uninstalled it, then reinstalled it, and at present I think my problems have gone away. For some reason the Intel teaming stuff doesn't seem to work (Server 2016).
Thanks to Peter for making me think through the whole chain again, and find a weak link.
David