w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Firewall + nat problem

Sat Jan 07, 2012 1:50 am

I hit a wall here:

What I want:

I have a useless Exchange server in a network which ofc costs an insane amount of money yet has no antispam and stuff, so what I am trying to do:

My postfix server from building A is the antispam, which will filter and then relay the mail to the Exchange.

What I am trying to do is: only accept mail on 25 from postfix, but allow SMTP connections on a different port for clients.

On the MK where the Exchange server is, I have the following NAT rules:

;;; EXchange 2525
chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=25 protocol=tcp in-interface=E1-Wan dst-port=2525

;;; EXchange 110
chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=110 protocol=tcp in-interface=E1-Wan dst-port=110

;;; EXchange 25
chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=25 protocol=tcp in-interface=E1-Wan dst-port=25


The filter rules:

;;; Accept smtp
chain=forward action=accept protocol=tcp in-interface=E1-Wan dst-port=2525

;;; Drop smtp unless from postfix
chain=input action=drop protocol=tcp src-address-list=!safe in-interface=E1-Wan dst-port=25

My problem is: with these 2 rules it blocks all ... I can't telnet on 2525 either.
Everything goes to the 2nd filter rule.
I am sure that only 1 rule must be changed or something; the minute I disable the 2nd rule all is fine. I can telnet from the postfix server without a problem.

Anyone got an idea on how I could change this so it will accept connections on 2525 while dropping on 25?


Thank you
 
LatinSuD
Member Candidate
Posts: 181
Joined: Wed Jun 29, 2005 1:05 pm
Location: Spain

Re: Firewall + nat problem

Tue Feb 07, 2012 9:05 pm

That's because the forward filter happens after dstnat (http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram, if you understand it), so port 2525 has already been translated to 25.

If you want to distinguish you could try with packet marking.

Leave dstnat the same.
/ip firewall mangle

;; Prerouting mangle happens before dst-nat, so it is valid for detecting the original port
;; (dst-port only matches together with protocol, hence protocol=tcp)
add chain=prerouting protocol=tcp in-interface=E1-Wan dst-port=2525 action=mark-packet new-packet-mark=port2525


/ip firewall filter

;; Accept specially marked smtp (the port is already 25 here, so match on the mark instead)
add chain=forward action=accept protocol=tcp in-interface=E1-Wan dst-port=25 packet-mark=port2525

;;; Drop smtp unless from postfix
add chain=input action=drop protocol=tcp src-address-list=!safe in-interface=E1-Wan dst-port=25
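A small Python model of the stage order LatinSuD describes (prerouting mangle, then dstnat, then forward filter), added here as an illustration; it is not code from the thread or from RouterOS. The addresses are constructed, and the model applies the "drop unless from postfix" rule in the forward stage, where the dst-nat'ed traffic is filtered, even though the posted rule says chain=input (an assumption of the model).

```python
from dataclasses import dataclass, field

# Constructed addresses: the postfix relay (address-list "safe") and an arbitrary client.
SAFE = {"203.0.113.5"}

@dataclass
class Packet:
    src: str
    dst_port: int
    in_iface: str = "E1-Wan"
    marks: set = field(default_factory=set)

def prerouting_mangle(p: Packet) -> None:
    """LatinSuD's mangle rule: mark while dst-port is still the original 2525."""
    if p.in_iface == "E1-Wan" and p.dst_port == 2525:
        p.marks.add("port2525")

def dstnat(p: Packet) -> None:
    """The thread's dst-nat rules: both :2525 and :25 land on the Exchange host at :25."""
    if p.in_iface == "E1-Wan" and p.dst_port in (2525, 25):
        p.dst_port = 25

def forward_original(p: Packet) -> str:
    """Original filter order: accept 2525, then drop 25 unless src is in 'safe'."""
    if p.in_iface == "E1-Wan" and p.dst_port == 2525:
        return "accept"  # never reached: dstnat already rewrote 2525 -> 25
    if p.in_iface == "E1-Wan" and p.dst_port == 25 and p.src not in SAFE:
        return "drop"
    return "accept"

def forward_marked(p: Packet) -> str:
    """Corrected filter: accept port-25 packets carrying the port2525 mark first."""
    if p.in_iface == "E1-Wan" and p.dst_port == 25 and "port2525" in p.marks:
        return "accept"
    if p.in_iface == "E1-Wan" and p.dst_port == 25 and p.src not in SAFE:
        return "drop"
    return "accept"

def verdict(src: str, dst_port: int, forward_chain) -> str:
    """Walk one inbound SYN through the stages in RouterOS order and return the verdict."""
    p = Packet(src, dst_port)
    prerouting_mangle(p)
    dstnat(p)
    return forward_chain(p)

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 2525), ("198.51.100.7", 25), ("203.0.113.5", 25)]:
        print(src, port, "original:", verdict(src, port, forward_original),
              "marked:", verdict(src, port, forward_marked))
```

Running it shows the client on 2525 being dropped under the original rules and accepted once the mark is used, while unmarked port-25 traffic from anything outside the safe list is still dropped.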
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Firewall + nat problem

Wed Feb 08, 2012 12:32 pm

Thanks for the reply, I will have to try it out.
