Exchange mailbox access on cell phones

Basic setup with hEX r3 as a router/firewall and wAP AC as a wireless.
Few NAT rules. Exchange server on the LAN network. Single subnet, DHCP on the Windows server.
Everything works great except one thing.

Users have Exchange mailboxes configured on the phones. Server address looks like mail.domain.com and points to the public IP of the office. When users are outside of the office and using their data plans, emails work fine. As soon as users are connected to the company wireless, phones cannot connect to the Exchange server.

Do I need to add a rule to allow phones to connect to the Exchange on the local network using public name/IP?

Thanks

https://wiki.mikrotik.com/wiki/Hairpin_NAT
-Chris

..or point your internal (Windows) DNS server (forward zone) so that mail.domain.com points to the internal IP of your mailserver.

Hair pin example. NAT works in conjunction with your firewall rules. Although the DNS suggestion sounds nice.


# Hairpin example
# 10.1.0.1 is the router
# 10.1.0.2 is your internal server

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=drop   comment="Drop all other input"

add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow Port forwards"
add chain=forward action=drop   comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether-WAN  comment="Default masq"
add chain=srcnat action=masquerade out-interface=bridge-LAN dst-address=!10.1.0.1 src-address=10.1.0.0/24 comment="Hairpin"
add chain=dstnat action=dst-nat    dst-address-type=local   dst-address=!10.1.0.1 to-addresses=10.1.0.2   dst-port=80 to-ports=80 protocol=tcp comment="Hairpin"
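
Added example, not part of the thread and not RouterOS code: a toy packet walk in Python showing why the "Hairpin" srcnat rule above is needed in addition to the dstnat rule. The router and server addresses come from the post; the public IP (203.0.113.10) and both client addresses are constructed placeholders.

```python
"""Toy model of the packet path through the NAT rules in the post above."""
ROUTER, SERVER = "10.1.0.1", "10.1.0.2"   # addresses from the thread's example
LAN_PREFIX = "10.1.0."                    # the thread's 10.1.0.0/24
PUBLIC_IP = "203.0.113.10"                # constructed placeholder for the office WAN IP
WIFI_PHONE = "10.1.0.50"                  # constructed: phone on the office wireless
LTE_PHONE = "198.51.100.7"                # constructed: phone on a data plan


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def router_forward(src, dst, hairpin_srcnat):
    """Apply the dstnat rule, then optionally the hairpin srcnat rule."""
    if dst == PUBLIC_IP:
        dst = SERVER                      # action=dst-nat to-addresses=10.1.0.2
    if hairpin_srcnat and on_lan(src) and on_lan(dst) and dst != ROUTER:
        src = ROUTER                      # action=masquerade out-interface=bridge-LAN
    return src, dst


def simulate(client, hairpin_srcnat):
    """Return (source address of the reply as the client sees it, accepted?)."""
    src, dst = router_forward(client, PUBLIC_IP, hairpin_srcnat)
    # The server answers the source address it saw on the request.
    reply_src, reply_dst = dst, src
    if reply_dst == ROUTER or not on_lan(reply_dst):
        # Reply passes back through the router, so connection tracking
        # reverses the translations and the client sees the public IP.
        reply_src, reply_dst = PUBLIC_IP, client
    # Otherwise the reply target is on the server's own subnet: the server
    # delivers it directly, the router never sees it, nothing is rewritten.
    # The client opened its connection to PUBLIC_IP, so a reply from any
    # other source does not match that connection and is rejected.
    return reply_src, reply_src == PUBLIC_IP


if __name__ == "__main__":
    for name, client in (("data plan", LTE_PHONE), ("office Wi-Fi", WIFI_PHONE)):
        for hairpin in (False, True):
            print(name, "hairpin srcnat:", hairpin, "->", simulate(client, hairpin))
```

Only the office Wi-Fi case without the srcnat rule fails, which matches the symptom in the original question.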

Hairpin rules fixed the issue.
Thanks, gentlemen!