Masquerading masking outside hosts

I run mailscanners that are set to accept traffic coming from our private network. I just put in a 450g box to route traffic to the scanners and all is working well, except all inbound messages say they originated from my private IP, rather than the true public IP as the source. Spammers are getting through in droves now because of this. Is there a way to set dst-nating so the originating IP info is passed to my scanners instead of my private IP?

Yes, don’t masquerade that traffic. You have too generic a source NAT rule. Make it more specific based on in-interface or dst-address. If you’re not sure how, post the output of “/ip firewall nat export” and a network diagram with ports and IP address scheme.

Duh.. Not sure why I used the word “masquerade”. I forwarded port 25 from one public IP to a private IP on port 25.

Here is the header of the message from my mailscanner:

IP Address Hostname Country RBL Spam Virus All
10.10.1.2 gateway-1.domainname.org (GeoIP Lookup Failed)

It should show all the IPs the mail traversed to get to my scanner, not the private IP of my router.

This is the line I used to create the nat rule:

/ip firewall nat add chain=dstnat dst-address=public IP protocol=tcp dst-port=25
action=dst-nat to-addresses=10.10.1.94 to-ports=25

Right. You appear to also have a masquerade rule that causes that. Post the output of the command I requested.

add action=masquerade chain=srcnat comment="" disabled=no
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.24 dst-port=25 protocol=tcp to-addresses=10.10.4.22 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.11 dst-port=25 protocol=tcp to-addresses=10.10.4.20 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.17 dst-port=25 protocol=tcp to-addresses=10.10.4.20 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.18 dst-port=25 protocol=tcp to-addresses=10.10.4.20 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.3 dst-port=25 protocol=tcp to-addresses=10.10.4.20 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.22 dst-port=80 protocol=tcp to-addresses=10.10.4.25 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.17 dst-port=80 protocol=tcp to-addresses=10.10.4.3 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.11 dst-port=80 protocol=tcp to-addresses=10.10.4.20 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.4 dst-port=25 protocol=tcp to-addresses=10.10.4.22 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.3 dst-port=80 protocol=tcp to-addresses=10.10.4.72 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.4 dst-port=3389 protocol=tcp to-addresses=10.10.4.70 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.4 dst-port=5500 protocol=tcp to-addresses=10.10.4.70 to-ports=5500
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.4 dst-port=5900 protocol=tcp to-addresses=10.10.1.94 to-ports=5900
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.lic.ip.3 dst-port=143 protocol=tcp to-addresses=10.10.4.13 to-ports=143

Got it fixed by specifying the outbound interface.

Thanks for the reply
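
The fix in this thread was to scope the masquerade rule to the outbound interface. As an added example (not code from any poster in the thread), this Python script checks the text of a "/ip firewall nat export" for enabled srcnat rules that have no scoping matcher, the condition that made every forwarded SMTP connection appear to come from the router. The sample export, the address 203.0.113.24 and the interface name ether1-wan are constructed, and the set of matchers treated as scoping is an assumption of the example.

```python
import shlex

# Matchers treated as narrowing a srcnat rule (an assumption of this example).
SCOPING = {"out-interface", "out-interface-list", "src-address",
           "src-address-list", "dst-address", "dst-address-list"}

def parse_export(text):
    """Return one {property: value} dict per 'add' line, joining '\\' continuations."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # export wraps long rules with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line.startswith("add "):
            continue
        props = {}
        for token in shlex.split(line)[1:]:
            key, sep, value = token.partition("=")
            if sep:
                props[key] = value
        rules.append(props)
    return rules

def unscoped_srcnat(rules):
    """Enabled srcnat masquerade/src-nat rules that match traffic in every direction."""
    return [r for r in rules
            if r.get("chain") == "srcnat"
            and r.get("action") in ("masquerade", "src-nat")
            and r.get("disabled", "no") != "yes"
            and SCOPING.isdisjoint(r)]

# Constructed sample: the catch-all masquerade rule plus one SMTP port forward.
SAMPLE_BEFORE = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=\
    203.0.113.24 dst-port=25 protocol=tcp to-addresses=10.10.4.22 to-ports=25
'''
# Same export after scoping the rule to a hypothetical WAN interface name.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "chain=srcnat", "chain=srcnat out-interface=ether1-wan")

if __name__ == "__main__":
    for label, export in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = unscoped_srcnat(parse_export(export))
        print(label, "unscoped srcnat rules:", len(hits))
```
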