Proper dst-nat for SMTP server

Hello community,
I'd highly appreciate it if someone could suggest a possible optimization for the following case.
Given task: a Mikrotik hAP ax3 in front and an Exim SMTP server behind it. Routing is done using a dstnat rule; here's the rule chain:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Web/mail server port forwarding" dst-address-list=WAN_IP dst-port=80,443,25,465,993,143 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.110
add action=accept chain=srcnat out-interface-list=LAN src-address=192.168.10.80-192.168.10.99
add action=src-nat chain=srcnat comment="LAN NAT masquerade" out-interface-list=WAN src-address=192.168.10.0/24 to-addresses=<WAN_IP>
add action=src-nat chain=srcnat comment="Guest NAT masquerade" out-interface-list=WAN src-address=192.168.11.0/24 to-addresses=<WAN_IP>

Comments
192.168.10.1 - Internal IP of Mikrotik router
192.168.10.110 - Internal IP of SMTP server
192.168.10.80-192.168.10.99 - pool of VPN client IPs
WAN_IP - external static IP of the router

Problem description: with the current settings the average connection time to the SMTP server is about 5-6 seconds, and it is too long for some SMTP clients, hence they interrupt the connection with a timeout. By trial and error it was found that with the introduction of the NAT rule

add action=masquerade chain=srcnat comment="Masquerade all other LAN traffic" out-interface-list=LAN

the connection time drops to only tenths of a second, but the drawback is of course that the external clients' IPs are masked with the router's internal IP:

Example:
Here's the result of the test when the rule "Masquerade all other LAN traffic" was disabled:
2025-02-28 00:59:07 H=keeper-us-east-1d.mxtoolbox.com [18.209.86.113] sender verify fail for <supertool@mxtoolboxsmtpdiag.com>: all relevant MX records point to non-existent hosts
2025-02-28 00:59:07 H=keeper-us-east-1d.mxtoolbox.com [18.209.86.113] F=<supertool@mxtoolboxsmtpdiag.com> rejected RCPT <test@mxtoolboxsmtpdiag.com>: relay not permitted

And here, when it was enabled:
2025-02-28 01:00:21 H=<my.router.name> (keeper-us-east-1d.mxtoolbox.com) [192.168.10.1] sender verify fail for <supertool@mxtoolboxsmtpdiag.com>: all relevant MX records point to non-existent hosts
2025-02-28 01:00:21 H=<my.router.name> (keeper-us-east-1d.mxtoolbox.com) [192.168.10.1] F=<supertool@mxtoolboxsmtpdiag.com> rejected RCPT <test@mxtoolboxsmtpdiag.com>: relay not permitted

Can you suggest any best practice to keep the connection speed and retain the clients' original IP addresses?
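An added check, not part of this thread or of Exim itself: a small Python audit over Exim mainlog lines in the format quoted above. It flags connections whose recorded peer IP is the router's internal address (192.168.10.1 is assumed as the gateway) or any other private address, i.e. cases where masquerading has hidden the real client so the mail server's IP-based checks (RBL, SPF, per-host rate limits) no longer see it.

```python
import ipaddress
import re

# Exim's peer field: "H=host [ip]" or "H=host (helo-name) [ip]".
PEER_RE = re.compile(
    r"H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

# Constructed sample: the two cases from the post, one without and one with
# the "Masquerade all other LAN traffic" rule active.
SAMPLE_LOG = [
    "2025-02-28 00:59:07 H=keeper-us-east-1d.mxtoolbox.com [18.209.86.113] "
    "F=<supertool@mxtoolboxsmtpdiag.com> rejected RCPT <test@mxtoolboxsmtpdiag.com>: relay not permitted",
    "2025-02-28 01:00:21 H=<my.router.name> (keeper-us-east-1d.mxtoolbox.com) [192.168.10.1] "
    "F=<supertool@mxtoolboxsmtpdiag.com> rejected RCPT <test@mxtoolboxsmtpdiag.com>: relay not permitted",
]


def parse_peer(line):
    """Return {'host', 'helo', 'ip'} for an Exim log line, or None if it has no peer field."""
    m = PEER_RE.search(line)
    return m.groupdict() if m else None


def masked_by_nat(line, gateway_ip="192.168.10.1"):
    """True when Exim recorded the internal gateway (or any private address)
    instead of the real client: source NAT erased the address that RBL, SPF
    and per-host ACLs depend on."""
    peer = parse_peer(line)
    if peer is None:
        return False
    return peer["ip"] == gateway_ip or ipaddress.ip_address(peer["ip"]).is_private


def audit(lines, gateway_ip="192.168.10.1"):
    """Count masked vs. total inbound connections and collect the HELO names
    that arrived via the gateway (the only client identity left in the log)."""
    masked, total, helos = 0, 0, []
    for line in lines:
        peer = parse_peer(line)
        if peer is None:
            continue
        total += 1
        if masked_by_nat(line, gateway_ip):
            masked += 1
            helos.append(peer["helo"])
    return masked, total, helos


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run it against a real mainlog with `audit(open("/var/log/exim4/mainlog").readlines())`; a non-zero masked count means the masquerade rule is in effect for inbound mail.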

I see errors and problems, but I will not comment without seeing the complete config for context:
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys)

This line is weird

add action=accept chain=srcnat out-interface-list=LAN src-address=192.168.10.80-192.168.10.99

If you want to control the guest WAN IP from the src-nat, then control it; stop messing around:

add action=src-nat chain=srcnat comment="Guest SRC-NAT to some WAN IP" src-address=192.168.10.80-192.168.10.99 to-addresses=<SOME_WAN_IP>

Thanks for your answer. Here it is:
last_config.rsc (18.5 KB)
Please highlight the incorrect config.

Thanks for your comment.
That IP pool is dedicated to VPN clients only.

I see that you are allergic to vlans, which would be the most efficient process to use with the AX3.
Two bridges is not recommended.

My advice is twofold:
a. remove the second bridge, make the bridge subnet another vlan, and go from there
b. temporarily take ether5 off the bridge, give it an IP address and configure the router from the port safely off any bridge while configuring,
c. remove all the bloatware firewall rules…

Otherwise…
I am not sure how there can be four pools but only two dhcp-servers (two bridges) and two IP addresses (okay, take one away for VPN, that still leaves one extra??)


Unable to assist further, because I don't understand the interaction of setting up bridges and vlans when it's all done in datapath with two bridges and bridge filtering; too complex for me.
This certainly indicates an issue…
add bridge=bridge1-LAN interface=*12

My advice is to use wifi JUST for wifi and drop bridge filtering LOL.