Setting up router for e-mail

Hi all

I got an RB450G and want to use it as a firewall between the Internet and a mail server. I need to open specifically these ports and drop everything else:

Port 80 forwarded to mail server (for webmail)
SMTP
POP3
DNS

Can someone advise the correct commands?

Thanks

You’re giving very little info. This would be easier with more details.

So let’s assume that the public IP is going to be 1.1.1.2/24, and the default WAN gateway is 1.1.1.1, with public DNS servers at 2.2.2.2 and 3.3.3.3. The LAN address is 192.168.0.1/24 and the email server has a static IP of 192.168.1.2. The WAN interface has been renamed to ‘outside’, the LAN interface has been renamed to ‘inside’.

First, assign the router IP addresses.

/ip address
add address=1.1.1.2/24 interface=outside
add address=192.168.1.1/24 interface=inside

Then assign the default route

/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1

Then configure the DNS servers so the router can resolve names

/ip dns
set allow-remote-requests=yes servers=2.2.2.2,3.3.3.3

Then configure outbound source NAT and inbound port forwarding for tcp/53,80,25,110, and udp/53

/ip firewall nat
add chain=srcnat out-interface=outside action=masquerade
add chain=dstnat in-interface=outside protocol=tcp dst-port=53,80,25,110 action=dst-nat to-address=192.168.1.2
add chain=dstnat in-interface=outside protocol=udp dst-port=53 action=dst-nat to-address=192.168.1.2

Then configure firewalling so that the above ports can go through, and that the mail server itself can access the Internet without restrictions:

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=outside protocol=tcp dst-port=53,80,25,110 dst-address=192.168.1.2 action=accept comment="dst-nat'd mail/web/DNS traffic to the mail server"
add chain=forward in-interface=outside protocol=udp dst-port=53 dst-address=192.168.1.2 action=accept comment="dst-nat'd UDP DNS to the mail server"
add chain=forward in-interface=inside action=accept
add chain=forward action=drop

Then also configure firewall rules to protect the router itself and allow administration only from 192.168.1.0/24:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=inside action=accept
add chain=input action=drop
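Before committing a rule set like the one above to a router you can lock yourself out of, it is worth walking it offline. The following is an added example, not code from the thread or from MikroTik: a small Python evaluator that parses the `add ...` lines as written above, applies RouterOS first-match semantics per chain (first matching terminal rule decides; a packet matching nothing is accepted), reports ports the dstnat chain forwards inbound that the forward chain never accepts, and shows what the input chain does with a Winbox (tcp/8291) connection from each side. The embedded rule sets are constructed for the example, with a forward accept that deliberately omits port 53 so the check has something to find; the interface names `outside`/`inside` and the trailing explicit drops follow the post above, and only the matchers used in the thread are understood.

```python
"""Offline first-match evaluator for RouterOS-style /ip firewall rules.

Added example for this thread, not code from the original post or from
MikroTik. It parses "add ..." lines as written in the thread, walks a chain
top to bottom the way RouterOS does (the first matching terminal rule
decides; a packet that matches nothing is accepted), and flags ports that
the dstnat chain forwards inbound but the forward chain never accepts.
Only the matchers used in the thread are understood.
"""
import shlex

LIST_KEYS = {"dst-port"}          # matchers that take a comma-separated list
TERMINAL = {"accept", "drop", "reject"}


def parse_rules(text):
    """Turn 'add chain=... action=...' lines into dicts; dst-port becomes a set of ints."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue                   # skip the "/ip firewall ..." menu line
        rule = {}
        for tok in shlex.split(line[4:]):
            key, _, value = tok.partition("=")
            rule[key] = {int(p) for p in value.split(",")} if key in LIST_KEYS else value
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """A rule matches when every matcher it specifies agrees with the packet."""
    for key in ("chain", "in-interface", "protocol", "connection-state"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dst-port" in rule and pkt["dst-port"] not in rule["dst-port"]:
        return False
    return True


def verdict(rules, pkt):
    """First matching terminal rule wins; RouterOS accepts what falls off the end of a chain."""
    for rule in rules:
        if rule.get("action") in TERMINAL and matches(rule, pkt):
            return rule["action"]
    return "accept"


def unreachable_dstnat_ports(nat_rules, filter_rules, iface="outside"):
    """(protocol, port) pairs dst-nat'd from iface whose first packet the forward chain drops."""
    missing = []
    for r in nat_rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        for port in sorted(r.get("dst-port", ())):
            pkt = {"chain": "forward", "in-interface": r.get("in-interface", iface),
                   "protocol": r["protocol"], "dst-port": port, "connection-state": "new"}
            if verdict(filter_rules, pkt) != "accept":
                missing.append((r["protocol"], port))
    return missing


def winbox_verdict(filter_rules, iface):
    """What the input chain does with a new Winbox (tcp/8291) connection arriving on iface."""
    return verdict(filter_rules, {"chain": "input", "in-interface": iface, "protocol": "tcp",
                                  "dst-port": 8291, "connection-state": "new"})


# Constructed rule sets modelled on the thread. The forward accept deliberately omits
# port 53 so that the check below has something to report.
NAT = parse_rules("""
/ip firewall nat
add chain=srcnat out-interface=outside action=masquerade
add chain=dstnat in-interface=outside protocol=tcp dst-port=53,80,25,110 action=dst-nat to-address=192.168.1.2
add chain=dstnat in-interface=outside protocol=udp dst-port=53 action=dst-nat to-address=192.168.1.2
""")

FILTER = parse_rules("""
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=outside protocol=tcp dst-port=80,25,110 action=accept
add chain=forward in-interface=inside action=accept
add chain=forward action=drop
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=inside action=accept
add chain=input action=drop
""")

if __name__ == "__main__":
    print("dst-nat'd but dropped in forward:", unreachable_dstnat_ports(NAT, FILTER))
    for iface in ("inside", "outside"):
        print(f"Winbox from {iface}:", winbox_verdict(FILTER, iface))
```

Running it reports tcp/53 and udp/53 as forwarded by NAT but dropped by the forward chain, which is exactly the kind of gap that only shows up in production as "DNS doesn't work". The Winbox check is the one to run against your own edited rules before pressing Enter on the final `chain=input action=drop`: if the interface you manage from is not the one named in the accept rule, the evaluator says "drop" and the real router will too. It does not model MAC-Winbox, which bypasses the IP firewall, so a router that is still visible in the Winbox neighbour list but unreachable by IP is consistent with an input chain that drops your management traffic.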

Hello again. I followed all of your steps but now I cannot connect to the router anymore :(

Funnily enough I can ping it, and from Winbox I can even see it in the list with its MAC address, however it's not allowing me into its configuration… even using Internet Explorer… looks like it's blocking me.

Any idea how I could be able to get in without having to hard reset it again?

Thanks

Did you replace any of the IP addresses as required? What I posted would lock down access to only be possible from 192.168.1.0/24.

Yes, I changed the IPs accordingly. I could ping the internal interface but could not connect to it with Winbox or IE… it seems that after entering those commands the router got isolated and could not accept connections?

It shouldn't have, as long as the commands were edited right.

Access it via serial console and look at firewall rules.