JimC
just joined
Topic Author
Posts: 2
Joined: Thu Jul 12, 2007 10:18 pm

remove masquerade

Thu Jul 12, 2007 10:43 pm

Hello all,

At my new place of work they use a MikroTik 2.9.28 and I am trying to remove the masquerade that is set up on the NAT for the email server.

When I disable the masquerade, mail stops flowing and no matter how much swearing and kicking I do I can't get it to work.


In a nutshell, our MX record points to xx.xx.xx.20 and our internal server IP is yy.yy.yy.25

============
chain=dstnat dst-address=xx.xx.xx.20 protocol=tcp dst-port=0-65535 action=dst-nat to-addresses=yy.yy.yy.25 to-ports=0-65535
chain=srcnat out-interface=DataCenter dst-address=yy.yy.yy.25 action=masquerade


chain=forward out-interface=DataCenter dst-address=x.x.x.20 protocol=tcp dst-port=0-65535 action=accept
chain=forward out-interface=DataCenter dst-address=xx.xx.xx.20 connection-state=established action=accept
chain=forward out-interface=DataCenter dst-address=xx.xx.xx.20 action=drop

=============


Would someone be so kind as to tell me what I am missing to get mail flowing when the masquerade line is removed?

Thank you

JimC
 
Borage
Member Candidate
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: remove masquerade

Thu Jul 12, 2007 11:07 pm

Well, your MX record points to xx.xx.xx.20 and your mail server has the address yy.yy.yy.25. You have to change the MX record to yy.yy.yy.25, or change the mail server's IP address to xx.xx.xx.20.
 
JimC
just joined
Topic Author
Posts: 2
Joined: Thu Jul 12, 2007 10:18 pm

Re: remove masquerade

Thu Jul 12, 2007 11:27 pm

Well, your MX record points to xx.xx.xx.20 and your mail server has the address yy.yy.yy.25. You have to change the MX record to yy.yy.yy.25, or change the mail server's IP address to xx.xx.xx.20.

I want to use NAT to do this.

jim
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ
Contact:

Re: remove masquerade

Thu Jul 12, 2007 11:55 pm

I think I see the issue...

There are two types of NAT in question.
1) Masquerade (will use the address of the gateway pointing port). Sorry, no better way of wording it...
2) NAT. This is a one-to-one translation.

For services where a separate IP is available, I use NAT.
This will require a "SRC NAT" and a "DST NAT" (sometimes referred to as a "Full NAT").

Here is where it gets fun!!!

You MUST, MUST, MUST (I can't type that MUCH) remember that NAT happens FIRST...

Here is the process in a nutshell..

1) Assign an address to face the internet, i.e. 50.50.0.2/32 (assuming 50.50.0.1/8 is a standard class A range).
This would most likely be used on ether1 if it is the "WAN" interface.

2) Create a DST NAT for 50.50.0.1/32 with an action of "NAT" to the internal IP of 10.0.0.20/32, for example.
3) Create a SRC NAT for 10.0.0.20/32 with an action of NAT to the external address of 50.50.0.2.

The NAT has been created. (Place this above any NAT rules that NAT the internal network, i.e. NAT of 10.0.0.0/8 with action masquerade.) The "exception NAT" MUST happen first, or the outbound traffic will originate from a different address than the inbound, and the conversation will most likely fail.

You will then need to create filtering rules...
A good rule of thumb is to create your "chain" before you create the rule in the "Forward" section of the firewall.

The reason I mentioned the NAT happening first is this...

The filter rules will be written for the packets AFTER the NAT has taken place..
I.e. a filter that accepts port 80 traffic for 50.50.0.2 would actually look like this:

Chain=web src-address=0.0.0.0/0 dst-address=10.0.0.20 Action=Accept

Notice that I used the NATTED address and not the public address to work with the packet.
That is because the NAT happens first!! Before the firewall / filter processing.

I hope this helps...

Normis, Arnis, John... Please don't smack me if I forgot something...

What do you expect for nothing.... A rubber biscuit???? Bow... Bow... Bow....
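The 1:1 NAT the post above describes, written out against the addresses from the original question, as an added example (this is not configuration from the thread or from MikroTik's documentation). It assumes the public /32 xx.xx.xx.20 is routed to the router on interface DataCenter, that the mail server yy.yy.yy.25 uses this router as its default gateway, and that a general masquerade rule for the internal network already exists. It also narrows the original rules, which translated and accepted every TCP port (0-65535) to the internal host, down to SMTP only; exposing a whole internal server through a port forward is a common mistake when a rule is written to "just make it work".

```routeros
# Added example, not part of the original thread. Addresses are the thread's
# placeholders; the interface name LAN and the comments are assumptions.

# 1. Answer for the public address on the WAN side (skip if the ISP already
#    routes the /32 to an address that is on the router).
/ip address add address=xx.xx.xx.20/32 interface=DataCenter comment="mail public IP"

# 2. Inbound 1:1: translate only the service the server must offer (SMTP),
#    not the full 0-65535 range used in the original rule.
/ip firewall nat add chain=dstnat in-interface=DataCenter dst-address=xx.xx.xx.20 \
    protocol=tcp dst-port=25 action=dst-nat to-addresses=yy.yy.yy.25 to-ports=25 \
    comment="mail 1:1 in"

# 3. Outbound 1:1: traffic the server originates (outgoing mail) must leave
#    from the same public address, so this rule has to sit ABOVE the general
#    masquerade rule. place-before=0 puts it at the top of the srcnat list;
#    on an old release without place-before, add it and then
#    "/ip firewall nat move" it above the masquerade rule.
/ip firewall nat add chain=srcnat out-interface=DataCenter src-address=yy.yy.yy.25 \
    action=src-nat to-addresses=xx.xx.xx.20 comment="mail 1:1 out" place-before=0

# 4. Filter. dstnat runs before the forward chain, so the forward rule
#    matches the INTERNAL address, as the post above explains.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="replies for existing connections"
/ip firewall filter add chain=forward in-interface=DataCenter dst-address=yy.yy.yy.25 \
    protocol=tcp dst-port=25 connection-state=new action=accept comment="new SMTP to mail server"
/ip firewall filter add chain=forward in-interface=DataCenter connection-state=new \
    action=drop comment="everything else inbound from the datacenter link"
```

Two checks before removing the old masquerade rule: confirm with `/ip route print` on the mail server side (or on the server itself) that its default route goes through this router, because if replies leave through a different gateway the dst-nat/src-nat pair never sees the return traffic and the masquerade toward yy.yy.yy.25 was what hid that asymmetry; and after the change watch `/ip firewall connection print` for an inbound port 25 connection showing reply-dst-address of xx.xx.xx.20, which proves both halves of the translation are in effect.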
 
Borage
Member Candidate
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: remove masquerade

Fri Jul 13, 2007 12:47 am

There is obviously a reason why there is a masquerade rule to the destination address yy.yy.yy.25. The reason might be that the network/host on one side of your router is unknown for the other network, and if that is the case, you need a routing rule for that particular network/host.
