Date:      Thu, 14 Apr 2005 13:59:11 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Kurt Buff <kurt.buff@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Routing question?
Message-ID:  <20050414185911.GI4842@dan.emsphone.com>
In-Reply-To: <425EA573.5080302@gmail.com>
References:  <425DAA56.7040707@spro.net> <20050414013943.GG4842@dan.emsphone.com> <425EA573.5080302@gmail.com>

In the last episode (Apr 14), Kurt Buff said:
> Dan Nelson wrote:
> >In the last episode (Apr 13), Kurt Buff said:
> >>I have a FreeBSD 5.3 box running
> >>postfix/amavisd-new/spamassassin/clamav. Currently, we have two
> >>entrances to our network, one is the Watchguard FBIII for our T1,
> >>the other is a PC running Win2k and Winproxy, serving our DSL line.
> >>The PC is starting to flake out, and I'd like to replace it with a
> >>Watchguard SOHO that we have lying around.
> >> 
> >>The default gateway for the FreeBSD box is pointed at the WG FBIII,
> >>as that's the way most of our email comes through.
> >>
> >>What the PC with Winproxy does is accept inbound email connections
> >>to our secondary MX, and presents them to the FreeBSD box. I'm
> >>assuming that the Winproxy program was doing something funky to
> >>make all of this happen, but I'm really set on replacing it. This
> >>has been working for a year or two, but lately the Winproxy program
> >>on the PC is falling over several times a day. It's not a hardware
> >>error - all other programs on the machine work just fine, but
> >>Winproxy is dying.
> >>
> >>When I hook up the SOHO, I can't get emails through the DSL line.
>
> Failure mode is that when I telnet to the external IP address of the
> soho on port 25, I get no answer. On the SOHO, I have port 25 set to
> allow inbound access, only to the IP address of the postfix box. It
> smells to me like what's happening is that the inbound packets are
> making it to and through the SOHO, but then the postfix box obeys its
> DG setting, and tries to send the responses out the FBIII, and they
> never make it back to the originating box.

That's possible, since the FBIII won't allow those outgoing packets
without having seen the full TCP handshake.

You could use ipfw fwd rules to force the outgoing packets to route via
the SOHO:

               ( Internet )

1.2.3.4/24  FBIII         SOHO   12.1.2.3/32   (external)
              |            |     192.168.111.1/24 (internal)
              |            |
              +--+--+--+---+
                    |
                   BSD

The BSD machine would have three IPs:

1.2.3.10  (mx1.host.com, primary incoming mail)
1.2.3.11  (mail.host.com, outgoing mail)
192.168.111.2 (secondary incoming mail)

mx2.host.com would be set to 12.1.2.3 and the SOHO would be told to
forward port 25 to 192.168.111.2.  If you add this ipfw rule to BSD:

    fwd 192.168.111.1 ip from 192.168.111.2 to any

, that should be enough to force all (and only) the DSL mail traffic
through the SOHO.
 
-- 
	Dan Nelson
	dnelson@allantgroup.com
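The mechanism Dan describes is source-based (policy) routing: the host's route lookup only considers the destination, so a reply sourced from 192.168.111.2 would still go to the default gateway (the FBIII), which drops it because it never saw the inbound side of that session. An ipfw fwd rule is evaluated before the kernel's route lookup and overrides the next hop for packets matching the source address. The following Python model is an added example, not code from the thread or from FreeBSD; it uses the addresses from the diagram above, and assumes 1.2.3.4 as the FBIII's inside address and 203.0.113.5 as a remote sending mail server. It shows the reply path with and without the fwd rule, and renders the rule as the ipfw command line you would actually add. (On FreeBSD 5.x the fwd action also required the IPFIREWALL_FORWARD kernel option.)

```python
"""Model of the BSD host's outbound routing decision, with and without an
ipfw 'fwd' rule.  Added example, not part of the original message.
Addresses 1.2.3.10, 192.168.111.1 and 192.168.111.2 come from the thread;
1.2.3.4 (FBIII inside address) and 203.0.113.5 (remote MX) are assumed."""
import ipaddress
from typing import List, NamedTuple, Optional

FBIII_GW = ipaddress.ip_address("1.2.3.4")        # default gateway (assumed address)
SOHO_GW = ipaddress.ip_address("192.168.111.1")   # SOHO, internal side
MX1 = ipaddress.ip_address("1.2.3.10")            # primary incoming mail address
MX2_INTERNAL = ipaddress.ip_address("192.168.111.2")  # address the SOHO forwards to
REMOTE_MX = ipaddress.ip_address("203.0.113.5")   # constructed remote sender


class Packet(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class FwdRule(NamedTuple):
    """Equivalent of: fwd <gateway> ip from <src_net> to any"""
    gateway: ipaddress.IPv4Address
    src_net: ipaddress.IPv4Network


# Destination-only routing table; gateway None means directly connected.
ROUTING_TABLE = [
    (ipaddress.ip_network("1.2.3.0/24"), None),
    (ipaddress.ip_network("192.168.111.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), FBIII_GW),
]

# The rule from the message: only traffic sourced from the DSL-side address.
DSL_RULES = [FwdRule(SOHO_GW, ipaddress.ip_network("192.168.111.2/32"))]


def next_hop(pkt: Packet, fwd_rules: List[FwdRule]) -> ipaddress.IPv4Address:
    """Return the gateway the packet is handed to.

    ipfw's outbound pass runs before the route lookup, so a matching fwd
    rule decides the next hop regardless of the routing table."""
    for rule in fwd_rules:
        if pkt.src in rule.src_net:
            return rule.gateway
    # Plain longest-prefix match on the destination.
    net, gw = max(
        ((n, g) for n, g in ROUTING_TABLE if pkt.dst in n),
        key=lambda entry: entry[0].prefixlen,
    )
    return gw if gw is not None else pkt.dst


def reply_delivered(pkt: Packet, fwd_rules: List[FwdRule],
                    inbound_via: ipaddress.IPv4Address) -> bool:
    """Both WatchGuards are stateful: an outbound packet is only passed by
    the gateway that saw the inbound side of the same session.  The reply
    therefore reaches the sender only if it leaves via that same gateway."""
    return next_hop(pkt, fwd_rules) == inbound_via


def ipfw_command(rule: FwdRule, number: int) -> str:
    """Render the rule as the command line to add it on the BSD box."""
    src = (str(rule.src_net.network_address) if rule.src_net.prefixlen == 32
           else str(rule.src_net))
    return f"ipfw add {number} fwd {rule.gateway} ip from {src} to any"


if __name__ == "__main__":
    dsl_reply = Packet(MX2_INTERNAL, REMOTE_MX)
    t1_reply = Packet(MX1, REMOTE_MX)
    print("without rule, DSL reply ->", next_hop(dsl_reply, []),
          "delivered:", reply_delivered(dsl_reply, [], SOHO_GW))
    print("with rule,    DSL reply ->", next_hop(dsl_reply, DSL_RULES),
          "delivered:", reply_delivered(dsl_reply, DSL_RULES, SOHO_GW))
    print("with rule,    T1 reply  ->", next_hop(t1_reply, DSL_RULES),
          "delivered:", reply_delivered(t1_reply, DSL_RULES, FBIII_GW))
    print(ipfw_command(DSL_RULES[0], 100))
```

The `src_net` match is deliberately the only selector, mirroring `ip from 192.168.111.2 to any`: mail arriving via the T1 is answered from 1.2.3.10 and is unaffected, which is the "all (and only) the DSL mail traffic" property the message relies on. A broader source match (for example the whole 192.168.111.0/24) would also pull the box's own outbound connections from that address through the SOHO, so keep the rule scoped to the forwarded address.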



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050414185911.GI4842>