Mail Server outgoing traffic fails with nethserver port forwarding

NethServer Version: 7
Module: port forwarding
At the moment I have problems with the outgoing packets of the mail server that is in the DMZ of my network.
All the packets from this server go out to the Internet through the public IP of the proxy; they must go out with the public IP assigned to the mail domain, which is configured as an alias IP on the red interface.
When the mail servers receive the packets, they ban me, since the packets come from another public IP.
What information can you provide me to arrive at a solution?
Sincerely,
Paul Criollo.
Peru

Does your ISP connection have more than 1 public IP?

Sorry, yes you have.

Do you have a CPE (router) provided by the ISP? Do you know how it’s configured?


Currently I have six public IPs: one for the proxy’s Internet output, one for the port forwarding of the mail server, and the others are free.

The provider configured us a Cisco router, we have a symmetrical line, our link is with fiber optics.

Maybe a couple of routes should be added to NethServer for the correct routing of incoming and outgoing packets, but my experience is only with Zyxel devices and a NAT…

@polcrito

Hi

I do have experience with multiple IPs… In your case, it would be VERY difficult.

Reason?

A Proxy In / Out needs to be a “default route”, as it needs to be able to access ALL of the Internet, only possible with a “default route”.

The same goes for mail. This also needs to be a “default route”.

As both services are running on the same NethServer, this is practically impossible. The GUI (Both) can’t really handle this kind of situation. It’s not as though you want to use each IP as a different provider, as in a form of Provider Failover…

The easiest solution would be to setup another NethServer as Proxy. This can easily be a virtualized NethServer. Here you would set the Gateway to the IP intended for the Proxy. (Gateway is the same as “default gateway”). The other NethServer, where the Mailserver is, would use the IP intended for mail as Default Gateway.

This will work, and save you a LOT of headaches.
It also solves a lot of problems with Intrusion Detection and other stuff, all of these services were intended for a server with a simple “default gateway”, maybe a few routes.

You “might” be able to “rape” the firewall, working with a load of CLI, but still I don’t think you can split up the routing by type of traffic… But you can spend days working on it - without getting a satisfactory, stable result…

My 2 cents
Andy

I could see that configuration in Palo Alto and Fortinet, but I don’t know how it’s done in NethServer 7.

Static Routes on NethGUI
https://docs.nethserver.org/en/v7/base_system.html#static-routes
Firewall and gateway on Cockpit
concepts
https://docs.nethserver.org/en/v7/firewall.html#firewall-section
application
https://docs.nethserver.org/en/v7/firewall2.html#firewall-new-section

I don’t know if these docs will help you; I did not look for Static Routes because usually I do not have more than 1 public IP.

@polcrito

Fortinet and Palo Alto don’t usually run mail services (AFAIK, they both CAN do Proxy, depending on model…)

-> The Problem is all three: Firewall, Proxy and Mail on the same hardware.

Fortinet and Palo Alto are professional Firewalls (A mite overpriced, IMHO…), like Cisco. They CAN do this kind of splitting.

Static Routes are more if you have several internal networks. Any static rule for any Network further unnamed (0.0.0.0) is called a default gateway. And there can only be one.

My 2 cents
Andy

I think there is an error in my explanation.
I use the NethServer as a perimeter firewall, HTTPS proxy, web filter, OpenVPN LAN-to-LAN and roadwarrior.
I have the interfaces for: External, Internal, DMZ and Guests, four physical interfaces.
On the red External interface I have a main public IP that gives Internet access to all my internal networks; on that card I have the other public IPs configured as aliases.
My mail server is a CentOS machine with Zimbra; this machine uses IPs from the DMZ segment.
The only failure is when the packets go out from my mail server: they carry the main public IP in the header and not the assigned published IP.
That is why the mail servers ban me and put me on blacklists.

@polcrito

The explanation of your network topology is sufficient, thanks. I understand the situation better; hope my advice is also “better”. :slight_smile:

OK, mail is separated…

Still, NethServer as such still has only one default gateway (Your “main public IP”).
The other public IPs on your NethServer are only aliases.

What you could try is to either:

A) Configure the mail IP as a 1:1 NAT, not the usual 1:many NAT commonly used (What your NethServer is using now…). The Mail-IP would be mapped directly to the mail server’s IP in the DMZ (Your Centos/Zimbra).

B) Set the IP and matching FQDN as outgoing in the config of Zimbra (HELO). A mail server “announces” itself with the HELO to another mail server (SMTP protocol). Now, if the IP or name don’t match the “real” sending IP, the receiving mail servers think “This guy is spoofing a legit IP, must be spam, we’ll block this guy…”.
See e.g. here:

You could also try implementing both… :slight_smile:

Hope this helps!

My 2 cents
Andy
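Added example (not from this thread or from NethServer’s own code) of the check behind option B: whether the HELO/EHLO name, the IP the mail really leaves from, and DNS (A and PTR records) agree, which is what the receiving side verifies. The host names and 203.0.113.x addresses are constructed sample data standing in for the setup described above; the `live_*` helpers are assumed wrappers around the system resolver for running the same check for real.

```python
import socket

# Constructed sample DNS data (assumption, not real zone data): 203.0.113.1 is the
# NethServer's main public IP (proxy egress), 203.0.113.10 the alias published for Zimbra.
SAMPLE_FORWARD = {"mail.example.org": {"203.0.113.10"},
                  "proxy.example.org": {"203.0.113.1"}}
SAMPLE_REVERSE = {"203.0.113.10": "mail.example.org",
                  "203.0.113.1": "proxy.example.org"}

def check_sender(helo_name, egress_ip, forward=SAMPLE_FORWARD.get,
                 reverse=SAMPLE_REVERSE.get):
    """Return the mismatches a receiving MTA sees between the HELO/EHLO name,
    the IP the connection really comes from, and DNS; [] means all agree.
    forward(name) -> set of IPv4 strings or None; reverse(ip) -> PTR name or None."""
    problems = []
    helo = helo_name.lower().rstrip(".")
    ptr = reverse(egress_ip)
    if ptr is None:
        problems.append(f"no PTR record for {egress_ip}")
    elif ptr.lower().rstrip(".") != helo:
        problems.append(f"PTR {ptr} does not match HELO {helo_name}")
    if egress_ip not in (forward(helo) or set()):
        problems.append(f"HELO {helo_name} does not resolve to {egress_ip}")
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if ptr is not None and egress_ip not in (forward(ptr.lower().rstrip(".")) or set()):
        problems.append(f"PTR {ptr} does not resolve back to {egress_ip}")
    return problems

def live_forward(name):
    """A-record lookup through the system resolver, for a real check."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return None

def live_reverse(ip):
    """PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

if __name__ == "__main__":
    # The thread's failure mode: mail leaves via the proxy's main IP, not the mail alias.
    print(check_sender("mail.example.org", "203.0.113.1"))
    # After the 1:1 NAT fix the mail server exits on its published IP.
    print(check_sender("mail.example.org", "203.0.113.10"))
```

For a real check, call `check_sender(helo, ip, forward=live_forward, reverse=live_reverse)` with the HELO name configured in Zimbra and the IP seen in a received mail's headers.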


I have already changed everything to 1:1 NAT. One question: must I open the ports of all my mail server on the NethServer?