Thread: DSL Router issue

  1. #1
    Schotty (Moderator)

    DSL Router issue

    Okay -- I got a DSL router here at work. I need to bring my external IP to the NIC in my gateway. So if my WAN IP address is 1.2.3.4, the NIC in the gateway has that IP (1.2.3.4). I am not interested (I don't think) in IP mapping. This is for my email gateway, and from what I see, I need to make the NIC the WAN IP and have a crossover cable to my email server. Correct me if my logic is FUBAR. I was unsuccessfully attempting to forward the IP twice and that was not going to the mail server properly.

    TIA

  2. #2

    Re:DSL Router issue

    Is the router performing any sort of NAT or is there a firewall between you and the router? If your mail server is behind a NATTED connection, you will need to have your nameservers point all SMTP traffic to the external IP of your router or firewall (whatever your WAN IP is). Then your firewall or router will have to forward traffic from its port 25 to port 25 of your mail server. If you are not NATTING your connection, just make sure that port 25 is opened at your firewall for the destination IP of your mail server. That should be all there is to it. I don't see what a crossover cable will do for your scenario.

  3. #3
    Schotty (Moderator)

    Re:DSL Router issue

    Ya know, I thought that too. I originally had our DSL modem going to the Exchange/Proxy server. We had it mapped to the outside IP. With the OpenBSD gateway I threw together, that doesn't work. I had it mapping to the WAN port on the gateway and then the stuff all forwarded to the Exchange server. I am ready to try out a bridge to the gateway, and a second bridge to the Exchange (on the crossover cable).

    I am just sick and tired of screwing with this. Hint hint -- BlackICE Defender is the worst POS firewall I have ever seen. AVOID IT LIKE THE BLACK PLAGUE!!!!!!

  4. #4

    Re:DSL Router issue

    Your net setup sounds a little confusing. For instance, why do you have Exchange and Proxy on the same box? Is Proxy just a web cache or is it performing some sort of firewall function? Why would you use BlackICE to begin with when you have M$ Proxy in place already, if in fact you can use Proxy as a firewall? Why do you want an OpenBSD mail gateway if you already have an Exchange box? I would just keep it simple and do something like the following before you have your cables strung everywhere like a Play-Doh Fun Factory.

    This is what I would do with your existing hardware:

    Code:
    WAN -----> DSL Router ----> some sort of firewall (perhaps your OpenBSD box) -----> switch/hub (on the DMZ) ------> Exchange server (on the DMZ) ----> MS Proxy with its firewall capabilities turned on -----> LAN

    Your nameservers should have MX records sending mail to the external NIC of your firewall, not your router. The router plugs into your bastion (or exterior) firewall. This firewall plugs into a hub or switch connected to all your DMZ boxes. Separating the DMZ and the LAN should be your proxy server (take Exchange off it), which should NAT and firewall the LAN, as well as act as a web cache for LAN clients.

    Now, your router and exterior firewall should be live routable IPs. Your mail should be sent either 1) to your firewall's external IP, which will then forward it to your mail server, if your firewall is NATTING, or 2) all the boxes on your DMZ should have live routable IPs, but only those ports (DNS, SMTP, HTTP) that you want to be world accessible should be open at the firewall. In this case your MX records would reflect the live IP of your mail server.

    Your choke firewall (Proxy in this scenario) should drop everything bound for the LAN that is not a response to a client request. If you really want to relay mail through a mail gateway, just put the gateway on the DMZ, in place of the Exchange box. Have the firewall forward mail to the gateway. Put your Exchange box on the LAN and have the gateway relay mail to it. Do not allow the Exchange server to accept mail from anything but the gateway.

  5. #5
    Schotty (Moderator)

    Re:DSL Router issue

    Okay -- you are apparently confused by the way I spoke. My setup HAD the Exchange and Proxy client together. I won and got my way to split the servers up and make a dedicated internet gateway/firewall. The old setup ---- well, sucked major ass. Plus with the Exchange server constantly puking out -- the internet would be down half the day. Now I just have to get rid of Exchange and use qmail.

    So my setup is now like this

    DSL-> Gateway -> Lan
    DSL-> Gateway -> Exchange

    I actually have two DSL pipes. My problem was getting the routing of the mail packets to work properly.

    My current setup is this (without the proper nat.conf file yet):

    DSL (64.109.120.121) bridged to Gateway (64.109.120.121), which is again bridged to the new NIC I dropped in. The nat.conf is telling pf to (of course) bridge, but also forward only mail packets to the Exchange IP.

    We'll see I suppose if this method will suffice.

  6. #6

    Re:DSL Router issue

    Yeah, I guess I misread your response. My apologies. So you have two internal NICs in your BSD box? One goes to the LAN and another into your Exchange box? Is this right? How come your BSD box and your DSL router have the same IP address? Where do your MX records currently point? Right now I can telnet into your Exchange server using the above IP address you listed, so something must be working right.

  7. #7
    Schotty (Moderator)

    Re:DSL Router issue

    No, I have four NICs actually -- two for the DSL, one for the LAN, and another for the Exchange server. As for being able to telnet in -- that is good, since I have been fucking around and didn't WANT to apply any changes yet.

    As soon as I get the changes applied I will add an addendum to the last post I will have made. I suppose that at my current rate today, that is about 1 or 2 this afternoon. It's about 10:35 now :-\

    Hopefully the dual bridging will work. I had a guy helping me with the configuration in OpenBSD, and he recommended a way -- but it was unclear as to whether he wanted a bridge or an IP map. He didn't seem all that eager to help / or just poor in English, so I didn't push it after a while. I didn't want to piss off someone who obviously knew his shit. Plus the OpenBSD guys aren't the most friendly when it comes to help like this.

    From what he seems to have replied -- it was bring the IP to the gateway and map/bridge it to the new NIC I dropped in that goes to the gateway. Then instead of using a line from the mail server <-> DSL modem, make it go from the gateway to the Exchange server instead. I assume that it is mostly from a simpler logic and configuration aspect. This is a lot easier to do than the 3 NIC approach.

    I spent about 40 hrs (at least) on the 3 NIC approach. I have threads here and there and everywhere regarding it -- all pointing to ditch Exchange and do this and that with qmail. My boss just ain't letting me go that route. Sooooooo.... it comes to this...


    Thanks again for the tips. I'll update you on what the heck is up.


  8. #8

    Re:DSL Router issue

    I would definitely go with three NICs. One connecting the router to the gateway, one connecting the LAN and gateway, and one connecting your Exchange box and gateway. Unless of course you need to utilize both DSL connections.

                           -> exchange
                          /
    WAN -> DSL --> gateway
                          \
                           -> LAN

    I would have the gateway's external NIC NATTING all outbound connections and forwarding port 25, as mentioned earlier. Then I would build a firewall ruleset for the external NIC, as well as one for the NIC connecting the LAN to the gateway, so if anyone roots your Exchange box they won't be able to get through to your LAN so easily.
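
The ruleset idea in this post and in the DMZ layout of post #4 (the choke point drops everything bound for the LAN that is not a reply to a client request), written out as an added example. This is not the thread's own configuration: it is an OpenBSD 3.x era /etc/pf.conf for the three-NIC gateway sketched above, with the nat and rdr rules kept in a separate /etc/nat.conf as the thread does. The interface names, the LAN subnet and the port list are assumptions; only the Exchange address 192.168.2.2 comes from the posted file.

```pf
# Added example (not the thread author's ruleset): OpenBSD 3.x /etc/pf.conf for
# a three-NIC gateway. NIC names, lan_net and the port list are assumptions.
ext_if="xl0"                 # NIC facing the DSL router (assumed)
lan_if="ne4"                 # NIC facing the office LAN (assumed)
mail_if="ne1"                # crossover cable to the Exchange box (assumed)
lan_net="192.168.254.0/24"   # assumed LAN subnet
mail_host="192.168.2.2"      # Exchange box, as in the posted nat.conf
mail_ports="{ 25, 110, 143, 993, 995 }"   # assumed list of published services

# Default deny in both directions on every NIC. pf is last-match-wins unless a
# rule says "quick", so the pass rules below override this only where intended.
block in all
block out all

# Anti-spoofing on the outside NIC: nothing claiming a LAN or loopback source.
block in quick on $ext_if from $lan_net to any
block in quick on $ext_if from 127.0.0.0/8 to any

# The gateway (and NAT'd clients) may talk out; state carries the replies back.
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto icmp all keep state

# From the world, only the mail ports, and only to the host the rdr rules in
# nat.conf have already rewritten the destination to (translation runs before
# filtering). "flags S/SA" means only a real SYN may create state.
pass in on $ext_if proto tcp from any to $mail_host port $mail_ports flags S/SA keep state

# LAN clients may reach anything: the Internet via NAT, or the Exchange box.
pass in on $lan_if from $lan_net to any keep state
pass out on $lan_if from any to $lan_net keep state

# The Exchange box may answer what was passed above (matched by state) and may
# send outbound mail and DNS, but must never start connections into the LAN:
# the "quick" block matches before any pass rule for new mail_host -> LAN flows,
# which is what limits the damage if the Exchange box is rooted.
block in quick on $mail_if from $mail_host to $lan_net
pass in on $mail_if proto tcp from $mail_host to any port 25 flags S/SA keep state
pass in on $mail_if proto udp from $mail_host to any port 53 keep state
pass out on $mail_if from any to $mail_host keep state
```

The design choice is that every permitted flow is opened by exactly one stateful `pass in` rule on the interface where it starts, and the `block in quick` on the Exchange-facing NIC sits before those pass rules so that a compromised mail host cannot open anything new towards the LAN while replies to LAN-initiated or world-initiated connections still match their state entries. Check the file with `pfctl -n -R /etc/pf.conf` (parse only) before loading it.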

  9. #9
    Schotty (Moderator)

    Re:DSL Router issue

    We do need both DSL connections, so 4 NICs will be needed. As for the network topology --

    DSL __      ___ Exchange Server
          \    /         |
    DSL ---Gateway------LAN


    It's weird, but works. My ideal setup would be this:

    DSL __      ___ Server Subnet
          \    /
    DSL ---Gateway------LAN Subnet
              \
               ----- Outward Visible Subnet

    The gateway is always set up with a firewall. Now, I have no news to update you with as to how it is going, since at 11 am Wednesday, we noticed that no new mail was arriving and the DSL pipe was dead...

  10. #10
    Schotty (Moderator)

    Re:DSL Router issue

    Okay -- I am baffled. Here is my nat.conf file. Minor changes as far as layout. However I am getting the following error:

    Code:
    $ sudo pfctl -N /etc/nat.conf
    /etc/nat.conf:0: syntax error
    pfctl: syntax error in file: nat rules not loaded
    $

    How can a file that starts at line 1 have a line 0 error?
    I am not professing to be a god at this, but what the hell is wrong here?



    /etc/nat.conf contents
    Code:
    #Name the adapters to the above specifications
    MCLEOD="xl0"
    EXCHANGE="ne1"
    SBC="ne3"
    LAN="ne4"
    
    map $SBC 192.168.254.2/32 -> 64.109.120.121/32 proxy port 21 ftp/tcp
    map $SBC 192.168.254.2/32 -> 64.109.120.121/32 protmap tcp/udp 40000:60000
    map $SBC 192.168.254.2/32 -> 64.109.120.121/32
    
    # Redirect WAN ports for mail to LAN side
    rdr on $SBC from any to 64.109.120.121/32 port 25 -> 192.168.2.2 port 25
    rdr on $SBC from any to 64.109.120.121/32 port 110 -> 192.168.2.2 port 110
    rdr on $SBC from any to 64.109.120.121/32 port 143 -> 192.168.2.2 port 143
    rdr on $SBC from any to 64.109.120.121/32 port 220 -> 192.168.2.2 port 220
    rdr on $SBC from any to 64.109.120.121/32 port 585 -> 192.168.2.2 port 585
    rdr on $SBC from any to 64.109.120.121/32 port 993 -> 192.168.2.2 port 993
    rdr on $SBC from any to 64.109.120.121/32 port 995 -> 192.168.2.2 port 995
    rdr on $SBC from any to 64.109.120.121/32 port 22 -> 192.168.2.2 port 22
    
    # NAT Rules
    # Use the MCLEOD DSL pipe for LAN internet connectivity
    nat on $MCLEOD from $LAN to any -> $MCLEOD
    
    # Use the SBC DSL pipe for LAN internet connectivity
    # nat on $SC from $LAN to anu -> $SBC
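
The intent of the posted /etc/nat.conf, rewritten in pf's own translation syntax as an added example; this is not the thread author's file. The `map ... portmap` and `proxy port 21 ftp/tcp` lines in the posted file are IPFilter's ipnat.conf grammar, which pfctl does not parse, and a pf `rdr` that names ports needs an explicit `proto`. It also implements the port 25 forwarding described in posts #2 and #8. NIC names and addresses are the thread's; `lan_net` is an assumption, since `from $LAN` in pf means the NIC's own address rather than the network behind it.

```pf
# Added example (not the thread author's file): the posted nat.conf expressed
# in OpenBSD 3.x pf translation syntax, for loading with pfctl -N.
mcleod="xl0"      # first DSL pipe
exchange="ne1"    # crossover cable to the Exchange box
sbc="ne3"         # second DSL pipe, holding 64.109.120.121
lan="ne4"         # office LAN
sbc_addr="64.109.120.121"
mail_host="192.168.2.2"
lan_net="192.168.254.0/24"   # assumed LAN subnet (a network, not a NIC name)

# Outbound source NAT for the host the ipnat "map" lines covered. pf has no
# "portmap" clause (it chooses source ports itself) and no inline FTP proxy;
# active FTP through pf is done with ftp-proxy(8) behind an rdr instead.
nat on $sbc from 192.168.254.2/32 to any -> $sbc_addr

# Inbound mail services on the SBC address, redirected to the Exchange box.
# Translation rules that name a port must also name the protocol.
rdr on $sbc proto tcp from any to $sbc_addr port 25  -> $mail_host port 25
rdr on $sbc proto tcp from any to $sbc_addr port 110 -> $mail_host port 110
rdr on $sbc proto tcp from any to $sbc_addr port 143 -> $mail_host port 143
rdr on $sbc proto tcp from any to $sbc_addr port 220 -> $mail_host port 220
rdr on $sbc proto tcp from any to $sbc_addr port 585 -> $mail_host port 585
rdr on $sbc proto tcp from any to $sbc_addr port 993 -> $mail_host port 993
rdr on $sbc proto tcp from any to $sbc_addr port 995 -> $mail_host port 995
rdr on $sbc proto tcp from any to $sbc_addr port 22  -> $mail_host port 22

# LAN clients reach the Internet through the MCLEOD pipe; pf fills in the
# NIC's address for "-> $mcleod" when the rules are loaded.
nat on $mcleod from $lan_net to any -> $mcleod
```

Parse the file without loading it first with `pfctl -n -N /etc/nat.conf`; once it loads cleanly, `pfctl -s nat` shows the translation rules pf actually holds, which is the quickest way to confirm the rdr targets before testing port 25 from outside. The rdr rules only translate: the matching filter rules in pf.conf still have to pass the redirected traffic, with 192.168.2.2 as the destination, on the outside NIC.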
