Router not forwarding SMTP packets

I have tried telnet using port 25 (internal and external), the logs show the SMTP traffic hitting the router and the firewall rule being applied. the 220 banner doesnt appear, just recive a timeout error message.

There are no other settings that I can change on the router. The only option relating to port forwarding has been set. There is a custom services option page but as SMTP has already been defined as a service I cannot add a rule there.

I've tried rebooting the router.

Follow the article here: http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/eMule.htm

NOTE that sometimes there is a section for port forwarding and a section for firewall rules where BOTH MUST BE CONFIGURED.

Shaun

I have attached screenshots of the current configuration, the second shot shows the message you get if you try and define another service on port 25.

SMTP is already defined as a service in the router. private ip address 200.200.100.190 is our Sonicwall email security box.




 

the first screenshot was the wrong one, please see attached:

Do you think there could be a fault with the router?, or the isp is blocking some traffic perhaps...although smtp traffic seems to reach the router so i guess thats not the case

The Sonicwall's gateway needs to point to the Netgear Router.

87.127.3.49 is not a valid Private IP range address, which could be a problem.  The default range for the Netgear is 192.168.0.x.

200.200.100.190 is not in a valid Private IP range either.  You could get the situation where DNS sends traffic for these non-private IP's out to the Internet, rather than directed locally.

200.200.100.190 is a valid class C private ip address which we usa on our internal network. A valid Class C can be in the range: 192.0.1.1 to 223.255.254.254. It might be a slightly unusal address as most companys tend to use 192.168.X.X buts its still fine.

The sonicwall box is not a gateway as such it is a email spam filtering box, and SMTP traffic needs to be forwarded to this not the other way round, the sonicwall box then forwards clean email onto the email server.

Im aware 87.127.3.49  is not a private IP address, this is the public IP address of a firewall but as i said that second screenshot that i poseted was incorrect and is not how the router is currently configured.

See valid IP Address ranges here: http://www.computerhope.com/jargon/i/ip.htm

>200.200.100.190 is a valid class C private ip address

http://wq.apnic.net/apnic-bin/whois.pl
I tapped that number into the above link and got this output:-



% APNIC found the following authoritative answer from: whois.lacnic.net

% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2009-10-30 07:42:52 (BRST -02:00)

inetnum:     200.128/9
status:      allocated
owner:       Comite Gestor da Internet no Brasil
ownerid:     BR-CGIN-LACNIC
responsible: Frederico A C Neves
address:     Av. das Naýýes Unidas, 11541, 7ý andar
address:     04578-000 - Sýo Paulo - SP
country:     BR
phone:       +55 11 9119-0304 []
owner-c:     CGB
tech-c:      CGB
abuse-c:     CGB
inetrev:     200.128/9
nserver:     A.DNS.BR  
nsstat:      20091027 AA
nslastaa:    20091027
nserver:     B.DNS.BR  
nsstat:      20091027 AA
nslastaa:    20091027
nserver:     C.DNS.BR  
nsstat:      20091027 AA
nslastaa:    20091027
nserver:     D.DNS.BR  
nsstat:      20091027 AA
nslastaa:    20091027
nserver:     F.DNS.BR  
nsstat:      20091027 AA
nslastaa:    20091027
remarks:     These addresses have been further assigned to Brazilian users.
remarks:     Contact information can be found at the WHOIS server located
remarks:     at whois.registro.br or at http://whois.registro.br
created:     19950104
changed:     20020902

nic-hdl:     CGB
person:      Comite Gestor da Internet no Brasil
e-mail:      blkadm@NIC.BR
address:     Av. das Naýýes Unidas, 11541, 7ý andar
address:     04578-000 - Sýo Paulo - SP
country:     BR
phone:       +55 19 9119-0304 []
created:     20020902
changed:     20061004

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

That may be the case but our priavte IP address is behind a firewall/NAT which cannot be seen to the outside world and will not be routed on the internet so is doesnt matter if that address is in use on the public internet.

Is there a reason why you have to use the IP structure?

It would be interesting to see what happens if you tried using a 192.168 or 172.16 or 10.0 etc etc

Shaun

the IP structure has been used on the internal network for a number of years and hasnt caused issues before.

moorhouselondon: you just made an very interesting point...we have another internt connection (our main internet connection) which is forwarding SMTP packets onto our sonicwall email spam box (200.200.100.190) fine which likely proves that our ip address structure is not the problem. What i'm trying to achieve is a level of fault tolerence so that if our first internet connection fails then email is routed through our second internet connection. but the 2 routers for the two different internet connections (different ISP's) of course have different gateway address's....sorry i guess i should of explained a bit better in my orginal question.

SMTP uses TCP, which is a three way handshake protocol (a connection). This means that the server will need to have the DG set to the router.

Shaun

Yes, in fact resilience was how I stumbled upon this gotcha.  That's why I thought I would add my thoughts to this thread.  With a pc, it's easy, stick a net card in, but my brain's not in network topology mode this morning, so no quick answer from me on the sonicwall - unless you can do a diagram outlining where the sonicwall sits in relation to everything else.

Heres a quick diagram of our of where the sonicwall box is on our network:

do you think we would need to setup a computer with 2 Nic cards, one that listens on the private IP address of gateway 1 (router1) and the other nic listens on gateway 2 (router 2)?.

Looking at the settings on the sonicwall box theres an Network Architecture page....currently its set to  All in One (recommended for most deployments) but theres the option of setting it to: Split (for multi-datacenter deployments) maybe that might help although i think its meant to be if you have more than one sonicwall box. I think the sonicwall box only has one network card.

see digram of sonicwalls suggest split setup:

>do you think we would need to setup a computer with 2 Nic cards, one that listens on the private IP address of gateway 1 (router1) and the other nic listens on gateway 2 (router 2)?.

That would work I am pretty certain.  Unless Shaun has a better idea...

we already have 2 mx records setup....1 which goes through our main internet connection and one which goes through the second internet connection.

To enable all SMTP traffic to be directed to the sonicwall do you think SMTP traffic should be forwarded on from the 2 routers onto a computer with 2 nics and then the computer forwards the traffic onto the sonicwall box, would the computer need to have any smtp software installed to handle the traffic?

how can we ensure SMTP traffic from outside to in uses the same gateway if we have 2 internet connections with diferent public ip addreses (using different ISP) any suggestions would be great

>how can we ensure SMTP traffic from outside to in uses the same gateway if we have 2 internet connections with diferent public ip addreses (using different ISP) any suggestions would be great

The NIC's will have the Default Gateways pointing to the two different routers.  It doesn't matter that the ISP's are the same or different, because that only has an effect on the Public side of the router.  It is the MX record that does the routing for you.

>To enable all SMTP traffic to be directed to the sonicwall do you think SMTP traffic should be forwarded on from the 2 routers onto a computer with 2 nics and then the computer forwards the traffic onto the sonicwall box, would the computer need to have any smtp software installed to handle the traffic?

Thinking about it, there's still a problem here.  I think rather than have a pc which has two NIC's it would be easier to have two Sonicwalls, or configure the one Sonicwall for two gateways if that is a possibility.

i dont think its possbile to configure two gateways on the sonicwall box and dont really want to purchase another sonicwall box unless thats the only way. I guess other compnaies must have a method of providing a level of fault tolerence for email delivery.

so you think even useing a pc with 2 nic will still have issues?

Yes because SMTP traffic comes in on one NIC which points to its corresponding Gateway.  SMTP traffic comes in on the other NIC which points to its corresponding Gateway.  

Perhaps what's needed is a third NIC which points to the Sonicwall, with the Soniwall listening to traffic from that third NIC.  

Presumably a Proxy needs to route traffic from NIC1 to NIC3, and from NIC2 to NIC3.

Something like Mailgate should do the trick, but there are Shareware equivalents which will work.

Ok, to clarify do you mean perhaps setting up a computer with 3 nics, and this pc needs to have static public addreses?  and an MX record is point to the public ip address of this computer, the computer then forwards traffic from NIC 1 to NiC 3 and from NIC 2 to Nic 3?

if you could please clarify your suggested setup that might do the trick that would be great.

MX1 points to Public IP of NAT Router1
MX2 points to Public IP of NAT Router2

NAT Router1 -> pc NIC1 (static IP)
NAT Router2 -> pc NIC2 (static IP)

Proxy Gateway software in the pc routes pc NIC1 -> pc NIC3; and pc NIC2 -> pc NIC3

pc NIC3 (static IP)-> Sonicwall

ok thanks for this info thats a great help,

i guess the below are both static private (internal) IP addreses?
NAT Router1 -> pc NIC1 (static IP)
NAT Router2 -> pc NIC2 (static IP)

would you suggest mailgate for the proxy gateway software....this software: http://www.mailgate.com/  ?

>i guess the below are both static private (internal) IP addreses?
Yes

Mailgate is a bit pricey.  I'm sure it can be done with something Open Source, reliability is obviously important.

We have a Sonicwall TZ190 firwall which looks like it has another port labeld which can be used as another WAN port, maybe if our second internet connection is connected through this it can load balance between the 2 interent connections and route SMTP traffic through the second internet connection when the main internet connections is down. I guess this is a similar idea to what larger companies use, or some kind of hardware box that proxy's traffic from different internet conections.

http://www.smallnetbuilder.com/content/view/30099/109/

There seems to be some conflict in this review as to whether the device has two WAN ports, or one WAN port and an OPT port which is not used on this model.

Thanks for all your help. now have a better understanding of how SMTP traffic is handled.