Solved

SMTP Port Forwarding Problem

Posted on 2006-06-16
27
1,086 Views
Last Modified: 2008-01-09
I have a Dell Poweredge SC430 server connected to a Netgear DG834 router via a Embedded Gigabit Ethernet Controller (Broadcom).  I'm trying to get SMTP port forwarding to work, so far without success.  The router's firewall rules are set correctly with inbound smtp (port 25) being routed to the server ip address and everything allowed on the outbound.

When an external site attempts to open the SMTP socket it gets no response.  I've run Netmon traces both on this system and also on another system and also on another working system.  This is what I see:

-> = inbound to server, <- = outbound from server

Working system:
-> (no data)
<- (no data)
-> (no data)
<- 220 domain.co.uk ....
then continues to successful conclusion

Failing system:
-> (no data)
<- (no data)
pause
-> (no data)
<- (no data)
pause
-> (no data)
<- (no data)
In this case the responses from the server show the following in the trace:
IP: Checksum = 0 (0x0) (Error)

I hope that gives enough to go on.  If not then I can post links to the Netmon trace files.

0
Comment
Question by:johnalphaone
  • 13
  • 6
  • 6
  • +1
27 Comments
 
LVL 7

Accepted Solution

by:
aseusainc earned 500 total points
ID: 16920232
You sure your ISP is not blocking port 25?
0
 

Author Comment

by:johnalphaone
ID: 16920501
No, the TCP packet reaches the router and the server.  
0
 
LVL 7

Expert Comment

by:aseusainc
ID: 16920623
If you telnet to the SMTP server on port 25 from another machine on the same LAN, everything works 100%?

If so, it sounds to me either the port forward is hosed (try deleting and recreatiing the rule on the NetGear), or possibly the NetGear router is hosed.  Try factory resetting it, and reconfigure it from scratch.  Also make sure it has the latest firmware.
0
 

Author Comment

by:johnalphaone
ID: 16920764
The inbound port forwarding is working ok.  The request shows in the trace and is exactly equivalent to the trace on the system that works.  It's the response to this request that doesn't traverse the router, presumably because if the ip checksum error.  

From other research I'm starting to think this is a checksum offload issue.  Anyone got any experience with that?
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16920991
Are you sure, your ACL on routers are correct.

Should your Server is sending packets with incorrect checksum, it won't be accessible from within the network.

Make sure you have applied ACL on one interface only of your router.

If not then you need to allow packets in both direction.
0
 

Author Comment

by:johnalphaone
ID: 16921158
It's a very simple ADSL broadband router.  There is no ACL.

The netmon trace shows ip checksum = 0 on all ip packets from the server network adapter.  It doesn't appear to be causing any problems for other devices within the local network.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16922051
Checksum should not be 0.

Are you taking netmon trace on the server itself.

0
 
LVL 30

Expert Comment

by:ded9
ID: 16922233
You need to give permission to port 25 that is being blocked by windows xp firewall or any other firewall you  have on your system. Thats it
Reps
0
 

Author Comment

by:johnalphaone
ID: 16924546
The netmon trace is on the server.  It's SBS2003, no firewall.
0
 
LVL 7

Expert Comment

by:aseusainc
ID: 16924649
Using multiple IPs on this NIC?
0
 
LVL 30

Expert Comment

by:ded9
ID: 16924790
Check this site for all your problems
www.portforward.com
Surely your problem will get resolved witin no time.

Reps
If you liked the above solution please appreciate my work by providing points
Thank you
0
 

Author Comment

by:johnalphaone
ID: 16925869
aseusainc , single IP on this NIC.

Reps, for the moment I'm working on the assumption that the ip checksum issue is the reason for the response not traversing the router, so I'd recommend you focus your efforts there if you want the points.

Here's a sample frame:
No.     Time        Source                Destination           Protocol Info
     80 4.680664    192.168.0.100         194.116.174.122       TCP      smtp > 50754 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

Frame 80 (78 bytes on wire, 78 bytes captured)
Ethernet II, Src: 00:13:72:09:e1:3f, Dst: 00:0f:b5:cb:53:ea
Internet Protocol, Src Addr: 192.168.0.100 (192.168.0.100), Dst Addr: 194.116.174.122 (194.116.174.122)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 64
    Identification: 0xfcaf (64687)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x0c0d)
    Source: 192.168.0.100 (192.168.0.100)
    Destination: 194.116.174.122 (194.116.174.122)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 50754 (50754), Seq: 0, Ack: 1, Len: 0
    Source port: smtp (25)
    Destination port: 50754 (50754)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 44 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 16384
    Checksum: 0xed79 (correct)
    Options: (24 bytes)
    SEQ/ACK analysis

0000  00 0f b5 cb 53 ea 00 13 72 09 e1 3f 08 00 45 00   ....S...r..?..E.
0010  00 40 fc af 00 00 80 06 00 00 c0 a8 00 64 c2 74   .@...........d.t
0020  ae 7a 00 19 c6 42 8d ab da ab bd 42 ea 85 b0 12   .z...B.....B....
0030  40 00 ed 79 00 00 02 04 05 b4 01 03 03 00 01 01   @..y............
0040  08 0a 00 00 00 00 00 00 00 00 01 01 04 02         ..............
0
 
LVL 30

Expert Comment

by:ded9
ID: 16926059
In your network connection right the connection got to tcp/ip properties enter the static ip , subnet mask, and default gateway and reboot computer.
Also put your router in DMZ mode and check whether now smpt socket gets a response. Also u can check this setting from a computer which is from an external network.

Reps
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:johnalphaone
ID: 16926195
Static ip , subnet mask, and default gateway are all set correctly and the server has been rebooted during the course of this investigation.  I don't want to use DMZ mode as that will require configuring a firewall on the server.
0
 

Author Comment

by:johnalphaone
ID: 16926218
Ok, from other research it appears that checksum offload can cause checksums to appear incorrect in network traces.  So that's a red herring.  

To reiterate, inbound port forwarding is workingcorrectly on the DG834 and this frame arrives:

No.     Time        Source                Destination           Protocol Info
     79 4.680664    194.116.174.122       192.168.0.100         TCP      50754 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1360 TSV=1841013042 TSER=0 WS=7

Frame 79 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: 00:0f:b5:cb:53:ea, Dst: 00:13:72:09:e1:3f
Internet Protocol, Src Addr: 194.116.174.122 (194.116.174.122), Dst Addr: 192.168.0.100 (192.168.0.100)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x4bb6 (19382)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 54
    Protocol: TCP (0x06)
    Header checksum: 0xc70a (correct)
    Source: 194.116.174.122 (194.116.174.122)
    Destination: 192.168.0.100 (192.168.0.100)
Transmission Control Protocol, Src Port: 50754 (50754), Dst Port: smtp (25), Seq: 0, Ack: 0, Len: 0
    Source port: 50754 (50754)
    Destination port: smtp (25)
    Sequence number: 0    (relative sequence number)
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 5840
    Checksum: 0x8287 (correct)
    Options: (20 bytes)
        Maximum segment size: 1360 bytes
        SACK permitted
        Time stamp: tsval 1841013042, tsecr 0
        NOP
        Window scale: 7 (multiply by 128)


The server responds with the following frame, but this does not traverse the router:

No.     Time        Source                Destination           Protocol Info
     80 4.680664    192.168.0.100         194.116.174.122       TCP      smtp > 50754 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

Frame 80 (78 bytes on wire, 78 bytes captured)
Ethernet II, Src: 00:13:72:09:e1:3f, Dst: 00:0f:b5:cb:53:ea
Internet Protocol, Src Addr: 192.168.0.100 (192.168.0.100), Dst Addr: 194.116.174.122 (194.116.174.122)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 64
    Identification: 0xfcaf (64687)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x0c0d)
    Source: 192.168.0.100 (192.168.0.100)
    Destination: 194.116.174.122 (194.116.174.122)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 50754 (50754), Seq: 0, Ack: 1, Len: 0
    Source port: smtp (25)
    Destination port: 50754 (50754)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 44 bytes
    Flags: 0x0012 (SYN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xed79 (correct)
    Options: (24 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 0 (multiply by 1)
        NOP
        NOP
        Time stamp: tsval 0, tsecr 0
        NOP
        NOP
        SACK permitted
    SEQ/ACK analysis

This starts to look to me like a router firmware issue.  Anyone have any other thoughts?
0
 
LVL 30

Expert Comment

by:ded9
ID: 16926312
have u tried DMZ
0
 

Author Comment

by:johnalphaone
ID: 16926336
I've already answered that.  I don't want to use DMZ mode as that will require configuring a firewall on the server.
0
 
LVL 7

Expert Comment

by:aseusainc
ID: 16926367
Lets back up and check the EASY things so as to determine WHERE the problem is.  I asked this earlier, but didn't see a reply:


If you telnet to the SMTP server on port 25 from another machine on the same LAN, everything works 100%?

If so, it sounds to me either the port forward is hosed (try deleting and recreatiing the rule on the NetGear), or possibly the NetGear router is hosed.  Try factory resetting it, and reconfigure it from scratch.  Also make sure it has the latest firmware.
0
 

Author Comment

by:johnalphaone
ID: 16926373
>> If you telnet to the SMTP server on port 25 from another machine on the same LAN, everything works 100%?
Yes

>> Try factory resetting it, and reconfigure it from scratch.  Also make sure it has the latest firmware.
I will try that when I get the opportunity at the client site.  However it's a newly purchased and freshly configured router, so it would be surprising if that made a difference.
0
 
LVL 30

Expert Comment

by:ded9
ID: 16926376
sure this is windows xp firewall issue as it blocking some specific ports.Allow ports in windows xp firewall .
Also try restoring your modem to factory setting and then portforward the specific port

try it
0
 

Author Comment

by:johnalphaone
ID: 16926510
ded9, windows xp isn't even involved here.  The server is running SBS 2003 with no firewall.  There is no modem, it's an ADSL router.  All of this has been answered before.
0
 
LVL 7

Expert Comment

by:aseusainc
ID: 16926612
The fact that you were able to telnet to an SMTP session from another PC on the same subnet lets us rule out the server, windows firewall, etc.  The only other possibility here would be a subnet restriction on the SMTP service.  Otherwise, the router is more than likely your culprit.

>>However it's a newly purchased and freshly configured router, so it would be surprising if that made a difference.

I use these $100 consumer level routers all the time in the field, NOTHING surprises me.  They do the oddest things for absolutely NO reason at all.  I feel your pain!  Guess we'll wait until you are able to check the firmware and do a factory reset/reconfigure to see where this goes...
0
 

Author Comment

by:johnalphaone
ID: 16926623
Thanks.  I've got another router which is known to work so if the reset doesn't solve it I'll swap that in.  That should finally finger the culprit.   I'll report back on Monday.
0
 
LVL 30

Expert Comment

by:ded9
ID: 16926624
there must a restore factory default setting in a router try it
0
 

Author Comment

by:johnalphaone
ID: 16949378
I haven't forgotten this, but it looks like it's now going to be the weekend before I get a chance to reset and swap out the router.
0
 

Author Comment

by:johnalphaone
ID: 16983681
At the weekend I brought the server and router to my own premises.  SMTP inbound all worked correctly.  Turns out that the ISP is blocking SMTP as suggested in the very first response from aseusainc.  Bizarrely the blocking only seems to affect the outbound response not the inbound request!

Thanks to all.
0
 
LVL 7

Expert Comment

by:aseusainc
ID: 16983706
Glad you got it figured out :)
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now