krusty
New Member
October 24, 2017
Question

Block outbound email traffic using policy routes

  • October 24, 2017
  • 1 reply
  • 3553 views

Hi,

I currently have a dual WAN configuration with policy routes directing outbound traffic from 3 servers over wan1 (static public IP) and all other traffic load balanced over wan1 and wan2 (dynamic public IP).

The problem I have is if wan1 drops then all traffic is directed over wan2 and this is causing email to be dropped due to the dynamic public IP being blacklisted.

Is there a way to drop email traffic from the server going via wan2? I can't use a standard policy as both WAN interfaces are within the same zone.

Thanks

    1 reply

    emnoc
    New Member
    October 24, 2017

    The problem I have is if wan1 drops then all traffic is directed over wan2 and this is causing email to be dropped due to the dynamic public IP being blacklisted.

    You could try this:

    1: configure a loopback interface with some bogus address

    2: config a PBR with the src being the mail server or whatever

    3: set output device to be the loopback

    e.g.

    config system interface
        edit "lo0"
            set vdom "root"
            set ip 169.254.1.1 255.255.255.255
            set type loopback
            set snmp-index 999
        next
    end

    config router policy
        edit 1
            set input-device "port1"
            set src "1.1.1.1/32"
            set output-device "lo0"
        next
    end

    Or that might be too extreme; you could just disallow it via a FWPOLICY ;)

    A firewall policy comes next after the route lookup.

    config firewall policy
        edit 0
            set srcintf <interface where mail server set>
            set dstintf wan2
            set srcaddr <my server1> <my server2> <my server3>
            set dstaddr all
            set service SMTP
            set action deny
            set comment "drop mail from wan2 since wan2 is blacklisted due to being on a RBL blah blah blah"
            set schedule always
        next
    end

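To fit the loopback approach above to the original question (keep the existing wan1 policy route for the three servers first, and blackhole only SMTP when that route is unavailable), here is an added example configuration; it is not from the thread or from Fortinet, and the interface names, the 192.0.2.x server addresses, the wan1 gateway and the `#` annotation lines are constructed placeholders.

```fortios
# Added example, not from the thread. Assumed names: LAN "port1",
# WAN links "wan1"/"wan2", mail servers 192.0.2.10-12, wan1 next hop
# 198.51.100.1 (all constructed placeholders).

config system interface
    edit "lo0"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type loopback
    next
end

config router policy
    # seq 1: the existing route, all traffic from the mail servers
    # leaves via wan1 (the static, non-blacklisted address)
    edit 1
        set input-device "port1"
        set src "192.0.2.10/32" "192.0.2.11/32" "192.0.2.12/32"
        set gateway 198.51.100.1
        set output-device "wan1"
    next
    # seq 2: evaluated only when seq 1 is not usable; matches SMTP
    # (TCP/25) from the same servers and steers it to lo0, where no
    # firewall policy permits it, so it is dropped instead of being
    # load-balanced onto wan2. Other traffic from the servers is left
    # alone and falls through to the normal load-balanced routing.
    edit 2
        set input-device "port1"
        set src "192.0.2.10/32" "192.0.2.11/32" "192.0.2.12/32"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "lo0"
    next
end
```

Policy routes are evaluated top-down, so seq 2 is only reached when seq 1 does not apply, and whether a link-monitor failure (rather than a physical link down) causes that skip depends on the FortiOS version, so verify it on the running firmware. Traffic steered to lo0 then hits the implicit deny policy, whose logging can be turned on to see the drops.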

    krusty (Author)
    New Member
    October 24, 2017

    emnoc wrote:

    You could try this:

    1: configure a loopback interface with some bogus address

    2: config a PBR with the src being the mail server or whatever

    3: set output device to be the loopback

    e.g.

    config system interface
        edit "lo0"
            set vdom "root"
            set ip 169.254.1.1 255.255.255.255
            set type loopback
            set snmp-index 999
        next
    end

    config router policy
        edit 1
            set input-device "port1"
            set src "1.1.1.1/32"
            set output-device "lo0"
        next
    end

    Or that might be too extreme; you could just disallow it via a FWPOLICY ;)

    I can't easily modify the policy rules as it is configured to use zones.

    If I add the suggested policy route under the current policy routes, will it only take effect if the wan1 interface (link health monitor) is down?