Contributor
January 24, 2011
Question

Policy route for SMTP traffic out

  • January 24, 2011
  • 17 replies
  • 12401 views
Hi, we have a 60B firewall with 1 WAN connection that has a block of 8 IP addresses assigned to it. The IP address being used as the gateway is 217.155.85.254. We want to use 217.155.85.251 for sending SMTP traffic, as there was a bit of a blunder with our mail relay when adding the domains: when we added them it used the IP address the current MX record pointed to and automatically added it to the relays allowed list. The issue is that the MX pointed to 217.155.85.251 and our firewall is sending from 217.155.85.254, and being blocked. I've raised a ticket with them to add the full range of addresses but wanted to know how to work this out locally on the firewall, as I'm pretty sure it can be done and I don't like being beaten (even though you could consider asking for help being beaten ;)). I tried the following:

Setup a policy route;
protocol: 6
incoming interface: switch
Source address / mask: 192.168.30.0/24
destination address / mask: 0.0.0.0/0.0.0.0
destination ports: from (25) to (25)
force traffic to: outgoing interface: WAN1
Gateway address: 217.155.85.251

This broke SMTP out. I read in the manual that it's possible to add another address in the same range as the default gateway and it should work, but no. Anyone know how to make this work?

    17 replies

    Contributor
    January 24, 2011
    After looking about on here a bit more, would I need to add another static route via the same interface with the same distance, my desired gateway IP and a different priority via the CLI?
    ejhardin
    New Member
    January 25, 2011
    What you are looking for is IP Pools. Your default gateway is the .254 because it is assigned to the WAN1 interface. I assume that you don't have multiple WAN connections. All you need is the one static route for .254. If you have a VIP policy from .251 into your network and you want to send e-mail out using the same IP, create an IP pool with the .251 IP and create a rule from your internal network to the internet, check the box for dynamic IP pool and select the .251 IP pool you just created. Now the SMTP traffic will show that it was sent via .251 and not the default gateway of .254.
    ede_pfau
    SuperUser
    January 25, 2011
    If you use a VIP without port forwarding you get the outgoing NAT for free, without any NAT settings in the outgoing policy. You might read up on VIPs and NAT here: http://support.fortinet.com/forum/tm.asp?m=69243&appid=&p=&mpage=1&key=&language=single&tmode=&smode=&s=#69286 I suspect that you are not using a VIP yet... wonder how that is working then. Routing and policy routes have nothing to do with this at all.
    jtfinley
    New Member
    February 11, 2011
    IF you use a VIP without port forwarding you get the outgoing NAT for free, without any NAT settings in the outgoing policy.
    Ede_pfau, this does not work for us. I posted something about this a couple of months ago without much attention. In our case, we have Dual WAN and started a ticket with Fortinet, but have yet to get time to work on it... --Joe
    Contributor
    January 25, 2011
    I have the incoming SMTP connection using a VIP with port forwarding, as not all traffic on this IP wants to go to the internal Exchange server. I'll have a look at IP pools and get back with results, cheers :)
    Contributor
    January 25, 2011
    I've set up an IP pool with the following:
    Name: smtp .251 out
    interface: WAN1
    IP Range/Subnet: 217.155.85.251-217.155.85.251
    Then went to the outbound policy for the SMTP connection and the option for dynamic IP pool is greyed out. Any ideas?
    ede_pfau
    SuperUser
    January 25, 2011
    Did you configure a firewall address by accident, and not an IP pool? If you don't have IP pools the option is greyed out. BTW, you mention 'WAN1' in the IP pool definition, and 'external' in the policy -?
    Contributor
    January 25, 2011
    Sorry for the confusion. WAN1 and WAN2 are members of the 'External' zone because there were 2 WAN links at one point. I have configured an IP pool, but I can't add it to the 'external' zone. Also I can't use 'WAN1' for the interface as it's part of the external zone. Is this what the problem will be? I'll need to make changes to all policies tonight if so, after removing WAN1 from the external zone.
    Maik
    New Member
    January 25, 2011
    Also I can't use 'WAN1' for the interface as it's part of the external zone. Is this what the problem will be?
    I did not read your full post, but for this question: What is your current FortiOS version? Upgrade your FortiGate to at least V4 MR1. Before that, an IP Pool is bound to an Interface (and not to a Zone). With MR1 and newer, you don't need to specify an Interface anymore.
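    The IP pool approach ejhardin describes, combined with Maik's note that FortiOS 4.0 MR1 and later no longer bind a pool to an interface, looks like the following on the CLI. This is an added example, not configuration posted by anyone in the thread; the pool name "smtp-out", the policy ID, the source interface "internal" and the address objects are assumptions, and the IP 217.155.85.251 is the one from the original question. The key point for anyone reproducing this: outbound source NAT is what changes the address the mail relay sees, so the policy route from the first post (which forced a "gateway" of .251, an address that is not a next-hop router) should be deleted rather than kept alongside the pool.

```fortios
# Added example (not from the thread). Assumes FortiOS 4.0 MR1 or later,
# where "config firewall ippool" no longer takes a "set interface" line.

# 1. A one-address pool holding the IP that the MX record points at.
config firewall ippool
    edit "smtp-out"
        set startip 217.155.85.251
        set endip 217.155.85.251
    next
end

# 2. A dedicated outbound policy for SMTP only, placed ABOVE the general
#    internet-access policy so it matches first. "nat enable" is required
#    for "ippool enable" to take effect; "poolname" selects the pool.
#    "internal" and the address objects are assumed names.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "smtp-out"
    next
end

# 3. Remove the policy route from the original post; it is not needed once
#    source NAT does the job. The route ID (1) is an assumption.
config router policy
    delete 1
end
```

    To confirm the change took effect, watch outbound port 25 on the WAN interface while a message is sent (`diagnose sniffer packet wan1 'tcp port 25' 4 10`) and check that the source address in the SYN is .251 rather than .254. If the pool option is still greyed out in the GUI, the firmware is pre-MR1 and the pool must carry an interface, which, as the thread notes, cannot be a zone.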
    ede_pfau
    SuperUser
    January 25, 2011
    Did you configure the IP pool on the zone then, or on the interface 'wan1'?
    Contributor
    January 25, 2011
    The zone isn't available when adding the IP pool.
    Maik
    New Member
    January 25, 2011
    Compare FortiOS versions. I remember in V3 IP Pools were a no-go for me when using Zones for External Interfaces.
    ede_pfau
    SuperUser
    January 25, 2011
    So that answers this. Like you said, delete the zone and use the interface instead. Alternatively, upgrade to 4.00 MR1 patch 8... but this possibly brings along side effects. The zone isn't used anymore anyway. Just my 2 cents.
    Maik
    New Member
    January 25, 2011
    The zone isn't used anymore anyway.
    Why not? I like zones :)