Not applicable

Policy route for SMTP traffic out

Hi, We have a 60B firewall with 1 WAN connection that has a block of 8 IP addresses assigned to it. The IP address being used as the gateway is 217.155.85.254. We want to use 217.155.85.251 for sending SMTP traffic as there was a bit of a blunder with our mail relay when adding the domains: when we added them it used the IP address the current MX record pointed to and automatically added it to the relays allowed list. The issue is that the MX pointed to 217.155.85.251 and our firewall is sending from 217.155.85.254, and being blocked. I've raised a ticket with them to add the full range of addresses but wanted to know how to work this out locally on the firewall, as I'm pretty sure it can be done and don't like being beaten (even though you could consider asking for help being beaten ;)). I tried the following: set up a policy route with
protocol: 6
incoming interface: switch
source address / mask: 192.168.30.0/24
destination address / mask: 0.0.0.0/0.0.0.0
destination ports: from (25) to (25)
force traffic to: outgoing interface: WAN1, gateway address: 217.155.85.251
This broke SMTP out. I read in the manual that it's possible to add another address in the same range as the default gateway and it should work, but no. Anyone know how to make this work?
Not applicable

After looking about on here a bit more would I need to add another static route via same interface with the same distance, my desired gateway IP and a different priority via cli?
ejhardin
Contributor

What you are looking for is IP Pools. Your default gateway is the .254 because it is assigned to the WAN1 interface. I assume that you don't have multiple WAN connections. All you need is the one static route for .254. If you have a VIP policy from .251 into your network and you want to send e-mail out using the same IP, create an IP pool with the .251 IP and create a rule from your internal network to the internet, check the box for dynamic IP pool and select the .251 IP pool you just created. Now the SMTP traffic will show that it was sent via .251 and not the default gateway of .254.
ede_pfau
SuperUser
SuperUser

IF you use a VIP without port forwarding you get the outgoing NAT for free, without any NAT settings in the outgoing policy. You might read up on VIPs and NAT here: http://support.fortinet.com/forum/tm.asp?m=69243&appid=&p=&mpage=1&key=&language=single&tmode=&smode=&s=#69286 I suspect that you are not using a VIP yet... wonder how that is working then. Routing and policy routes have nothing to do with this at all.
Ede Kernel panic: Aiee, killing interrupt handler!
jtfinley

IF you use a VIP without port forwarding you get the outgoing NAT for free, without any NAT settings in the outgoing policy.
Ede_pfau, this does not work for us. I posted something about this a couple of months ago without much attention. In our case, we have Dual WAN and started a ticket with Fortinet, but have yet to get time to work on it... --Joe
Not applicable

I have the incoming SMTP connection using a VIP with port forwarding as not all traffic on this IP wants to go to the internal Exchange server. I'll have a look at IP pools and get back with results, cheers :)
Not applicable

I've set up an IP pool with the following:
Name: smtp .251 out
Interface: WAN1
IP Range/Subnet: 217.155.85.251-217.155.85.251
Then went to the outbound policy for the SMTP connection and the option for dynamic IP pool is greyed out. Any ideas?
ede_pfau
SuperUser
SuperUser

Did you configure a firewall address by accident, and not an IP pool? If you don't have IP pools the option is greyed out. BTW, you mention 'WAN1' in the IP pool definition, and 'external' in the policy -?
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Sorry for the confusion. WAN1 and WAN2 are members of the 'External' zone because there were 2 WAN links at one point. I have configured an IP pool, but I can't add it to the 'External' zone. Also I can't use 'WAN1' for the interface as it's part of the External zone. Is this what the problem will be? I'll need to make changes to all policies tonight if so, after removing WAN1 from the External zone.
Maik
New Contributor II

Also I can't use 'WAN1' for the interface as it's part of the External zone. Is this what the problem will be?
I did not read your full post, but for this question: What is your current FortiOS version? Upgrade your FortiGate to at least v4.0 MR1. Before that, an IP pool is bound to an interface (and not to a zone). With MR1 and newer, you don't need to specify an interface anymore.
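For reference, here is what ejhardin's IP-pool approach and Maik's "no interface binding on MR1 and newer" point look like as FortiOS CLI, written as an added example rather than configuration posted by anyone in this thread. It assumes FortiOS 4.0 MR1 or later (so the pool carries no `set interface`), that the LAN behind the switch port is 192.168.30.0/24 as the original post states, that the WAN side is reached through the 'External' zone described above, and that the address object name, pool name and policy name are made up for the example; the `diagnose sniffer` line is the check that the SNAT is really in effect.

```fortios
# Added example: source-NAT outbound SMTP to a specific public IP with an IP pool.
# Assumes FortiOS 4.0 MR1 or newer; object names below are constructed for the example.

# 1. Address object for the internal network (name is an assumption)
config firewall address
    edit "LAN_192.168.30.0"
        set subnet 192.168.30.0 255.255.255.0
    next
end

# 2. IP pool holding only the .251 address.
#    No 'set interface' here: since 4.0 MR1 a pool is not bound to an interface or zone.
config firewall ippool
    edit "smtp_251_out"
        set startip 217.155.85.251
        set endip 217.155.85.251
    next
end

# 3. Outbound policy for SMTP only, using the pool instead of the .254 interface address.
#    'edit 0' lets the unit assign the next free policy ID; 'External' is the zone from the thread.
config firewall policy
    edit 0
        set name "smtp-out-via-251"
        set srcintf "switch"
        set dstintf "External"
        set srcaddr "LAN_192.168.30.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "smtp_251_out"
    next
end

# 4. Verify: outgoing port-25 packets on wan1 should now carry 217.155.85.251 as source.
#    (verbose level 4 prints the interface name with each packet; 10 packets is enough)
diagnose sniffer packet wan1 'tcp port 25' 4 10
```

Two things to keep in mind when applying this: the SMTP policy must sit above the general outbound policy in the sequence, otherwise the broader rule matches first and the pool is never used; and the policy route from the original post should be deleted, since a policy route only changes the next hop, not the source address, and here the next hop must stay .254.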