Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
krusty
New Contributor

Block outbound email traffic using policy routes

Hi,

I currently have a dual wan configuration with policy routes directing outbound traffic from 3 servers over wan1 (static public ip) and all other traffic load balanced over wan1 and wan2 (dynamic public ip).

The problem I have is if wan 1 drops then all traffic is directed over wan 2 and this is causing email to be dropped due to the dynamic public ip being blacklisted.

Is there a way to drop email traffic from the server going via wan 2? I can't use a standard policy as both wan interfaces are within the same zone.

Thanks


2 REPLIES
emnoc
Esteemed Contributor III

The problem I have is if wan 1 drops then all traffic is directed over wan 2 and this is causing email to be dropped due to the dynamic public ip being blacklisted.

You could try this:

1: configure a loopback interface with some bogus address

2: config a PBR with the src being the mail server or whatever

3: set output device to be the loopback

e.g.

config system interface
    edit "lo0"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type loopback
        set snmp-index 999
    next
end

config router policy
    edit 1
        set input-device "port1"
        set src "1.1.1.1/32"
        set output-device "lo0"
    next
end

Or that might be too extreme, you could just disallow it via a FWPOLICY ;)


A firewall policy comes next after the route lookup.

config firewall policy
    edit 0
        set srcintf <interface where mail server set>
        set dstintf wan2
        set srcaddr <my server1> <my server2> <my server3>
        set dstaddr all
        set service SMTP
        set action deny
        set comment "drop mail from wan2 since wan2 is blacklisted due to be on a RBL blah blah blah"
        set schedule always
    next
end

 

  

PCNSE 

NSE 

StrongSwan  
krusty
New Contributor

emnoc wrote:

You could try this:

1: configure a loopback interface with some bogus address

2: config a PBR with the src being the mail server or whatever

3: set output device to be the loopback

e.g.

config system interface
    edit "lo0"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type loopback
        set snmp-index 999
    next
end

config router policy
    edit 1
        set input-device "port1"
        set src "1.1.1.1/32"
        set output-device "lo0"
    next
end

Or that might be too extreme, you could just disallow it via a FWPOLICY ;)

I can't easily modify the policy rules as it is configured to use zones.

If I add the suggested policy route under the current policy routes, will it only take effect if the wan1 interface (link health monitor) is down?
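To see how the ordering in that last question plays out, here is an added Python model (not FortiOS code and not written by either poster) of top-down policy-route evaluation with the loopback rule placed after the existing wan1 rules. It assumes that a matching policy route whose output device is down is skipped and the next route is tried, that a loopback output device always counts as up, and it uses constructed server addresses 10.0.0.10-12.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class PolicyRoute:
    seq: int                        # position in "config router policy"
    src: str                        # source prefix, e.g. "10.0.0.10/32"
    output_device: str              # wan1 / wan2 / lo0
    dst_port: Optional[int] = None  # None matches any service

@dataclass
class Flow:
    src_ip: str
    dst_port: int

LOOPBACK = "lo0"  # assumed always up; sending a flow here blackholes it

def select_egress(flow: Flow, routes: List[PolicyRoute],
                  links_up: Dict[str, bool]) -> Optional[str]:
    """Return the egress interface chosen for `flow`.

    Policy routes are checked top-down; a matching route whose output device
    is down is skipped (assumed FortiOS behaviour). No match falls through to
    the load-balanced default over whichever WAN links are up.
    """
    for r in sorted(routes, key=lambda r: r.seq):
        if ip_address(flow.src_ip) not in ip_network(r.src):
            continue
        if r.dst_port is not None and flow.dst_port != r.dst_port:
            continue
        if r.output_device == LOOPBACK or links_up.get(r.output_device, False):
            return r.output_device
    for wan in ("wan1", "wan2"):  # default: first WAN that is still up
        if links_up.get(wan):
            return wan
    return None

# Constructed addresses standing in for the three servers in the thread.
MAIL_SERVERS = ["10.0.0.10/32", "10.0.0.11/32", "10.0.0.12/32"]

def build_routes() -> List[PolicyRoute]:
    """Existing 'server -> wan1' routes first, then the SMTP -> lo0 routes."""
    routes = [PolicyRoute(i + 1, s, "wan1") for i, s in enumerate(MAIL_SERVERS)]
    base = len(routes)
    routes += [PolicyRoute(base + i + 1, s, LOOPBACK, dst_port=25)
               for i, s in enumerate(MAIL_SERVERS)]
    return routes

if __name__ == "__main__":
    for state in ({"wan1": True, "wan2": True}, {"wan1": False, "wan2": True}):
        for f in (Flow("10.0.0.10", 25), Flow("10.0.0.10", 443), Flow("10.0.0.50", 25)):
            print(state, f, "->", select_egress(f, build_routes(), state))
```

With wan1 up, server traffic keeps using wan1; with wan1 down, only the servers' SMTP flows hit the loopback rule while their other traffic and everything else fails over to wan2.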

 
