 
 From:  Tim Brewer <T dot Brewer at beth dot school dot nz>
 To:  m0n0wall at lists dot m0n0 dot ch, 'Robert Rich' <rrich at gstisecurity dot com>
 Subject:  RE: [m0n0wall] Sending Email from m0n0 lan to m0n0 lan - sort of
 Date:  Fri, 29 Jul 2005 13:33:22 +1200
Hi Robert,
Part 1: Have set static routes 

Part 2:  Sorry, this was a typo. m0n02 should be 192.168.11.1 
 
Part 3: I'm inclined to agree.
 
Part 4: I ran telnet from LAN2 to SMEB and ran the netstat -an. The
ESTABLISHED for the connection showed the External IP of m0n02.
 
I set up a route from LAN2 to SMEB and a route from SMEB to LAN2, both using
m0n02 as the gateway, then tried telnet again. Same results  :(
 
When trying to telnet from SMEB to an email server on LAN2 (either Exchange
or a test Mercury Mail PC), the connection times out. In m0n02's firewall
log, it shows allowed AND denied connections between the IPs of the 2 PCs
on port 25.
Allowed    -    192.168    Pt 1934    to 10.0       Pt 25
Allowed    -    10.0       Pt 25      to 192.168    Pt 1934
Allowed    -    192.168    Pt 1934    to 10.0       Pt 25
Denied     -    10.0       Pt 25      to 192.168    Pt 1934
Then times out.
I cannot figure out why it is denying the same thing that was allowed split
seconds earlier - but believe it is the problem.

Thanks
________________________________

From: Robert Rich [mailto:rrich at gstisecurity dot com] 
Sent: Friday, 29 July 2005 8:50 a.m.
To: Tim Brewer; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Sending Email from m0n0 lan to m0n0 lan - sort of


Tim,
 
Based on the diagram you put in the original email, it looks like there
could be a routing issue between SMEB and Exchange.  If SMEB is on the
192.168.x.x (192.168.11.50, right?) network with a default gateway of the
Internet router, then you'll need a static route or use NAT and tell m0n0 to
proxy arp for whatever address you want to use for Exchange. 
 
Also, on the list of IP addresses, it looks like m0n02 and SMEA are using
the same address (192.168.11.10).
 
Regarding the change in error message, since it's failing during a DNS
request, I would think that you aren't necessarily 'past' the connection
problem.  CNAME lookups would likely happen before the connection is even
attempted. 
 
If the telnet from LAN2 to SMEB is working, run a 'netstat -an' or
equivalent on the SMEB box _while the connection is still up_ and look for
the 'ESTABLISHED' connection to port 25.  If the source IP shows up as the
real LAN ip of the PC on LAN2, then routing isn't an issue.  If it has been
translated to the m0n02 interface address, then try adding a route to SMEB
that points 10.0.0.0/255.0.0.0 to m0n02's WAN interface.
 
