 From:  "Eric Shorkey" <eshorkey at commonpointservices dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  smtp delay over 2 firewalls with one bridging
 Date:  Tue, 23 Mar 2004 06:22:42 -0500
This is an interesting setup, hopefully someone out there can recreate it and tell me if I'm a loon
or not.

Here is the problem:
I'm experiencing significant connection delays when contacting port 25 of my mailserver. The
connection seems to always go through, it just takes about 20 seconds before the connection is

The setup:
I have 5 public ip addresses (it's a /29 ip block). Due to some software I run on most of these ip
addresses, I have to run firewall #1 in bridging mode between the wan and the lan. Firewall #1 uses one
of those public ip addresses for its WAN port as well, since it insists on having an ip address.

The interesting thing is firewall #2. It is using another of those 5 ip addresses on its wan port.
Both of these firewalls' WAN ports are connected to a hub, and that hub is also plugged into my
internet provider's equipment. These 2 firewalls are protecting the same network, it's purely set up
this way because m0n0wall won't route out a bridged interface.

My mailserver has multiple network cards, and its default route is to push out to the public router
for internet traffic. One of the network cards is an internet card, and another is for the secured
network only.

The twist:
When connecting to my mailserver using only internal ip addresses, everything runs nice and fast. No
delays at all. Only when I'm connecting to the mailserver using the public ip address do I
experience the delay.

I've tried using proxy arp to force the firewall to publish the ip on the wan card of firewall #1,
but that didn't help. (I didn't expect it to, I was grasping at straws.) I'd think it's an arp
problem, but it only does this on port 25, so it's very strange. It couldn't really be a dns related
issue either. The reverse lookup for ip addresses on the mailserver is very fast, so it's not like
the smtp server is waiting for dns. I've even tried setting up rules to specifically block packets
destined for firewall #2's ip address from finding their way into the bridged interface on
firewall #1. Doesn't help. I've reset the state on both firewalls, that didn't help either.

So, I'm kind of at a loss on this one. The setup should work, and it's sane, but I may end up having
to change my network design a little to help m0n0wall cope with it. It works for now, the delay is
just a little annoying. Figured I'd bounce this one off the mailing list to see what people have to
say about it.
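One way to narrow down where a port 25 delay like the one above lives is to time the TCP handshake separately from the wait for the server's 220 greeting: a slow handshake points at the path (ARP, the bridge, state tables), while a fast handshake followed by a slow greeting points at the mail server doing lookups before it answers. The script below is an added example, not code from the poster or from m0n0wall; the local "slow banner" server it starts is a constructed stand-in for a real mailserver, and the thresholds are assumptions.

```python
"""Separate network-layer from server-side delay on an SMTP connection.
Added example; the local server is a constructed stand-in for a mailserver."""
import socket
import threading
import time


def time_smtp_phases(host, port, timeout=30.0):
    """Return (connect_secs, banner_secs, banner) for host:port.

    connect_secs: time until the TCP handshake completes (path problems).
    banner_secs: time from handshake to the 220 greeting (server-side
    work such as reverse-DNS or ident lookups on the connecting address)."""
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    t1 = time.monotonic()
    try:
        sock.settimeout(timeout)
        banner = sock.recv(512).decode("ascii", "replace").strip()
    finally:
        sock.close()
    t2 = time.monotonic()
    return t1 - t0, t2 - t1, banner


def classify(connect_secs, banner_secs, threshold=1.0):
    """Map the two measurements to the layer most likely responsible.
    The one-second default threshold is an assumption, tune it per site."""
    if connect_secs >= threshold:
        return "network-layer delay"
    if banner_secs >= threshold:
        return "server-side delay before greeting"
    return "no significant delay"


def start_slow_banner_server(banner_delay):
    """Constructed stand-in: accept the TCP connection at once, then sleep
    before sending the greeting. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        time.sleep(banner_delay)
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_slow_banner_server(0.5)
    c, b, banner = time_smtp_phases("127.0.0.1", port)
    print(f"connect {c:.3f}s, banner {b:.3f}s -> {classify(c, b, 0.3)}: {banner}")
```

Run it against the real public address instead of the local stand-in to see which of the two phases absorbs the 20 seconds.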