Install the best packet sniffer (and free) on your laptop (http://www.ethereal.com/)

Bill

-----Original Message-----
From: Eric Shorkey [mailto:eshorkey at commonpointservices dot com]
Sent: Tuesday, March 23, 2004 6:23 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] smtp delay over 2 firewalls with one bridging

This is an interesting setup, hopefully someone out there can recreate it and tell me if I'm a loon or not.

Here is the problem: I'm experiencing significant connection delays when contacting port 25 of my mailserver. The connection seems to always go through; it just takes about 20 seconds before the connection is established.

The setup: I have 5 public ip addresses (it's a /29 ip block). Due to some software I run on most of these ip addresses, I have to run firewall #1 in bridging mode between the wan and the lan. Firewall #1 uses one of those public ip addresses for its WAN port as well, since it insists on having an ip address. The interesting thing is firewall #2. It is using another of those 5 ip addresses on its wan port. Both of these firewalls' WAN ports are connected to a hub, and that hub is also plugged into my internet provider's equipment. These 2 firewalls are protecting the same network; it's purely set up this way because m0n0wall won't route out a bridged interface. My mailserver has multiple network cards, and its default route is to push out to the public router for internet traffic. One of the network cards is an internet card, and another is for the secured network only.

The twist: When connecting to my mailserver using only internal ip addresses, everything runs nice and fast. No delays at all. Only when I'm connecting to the mailserver using the public ip address do I experience the delay. I've tried using proxy arp to force the firewall to publish the ip on the wan card of firewall #1, but that didn't help. (I didn't expect it to, I was grasping at straws.)

I'd think it's an arp problem, but it only does this on port 25, so it's very strange. It couldn't really be a dns related issue either. The reverse lookup for ip addresses on the mailserver is very fast, so it's not like the smtp server is waiting for dns. I've even tried setting up rules to specifically block packets destined for firewall #2's ip address from finding their way into the bridged interface on firewall #1. Doesn't help. I've reset the state on both firewalls; that didn't help either.

So, I'm kind of at a loss on this one. The setup should work, and it's sane, but I may end up having to change my network design a little to help m0n0wall cope with it. It works for now, the delay is just a little annoying. Figured I'd bounce this one off the mailing list to see what people have to say about it.

Cheers!
Eric
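Before reaching for a sniffer, it helps to know whether the 20 seconds are spent on the TCP handshake (a path or ARP problem between the firewalls) or after the handshake, waiting for the server's 220 greeting (the mailserver stalled on something like a lookup). The script below is an added example, not code from the thread or from m0n0wall; it times both phases against a host and port you supply, and includes a constructed local stand-in for the mailserver so it can be run offline. The hostname and greeting text in it are placeholders.

```python
import socket
import threading
import time

def start_fake_smtp(banner_delay=0.0, banner=b"220 mail.example.test ESMTP\r\n"):
    """Constructed stand-in for the mailserver (not a real MTA): accepts one
    connection on 127.0.0.1, waits banner_delay seconds, then sends the SMTP
    greeting. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        time.sleep(banner_delay)  # models a server that stalls before greeting
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def measure_smtp(host, port=25, timeout=30.0):
    """Return (connect_secs, banner_secs, banner_line).
    connect_secs: time until the TCP handshake completes.
    banner_secs:  time from handshake until the full 220 line arrives."""
    t0 = time.monotonic()
    s = socket.create_connection((host, port), timeout=timeout)
    t1 = time.monotonic()
    line = b""
    try:
        s.settimeout(timeout)
        while not line.endswith(b"\r\n"):
            chunk = s.recv(512)
            if not chunk:          # server closed without a full greeting
                break
            line += chunk
    finally:
        s.close()
    t2 = time.monotonic()
    return t1 - t0, t2 - t1, line.decode("ascii", "replace").strip()

def classify(connect_secs, banner_secs, threshold=5.0):
    """Locate a delay: in the network path (handshake) or on the server (banner)."""
    if connect_secs >= threshold:
        return "handshake-delay"
    if banner_secs >= threshold:
        return "banner-delay"
    return "ok"

if __name__ == "__main__":
    port = start_fake_smtp(banner_delay=1.0)
    c, b, greeting = measure_smtp("127.0.0.1", port)
    print(f"connect {c:.2f}s, banner {b:.2f}s, {greeting!r}, {classify(c, b, 0.5)}")
```

Run measure_smtp once against the internal address and once against the public address; if only the public path shows a large connect_secs, the problem sits between the hub and the bridged interface, while a large banner_secs points at the mailserver itself.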