problem with access from internet
  •  
alef

I have several public addresses and one of them is my mail server. Now, I configured rules for KFW so that it should pass any SMTP request sent from the "external" interface to a specific host like this:

source: external connection (internet)
dest: 217.xxx.xxx.193
service: smtp
action: pass

The thing is not passing SMTP packets. What's the matter? Please help.

thanks
  •  
Kerio_ktrumbull

You need to set destination mapping to the internal ip address for that rule.

Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com
  •  
alef

To Kerio_ktrumbull: could you please put down the specific rule?

Is there any difference between using a real or a fake IP for the mail server in the LAN? I am using a real one, which is exactly the mail server's MX and is different from the firewall IP, but in the same network as the firewall's LAN-connected interface.
[Updated on: Mon, 22 May 2006 20:00]

  •  
Kerio_ktrumbull

source: external connection (internet)
dest: 217.xxx.xxx.193
service: smtp
action: pass
translation: translate to the internal IP address of your mail server

http://www.kerio.com/manual/kwf/en/ch06s04.html#d0e7073

Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com
  •  
alef

I tried to apply that rule - it doesn't help at all. I don't understand why I should use translation - I have a real IP on the firewall and a real IP on the mail server (different machines), so I thought that the rule should just pass SMTP packets - the rest is done by the router(s).

Am I wrong?

I should be, because this way things are not any better :(
  •  
winkelman

You can have public IP addresses for your firewall and mailserver, of course, but for them to be actually publicly reachable, they need to be 'directly' connected to your ISP internet connection. You can't simply put your mailserver behind a router and then expect it still to be publicly reachable. Your ISP's routing tables wouldn't be correct anymore.

So either don't put your mailserver behind the router but 'next' to it (network wise), or don't use the public IP address on the mailserver, but on the firewall and then map the connection through.
  •  
alef

My network structure is as follows:

network 1
217.113.9.192/255.255.255.248
gateway 217.113.9.198

network 2
172.16.0.0/255.255.255.0
gateway 172.16.0.1

My connection to the ISP: the outbound interface is 217.113.25.209 while the inbound is 217.113.9.198, so it sits with one leg in the ISP network and the second in my 'network 1'.

The mail server address is 217.113.9.193, so it's also in 'network 1', and it is registered both in my DNS and in the ISP's.

I don't quite understand what you mean by 'next' to firewall. For me the mail server is sitting close enough.
  •  
frankxs

Not sure I fully understand your network setup, but thought I'd throw out one bit in case it applies.

Many (most) DSL routers come with only one WAN UTP connection and often have multiple LAN UTP connections (if they have a built-in switch). Or sometimes, no connections other than the WAN connection itself. In order to place your public IP machines directly on the Internet you would have to run a switch off of the WAN Interface. Some folks connect these public IP machines to the LAN UTP connections. That won't work.

For most people, best bet is to assign all public IPs to the KWF NIC and map to private IPs behind the firewall.

Just food for thought.

-Frank

[Updated on: Tue, 23 May 2006 15:40]

  •  
winkelman

alef wrote on Tue, 23 May 2006 14:39

i don't quite understand what you mean by 'next' to firewall. for me mailserver is sitting close enough.

I mean 'next' to it in the network topology...

The mailserver should be capable of reaching your ISP's gateway directly without having to go through your firewall (just as the firewall itself can). Or, simply put: your firewall and mailserver should be plugged into the same switch/hub. In this respect the mailserver then sits 'next' to your firewall and not 'behind' it.
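
The two layouts suggested in this thread, worked through with the addresses alef posted. This is an added example, not part of any post and not Kerio code; it assumes 'network 2' is the LAN behind the firewall, and 172.16.0.10 is a constructed internal address for the mail server.

```python
import ipaddress

# Networks as posted in the thread.
NETWORK_1 = ipaddress.ip_network("217.113.9.192/255.255.255.248")  # public block
NETWORK_2 = ipaddress.ip_network("172.16.0.0/255.255.255.0")  # assumed: LAN behind the firewall


def plan_inbound_smtp(public_ip, server_ip):
    """Return (placement, rule) for one of the two layouts suggested in the thread.

    public_ip -- the address the MX record points at
    server_ip -- the address actually configured on the mail server's NIC
    """
    public_ip = ipaddress.ip_address(public_ip)
    server_ip = ipaddress.ip_address(server_ip)
    if public_ip not in NETWORK_1:
        raise ValueError(f"{public_ip} is outside the public block {NETWORK_1}")
    if server_ip == public_ip:
        # Layout 1: the server holds the public address itself and shares the
        # switch/hub with the firewall, so inbound SMTP never crosses the
        # firewall and there is nothing to map.
        return "next-to-firewall", None
    if server_ip not in NETWORK_2:
        raise ValueError(f"{server_ip} is not on the LAN {NETWORK_2}")
    # Layout 2: the firewall owns the public address and maps SMTP inward.
    rule = {
        "source": "external connection (internet)",
        "dest": str(public_ip),
        "service": "smtp",
        "action": "pass",
        "translation": str(server_ip),
    }
    return "behind-firewall", rule


def format_rule(rule):
    """Render a rule in the key: value layout used in the posts above."""
    return "\n".join(f"{key}: {value}" for key, value in rule.items())


if __name__ == "__main__":
    for server in ("217.113.9.193", "172.16.0.10"):  # second address is constructed
        placement, rule = plan_inbound_smtp("217.113.9.193", server)
        print(placement)
        print(format_rule(rule) if rule else "(no mapping rule; traffic does not cross the firewall)")
```
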