Reflection Shows Router IP

Started by Adam.P, March 27, 2020, 08:15:06 PM

March 27, 2020, 08:15:06 PM Last Edit: March 27, 2020, 08:18:20 PM by Adam.P
Hi,

I recently switched from a SonicWall router to an OPNsense appliance. Behind this appliance I have a multi-tenant Exchange server and a VM running Proxmox Mail Gateway spam filter. When someone in the multi-tenant Exchange server emails anyone else that the spam filter is filtering email for, obviously reflection comes into play and it works. However, the sender IP address detected by the spam filter is the OPNsense appliance's LAN IP instead of the WAN IP:

Mar 27 15:05:22 mx01 postfix/smtpd[12870]: D43C632D238: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.7.1]

With the SonicWall, the orig_client was correctly detected as the WAN IP. This is causing problems with some domains with enforced SPF.
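To make the symptom in the post above easy to spot across a whole mail log, here is an added example (not part of the thread, and not Proxmox Mail Gateway or OPNsense code) that scans postfix/smtpd lines and classifies the client the spam filter actually saw. It prefers orig_client when the local proxy logged one, and flags any RFC 1918 source as a reflected connection that SPF will evaluate against a LAN address. The log lines are constructed for the example (the first is modelled on the one quoted above); the "expected WAN IP" 203.0.113.25 is an assumed documentation address, not the poster's.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample log. The first line is modelled on the one quoted in the post;
# the others are made up to exercise the remaining cases (an expected public source,
# a direct external client, and a non-smtpd line that must be ignored).
SAMPLE_LOG = """\
Mar 27 15:05:22 mx01 postfix/smtpd[12870]: D43C632D238: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.7.1]
Mar 27 15:06:01 mx01 postfix/smtpd[12870]: A1B2C3D4E5F: client=localhost.localdomain[127.0.0.1], orig_client=unknown[203.0.113.25]
Mar 27 15:06:44 mx01 postfix/smtpd[12871]: F0E1D2C3B4A: client=mail.example.net[198.51.100.7]
Mar 27 15:07:10 mx01 postfix/qmgr[1200]: D43C632D238: from=<user@example.com>, size=1234, nrcpt=1 (queue active)
"""

# RFC 1918 ranges listed explicitly rather than using ipaddress's is_private,
# which also counts the documentation ranges (192.0.2.0/24, 203.0.113.0/24, ...) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+):")
# "client=" must not match the tail of "orig_client=", hence the negative lookbehind.
CLIENT_RE = re.compile(r"(?<!orig_)client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
ORIG_CLIENT_RE = re.compile(r"orig_client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")


@dataclass
class Finding:
    queue_id: str
    sender_ip: str
    verdict: str


def is_rfc1918(ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    return any(ip in net for net in RFC1918)


def classify(ip_text: str, expected_wan_ip: Optional[str] = None) -> str:
    """Say what the spam filter will treat as the connecting client."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "local"                 # only the proxy itself, no upstream client recorded
    if is_rfc1918(ip):
        return "reflected-via-lan-ip"  # the symptom from the post: SPF is checked against a LAN address
    if expected_wan_ip is not None and ip == ipaddress.ip_address(expected_wan_ip):
        return "ok-wan-ip"             # reflection rewrote the source to the published public address
    return "external"                  # an ordinary internet sender


def audit(log_text: str, expected_wan_ip: Optional[str] = None) -> List[Finding]:
    """One Finding per postfix/smtpd connection line, using orig_client when the proxy logged it."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m is None:
            continue  # qmgr/cleanup/etc. lines carry no client address
        src = ORIG_CLIENT_RE.search(line) or CLIENT_RE.search(line)
        if src is None:
            continue
        ip_text = src.group("ip")
        findings.append(Finding(m.group("qid"), ip_text, classify(ip_text, expected_wan_ip)))
    return findings


if __name__ == "__main__":
    # Assumed public address for the example; replace with the virtual IP the SPF record lists.
    for f in audit(SAMPLE_LOG, expected_wan_ip="203.0.113.25"):
        print(f"{f.queue_id}  {f.sender_ip:<15}  {f.verdict}")
```

Any "reflected-via-lan-ip" hit is a message whose SPF result depends on the firewall's LAN address, which no sender domain will list; once the outbound NAT rule discussed later in the thread is in place, the same queue IDs should come back as "ok-wan-ip".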

Hi,

a little awkward, but you can achieve this using two additional rules:

- outbound NAT rule: on LAN interface, src LAN Net, dst <ip> port 25, NAT address <external service ip>
- fw rule on LAN: src address <external service ip>, dst <ip> port 25

the second rule is necessary to avoid the "force gw" part of the automatic "let out anything from firewall host itself (force gw)" floating rule.

Thank you for the quick response. I tried this but it's still showing the router's LAN IP in the email server logs.

Maybe I'm doing it incorrectly... Any other detail you can provide?

Strange. Please check if that traffic actually hits the fw, or if other rules keep the packets from hitting the new rules (packet counters via "Inspect").

The traffic is going through the firewall for sure. As for specifics, I think I'm looking for clarification...

- outbound NAT rule: on LAN interface, src LAN Net, dst <ip> port 25, NAT address <external service ip>

This seemed to have too broad a scope. I made it like this:

- outbound NAT rule: on LAN interface, src Single host or Network <internal ip/32 of exchange server>, dst <internal ip/32 of spam filter server>, translation/target <virtual public IP>

Did I do any of that incorrectly? I'd like all traffic between the two that touches the router to appear as though it is from the external IP. When I enable this rule, it makes the traffic appear as though it's coming from the actual private IP instead of the gateway, but that's still not what I need.

- fw rule on LAN: src address <external service ip>, dst <ip> port 25

I'm sorry, but this is where I really started to get confused. I don't understand this rule or why it would be needed. Also not sure which IP <external service ip> is referring to. Can you explain in a bit more detail please?

Thanks!!

Sorry for the late answer.

I told you to check the packet counters, but alas the GUI does not even provide that feature for NAT rules :-/ You could check them in a ssh session (pfctl -s nat -v).

I think it is worth checking if the NAT rule really applies. The rule itself looks good to me, but maybe some other rule hits first so it does not apply.

The additional fw rule is just to make sure the re-written packet will be allowed. Also, it gives you the opportunity to activate logging for these packets (and not for others, which might be too much).

So activate logging for the outbound NAT rule and the additional fw rule, and try to find these in the Log Files.
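For the check suggested in the reply above (reading the NAT packet counters over ssh, since the GUI does not show them for NAT rules), here is an added example that is not part of the thread and not OPNsense code: it parses the output of pfctl -s nat -v, reports rules that pf evaluated but that never translated a packet, and lists the earlier rules on the same interface that may be matching first (pf applies the first matching nat rule). The sample output, interface names, addresses, labels and counters are constructed for the example; on a real box pipe the command's real output into the script instead.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `pfctl -s nat -v` output. Rules, interfaces,
# addresses, labels and counters are made up; feed real output on stdin to use it.
SAMPLE_PFCTL = """\
nat on em1 inet from 192.168.7.0/24 to 192.168.7.0/24 -> 192.168.7.1 label "automatic reflection"
  [ Evaluations: 184       Packets: 2310      Bytes: 1879240     States: 3     ]
  [ Inserted: uid 0 pid 61234 State Creations: 41    ]
nat on em1 inet from 192.168.7.10 to 192.168.7.20 port = smtp -> 203.0.113.25 label "manual smtp reflection"
  [ Evaluations: 143       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 61234 State Creations: 0     ]
nat on em0 inet from 192.168.7.0/24 to any -> (em0) port 1024:65535
  [ Evaluations: 9023      Packets: 512044    Bytes: 312345678   States: 120   ]
  [ Inserted: uid 0 pid 61234 State Creations: 4321  ]
"""

RULE_RE = re.compile(r"^(?:no\s+)?(?:nat|rdr|binat)\b")
IFACE_RE = re.compile(r"\bon\s+(?P<iface>\S+)")
LABEL_RE = re.compile(r'label "(?P<label>[^"]*)"')
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(?P<ev>\d+)\s+Packets:\s*(?P<pk>\d+)"
    r"\s+Bytes:\s*(?P<by>\d+)\s+States:\s*(?P<st>\d+)\s*\]"
)


@dataclass
class NatRule:
    index: int            # position in the ruleset; first matching nat rule wins
    text: str
    label: Optional[str]
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0
    states: int = 0


def interface_of(rule_text: str) -> Optional[str]:
    m = IFACE_RE.search(rule_text)
    return m.group("iface") if m else None


def parse_pfctl_nat(output: str) -> List[NatRule]:
    """Pair each rule line with the counter line that follows it."""
    rules: List[NatRule] = []
    for line in output.splitlines():
        if RULE_RE.match(line):
            lm = LABEL_RE.search(line)
            rules.append(NatRule(len(rules), line.strip(), lm.group("label") if lm else None))
            continue
        cm = COUNTER_RE.match(line)
        if cm and rules:
            r = rules[-1]
            r.evaluations, r.packets, r.bytes, r.states = (
                int(cm.group(g)) for g in ("ev", "pk", "by", "st")
            )
    return rules


def never_matched(rules: List[NatRule]) -> List[NatRule]:
    """Rules pf looked at but that never translated anything: the case the reply describes."""
    return [r for r in rules if r.evaluations > 0 and r.packets == 0]


def shadowing_candidates(rules: List[NatRule], rule: NatRule) -> List[NatRule]:
    """Earlier rules on the same interface that did match, so may be taking the traffic first."""
    iface = interface_of(rule.text)
    return [r for r in rules[: rule.index] if interface_of(r.text) == iface and r.packets > 0]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL
    rules = parse_pfctl_nat(text)
    for r in never_matched(rules):
        print(f"rule {r.index} never matched ({r.evaluations} evaluations): {r.text}")
        for s in shadowing_candidates(rules, r):
            print(f"  possibly shadowed by rule {s.index} ({s.packets} packets): {s.text}")
```

Run it as `pfctl -s nat -v | python3 natcheck.py` on the appliance (the script name is mine); a manual reflection rule that shows up as never matched, with an earlier rule on the same interface carrying all the packets, is exactly the "some other rule hits first" situation the reply asks you to rule out, and rule order is then what to fix.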