Sp1er
September 2, 2023, 9:35am
Hello everyone. Sorry for my English.
There was such a problem: I had to move the mail server to the local network. The problem is that I can't access the external IP address on port 25 from my subnet. I seem to have set up hairpin NAT correctly, but I can't figure out why it doesn't work.
```
admin@vyos# show nat destination rule 110
 description Hairpin_SMTP_25_Port
 destination {
     address WAN_IP
     port 25
 }
 inbound-interface eth0.302
 protocol tcp
 translation {
     address 10.32.0.99
     port 25
 }
admin@vyos# show nat source rule 110
 destination {
     address 10.32.0.99
     port 25
 }
 outbound-interface eth0.302
 protocol tcp
 source {
     address 10.32.0.0/24
 }
 translation {
     address masquerade
 }
```
I also tried setting the inbound and outbound interface to "any".
Apachez
September 2, 2023, 9:56am
I assume you are using VyOS 1.3.x?
You need to set up 3 rules:
1. Stuff arriving on the WAN interface at dstip:dstport is DNAT to the internal IP.
2. Stuff arriving on the LAN interface at dstip:dstport is DNAT to the internal IP.
3. Stuff leaving the LAN interface at dstip:dstport is SNAT to the LAN interface IP.
See the example at NAT — VyOS 1.3.x (equuleus) documentation
For 1.4-rolling: NAT44 — VyOS 1.4.x (sagitta) documentation
Sp1er
September 2, 2023, 10:14am
I tried it, but it does not work.
Spoiler
```
[edit]
admin@vyos# show nat destination rule 110
 description Hairpin_SMTP_25_Port
 destination {
     address WAN_IP
     port 25
 }
 inbound-interface eth1.900
 protocol tcp
 translation {
     address 10.32.0.99
     port 25
 }
[edit]
admin@vyos# show nat destination rule 111
 description "Nat Reflection Inside"
 destination {
     port 25
 }
 inbound-interface eth0.302
 protocol tcp
 translation {
     address 10.32.0.99
     port 25
 }
[edit]
admin@vyos# show nat source rule 110
 destination {
     address 10.32.0.0/24
 }
 outbound-interface eth0.302
 protocol tcp
 source {
     address 10.32.0.0/24
 }
 translation {
     address masquerade
 }
```
```
telnet: Unable to connect to remote host: Connection timed out
```
Vif 0.302:
```
vif 302 {
    description "VM New Domain"
    vrrp {
        vrrp-group 1 {
            advertise-interval 1
            hello-source-address 10.250.250.1
            preempt true
            priority 10
            sync-group istrouter
            virtual-address 10.32.0.1/24
        }
    }
}
```
Apachez
September 2, 2023, 10:20am
Uhh... that's really old (1.0.2, from what it seems, from 2014). You should consider upgrading to 1.3.3 LTS or 1.4-rolling.
Sp1er
September 2, 2023, 10:23am
After the update, some systems may not work correctly. This VyOS came to me in 2016 by inheritance from the previous admin.
16again
September 3, 2023, 3:21pm
> 3. Stuff leaving the LAN interface at dstip:dstport is SNAT to the LAN interface IP.

Make sure this rule is only active for source IP addresses in the LAN range 10.32.0.0/24.
Otherwise, all SMTP connections will be source-NATed, which could break SPF.
Alternatively, use split DNS, so internal hosts can use the external name, which then points to 10.32.0.99.
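Apachez's three rules combined with 16again's restriction on the SNAT rule, written out as VyOS 1.3.x `set` commands. This is an added example, not configuration from the thread or from the VyOS documentation; it assumes eth1.900 is the WAN interface and eth0.302 the LAN interface (as in Sp1er's second config), 10.32.0.99 is the mail server, and WAN_IP is a placeholder for the real public address.

```vyos
# Added example: hairpin (NAT reflection) for TCP/25 as VyOS 1.3.x "set" commands.
# Assumed from the thread: WAN = eth1.900, LAN = eth0.302 (10.32.0.0/24),
# mail server = 10.32.0.99. WAN_IP is a placeholder for the public address.

# 1) From the Internet: WAN_IP:25 -> 10.32.0.99:25
set nat destination rule 110 description 'Hairpin_SMTP_25_Port'
set nat destination rule 110 inbound-interface 'eth1.900'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 destination address 'WAN_IP'
set nat destination rule 110 destination port '25'
set nat destination rule 110 translation address '10.32.0.99'
set nat destination rule 110 translation port '25'

# 2) From the LAN: same match, but arriving on the LAN interface.
#    Keeping "destination address WAN_IP" means only connections aimed at the
#    public address are rewritten, not every outbound SMTP session from the LAN.
set nat destination rule 111 description 'NAT_Reflection_Inside'
set nat destination rule 111 inbound-interface 'eth0.302'
set nat destination rule 111 protocol 'tcp'
set nat destination rule 111 destination address 'WAN_IP'
set nat destination rule 111 destination port '25'
set nat destination rule 111 translation address '10.32.0.99'
set nat destination rule 111 translation port '25'

# 3) Leaving the LAN interface towards the server: masquerade so the server's
#    reply goes back through the router instead of straight to the client.
#    Match BOTH source 10.32.0.0/24 and destination 10.32.0.99:25 (16again's
#    point), so ordinary SMTP traffic from the LAN is not source-NATed and SPF
#    checks on mail sent outbound are unaffected.
set nat source rule 110 description 'Hairpin_SMTP_25_Port'
set nat source rule 110 outbound-interface 'eth0.302'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '10.32.0.0/24'
set nat source rule 110 destination address '10.32.0.99'
set nat source rule 110 destination port '25'
set nat source rule 110 translation address 'masquerade'
commit
save

# Check that the rules are being hit (operational-mode commands assumed to
# exist in 1.3.x; counters should increase after a test connection):
# run show nat destination statistics
# run show nat source statistics
```

After a test connection from a 10.32.0.0/24 host to WAN_IP:25, the hit counters on destination rule 111 and source rule 110 should both increase; if only rule 111 counts, the SNAT match is the part to re-check.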