I have a new issue (seems to have started this morning).
I have 2 WANs in Primary / Backup mode, ppp0 ppp0:200 and ppp1
I have a mail server on 1 of my LANS and it always sent using ppp0:200 this worked fine, now it sends using ppp0 and this is causing me issues (spf related)
How can i make a route that a specific ip on the lan should always use ppp0:200?
Note that ppp0:200 is not defined as a virtual route, its generated from 1-to-1 NAT
Many thanks
In Multi-WAN
Responses (12)
Accepted Answer
Nick Howitt wrote:
In /usr/clearos/apps/firewall/deploy, please can you try uncommenting (remove the "--") line 2268 and 2269 so they read:
iptables("nat",
string.format("-A POSTROUTING -s %s -j SNAT --to %s", toip, r_addr))
If it fixes it, please post back and I'll push through an urgent patch.
You are only referring to the file "firewall.lua", correct? (You specified only the dir.)
It FIXED it!!!!!
Thank you so much
Accepted Answer
Can you use the 1-to-1 NAT app and do a Destination Port rule where the destination port is 25?
Can you create an SPF rule which allows all your interfaces? The only thing is that all should then have a reverse DNS record.
Out of interest, how did you set up your ppp0:200 VLAN, as it is not a usual identifier?
Accepted Answer
Thanks for your response.
1. Destination Port rule? Do you mean an incoming rule? How will that help?
2. I added all the IPs to the current SPF records (I don't have reverse DNS); the problem is it's taking long for many ISPs to populate... meanwhile hundreds of sent emails are getting rejected. (I updated the SPF records ~4 hours ago; so far Hotmail works, Gmail is still showing SPF fail.)
3. ppp0:200 is auto-generated after adding 1-to-1 NAT rules with that IP (for example NAT_TWS_PRI_HTTPS_443||0x10000080|6|x.x.x.x|443|ppp0_192.168.20.22 \)
I really need a way to make all traffic from a specific LAN IP use ppp0:200. I never had such a route and cannot figure out what recently changed so that it stopped using this iface.
Accepted Answer
I misread and thought ppp0:200 was a VLAN, not a virtual IP. Also I meant the MultiWAN app and not the 1-to-1 NAT app. All in all not a good response of mine first time! Let's try again.
I thought with the 1-to-1 NAT app it automatically added the rules, but I was never 100% certain - there is one specific rule I don't like. I'd love to get those rules rewritten but I can't get any traction.
What is the output of
iptables -nvL -t nat
I thought the right rules were there to SNAT outgoing packets. Perhaps try restarting the firewall.
Are you doing 1-to-1 NAT on all traffic on the ppp0:200 IP or just specific ports and protocols? If you are doing it for specific ports and protocols, can you try doing it for all traffic?
Accepted Answer
The output of iptables -nvL -t nat: https://termbin.com/e84y (I replaced my WAN IP with xx.xx.xx; 26.26.26.0/24 is a VLAN I use. I know it doesn't conform to standards, I have not yet gotten around to changing it... it's been working fine for 7 years.)
I did not restart the firewall directly, but I did restart the OS several times.
Accepted Answer
What is the LAN IP affected? 26.26.26.30? If so, you appear to be missing a bunch of rules which SNAT 26.26.26.30 back to your WAN IP.
In /usr/clearos/apps/firewall/deploy, please can you try uncommenting (remove the "--") line 2268 and 2269 so they read:
iptables("nat",
string.format("-A POSTROUTING -s %s -j SNAT --to %s", toip, r_addr))
I don't think they should have really been in the ICMP section and should not have been commented out.
Then restart the firewall with a "systemctl firewall restart" and see if it fixes it.
If it fixes it, please post back and I'll push through an urgent patch.
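The rule Nick points at is the outbound half of a 1-to-1 NAT: the PREROUTING DNAT delivers inbound packets for the public virtual IP to the LAN host, and the POSTROUTING SNAT rewrites the LAN host's own outbound packets back to that public IP. When the SNAT is missing (or sits after a catch-all MASQUERADE, which iptables matches first), the host's outbound connections leave with the primary WAN address instead, which is exactly what an SPF check then rejects. As an added example that is not ClearOS code and not from any poster, the shell script below checks `iptables -t nat -S` output for both halves of one mapping and reports which half is missing or shadowed. The interface (ppp0) and addresses (26.26.26.30 for the LAN host, 203.0.113.200 standing in for the public virtual IP) are assumed placeholders, and the three rule sets are constructed, not captured from the poster's system.

```shell
#!/bin/sh
# Added example, not ClearOS/firewall.lua code. It checks `iptables -t nat -S`
# output for the two halves a 1-to-1 NAT needs: a PREROUTING DNAT (public -> LAN)
# and the POSTROUTING SNAT (LAN -> public) that the thread found commented out.
# Interface and address values (ppp0, 26.26.26.30, 203.0.113.200) are assumed.

# Read `iptables -t nat -S` output on stdin and report on one 1-to-1 mapping.
# Exit status: 0 both halves present and effective; 1 no DNAT for PUBLIC_IP;
# 2 no SNAT for LAN_IP (outbound traffic leaves with the primary WAN address);
# 3 SNAT present but placed after a catch-all MASQUERADE, so it never matches.
# Note: iptables -S prints --to-source / --to-destination even when the rule
# was added with the short form --to, so grep for --to alone will not match.
check_one_to_one() {
    lan_ip=$1; public_ip=$2
    awk -v lan="$lan_ip" -v pub="$public_ip" '
    BEGIN { dnat = 0; snat = 0; masq_before = 0 }
    $1 == "-A" {
        chain = $2; src = ""; dst = ""; target = ""; to = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-source" || $i == "--to-destination") to = $(i + 1)
        }
        sub(/\/32$/, "", src); sub(/\/32$/, "", dst)
        split(to, parts, ":")   # drop an optional :port from --to-*
        if (chain == "PREROUTING" && dst == pub && target == "DNAT" && parts[1] == lan) dnat = 1
        if (chain == "POSTROUTING" && target == "MASQUERADE" && src == "" && !snat) masq_before = 1
        if (chain == "POSTROUTING" && src == lan && target == "SNAT" && parts[1] == pub) snat = 1
    }
    END {
        if (!dnat) exit 1
        if (!snat) exit 2
        if (masq_before) exit 3
        exit 0
    }'
}

# Constructed sample rule sets (not captured from the poster's system).
# "broken": what the thread describes, DNAT only; outbound falls through to MASQUERADE.
BROKEN_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 203.0.113.200/32 -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 26.26.26.30:25
-A POSTROUTING -o ppp0 -j MASQUERADE'

# "fixed": the POSTROUTING SNAT line restored and placed before the MASQUERADE.
FIXED_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 203.0.113.200/32 -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 26.26.26.30:25
-A POSTROUTING -s 26.26.26.30/32 -j SNAT --to-source 203.0.113.200
-A POSTROUTING -o ppp0 -j MASQUERADE'

# "shadowed": same SNAT rule, but appended after MASQUERADE; first match wins, so it is dead.
SHADOWED_NAT='-P POSTROUTING ACCEPT
-A PREROUTING -d 203.0.113.200/32 -i ppp0 -j DNAT --to-destination 26.26.26.30
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -s 26.26.26.30/32 -j SNAT --to-source 203.0.113.200'

# Print a one-line verdict for the mapping LAN_IP <-> PUBLIC_IP read on stdin.
# Always returns 0; the exit status of check_one_to_one carries the result.
# On a live box: iptables -t nat -S | verdict 26.26.26.30 203.0.113.200
verdict() {
    check_one_to_one "$1" "$2"
    rc=$?
    case $rc in
        0) echo "ok: DNAT and SNAT both in place" ;;
        1) echo "missing: no PREROUTING DNAT for $2 -> $1" ;;
        2) echo "missing: no POSTROUTING SNAT for $1 -> $2 (outbound uses the primary WAN IP)" ;;
        3) echo "shadowed: SNAT for $1 sits after a catch-all MASQUERADE" ;;
    esac
    return 0
}

printf '%s\n' "$BROKEN_NAT"   | verdict 26.26.26.30 203.0.113.200
printf '%s\n' "$FIXED_NAT"    | verdict 26.26.26.30 203.0.113.200
printf '%s\n' "$SHADOWED_NAT" | verdict 26.26.26.30 203.0.113.200
```

The ordering check matters on a multi-WAN box: the generic per-interface MASQUERADE rules stay in place, so an SNAT restored by a patch only helps if it is inserted ahead of them, which is why a firewall restart (not just a rule append) is the right way to apply the fix.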
Accepted Answer
Nick Howitt wrote: when the firewall restarts which can be weeks later.
I guess that was this morning when I restarted the OS after troubleshooting a DNS issue.
(It turns out I banned the DNS IPs of OpenDNS, Google and Cloudflare (fail2ban port probing). No clue how/why those DNS servers would try to ESTABLISH a NEW connection to a closed port on my WAN; I am clueless.)
How soon would the patch be pushed?
Once again, many thanks
Accepted Answer
Sruli Saurymper wrote:
The output of iptables -nvL -t nat: https://termbin.com/e84y (I replaced my WAN IP with xx.xx.xx; 26.26.26.0/24 is a VLAN I use. I know it doesn't conform to standards, I have not yet gotten around to changing it... it's been working fine for 7 years.)
I did not restart the firewall directly, but I did restart the OS several times.
Recently I also encountered this problem and tried a few ways, but it still doesn't work.