Koozali.org: home of the SME Server

Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway

Offline brianr

  • *
  • 990
  • +2/-0
Firstly I understand very little about iptables (but could learn), normally I would not go anywhere near such an esoteric subject, leaving it to the devs here who do such a good job

However I have a customer with an SMEServer running in Server Gateway mode.  We constantly have problems with the ADSL 'cos they are 6.5Km from the exchange, so we want to use 2 ADSL lines, one of which acts as failover backup to the other (through smarts in the Zyxel router). I have connected both routers to the WAN subnet (inboard of the routers), and the failover works well as the failing router passes the traffic onto the backup router when its line goes down.  However incoming email does not get re-routed, so I would like to be able to add an extra MX record to the email domain so that the email is delivered to the second router if the first fails to respond.

Of course this fails, I presume because the iptables rules in the server will only accept SMTP from the "primary" router (the gateway IP).

I presume therefore that it needs an extra line in the iptables setup to allow it in.  Am I correct, and can someone help with the task?

Here is the iptables log line relating to an SMTP attempt via the backup router (at least I think that is what it is).

2009-08-20 00:00:37.780568500 Aug 20 00:00:37 uretekserver denylog: IN=eth1 OUT= MAC=00:06:4f:4f:00:fc:00:04:ed:23:52:67:08:00  SRC=xxx.xxx.xxx.xxx DST=10.0.0.99 LEN=40 TOS=00 PREC=0x00 TTL=244 ID=65259 CE PROTO=TCP SPT=14855 DPT=25 SEQ=1206851624 ACK=0 WINDOW=5840 RST URGP=0

(actual IP address obscured).

10.0.0.99 is the WAN NIC on the server; the backup router is on 10.0.0.3.

(added later) and the primary router is on 10.0.0.2

Any help/comments would be greatly appreciated.

« Last Edit: August 20, 2009, 01:09:33 PM by brianr »
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline mmccarn

  • *
  • 2,656
  • +10/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #1 on: August 20, 2009, 02:39:25 PM »
I'm not sure your issue is so much an iptables problem as a routing problem - if your primary connection fails, and you get incoming traffic through the second router, your SME probably "replies" to the primary router anyway (since it's the default gateway), which then doesn't know what to do with the packets.  To fix this with iptables, I think you would either need a rule to change the routing for any traffic that had been passed through 10.0.0.3 - which I've never seen, or you would have to configure a second WAN ip on your SME designed to talk to the secondary router.

I can see 4 ways to solve the problem:

1) Modify your primary router to use the secondary router as its gateway if its internet connection is down (this may be possible on some routers, but I don't know any specifics about how to do it).

2) Write a script to run on your SME that verifies the primary internet connection, then changes the default gateway in the event of a failure.  That is, try to connect to some off-site host, and change the default gateway on failure.

Note that in both of the above situations, your backup MX record will fail for all connections unless/until your SME server "fails over" to the backup internet connection.

3) (The easiest solution) Purchase and install a Xincom (or other) dual WAN router between your two ADSL connections and your SME server (note that this solution becomes tricky-but-not-impossible if you're using any sort of VoIP on your LAN)

4) Setup another SME on the secondary internet connection, configured to use the first SME as an "Internal" mail server.  The proxying capabilities effectively "re source" the incoming email streams, so email works OK.  (While you're at it, make the second SME an Affa backup of the first SME...)

This last option still leaves you with a problem sending emails and browsing the internet if your primary WAN fails, but at least email will continue to come in...

To resolve these last two problems you would still need a script (as in option 2 above) or a manual procedure that either changes the default gateway, or configures "upstream" SMTP and HTTP proxies to pass through the secondary SME server -- but at least you could SSH into the secondary SME, then get to the Primary to make the required changes from off-site...
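A sketch of option 2 above, added here as an example and not code from the post, from SME Server or from any router vendor: a watchdog that probes an off-site host and moves the default route to the backup router after a run of failed probes, then moves it back after a run of successful ones. The 10.0.0.2 and 10.0.0.3 gateway addresses and the eth1 WAN interface are taken from the thread; the probe target 192.0.2.10 is a placeholder, the probe port is assumed, and the route change assumes iproute2's `ip route` is on the box. The default route is replaced directly, which is outside SME's configuration database and so may be undone by a template re-expansion; that is a limitation of the sketch, not something the thread discusses.

```python
"""Gateway failover watchdog in the spirit of mmccarn's option 2.

Added example, not code from the thread or from SME Server.  Assumptions:
iproute2's `ip route` is available, the WAN interface is eth1 (the IN=eth1
of the posted log line) and 192.0.2.10 is a placeholder off-site host.
The 10.0.0.x gateway addresses are the ones given in the thread.
"""
import socket
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

PRIMARY_GW = "10.0.0.2"   # Zyxel1, primary router (from the thread)
BACKUP_GW = "10.0.0.3"    # Zyxel2, backup router (from the thread)
WAN_IFACE = "eth1"        # WAN NIC (assumption, taken from IN=eth1 in the log)
PROBE_IP = "192.0.2.10"   # placeholder off-site host (RFC 5737 TEST-NET-1)
PROBE_PORT = 80           # assumed: any TCP port the probe host answers on


def route_cmd(dest: str, via: str) -> List[str]:
    """Build an `ip route replace` command; returned so it can be inspected."""
    return ["ip", "route", "replace", dest, "via", via, "dev", WAN_IFACE]


def apply_route(cmd: List[str], dry_run: bool) -> None:
    """Run the route change unless dry_run (needs root when not dry_run)."""
    if not dry_run:
        subprocess.run(cmd, check=True)


def tcp_probe(host: str = PROBE_IP, port: int = PROBE_PORT,
              timeout: float = 5.0) -> bool:
    """True if a TCP connection to the probe host completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class FailoverState:
    active: str = PRIMARY_GW
    fail_streak: int = 0
    ok_streak: int = 0


class FailoverWatchdog:
    """Switch the default route after `fail_threshold` consecutive probe
    failures and switch back after `recover_threshold` consecutive
    successes; the streaks keep one lost probe from flapping the route."""

    def __init__(self, fail_threshold: int = 3, recover_threshold: int = 5,
                 dry_run: bool = True) -> None:
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.dry_run = dry_run
        self.state = FailoverState()
        self.applied: List[List[str]] = []   # record of route commands issued
        # Pin the probe target to the primary line with a host route so the
        # probe keeps testing the primary even while the default route is on
        # the backup; without this, recovery of the primary is never seen.
        self._apply(route_cmd(f"{PROBE_IP}/32", PRIMARY_GW))

    def _apply(self, cmd: List[str]) -> None:
        apply_route(cmd, self.dry_run)
        self.applied.append(cmd)

    def step(self, probe_ok: bool) -> Optional[str]:
        """Feed one probe result; return the gateway switched to, if any."""
        s = self.state
        if probe_ok:
            s.ok_streak, s.fail_streak = s.ok_streak + 1, 0
            if s.active == BACKUP_GW and s.ok_streak >= self.recover_threshold:
                s.active, s.ok_streak = PRIMARY_GW, 0
                self._apply(route_cmd("default", PRIMARY_GW))
                return PRIMARY_GW
        else:
            s.fail_streak, s.ok_streak = s.fail_streak + 1, 0
            if s.active == PRIMARY_GW and s.fail_streak >= self.fail_threshold:
                s.active, s.fail_streak = BACKUP_GW, 0
                self._apply(route_cmd("default", BACKUP_GW))
                return BACKUP_GW
        return None

    def run(self, probe: Callable[[], bool], interval: float, rounds: int) -> str:
        """Poll `probe` every `interval` seconds for `rounds` rounds; return
        the gateway that is active at the end."""
        for _ in range(rounds):
            switched = self.step(probe())
            if switched:
                print(f"default gateway now {switched}")
            time.sleep(interval)
        return self.state.active


if __name__ == "__main__":
    # Dry run over a constructed probe sequence: the line drops, then recovers.
    results = iter([True, False, False, False, False,
                    True, True, True, True, True])
    wd = FailoverWatchdog(dry_run=True)
    print("ended on", wd.run(lambda: next(results), interval=0, rounds=10))
```

Run it as root with `dry_run=False` and `tcp_probe` as the probe to act on the routes; as written it only prints the decisions. As the post notes, this does nothing for the backup MX record until the switch has happened, because inbound mail via the second router is still answered through whichever gateway is the default.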


Offline brianr

  • *
  • 990
  • +2/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #2 on: August 20, 2009, 03:36:46 PM »
1) Modify your primary router to use the secondary router as its gateway if its internet connection is down (this may be possible on some routers, but I don't know any specifics about how to do it).

This is what I am using; it is a "Backup" mode in the primary router, whereby you can specify that if the primary router discovers that it can no longer access the internet it then just forwards all requests to the backup router.  This works very well for outgoing internet use.

But the problem is that although I have the relevant SMTP port forwarded to the SMEServer in the backup router, any SMTP passed through is apparently being rejected by the SMEServer, I presume by the iptables rules.

Your idea about a second SMEServer on the backup router will stop the above working, I think.

I am trying to remain in server-gateway mode if I can. I think (and I have some evidence at another site) that if I run in server mode, then hanging two internet routers on the same subnet as the LAN WILL allow the backup router to present SMTP to the SMEServer successfully.  However the advantages of Server-gateway (firewall, proxy, etc.) are keeping me from that solution just now.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline smeghead

  • *
  • 563
  • +0/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #3 on: August 21, 2009, 11:59:24 AM »
Some routers only provide limited failover support.

I have used dual & quad wan routers from Netgear & TPLink with success.  As all routing is internal to the one router it is very easy to set up; no changes to the SME required.

The client's public DNS records have mail.<domain> existing on 2 distinct IP addresses, and then they are listed in order of preference for MX duties.

Works very well.
..................

Offline brianr

  • *
  • 990
  • +2/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #4 on: August 21, 2009, 01:07:11 PM »
I have used dual & quad wan routers from Netgear & TPLink with success.  As all routing is internal to the one router it is very easy to set up; no changes to the SME required.

Yes, that would be the best solution, but I have been unable to find Netgear or TP-Link twin routers on any UK-based reseller site so far.  Can you give me a model number or link?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline mmccarn

  • *
  • 2,656
  • +10/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #5 on: August 21, 2009, 01:31:42 PM »
I presume by the iptables rules.
I don't think the problem is the iptables rules.

The incoming traffic is still addressed to the WAN IP of the SME, so won't be denied on that account, and I can't find any rules that restrict inbound traffic to only those that have passed through the default gateway...

Your idea about a second SMEServer on the backup router, will stop the above working I think.
I don't think so.  Here's what I'm picturing:

ISP1                  ISP2
  |                     |
Zyxel1----failover--->Zyxel2
  |                     |
  |                     |
 SME1<--Internal Mail--SME2
  |
 LAN


With configuration options like this:

Zyxel1:
* WAN: w.x.y.z
* LAN: 10.0.0.2
* Failover route to 10.0.0.3
(no changes from current config)

Zyxel2:
* WAN: a.b.c.d
* LAN: 10.0.0.3
* DMZ host -> 10.0.0.98 (SME2), or SMTP+SSH -> 10.0.0.98

SME1:
* Server/Gateway
* WAN: 10.0.0.99
* LAN: j.k.l.1
(no changes from current config)

SME2:
* Server/Gateway
* WAN: 10.0.0.98
* GW: 10.0.0.3
* LAN: j.k.l.2
* config setprop DelegateMailServer j.k.l.1 (LAN IP of SME1)
* ssh accepts connections

I use a similar config, but with an internal Exchange server, at one site.  The only question I have about this config is if/whether a SME in server/gateway (SME1) will accept inbound email on the LAN interface - but I can think of no reason that it would not.

Offline brianr

  • *
  • 990
  • +2/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #6 on: August 21, 2009, 01:38:16 PM »
mmccarn, yes, actually that is very neat, except that it requires another SMEServer which instantly adds a significant cost and potential failure point to the network.

Actually we do have plans to virtualise another server (based on Centos5), and run Win2k plus SMEServer Affa backup VMs locally and then this could be accommodated, however that plan is a few months away.

I appreciate your efforts, and will present your solution to the customer.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline brianr

  • *
  • 990
  • +2/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #7 on: August 21, 2009, 01:41:41 PM »
I don't think the problem is the iptables rules.

The incoming traffic is still addressed to the WAN IP of the SME, so won't be denied on that account, and I can't find any rules that restrict inbound traffic to only those that have passed through the default gateway...

Then why does my current setup fail to deliver the incoming SMTP from the backup router to the server?

The iptables log fragment I first posted appears in the logs whenever an SMTP attempt is made, whereas SMTP from the primary router does not elicit such an entry.  At least, given my current state of understanding, that is what I am assuming is happening.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline mmccarn

  • *
  • 2,656
  • +10/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #8 on: August 21, 2009, 02:17:48 PM »
Yes, I see what you mean.

Perhaps I should have said that I don't think there is any particular SME firewall rule that is designed to deny your desired config.

Instead, I think you're seeing a by-product of the overall routing situation - possibly the Zyxel "failover" mode performs NAT, effectively re-sourcing the packets from 10.0.0.2, giving you a TCP conversation that doesn't work, something like this:
- hello 10.0.0.99, I'm 10.0.0.3!
- Glad to meet you 10.0.0.3, I'm 10.0.0.2! (SME1 reply goes to Zyxel1 and is NATed due to "failover" mode?)
- Huh?

I agree that it seems that there should be some way to get it to work from the SME, and that such a way would involve iptables (since iptables seems to be capable of almost anything).

My feeling is that correcting this in iptables is much more complicated than finding and modifying a single existing SME template fragment (which is about all the iptables programming I know how to do)...

Another option that just occurred to me - if the problem is related to fragmentation in the TCP handshaking,  you may be able to fix the issue like this:
* add a route in router2 for the WAN IP of Zyxel1 through the LAN IP of Zyxel1, along the lines of route add w.x.y.z mask 255.255.255.255 10.0.0.2
* forward SMTP from router2 to the WAN IP (w.x.y.z) of Zyxel1
* Hope that Zyxel1 performs "reflexive forwarding" - that is, hope that traffic originating on the LAN addressed to the router's WAN ip is then run through the router's routing table and sent back to the designated LAN interface (I've seen this on Sonicwall and Smoothwall routers, but not in Linksys, Netgear, or DLink routers).  This is easy to test - just telnet w.x.y.z 25 from a LAN workstation - if you get the SME smtp greeting, the router is doing reflexive forwarding.


Offline mercyh

  • *
  • 824
  • +0/-0
    • http://mercyh.org
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #9 on: August 21, 2009, 03:21:44 PM »
Brianr,

Would this router do what you need?

http://www.cisco.com/en/US/products/ps9925/index.html

I purchased mine from Newegg, USD $157.00.

I have several running in my small business locations. It does have a second WAN port for failover and load balancing or it can be used as a DMZ port. I do not run the second WAN connection in my setting but it seems that the internal gateway address would remain the same no matter which WAN port is used.

In reading the different KB articles and postings on this unit, the only problem people seem to have is if they have an https connection running and the router moves their connection over to the other WAN port: they lose their https validation as their WAN IP address changes and the secure connection is broken.
« Last Edit: August 21, 2009, 03:25:21 PM by mercyh »

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #10 on: August 21, 2009, 09:28:46 PM »
Perhaps I should have said that I don't think there is any particular SME firewall rule that is designed to deny your desired config.

Instead, I think you're seeing a by-product of the overall routing situation

I agree. Note the RST in the log.
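To make the point about the RST concrete, here is an added example (not code from the thread or from SME Server) that decodes a denylog line such as the one brianr posted into its key=value fields and bare flag tokens, then classifies the TCP packet: a logged SYN is a dropped new connection, whereas a logged RST is the remote end resetting a conversation the firewall has no state for, which is what one would expect from a broken routing path rather than from a deny rule. The sample lines are constructed: the first is the posted line with the remote address already obscured by the poster, the second is a made-up SYN for contrast.

```python
"""Decoder for SME Server "denylog" lines like the one brianr posted.

Added example, not code from the thread or from SME Server.  It splits the
netfilter record into key=value fields and bare flag tokens and classifies
the packet so that the difference CharlieBrady points at (an RST, not a
SYN) is visible at a glance.
"""
from dataclasses import dataclass
from typing import Dict, List

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Constructed samples.  POSTED_LINE is the thread's line (remote address was
# obscured by the poster); SYN_LINE is made up, with a TEST-NET source.
POSTED_LINE = (
    "2009-08-20 00:00:37.780568500 Aug 20 00:00:37 uretekserver denylog: "
    "IN=eth1 OUT= MAC=00:06:4f:4f:00:fc:00:04:ed:23:52:67:08:00  "
    "SRC=xxx.xxx.xxx.xxx DST=10.0.0.99 LEN=40 TOS=00 PREC=0x00 TTL=244 "
    "ID=65259 CE PROTO=TCP SPT=14855 DPT=25 SEQ=1206851624 ACK=0 "
    "WINDOW=5840 RST URGP=0"
)
SYN_LINE = (
    "2009-08-20 00:01:02.000000000 Aug 20 00:01:02 uretekserver denylog: "
    "IN=eth1 OUT= MAC=00:06:4f:4f:00:fc:00:04:ed:23:52:67:08:00 "
    "SRC=192.0.2.44 DST=10.0.0.99 LEN=60 TOS=00 PREC=0x00 TTL=52 "
    "ID=1 DF PROTO=TCP SPT=40001 DPT=25 SEQ=1 ACK=0 WINDOW=5840 SYN URGP=0"
)


@dataclass
class DenylogEntry:
    host: str
    fields: Dict[str, str]   # key=value tokens, e.g. DST -> 10.0.0.99
    flags: List[str]         # bare tokens: TCP flags plus DF, CE and the like

    @property
    def tcp_flags(self) -> List[str]:
        return [f for f in self.flags if f in TCP_FLAGS]


def parse_denylog(line: str) -> DenylogEntry:
    """Split a denylog line into the logging host and its netfilter record.

    "ACK=0" is the acknowledgement number (a key=value token); a bare "ACK"
    would be the flag.  The two must not be confused.
    """
    head, tag, record = line.partition("denylog:")
    if not tag:
        raise ValueError("not a denylog line")
    host = head.split()[-1]          # hostname immediately precedes the tag
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in record.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value      # "OUT=" yields an empty string
        else:
            flags.append(token)
    return DenylogEntry(host, fields, flags)


def classify(entry: DenylogEntry) -> str:
    """Say what kind of packet the firewall logged."""
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(entry.tcp_flags)
    if "RST" in flags:
        return "reset"                # remote end resetting an untracked conversation
    if flags == {"SYN"}:
        return "connection-attempt"   # a new connection that was actually dropped
    return "mid-stream"               # packet of a connection the firewall has no state for


def describe(entry: DenylogEntry) -> str:
    """One-line summary: host, class, interface, 5-tuple and TCP flags."""
    f = entry.fields
    return (f"{entry.host}: {classify(entry)} on {f.get('IN')} "
            f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} "
            f"flags={'|'.join(entry.tcp_flags) or '-'}")


if __name__ == "__main__":
    for line in (POSTED_LINE, SYN_LINE):
        print(describe(parse_denylog(line)))
```

Feeding the posted line through `describe` reports a reset on eth1 to 10.0.0.99:25, not a connection attempt: the SYNs that matter are evidently not the packets being denied, which is why looking for an iptables rule to open is unlikely to help.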

Offline smeghead

  • *
  • 563
  • +0/-0
Re: Allow second Incoming SMTP (and SSH) on WAN side of a Server-gateway
« Reply #11 on: August 23, 2009, 09:25:33 PM »
I have these Dual WAN:

http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS336G.aspx

and these Quad WAN:

http://www.tp-link.com/products/product_des.asp?id=11

currently in use for several clients.

Both require an ADSL modem or router in front to terminate an ADSL connection.

At one site the TPLink is used with a pair of Netgear DG834's in front to handle initial firewall/port forwarding stuff (I could put the DG834's into DMZ mode & do it all in the TPLink but this way is more flexible for me) & then the TPLink is used for failover & link aggregation; the other 2 ports are for future expansion.

HTH

Yes, that would be the best solution, but I have been unable to find Netgear or TP-Link twin routers on any UK-based reseller site so far.  Can you give me a model number or link?
..................