Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: pmulroney on February 24, 2023, 07:59:54 AM
-
Hi there,
We recently changed ISPs to Aussie Broadband. Overall a better service, but we've had a few problems with the changeover.
The main one now is this - they supplied us with a NetComm NF20Mesh router, and every email that we receive to our SME server has headers that look like this:
Received: from Unknown (HELO mail-lj1-f178.google.com) (192.168.1.1)
Every single email that we receive looks similar to this. This is a problem because it thinks they are all spam. See the other headers in the email:
Authentication-Results: logicaldevelopments.com.au; auth=none; spf=softfail smtp.mailfrom=gmail.com; dkim=pass header.i=@gmail.com; dmarc=pass (p=none) d=gmail.com
Received: from Unknown (HELO mail-lj1-f178.google.com) (192.168.1.1)
by logicaldevelopments.com.au (qpsmtpd/0.96) with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Fri, 24 Feb 2023 14:34:57 +0800
X-DKIM-Authentication: domain: gmail.com, selector: 20210112, result: pass, policy: o=~, name: sender, policy_result: accept, policy: o=~, name: author, policy_result: accept, policy: , name: ADSP, policy_result: accept
Received-SPF: softfail (gmail.com ... _spf.google.com: Sender is not authorized by default to use 'pmulroney@gmail.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail.logicaldevelopments.com.au; identity=mailfrom; envelope-from="pmulroney@gmail.com"; helo=mail-lj1-f178.google.com; client-ip=192.168.1.1
Aussie Broadband say that it's our mail server. If we swap back to our rubbish iiNet Technicolour modem, the email headers start showing the correct IP addresses. They sent out a loan unit and I've set up the port forwarding rules in that, and it behaves the same way.
Has anyone used the Netcomm router in their setup? Is there a magic setting in the server that I need to check, or is the ISP just "passing the buck"?
Any suggestions gratefully received!
Regards,
Paul.
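As an added example (not code from the thread, qpsmtpd or SME Server), the Python below shows why headers like the ones in this post produce an SPF softfail: the Received line is parsed for the connecting address, that address is checked against a constructed, simplified stand-in for gmail.com's SPF policy, and a private connecting address is flagged as the gateway NATing inbound SMTP. Both header samples and the SPF record are constructed; the real gmail.com policy is resolved through _spf.google.com.

```python
import ipaddress
import re

# Constructed sample headers in the shape of the thread's example: HEADERS_NAT as
# seen through the NetComm (gateway address), HEADERS_OK with the real client address.
HEADERS_NAT = """\
Received: from Unknown (HELO mail-lj1-f178.google.com) (192.168.1.1)
  by logicaldevelopments.com.au (qpsmtpd/0.96) with ESMTPS; Fri, 24 Feb 2023 14:34:57 +0800
"""
HEADERS_OK = """\
Received: from mail-lj1-f178.google.com (HELO mail-lj1-f178.google.com) (209.85.208.178)
  by logicaldevelopments.com.au (qpsmtpd/0.96) with ESMTPS; Fri, 24 Feb 2023 14:34:57 +0800
"""
# Matches qpsmtpd's "from <rdns> (HELO <name>) (<ip>)" form used in the thread.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[\d.]+)\)",
    re.MULTILINE,
)
# Assumption: a constructed, simplified stand-in for gmail.com's SPF record (the real
# one chains through _spf.google.com); one Google netblock is enough for this check.
SPF_RECORD = "v=spf1 ip4:209.85.128.0/17 ~all"

def parse_received(headers):
    """Return the HELO name and connecting IP from the first qpsmtpd Received header."""
    m = RECEIVED_RE.search(headers)
    if m is None:
        raise ValueError("no qpsmtpd-style Received header found")
    return {"helo": m.group("helo"), "ip": ipaddress.ip_address(m.group("ip"))}

def spf_result(record, ip):
    """Minimal SPF evaluator: handles ip4: terms and the trailing 'all' qualifier only."""
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"~": "softfail", "-": "fail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def diagnose(headers, record=SPF_RECORD):
    """Return (spf_result, warning); warning is set when SPF saw a private address."""
    info = parse_received(headers)
    result = spf_result(record, info["ip"])
    warning = None
    if info["ip"].is_private:
        warning = (f"SPF for {info['helo']} evaluated against {info['ip']}: the gateway is "
                   f"source-NATing inbound SMTP, so the real sender address never reaches SPF")
    return result, warning
```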
-
Sounds like there's a combination of NAT, reverse NAT and port forwarding that's different between the router configs. Have a poke around in the good and bad devices (routers/modems) to see what's different.
Try a traceroute from the server to an external IP using both routers and see if there is a difference.
Thinking further, adblock or something on the router. On the server do a 'host mail-lj1-f178.google.com' with both routers.
My server (port forwarded behind an openwrt gateway) reports:
host mail-lj1-f178.google.com
mail-lj1-f178.google.com has address 209.85.208.178
[edit] And you are aware that ABB appear to use CGNAT and block outgoing SMTP by default unless you contact them? https://www.aussiebroadband.com.au/help-centre/internet/tech-support/port-blocking/
And here (yes, I know it refers to a VPN, but the CGNAT issue is mentioned): https://www.purevpn.com/blog/aussie-broadband-cgnat-port-forwarding/ It doesn't necessarily explain why one modem works and the other doesn't though.
-
Try disabling the DNS proxy on the router.
-
According to the NF20MESH Port Forwarding (https://support.netcommwireless.com/api/Media/FAQ/80a6e759-a3d5-4b2a-bdf7-2c197214ec79?Product=NF20-NF20MESH%20-%20Port%20Forwarding%20Setup%20Guide.pdf) guide, there is a check box in the port forward setup for "Enable LAN Loopback".
Make sure "Lan Loopback" is disabled.
LAN Loopback would cause the router to NAT all LAN traffic with the router IP -- maybe their implementation does the same thing for incoming WAN traffic...
-
Had a look in my Technicolour TG789vac v3 and it doesn't seem to have that "Enable LAN Loopback" feature.
So that would explain why it works OK but the new hardware doesn't.
-
> Sounds like there's a combination of NAT, reverse NAT and port forwarding that's different between the router configs. Have a poke around in the good and bad devices (routers/modems) to see what's different.
> Try a traceroute from the server to an external IP using both routers and see if there is a difference.
> Thinking further, adblock or something on the router. On the server do a 'host mail-lj1-f178.google.com' with both routers.
> My server (port forwarded behind an openwrt gateway) reports:
> host mail-lj1-f178.google.com
> mail-lj1-f178.google.com has address 209.85.208.178
> [edit] And you are aware that ABB appear to use CGNAT and block outgoing SMTP by default unless you contact them? https://www.aussiebroadband.com.au/help-centre/internet/tech-support/port-blocking/
> And here (yes, I know it refers to a VPN, but the CGNAT issue is mentioned): https://www.purevpn.com/blog/aussie-broadband-cgnat-port-forwarding/ It doesn't necessarily explain why one modem works and the other doesn't though.
When we set up the account, I asked for a static IP address and to turn off all port blocking. They are aware that we host our own mail server.
The host command returns the same for both modems:
host mail-lj1-f178.google.com
mail-lj1-f178.google.com has address 209.85.208.178
Traceroute for the broken router is below:
traceroute mail-lj1-f178.google.com
traceroute to mail-lj1-f178.google.com (209.85.208.178), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.361 ms 0.390 ms 0.420 ms
2 loop1591962000.bng.per.aussiebb.net (159.196.200.1) 2.194 ms 3.542 ms 3.577 ms
3 10.241.12.121 (10.241.12.121) 50.786 ms 50.788 ms 50.656 ms
4 HundredGigE0-0-0-12.core1.vdc01.per.aussiebb.net (202.142.143.46) 50.428 ms HundredGigE0-0-0-12.core2.vdc01.per.aussiebb.net (202.142.143.44) 50.495 ms 50.497 ms
5 * * *
6 10.241.16.177 (10.241.16.177) 50.338 ms 10.241.16.183 (10.241.16.183) 50.351 ms 10.241.16.177 (10.241.16.177) 50.302 ms
7 be32.lsr2.nextdc-s2.syd.aussiebb.net (202.142.143.54) 53.310 ms 53.314 ms 51.587 ms
8 be2.lsr2.equinix-sy4.syd.aussiebb.net (159.196.252.106) 49.870 ms 49.794 ms 49.810 ms
9 10.241.12.121 (10.241.12.121) 50.347 ms 50.308 ms 50.370 ms
10 google.equinix-sy3.syd.aussiebb.net (119.18.32.91) 50.323 ms 50.312 ms 50.286 ms
11 * * *
12 142.250.212.136 (142.250.212.136) 49.462 ms 108.170.247.49 (108.170.247.49) 49.909 ms 49.869 ms
13 108.170.247.74 (108.170.247.74) 50.685 ms 108.170.247.90 (108.170.247.90) 49.695 ms 108.170.247.67 (108.170.247.67) 50.342 ms
14 142.250.214.119 (142.250.214.119) 52.351 ms 216.239.56.31 (216.239.56.31) 50.327 ms 142.251.242.75 (142.251.242.75) 50.968 ms
15 108.170.236.104 (108.170.236.104) 186.924 ms 172.253.65.130 (172.253.65.130) 1382.923 ms 1385.432 ms
16 142.250.213.61 (142.250.213.61) 227.847 ms 142.250.213.71 (142.250.213.71) 227.475 ms *
17 142.251.65.6 (142.251.65.6) 241.958 ms 142.251.64.248 (142.251.64.248) 241.869 ms 241.641 ms
18 142.251.54.116 (142.251.54.116) 320.364 ms 142.250.225.140 (142.250.225.140) 327.205 ms 142.251.71.158 (142.251.71.158) 335.058 ms
19 142.251.51.214 (142.251.51.214) 334.959 ms 209.85.248.6 (209.85.248.6) 335.160 ms 108.170.236.40 (108.170.236.40) 335.649 ms
20 72.14.233.133 (72.14.233.133) 341.803 ms 142.250.235.91 (142.250.235.91) 343.388 ms 142.251.52.9 (142.251.52.9) 343.354 ms
21 72.14.232.76 (72.14.232.76) 343.462 ms 142.250.235.74 (142.250.235.74) 343.644 ms 142.250.233.0 (142.250.233.0) 342.363 ms
22 172.253.79.115 (172.253.79.115) 341.243 ms 108.170.233.163 (108.170.233.163) 342.620 ms 142.250.56.125 (142.250.56.125) 343.127 ms
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
-
> Try disabling the DNS proxy on the router.
Disabling the DNS proxy has no effect.
-
> According to the NF20MESH Port Forwarding (https://support.netcommwireless.com/api/Media/FAQ/80a6e759-a3d5-4b2a-bdf7-2c197214ec79?Product=NF20-NF20MESH%20-%20Port%20Forwarding%20Setup%20Guide.pdf) guide, there is a check box in the port forward setup for "Enable LAN Loopback".
> Make sure "Lan Loopback" is disabled.
> LAN Loopback would cause the router to NAT all LAN traffic with the router IP -- maybe their implementation does the same thing for incoming WAN traffic...
Hmmm, when you set up the port forwarding rules this isn't enabled by default. I tried re-creating the rules with it turned on, but once you create the rule it doesn't show the Loopback setting anywhere.
I re-created the rules again, this time making sure that LAN Loopback was not checked, and it seems to now be working. Very very weird.
It's possible that this and disabling the DNS proxy made the difference; whatever it was, it seems to be working now.
Thank you all for your help, it's much appreciated!
Thank you for your help, much appreciated.
-
> Try disabling the DNS proxy on the router.
One side-effect is that now we can't use our external server addresses internally. For example, if I want to go to https://mail.logicaldevelopments.com.au/ld_external/mantis, it complains that the certificate "example.com" is invalid (this is generated by the router). If you click "Proceed anyway", it then takes you to the external IP address with a similar error. If you click "Proceed anyway" again, it then takes you to the router login screen.
Any recommendations for a better quality router, one that won't create these kinds of headaches?
-
With the last issue, I re-created the NAT port forwarding rules for HTTPS, so that LAN Loopback was enabled. This allowed me to use the external address.
It's all very complicated ...
-
> With the last issue, I re-created the NAT port forwarding rules for HTTPS, so that LAN Loopback was enabled. This allowed me to use the external address.
> It's all very complicated ...
What are you on, Paul: FTTN, FTTC etc.? Using the VoIP or not?
Pick one :-) https://whirlpool.net.au/wiki/fttn_registered_modem_router
-
> What are you on, Paul: FTTN, FTTC etc.? Using the VoIP or not?
> Pick one :-) https://whirlpool.net.au/wiki/fttn_registered_modem_router
Fibre To The Premises.
We're using VoIP; we have FreePBX set up on our internal network.
-
Worth a read - https://forums.whirlpool.net.au/archive/9246yz81
-
> Worth a read - https://forums.whirlpool.net.au/archive/9246yz81
Thanks Terry! We already have wifi set up, so all I really need is a router. I've fiddled with the NetComm settings, and based on the feedback from others I think it's working now. I'm a bit afraid to poke it tbh!
If this fails, I have some Billion routers in my stack of old tech. The routing functions in those were pretty reliable from memory. Failing that, I'm looking at this one: https://www.ple.com.au/Products/643986/tp-link-er605-safestream-gigabit-multi-wan-vpn-router
-
Billion was always my preferred option, or anything with a Broadcom chipset.
Currently I just use the iiNet-supplied TG789vac v3 as I also have the VoIP service. I use an old Netgear Nighthawk for wifi and other routing jobs; iiNet locks down the VoIP side.
Only FTTN here, so until the copper is replaced it's pretty futile chasing anything better just yet :-)
-
> Only FTTN here, so until the copper is replaced it's pretty futile chasing anything better just yet :-)
NBN announced FTTP in our location, so I called iiNet to find out if we could upgrade, and they basically said no and referred us onto other ISPs.
I have some friends with Aussie, and they seemed to go OK, so I thought we'd give them a go. Service is good, but technical is a little difficult because we don't fit the normal profile. If I were a residential service, it'd be a breeze!
-
It's annoying where we are, as areas around us are being upgraded to FTTP; we're currently about 350 metres from the node, so FTTN is all she wrote.
-
Have a look at future broadband.
[edit] They'd have to be the most boring ISP I've ever used. It's just worked from day one.