fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Incoming Port 25 blocked - Mikrotik compatible service ?

Thu Nov 04, 2010 1:38 am

Is there any service provider out there that sells a service whereby a public IPv4 address is assigned at the tail end of a RouterOS-compatible tunnel (IPv4, GRE, EoIP?), so that I can get incoming traffic over port 25 over my cable modem connection?

F.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Thu Nov 04, 2010 1:39 am

portableip.com
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Thu Nov 04, 2010 1:26 pm

I've got my PPTP tunnel up and running; it's pinging inbound.

However, DST-NAT to my NATted home SMTP server is not spitting packets out.

Do you need a corresponding SRC-NAT rule?

I just want port 25 traffic out of my SMTP server to go back out of the PPTP interface...

F.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Thu Nov 04, 2010 6:23 pm

If you're not routing all traffic through the tunnel, you will need some policy routing to specify that all packets/connections coming into the tunnel interface should leave via the tunnel interface as well. Let me know if you need an example.
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 3:00 am

Sure, I'll take you up on an example.

My PortableIP tunnel is only very low speed, so I only want the SMTP traffic to go through it.

So, if you assume my LAN SMTP server is at 192.168.1.252 port 25 and my PortableIP public IP is x.y.z.w, what would the policy route be?

F.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 5:01 am

See these posts to get you started.

http://forum.mikrotik.com/viewtopic.php ... ip#p106528
http://forum.mikrotik.com/viewtopic.php?p=78216#p78216

First is to make sure anything coming in the tunnel goes back out the tunnel. For this you just mark every single connection coming in with in-interface=tunnel. Mark packets based on the connection mark, then mark routing. You create a new routing table with a default route of the tunnel (you can use the IP or the gateway interface since it's PPP).

I will see if I can come up with an exact ruleset for you and post it in a bit.
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 6:44 am

Still very much confused after 2 hours of trying to get this to work.

I get it on the inbound; it's the bit about making sure that traffic from my inside LAN SMTP server follows the path of the tunnel that I do not get.

F.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 7:12 am

Do you need to send outbound using the tunnel as well? If so, just add a mangle rule in the forward chain specifying in-interface=yourlan and src-address=yourmailip and dst-port=25 and mark the connection using the same connection mark name as the inbound stuff. If it's not working, paste the relevant entries you have from mangle and ip route and I will help you make it work.
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 1:29 pm

This is my mangle:

0 chain=input action=mark-connection new-connection-mark=portable-ip-inbound passthrough=yes
dst-address=x.x.x.x in-interface=PortableIP-x-x-x-x

1 chain=output action=mark-routing new-routing-mark=portable-ip-routing passthrough=yes

2 chain=prerouting action=mark-connection new-connection-mark=portable-ip-connection passthrough=yes
in-interface=PortableIP-x.x.x.x

3 chain=prerouting action=mark-packet new-packet-mark=portable-ip-packet passthrough=yes
connection-mark=portable-ip-connection

4 chain=prerouting action=mark-routing new-routing-mark=out-portable-ip passthrough=yes
packet-mark=portable-ip-packet

5 chain=forward action=passthrough protocol=tcp src-address=192.168.3.252 routing-mark=portable-ip-routing
in-interface=BrisenetLAN dst-port=25

F.
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 1:30 pm

The question here is: do I need DST-NAT at all if I mangle?

i.e. from the tunnel public IP to the LAN SMTP server

F.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Fri Nov 05, 2010 5:32 pm

Yes, you need dst-nat to translate the public IP to the private IP. Also, rule 1 below needs to specify connection-mark so that you aren't marking every single packet on the output chain with the PortableIP mark. Other than that it looks okay; is it working as expected? You will need src-nat and dst-nat if you are using a private IP on the inside.
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Sat Nov 06, 2010 1:34 pm

I think part of my confusion is that I do not understand what to use as the gateway for an L2TP tunnel.

For instance, when I was provided the information from PortableIP, I was told what IP address PortableIP would assign, and was told what VPN server to use.

Is the VPN server the gateway? The VPN server was provided to me as an FQDN, but RouterOS does not want to see a default gateway as an FQDN.

Is the interface of the L2TP tunnel with its address the gateway?

And what would the route look like? Would it be based on the tracked connection?

Finally, I also have difficulty in relating the DST-NAT entry to the SRC-NAT entry.

Also, if I specify the interface of the L2TP tunnel in the DST-NAT, it does not work. If I do not, and I simply swing whatever comes in on port 25 to my mail server IP on the LAN, then it works.

Also, do I need an explicit filter entry to accept inbound traffic for the L2TP interface destined to that IP?

F.
 
fmenard123
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 02, 2008 6:43 am

Re: Incoming Port 25 blocked - Mikrotik compatible service ?

Mon Nov 08, 2010 12:03 am

Reply to self:

I've finally got it working. In the end, in the mangle rules I scrapped totally everything I had done so far and only kept one line:

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"This rule works and is tied to the policy route in ip routes" disabled=\
no new-routing-mark=out-portable-ip passthrough=yes src-address=\
192.168.4.76

/ip firewall nat
add action=dst-nat chain=dstnat comment=\
"DSTNAT of everything inbound on 204.16.x.x to 192.168.4.76" disabled=\
no dst-address=204.16.x.x to-addresses=192.168.4.76
add action=masquerade chain=srcnat comment="SRCNAT back 192.168.4.x out to Por\
table-IP Masquerade - TEST IF CRITICAL" disabled=no out-interface=\
PortableIP-204-16-x-x src-address=192.168.4.0/24
add action=masquerade chain=srcnat comment=\
"SRCNAT back out to Cable Modem for 192.168.3.X Masquerade" disabled=no \
out-interface=wan1 src-address=192.168.3.0/24

/ip route
add comment="This rule works" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=PortableIP-204-16-x-x routing-mark=out-portable-ip scope=30 \
target-scope=10

In the end everything related to connection marking, packet marking for both cable modem and for portable-ip L2TP interfaces ended up not working through SRCNAT from my Mail Server to my L2TP tunnel Interface IP. Only Routing-Mark ended up working.

I'm looking for documentation on this and cannot find any.

Could there be a better config? What would be the purpose of packet and connection marking?

I do not care ... mail gets in after one week up in the air. Man it feels good.
I'm bypassing port 25 being blocked inbound on my cable modem by getting SMTP to come over L2TP from PortableIP.com.

F.
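The connection-mark approach changeip outlined earlier in the thread, written out as a complete ruleset. This is an added example, not config posted by anyone in the thread; it assumes the names used in the posts above: mail server 192.168.4.76 on LAN interface BrisenetLAN, tunnel interface PortableIP-204-16-x-x with the placeholder public IP 204.16.x.x, and WAN interface wan1. Unlike the final single src-address rule, it sends only tunnel-originated connections and the mail server's outbound SMTP through the slow tunnel, forwards only TCP/25 to the LAN, and drops everything else that arrives over the tunnel's public IP.

```routeros
/ip firewall mangle
# Tag every new connection that arrives through the tunnel (inbound mail and
# anything sent to the router itself over the tunnel).
add chain=prerouting in-interface=PortableIP-204-16-x-x connection-state=new \
    action=mark-connection new-connection-mark=portable-ip-conn passthrough=yes
# Tag the mail server's own outbound SMTP with the same connection mark, so
# outgoing mail leaves through the tunnel as well (assumed to be wanted).
add chain=prerouting in-interface=BrisenetLAN src-address=192.168.4.76 \
    protocol=tcp dst-port=25 connection-state=new \
    action=mark-connection new-connection-mark=portable-ip-conn passthrough=yes
# Only LAN-sourced packets of tagged connections get the routing mark. Without
# the in-interface match, packets coming IN from the tunnel would also be looked
# up in the out-portable-ip table, whose default route would push them back
# into the tunnel instead of onto the LAN.
add chain=prerouting in-interface=BrisenetLAN connection-mark=portable-ip-conn \
    action=mark-routing new-routing-mark=out-portable-ip passthrough=no
# Router-originated replies on tagged connections; the connection-mark match
# keeps ordinary output traffic on the normal route.
add chain=output connection-mark=portable-ip-conn \
    action=mark-routing new-routing-mark=out-portable-ip passthrough=no

/ip firewall nat
# Forward only TCP/25 from the tunnel's public IP (placeholder) to the mail server.
add chain=dstnat dst-address=204.16.x.x protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.4.76
# Masquerade behind each uplink (private addresses on the LAN).
add chain=srcnat out-interface=PortableIP-204-16-x-x action=masquerade
add chain=srcnat out-interface=wan1 action=masquerade

/ip firewall filter
# The tunnel hands the LAN a public IP: allow replies plus the forwarded SMTP
# port, and drop everything else that arrives through it.
add chain=forward in-interface=PortableIP-204-16-x-x \
    connection-state=established,related action=accept
add chain=forward in-interface=PortableIP-204-16-x-x protocol=tcp \
    dst-address=192.168.4.76 dst-port=25 connection-state=new action=accept
add chain=forward in-interface=PortableIP-204-16-x-x action=drop

/ip route
# Default route in the marked table; the tunnel is a PPP interface, so it can
# be named directly as the gateway.
add dst-address=0.0.0.0/0 gateway=PortableIP-204-16-x-x \
    routing-mark=out-portable-ip
```

Place the filter rules before any existing catch-all accept in the forward chain, and check with /ip firewall connection print that inbound SMTP sessions carry the portable-ip-conn mark.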
