crazyleg
just joined
Topic Author
Posts: 9
Joined: Sat Jul 10, 2010 6:56 pm

Two mailservers behind one routerboard with two public IPs

Fri Aug 29, 2014 2:31 pm

I do have a RB1200 with two public IP addresses on the WAN interface XX.YY.ZZ.110 and XX.YY.ZZ.235 (same /24 subnet). I use src-nat to map outgoing connections to the right public IP. (And dst-nat to map incoming public IP connections to the correct local IP).

Image

server 1:
public IP: XX.YY.ZZ.110 local IP: 192.168.18.20

server 2:
public IP: XX.YY.ZZ.235 local IP: 192.168.18.10

The problem is that connections from server to server (email, telnet etc.) get: Connection refused, and users are not able to send email to each other (server to server). Should this not work?



/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN

/ip address
add address=192.168.18.1/24 interface=ether2-LAN network=192.168.18.0
add address=XX.YY.ZZ.235/24 interface=ether1-WAN network=XX.YY.ZZ.0
add address=XX.YY.ZZ.110/24 interface=ether1-WAN network=XX.YY.ZZ.0

/ip firewall filter
add action=drop chain=input comment="Drop input WAN-IP src-add" disabled=yes in-interface=ether1-WAN src-address=XX.YY.ZZ.235
add action=drop chain=input comment="Drop input invalid connections" connection-state=invalid in-interface=ether1-WAN
add action=drop chain=forward comment="Drop forward invalid connections" connection-state=invalid in-interface=ether1-WAN
add chain=input comment="Accept Winbox" dst-port=8291 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd FTP" dst-port=21 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd SSH" dst-port=22 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd SMTP" dst-port=25 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd HTTP" dst-port=80 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd HTTPS" dst-port=443 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd POP" dst-port=110 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd IMAP" dst-port=143 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd IMAP SSL" dst-port=993 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd SNMP" dst-port=161 in-interface=ether1-WAN protocol=udp
add chain=forward comment="Accept fwd SMTP submission" dst-port=587 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd SMTP SSL" dst-port=465 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd ISPConfig control panel" dst-port=8080 in-interface=ether1-WAN protocol=tcp
add chain=forward comment="Accept fwd Sieve" dst-port=4190 protocol=tcp
add chain=input comment="Accept fwd ICMP" in-interface=ether1-WAN protocol=icmp
add chain=input comment="Accept input established connections" connection-state=established
add chain=input comment="Accept input related connections" connection-state=related
add chain=forward comment="Accept fwd established connections" connection-state=established limit=100,500
add chain=forward comment="Accept fwd related connections" connection-state=related
add action=log chain=input disabled=yes in-interface=ether1-WAN log-prefix=drop_
add action=drop chain=input in-interface=ether1-WAN

/ip firewall nat
add action=src-nat chain=srcnat comment="srcnat XX.YY.ZZ.235 server 2" out-interface=ether1-WAN src-address=192.168.18.10 to-addresses=XX.YY.ZZ.235
add action=src-nat chain=srcnat comment="srcnat XX.YY.ZZ.110 server 1" out-interface=ether1-WAN src-address=192.168.18.20 to-addresses=XX.YY.ZZ.110
add action=dst-nat chain=dstnat comment="server 2 FTP" dst-address=XX.YY.ZZ.235 dst-port=21 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=21
add action=dst-nat chain=dstnat comment="server 2 SSH" dst-address=XX.YY.ZZ.235 dst-port=22 in-interface=ether1-WAN protocol=tcp src-address=AA.AA.AA.AA to-addresses=192.168.18.10 to-ports=22
add action=dst-nat chain=dstnat comment="server 2 SMTP" dst-address=XX.YY.ZZ.235 dst-port=25 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=25
add action=dst-nat chain=dstnat comment="server 2 HTTP" dst-address=XX.YY.ZZ.235 dst-port=80 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=80
add action=dst-nat chain=dstnat comment="server 2 POP" dst-address=XX.YY.ZZ.235 dst-port=110 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=110
add action=dst-nat chain=dstnat comment="server 2 IMAP" dst-address=XX.YY.ZZ.235 dst-port=143 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=143
add action=dst-nat chain=dstnat comment="server 2 SNMP" dst-address=XX.YY.ZZ.235 dst-port=161 in-interface=ether1-WAN protocol=udp to-addresses=192.168.18.10 to-ports=161
add action=dst-nat chain=dstnat comment="server 2 SMTP submission" dst-address=XX.YY.ZZ.235 dst-port=587 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=587
add action=dst-nat chain=dstnat comment="server 2 Management" dst-address=XX.YY.ZZ.235 dst-port=8080 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.18.10 to-ports=8080
add action=dst-nat chain=dstnat comment="server 1 SSH" dst-address=XX.YY.ZZ.110 dst-port=22 in-interface=ether1-WAN protocol=tcp src-address=AA.AA.AA.AA src-port="" to-addresses=192.168.18.20 to-ports=22
add action=dst-nat chain=dstnat comment="server 1 SMTP" dst-address=XX.YY.ZZ.110 dst-port=25 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=25
add action=dst-nat chain=dstnat comment="server 1 HTTP" dst-address=XX.YY.ZZ.110 dst-port=80 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=80
add action=dst-nat chain=dstnat comment="server 1 POP" dst-address=XX.YY.ZZ.110 dst-port=110 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=110
add action=dst-nat chain=dstnat comment="server 1 IMAP" dst-address=XX.YY.ZZ.110 dst-port=143 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=143
add action=dst-nat chain=dstnat comment="server 1 SNMP" dst-address=XX.YY.ZZ.110 dst-port=161 in-interface=ether1-WAN protocol=udp src-port="" to-addresses=192.168.18.20 to-ports=161
add action=dst-nat chain=dstnat comment="server 1 HTTPS" dst-address=XX.YY.ZZ.110 dst-port=443 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=443
add action=dst-nat chain=dstnat comment="server 1 SMTP SSL" dst-address=XX.YY.ZZ.110 dst-port=465 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=465
add action=dst-nat chain=dstnat comment="server 1 SMTP submission" dst-address=XX.YY.ZZ.110 dst-port=587 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=587
add action=dst-nat chain=dstnat comment="server 1 IMAP SSL" dst-address=XX.YY.ZZ.110 dst-port=993 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=993
add action=dst-nat chain=dstnat comment="server 1 POP SSL" dst-address=XX.YY.ZZ.110 dst-port=995 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=995
add action=dst-nat chain=dstnat comment="server 1 Sieve" dst-address=XX.YY.ZZ.110 dst-port=4190 in-interface=ether1-WAN protocol=tcp src-port="" to-addresses=192.168.18.20 to-ports=4190
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Two mailservers behind one routerboard with two public I

Sun Aug 31, 2014 5:38 am

If the servers are looking up the MX record for the domain(s) handled by the other server and getting the public IP you may be seeing an issue related to the need for hairpin NAT:

http://wiki.mikrotik.com/wiki/Hairpin_NAT
Last edited by CelticComms on Sun Aug 31, 2014 3:54 pm, edited 1 time in total.
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Two mailservers behind one routerboard with two public I

Sun Aug 31, 2014 3:28 pm

You may need to change the mail server configuration to trust the other's LAN IP and/or domain so they can accept mail. This will override the need for the MX record. How to do this depends on the mail server software you are running.
 
agehall
Frequent Visitor
Posts: 67
Joined: Fri Aug 15, 2014 8:47 pm

Re: Two mailservers behind one routerboard with two public I

Mon Sep 01, 2014 1:39 am

Does SSH etc between the servers work if you use the 192.168.x.y addresses? I suspect it does.

If so, the issue is probably your NAT rules. I suspect you need to take special care of requests from your internal network to your public IPs to ensure that the target doesn't respond directly to the client. Take a look at the hairpin NAT example in the manual and you will see the problem illustrated very well...
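The hairpin NAT that CelticComms and agehall point to, written against the addresses and interface names in the original post, as an added example that is not part of the thread or of MikroTik's documentation. It assumes the posted layout exactly: 192.168.18.0/24 on ether2-LAN, the public /24 on ether1-WAN, and the two servers at 192.168.18.10 (XX.YY.ZZ.235) and 192.168.18.20 (XX.YY.ZZ.110). Two things are needed. First, the posted dst-nat rules only match in-interface=ether1-WAN, so a packet from server 1 to XX.YY.ZZ.235:25 arriving on ether2-LAN is never translated; because XX.YY.ZZ.235 is an address of the router itself, the packet goes to the router's input chain, nothing listens on port 25 there, and the router answers with a TCP reset, which is what the client reports as "Connection refused". Second, once the packet is translated, server 2 would see the real LAN source 192.168.18.20 and reply directly over the same segment, and the client drops that reply because it expected it from XX.YY.ZZ.235; a masquerade rule on the LAN-to-LAN leg forces the reply back through the router so it can be un-NATed.

```routeros
# Added example, not the original poster's configuration.
# Assumed: same addresses and interface names as the posted config.

/ip firewall nat

# 1. dst-nat for connections that originate on the LAN and target a public IP.
#    The posted rules only match in-interface=ether1-WAN; these LAN-side copies
#    cover the ports the two mail servers use to talk to each other. Without
#    to-ports, dst-nat keeps the original destination port, so one rule per
#    server is enough. Restricting src-address to the LAN keeps these rules
#    from ever matching traffic that arrives from the WAN.
add chain=dstnat comment="hairpin server 2 mail (XX.YY.ZZ.235)" \
    in-interface=ether2-LAN src-address=192.168.18.0/24 \
    dst-address=XX.YY.ZZ.235 protocol=tcp dst-port=25,587 \
    action=dst-nat to-addresses=192.168.18.10
add chain=dstnat comment="hairpin server 1 mail (XX.YY.ZZ.110)" \
    in-interface=ether2-LAN src-address=192.168.18.0/24 \
    dst-address=XX.YY.ZZ.110 protocol=tcp dst-port=25,465,587 \
    action=dst-nat to-addresses=192.168.18.20

# 2. src-nat for the translated LAN-to-LAN leg. After step 1 the packet is
#    192.168.18.20 -> 192.168.18.10; masquerading it to the router's LAN address
#    (192.168.18.1) makes server 2 reply to the router, which un-NATs the reply
#    back to XX.YY.ZZ.235 -> 192.168.18.20. Ordinary LAN-to-LAN traffic never
#    passes through the router (same L2 segment), so only hairpinned flows match.
#    The posted per-server src-nat rules match out-interface=ether1-WAN only, so
#    there is no overlap with them and rule order does not matter here.
add chain=srcnat comment="hairpin masquerade LAN-to-LAN via public IP" \
    src-address=192.168.18.0/24 dst-address=192.168.18.0/24 \
    out-interface=ether2-LAN action=masquerade

# 3. Verify: open an SMTP connection from server 1 to XX.YY.ZZ.235 and check
#    that the router now tracks a translated entry for it.
/ip firewall connection print where dst-address~"192.168.18.10:25"
```

Two caveats follow from the masquerade step. The receiving server logs the hairpinned peer as 192.168.18.1 rather than as the other server, so any relay or trust decision keyed on the client address (for example a "trusted local networks" list) now applies to the router's address for these connections; since only LAN hosts can trigger the hairpin this does not expose anything to the Internet, but it is worth knowing when reading mail logs. The posted forward chain has no final drop rule, so the hairpinned flow (in and out on ether2-LAN) is forwarded; if a forward drop is added later, an accept for in-interface=ether2-LAN out-interface=ether2-LAN must be added above it. The alternative docmarius describes, pointing each mail server at the other's LAN address in its own configuration, avoids NAT entirely but is specific to the mail software in use.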