Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Why can't my clients talk to the mail server??

Sat Sep 08, 2007 9:14 am

Hey Everyone,

I have a problem here that is causing me to tear my hair out. I have even chatted with M.T. support on the issue without any resolution.

My clients are all addressed at: 10.0.15.XXX
My mail server is addressed at: 10.0.10.255
I am also using the mail server to run DNS lookups: 10.0.10.255
Default Gateway is: 10.0.10.1

Problem is that the clients can use the web mail portal to get to their mail no problems, but when they try to use Outlook, Thunderbird, Eudora, etc. then they cannot connect to the mail server and get or send the mail.

Why could this be?

I have the clients configured with:

/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade

and I can't figure out why they can't get to the mail server for the mail connections.

I can ping the mail server from the client side no problem... either via I.P. address or via the DNS name mail.pogowave.com

both connections resolve just fine and ping easily. I chatted with Sergejs about it, and he didn't have much to suggest to me.

Can you guys suggest what to do to enable clients to use the mail via their own mail clients without an issue?

Massive Headache......... Help!!!

Adam
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Why can't my clients talk to the mail server??

Sat Sep 08, 2007 12:30 pm

Are your clients using a proxy server for web browsing? This could explain why webmail is working.

You haven't specified subnet masks with your network addresses. 10.0.10.255 with a 24 bit subnet mask would be a broadcast address.

Regards

Andrew
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Sat Sep 08, 2007 5:46 pm

No, my clients are not using a Proxy Server for web browsing.

And... They can do whatever they want while online, they're just having problems getting their mail software to talk to my mail server.

This problem is causing me to tear my hair out!!

The subnets for all of the addresses that I have mentioned are /16.

So... The clients all have wlan1 addresses of 10.0.15.XXX/16
The mail server is 10.0.10.255/16

Does anyone have any suggestions?

For my broadcast addresses I use 10.0.255.255 for the wlan1 interface.

Right now I will try anything!

Adam
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Why can't my clients talk to the mail server??

Sat Sep 08, 2007 7:17 pm

Adam

So this is one flat layer 2 network? What network devices are between the clients and the mail server?

What's the involvement of the MT router in all of this?

You can ping the mailserver from the clients, can you use telnet to connect to the mail ports?

Regards

Andrew
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Sat Sep 08, 2007 9:17 pm

Dear Andrew,

I don't know what a "flat 2 layer network" means....

Between the clients and the mail server, I have a RB532 in bridge mode.

I think this is a MikroTik client issue because on my Senao client units, they don't have this problem. It is only with the MikroTik units.

So... What did I do wrong? I just got off of the phone with a 30-minute chewing by a client who cannot use M.S. Mail for his mail client.

Adam
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Why can't my clients talk to the mail server??

Sat Sep 08, 2007 11:49 pm

Adam

A layer 2 network is one that is bridged or switched. Layer 3 is routed so we're talking layer 2 here.

Correct me if I'm wrong:

1: Clients can ping the mail server.

2: Clients can connect to the mail server using Internet Explorer (you mentioned webmail).

3: Clients are unable to connect to the mail server using telnet to connect to ports 25 (SMTP), 110 (POP) and/or 143 (IMAP).

In addition, post the interface, bridge, IP address and NAT setups from the MT. A network diagram wouldn't go amiss either if you have one (or at the very least, a description of what interfaces are connected to what).

Regards

Andrew
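The telnet test to ports 25, 110 and 143 described in the post above, as an added Python example that is not part of the original thread. It separates "connection refused" from "timed out" and checks the service greeting; the host passed to it and the function names are assumptions for illustration.

```python
import socket
import sys

# Ports named in the post above, with the greeting each service sends first.
GREETING = {25: "220", 110: "+OK", 143: "* OK"}

def probe(host, port, timeout=3.0):
    """Return (state, banner); state is 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # TCP handshake completed, but the server stayed silent
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""   # host answered with a reset: reachable, nothing listening
    except socket.timeout:
        return "timeout", ""   # no answer at all: dropped by a filter or a broken path
    except OSError as exc:
        return "error", str(exc)

def diagnose(host, port, expect=None, timeout=3.0):
    """Turn a probe result into the conclusion a troubleshooter would draw."""
    if expect is None:
        expect = GREETING.get(port, "")
    state, banner = probe(host, port, timeout)
    if state == "open":
        if banner.startswith(expect):
            return "service answering"
        return "port open, unexpected greeting"
    if state == "refused":
        return "host reachable, port closed or rejected"
    if state == "timeout":
        return "no reply, check filtering and the return path"
    return "local error: " + banner

if __name__ == "__main__":
    # Usage: python mailprobe.py <mail-server-address>
    target = sys.argv[1]
    for p in sorted(GREETING):
        print(p, diagnose(target, p))
```

Run it once from a PC behind the client radio and once from a host on the server's own subnet; a difference between the two results points at the radio's routing or NAT rather than at the mail server.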
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Sun Sep 09, 2007 12:40 am

Dear Andrew,

Yes, all three of those statements are correct.

I will publish the rest of the information in a few minutes.

Adam
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Sun Sep 09, 2007 12:51 am

Dear Andrew,

OK. Here is the information that you are requesting.

M.T. client unit is a R52-350 w/ Rb133C.

wlan1 is 10.0.14.29/16
network 10.0.0.0 broadcast 10.0.255.255

ether1 is 172.16.0.1/24
network 172.16.0.0 broadcast 172.16.0.255

DHCP enabled for the ether1.
Pool is 172.16.0.2-172.16.0.10
network 172.16.0.0/24
gateway 172.16.0.1

DNS servers:

10.0.10.255 (Same as the mail server)
10.0.10.1 (Same as the default gateway out to the world)

Firewall is a NAT
chain=srcnat out-interface=wlan1 action=masquerade

Really simple, I can't say that I have configured it much beyond that point.

Any ideas?? I am at a total loss, and of course the customers are all getting excited about it...

Adam

I am using a firewall action between the two of them.
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Sun Sep 09, 2007 5:08 am

Follow up information:

I can ping the mail.pogowave.com from the Client radio, but if I try to ping mail.pogowave.com from one of the dynamically addressed client I.P.s (172.16.0.X), I cannot get through.

Agh... Can anyone suggest why this might be? Is this a MikroTik firewall issue? I just tried to change it from a masquerade / srcnat firewall to a dstnat / srcnat config as shown in the MikroTik Wiki Examples. Still no luck, cannot ping the mail server from the client side.

Very frustrating...

Adam
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Why can't my clients talk to the mail server??

Sun Sep 09, 2007 11:52 am

You're not making much sense here:
"Yes, all three of those statements are correct."
One of which is 'Clients can ping the mail server'

then:
"if I try to ping mail.pogowave.com from one of the dynamically addressed client I.P.s (172.16.0.X), I cannot get through"
Where did these clients come from? From your original post:
"My clients are all addressed at: 10.0.15.XXX"
Post a network diagram.

In addition, post the interface, bridge, IP address and NAT setups from the MT.

Regards

Andrew
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Sun Sep 09, 2007 6:53 pm

Dear Andrew,

The funny thing about this is that if the subscriber were to get an Engenius CB5 or Senao CB3, we would not have this problem at all. Those units operate in simple bridge, and hand the subscriber a 10.0.10.XXX/16 address from the PogoWave ISA server.

They never have any problems getting in to the mail server. So... This makes me think that the issue may be in the MikroTik hardware configuration.

Back to the MikroTik configuration:

Oh dear. I see what is going on now, yes I have not been clear at all. I wish that I could post a screen shot.

Do you have email capabilities? I am support <at> pogowave (dot) com

Please allow me to explain further:

Clients can ping the mail server from their own computers.
If I start Winbox for their individual radios, then use the ping tool, then I can ping the mail server.
If I try to ping the mail server from a source address of what they are dynamically assigned by the Rb133C, then I *cannot* ping the mail server.

All of my clients have wlan1 devices addressed as 10.0.15.XXX/16
Their ether1 is addressed at 172.16.0.1/24
With the M.T. radio addressing them dynamically as 172.16.0.2-172.16.0.10/24

All of the Access Points are operating in simple bridge mode. They are all RB532s. On the bridge side of things, the inside of the network is addressed at 10.0.10.XXX/16

Interface
bridge
IP address
Nat Setup

OK. Clients are SR9s and a RB133C.

Ether1= 172.16.0.1/24
Wlan1=10.0.15.100/16

No bridge. The A.P. work in a bridge mode.

Nat Setup:

/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade

I have the client radio addressing their computers with the onboard DHCP server. It is addressing them as 172.16.0.2-172.16.0.10 and using our usual lookup DNS f(x)'s

10.0.10.255 and 10.0.10.1

Does that help?? I got two calls from two quite irate customers because they had to go to web mail to get their messages instead of using Outlook.

Adam
 
Znuff
Member Candidate
Posts: 141
Joined: Tue Sep 26, 2006 2:42 am

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 12:55 am

Who's doing the routing between 172.16.0.X and 10.0.15.XXX/16?
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 2:44 am

The Rb133C is doing the routing, as these are client addresses.

Adam
 
RFischer
newbie
Posts: 27
Joined: Tue Sep 19, 2006 10:18 pm
Location: Northern California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 8:03 am

Just looking at this, mostly because you are in Santa Rosa, I am in Angwin.

I will quote part of your post and mix my questions with it. Please use ONE specific exact configuration.
The generic .xxx examples can allow for something to be overlooked.

"Clients can ping the mail server from their own computers."
Are you pinging by IP address or HOST name?
(You must have manually configured the computers. Exactly how?)
IP address:
subnet mask:
gateway:
dns:

"If I start Winbox for their individual radios, then use the ping tool, then I can ping the mail server."
Are you starting winbox on the clients computer with the manually configured setting above or the DHCP settings from the 133c?

"If I try to ping the mail server from a source address of what they are dynamically assigned by the Rb133C, then I *cannot* ping the mail server."
Please provide an IPCONFIG /All dump from a DHCP enabled client so the data can be compared to the manual settings above.

It may be that some other DHCP supplied data is incorrect or missing.

Randy
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 8:27 am

Dear Randy,

Howdy there. Nice to meet someone else who is somewhat local.

The clients' computers are dynamically addressed from the Rb133C. If I open up a CMD prompt, and then issue a Ping command, I / they can ping the mail server without a problem with either the name, or the ip-address.

Let's look at the DHCP config. At first I thought that the problem was from the fact that the primary DNS lookup was the same addy as the mail server, but re-directing the DNS lookups to Sonic.net main didn't seem to do anything for me.

I will email a client and get the DHCP config dump from a client and see what it has to show.

Adam
 
RFischer
newbie
Posts: 27
Joined: Tue Sep 19, 2006 10:18 pm
Location: Northern California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 9:08 am

There is a little conflict in your problem description.

You said previously that you could ping the mail server from a client machine when (I am guessing) it was configured manually. When the client machine is configured via DHCP you cannot ping the mail server.

Now you say that you CAN ping the mail server when the client machine is configured via DHCP.

Please clarify the problem again.

You could actually be dealing with an SMTP port issue. Perhaps a better test is to "telnet mail.server.ip smtp" from a client machine to see if you can actually connect to port 25 at the ip address in question. Anti SPAM efforts blocking SMTP servers can really cause strange problems.
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 4:15 pm

Ah, Ok. I see where some of this confusion may be coming from.

No client machine was ever configured manually, EVER. (Not sure how people got that idea; I might not have been clear somewhere or I thought something was explicit when it really wasn't)

All clients are addressed via DHCP from the Rb133C. Their addresses come right off of the DHCP address pool in the Routerboard on the client end.

These same clients who cannot send their mail cannot receive it either. It is like the mail server just doesn't "see" the clients and I don't know why.... Nothing in POP, nothing in SMTP, etc.

Adam
 
RFischer
newbie
Posts: 27
Joined: Tue Sep 19, 2006 10:18 pm
Location: Northern California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 6:25 pm

Wow, I am having a hard time trying to figure out how to ask reasonable questions.
I am trying to GUESS what it is that you are actually doing.
I GUESS that you are NOT actually trying to troubleshoot from the CLIENT computer.
I GUESS that you are remotely connecting via WINBOX to the CLIENT cpe.
I GUESS that you are using the PING tool in WINBOX to do your testing.
I GUESS that you are using the ADVANCED settings in the PING tool to specify a source IP address.
When I try that with my setup I cannot ping anything with the tool.
I have looked a little to see what the "src Address" setting is for, but did not find anything.
This is probably not a valid test....
 
RFischer
newbie
Posts: 27
Joined: Tue Sep 19, 2006 10:18 pm
Location: Northern California

Re: Why can't my clients talk to the mail server??

Mon Sep 10, 2007 6:33 pm

I messed with the source address setting a little.
I think (guess) that it allows you to specify which of possibly many ip addresses assigned to your WAN interface the ping comes from. I have 4 IP addresses assigned to my ether1 interface and I can specify which of those that the ping originates (src) from.

I cannot use it to choose a src address from within my NAT'ed internal private address.

It does not allow you to "Simulate" a client on the internal Nat'ed network.
 
RFischer
newbie
Posts: 27
Joined: Tue Sep 19, 2006 10:18 pm
Location: Northern California

Re: Why can't my clients talk to the mail server??

Wed Sep 12, 2007 5:46 am

wondering if you got any further with your problem...
 
Adam McLaughlin
Member Candidate
Topic Author
Posts: 149
Joined: Sat Mar 31, 2007 5:36 am
Location: Santa Rosa, California

Re: Why can't my clients talk to the mail server??

Wed Sep 12, 2007 6:59 am

Interestingly enough, this week I am at a MikroTik training class.

I showed the situation to the instructors, and solicited their advice.

They told me that the problem might lie in the internal address of the mail server; they figured that 10.0.10.255/16 is not a valid address that can be addressed or resolved for the MikroTik RouterBoard.

So, on Monday afternoon, I changed it to 10.0.11.3/16.

Now I have told the complaining people about the change, and am waiting for them to check and see if their problem still exists.

Interestingly enough, we can telnet to the mail server via ports 25 and 110 with no problem from the MikroTik radio, so I really don't know what the problem is.

I have the instructors stumped here as well. Outside of the address change idea, no one seems to know what to suggest.

Adam
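The address question raised earlier in the thread (10.0.10.255 being a broadcast address under a 24-bit mask) and in the post above (the move to 10.0.11.3/16), worked through as an added Python example that is not part of the original thread. The function names are assumptions; the addresses are the ones quoted in the posts.

```python
import ipaddress

def role(addr, prefix):
    """Classify addr under a prefix length: 'network', 'broadcast' or 'host'."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    if prefix >= 31:
        return "host"  # /31 and /32 have no separate network or broadcast address
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"

def ambiguous_hosts(addresses, prefix, narrower=(24,)):
    """List addresses that are unusable under `prefix`, or that are valid hosts
    under `prefix` but turn into a network/broadcast address under a narrower
    mask that another device on the path might be configured with."""
    findings = []
    for addr in addresses:
        own = role(addr, prefix)
        if own != "host":
            findings.append((addr, prefix, own))
            continue
        for p in narrower:
            if p > prefix and role(addr, p) != "host":
                findings.append((addr, p, role(addr, p)))
    return findings

if __name__ == "__main__":
    # Addresses quoted in the thread, all stated to be /16.
    plan = ["10.0.10.255", "10.0.11.3", "10.0.10.1", "10.0.255.255"]
    for addr, p, r in ambiguous_hosts(plan, 16):
        print(f"{addr} is the {r} address under /{p}")
```

Under /16 the old server address is an ordinary host, but any device on the path configured with /24 would treat it as a broadcast address, which is the ambiguity the change to 10.0.11.3 removes.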
 
netwatcher
just joined
Posts: 5
Joined: Sat Sep 19, 2009 12:38 pm

Re: Why can't my clients talk to the mail server??

Sat Sep 19, 2009 12:47 pm

Maybe you have a client/server that is sending a tcp re-direct and that works in some situations. This can make some things work in a network where they really shouldn't work.

This article has a good description:
http://support.novell.com/techcenter/ar ... 9_10c.html
Last edited by netwatcher on Sat Sep 19, 2009 1:46 pm, edited 1 time in total.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Why can't my clients talk to the mail server??

Sat Sep 19, 2009 1:36 pm

I don't know if this has anything to do with your problem, but mail.pogowave.com shows this ip using nslookup:

Non-authoritative answer:
Name: mail.pogowave.com
Address: 76.191.251.5

If you are using that domain name instead of the localnet ip of the mail server, you might have a bit of trouble. Is this server using srcnat-dstnat rules to route this public ip to the private ip?

ADD: If you would please show me the same query using nslookup on a shell from a client computer on your network.

>nslookup
>set query=any
>mail.pogowave.com

ADD2: And the email software you are using in the server is...? Sendmail? PostFix?
And you have IMAP installed so clients can pick up their email from the server on port 110?
And you have the email server software access file allowing your local ips to send mail?
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: Why can't my clients talk to the mail server??

Fri Sep 25, 2009 6:57 pm

This is very interesting. I had a ton of "NAT on a stick" problems where the client opens the public address of the router and the router sends him to another local address. This does not work :'( or at least not all of the time as we would want it to...

Anyone has a solution??
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Why can't my clients talk to the mail server??

Fri Sep 25, 2009 7:52 pm

"This is very interesting. I had a ton of "NAT on a stick" problems where the client opens the public address of the router and the router sends him to another local address. This does not work :'( or at least not all of the time as we would want it to...

Anyone has a solution??"

What part does not work for you? I have public ips srcnat/dstnat assigned to private ips for internal servers, and mine work all the time. Even from other private ips, and itself. By public ip and domain name.

Here is the discussion about this "myth" that you can't double back...
http://forum.mikrotik.com/viewtopic.php?f=2&t=34795
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: Why can't my clients talk to the mail server??

Sat Sep 26, 2009 12:13 pm

There were the cases that packets get through those NAT rules you know, they seemed OK. But performance was very pooor. Straaannnge. Will investigate further....
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Why can't my clients talk to the mail server??

Sat Sep 26, 2009 1:38 pm

"There were the cases that packets get through those NAT rules you know, they seemed OK. But performance was very pooor. Straaannnge. Will investigate further...."

After examining some of the setups on this forum, I can see how that could happen. Could you be more specific about the cases that get through? What setup and test was performed to determine the packet loss?