
Please excuse my English as it is not my home language.

I have a mailserver in my network behind a MikroTik router and firewall. The problem that I'm having is that my mailserver is on a public IP address and I'm not able to connect to it internally. I have no problem connecting from outside the network. The only way I'm able to connect at this point is to assign the public IP to the MikroTik router and set up these two NAT rules.

The IP addresses I have used are only examples:

- Internal network = 172.162.30.0/12
- Public IP of mailserver = 42.20.16.18
- Private IP of mailserver = 172.162.30.65

**Internal clients.** Note: the source address is my whole network; this has a massive effect on my internet speed because I think all traffic is being routed to the mail server.

    chain=srcnat action=src-nat to-addresses=42.20.16.18
      src-address=172.162.30.0/24 log=no log-prefix=""

For clients connecting from outside the network:

    chain=dstnat action=dst-nat to-addresses=172.162.30.65
      dst-address=42.20.16.18 log=no log-prefix=""

I have tried almost every solution out there; this is my last resort. My main goal is that I can physically assign my public IP to the machine and connect internally without using the private IP.

S. Van Wyk

2 Answers


There are two solutions to this problem.

Either you implement NAT Loopback or NAT Hairpin or NAT Reflection (it's the same thing with different names) or you modify your internal DNS so that your mailserver's hostname does not resolve to the public IP but to your local IP (only from inside your private network).

With your src-nat rule you are already doing the first solution (NAT Hairpin), which, as you mentioned, works. The problem with this approach is that all your connections to the mailserver are being changed to src-address 42.20.16.18, so the mailserver only logs this IP instead of each user's real internal IP.

The other approach is that you either use Mikrotik's DNS server or any other local DNS server of your choice. There you set up a dns record with the mailserver's hostname and you set it to resolve to the internal IP of the mailserver.

Then you must configure all your PCs on your network to use this dns server and when hitting your mailserver's hostname they will resolve the internal IP instead of the public allowing them to connect to it directly instead of having to go through the router via NAT.

For more information about NAT Hairpin you can check the official Mikrotik Documentation here and for more information about the Mikrotik's DNS Server you can check here

Cha0s
  • Thanks, helped a lot and I understand much better now. Will test MikroTik's DNS server, otherwise I will have to set up a local DNS server, but I hope it doesn't come to that; it just seems to me that there is a lot that can go wrong with it. – S. Van Wyk Jul 20 '16 at 14:43
  • Mikrotik's DNS server is rather simple. It can work as a simple caching resolver and also serve individually defined A records (`/ip dns static`). Nothing fancy. Just take a look under `/ip dns` it's pretty straight forward. I forgot, there's also the solution of manually adding the mailserver's hostname and its local IP to each PC's hosts file. But depending on the size and/or policy of your network this might not be feasible. – Cha0s Jul 20 '16 at 18:36
  • I finally fixed it with your help. I created the static DNS entries on the MikroTik router pointing to the private IP, and I just set the DNS on the DHCP server to the router gateway, so internal DNS = mail.example.co.za - 172.162.30.65. Thanks – S. Van Wyk Jul 20 '16 at 18:38
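The two approaches from the answer above, written out as a RouterOS configuration. This is an added example and not code from either the question or the answer; it reuses the example addresses from the question (42.20.16.18, 172.162.30.65, 172.162.30.0/24, mail.example.co.za) and assumes the router's LAN address is 172.162.30.1, its LAN bridge is named `bridge-lan` and its WAN port is `ether1` (all hypothetical names). The hairpin src-nat is restricted to traffic actually headed for the mail server, so it does not rewrite the whole network's traffic the way the rule in the question does; the static DNS entry is the cleaner alternative that lets the mail server log real client addresses.

```routeros
# --- Option 1: NAT hairpin (loopback) for the mail server only ---
/ip firewall nat
# Inbound from anywhere (WAN or LAN): public IP -> private IP of the mail server.
add chain=dstnat dst-address=42.20.16.18 protocol=tcp dst-port=25,465,587,993 \
    action=dst-nat to-addresses=172.162.30.65 comment="mail: dst-nat"
# Hairpin: ONLY LAN traffic that was just dst-natted to the mail server is
# masqueraded, so replies return via the router. Everything else on the LAN
# is untouched (no performance hit, no mass rewriting of source addresses).
add chain=srcnat src-address=172.162.30.0/24 dst-address=172.162.30.65 \
    protocol=tcp dst-port=25,465,587,993 out-interface=bridge-lan \
    action=masquerade comment="mail: hairpin"
# Outbound mail from the server itself should leave with the public IP,
# so receiving MTAs see the address that reverse DNS/SPF is set up for.
add chain=srcnat src-address=172.162.30.65 out-interface=ether1 \
    action=src-nat to-addresses=42.20.16.18 comment="mail: outbound"

# --- Option 2: split-horizon DNS on the router (preferred for logging) ---
/ip dns static
# LAN clients resolving the hostname get the private IP and connect directly.
add name=mail.example.co.za address=172.162.30.65 comment="mail: internal A"
/ip dns set allow-remote-requests=yes
# Hand the router out as the resolver via DHCP (172.162.30.1 assumed).
/ip dhcp-server network set [find] dns-server=172.162.30.1
# Because allow-remote-requests=yes makes the router answer DNS, drop DNS
# arriving on the WAN side so it cannot be used as an open resolver.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no open resolver"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no open resolver"
```

With Option 1 the mail server logs the router's LAN address (172.162.30.1) for internal clients, since masquerade rewrites the source; with Option 2 it logs each client's real address, which is why the answer recommends it. The filter rules must sit before any rule that accepts traffic on the `input` chain, or they never match.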

For those interested, I encountered an issue with this solution: whenever I sent mail to somebody, that receiver's mail server would detect a different source IP, a source IP that is blacklisted. I think that it has to do with the fact that my ISP has masquerading set up somewhere down the line. I don't know; my workaround was that I created the dst-nat and src-nat again. I kept the dst-nat the same as before and just changed the src-nat source address from my whole network to just my mail server's private IP. This worked 100%, see below:

    chain=srcnat action=src-nat to-addresses=42.20.16.18
      src-address=172.162.30.65 log=no log-prefix=""

    chain=dstnat action=dst-nat to-addresses=172.162.30.65
      dst-address=42.20.16.18 log=no log-prefix=""

S. Van Wyk
  • Depending on your mailserver you may be able to remove the `Received` header so that the local IPs are not included in the outgoing mails. This should prevent any blocks as only the public IP of your mailserver will be included. – Cha0s Jul 21 '16 at 14:13