> -----Original Message-----
> From: Giuliano Gavazzi [mailto:[email protected]]
> Sent: 06 July 2009 06:54 PM
> To: Kim Attree
> Cc: [email protected]
> Subject: Re: Problem with source based policy routing
>
>
> On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:
>
> > I have one Internal Exchange server (don't laugh), and NAT handles
> > the static mapping of IP/Port to that server. The original point
> > here is to have two mapped NAT port 25's to the same internal Mail
> > server, hence the addition of the NAT before and during the forward
> > logic (obviously wrong though).
> >
>
> Ah, if you want to have an internal server be reachable on both
> public addresses, via the corresponding two firewall interfaces, you
> must have a way to tell the firewall how to distinguish the return
> packets in order to use the correct natd instance. If the internal
> Exchange server port is the same, there is no way of telling that. At
> most you could use the peer port, but even that would not be
> foolproof, and I would not know how to proceed (I think dynamic rules
> can only establish holes - allow action - in the firewall, not a fwd
> action). So you must use two different ports or alias addresses on the
> Exchange server, and divert to the appropriate outgoing natd instance
> on the basis of that.
>
> I have not enough time at the moment to write down a complete
> workflow, but I hope this, with the remarks in my previous post, gives
> you enough hints.
It has. I realised that the return traffic needs differing source IPs - I've added another IP and SMTP Connector to Exchange and will test the theory out today.
>
> Giuliano

Thanks,
Kim
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
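As an added example, not code from the thread or from either poster, here is one way to lay out the natd instances and ipfw rules that Giuliano's advice and Kim's follow-up imply: one natd per external interface, each redirecting public port 25 to a different internal address on the Exchange server, a source-keyed fwd rule so replies from the alias address leave through the second ISP, and interface-keyed divert rules so each reply is translated by the natd that owns that interface. The interface names, RFC 5737 addresses, gateways and natd ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw/natd layout for an internal
# mail server reachable on two public addresses, where return traffic is
# told apart by its internal source address. All names and addresses
# below are assumed.

EXT1_IF=em0;  EXT1_GW=203.0.113.1     # ISP 1, carries the default route
EXT2_IF=em1;  EXT2_GW=198.51.100.1    # ISP 2
INT_IF=em2
MAIL_A=192.168.1.25     # Exchange primary address: replies leave via ISP 1
MAIL_B=192.168.1.26     # Exchange alias address:   replies leave via ISP 2
NATD1_PORT=8668
NATD2_PORT=8669

# One natd per external interface. Each instance maps public port 25 on
# its own interface to a different internal address, so replies from
# MAIL_A belong to natd1 and replies from MAIL_B belong to natd2.
# (-redirect_port syntax: proto targetIP:targetPort aliasPort)
start_natd() {
    natd="${NATD:-/sbin/natd}"
    $natd -n "$EXT1_IF" -p "$NATD1_PORT" -redirect_port tcp "$MAIL_A:25" 25
    $natd -n "$EXT2_IF" -p "$NATD2_PORT" -redirect_port tcp "$MAIL_B:25" 25
}

# The ruleset. With FWCMD=echo the rules are printed instead of loaded,
# so the layout can be inspected on a host without ipfw.
ipfw_rules() {
    fw="${FWCMD:-/sbin/ipfw -q}"
    $fw -f flush

    # Inbound from the Internet: divert to the natd bound to the arrival
    # interface, which rewrites the destination to MAIL_A or MAIL_B.
    $fw add 100 divert "$NATD1_PORT" ip from any to any in via "$EXT1_IF"
    $fw add 110 divert "$NATD2_PORT" ip from any to any in via "$EXT2_IF"

    # Source-based policy routing on the inbound pass from the LAN:
    # replies from the alias address go to ISP 2's gateway instead of the
    # default route. No NAT here; it happens on the way out, once the
    # outgoing interface is known.
    $fw add 200 fwd "$EXT2_GW" ip from "$MAIL_B" to any in via "$INT_IF"

    # Outbound: the interface the packet leaves on now identifies the
    # natd instance, so each reply is rewritten to the public address the
    # remote peer originally connected to.
    $fw add 300 divert "$NATD2_PORT" ip from "$MAIL_B" to any out via "$EXT2_IF"
    $fw add 310 divert "$NATD1_PORT" ip from any to any out via "$EXT1_IF"

    # Placeholder for the real filtering policy; a production ruleset
    # would not end with an open allow.
    $fw add 65000 allow ip from any to any
}

case "${1:-}" in
    show)  (FWCMD=echo; ipfw_rules) ;;   # print the rules, load nothing
    apply) start_natd; ipfw_rules ;;     # real run, needs root on FreeBSD
esac
```

Run `sh rules.sh show` to print the ruleset and `sh rules.sh apply` to start both natd instances and load it. Two things to check before relying on this: the `fwd` action needs a kernel built with `options IPFIREWALL_FORWARD` on the FreeBSD releases current when this thread was written, and the rules assume the default `net.inet.ip.fw.one_pass=1`, under which a packet re-injected by natd is accepted rather than re-evaluated against the ruleset. The second internal address must also actually be configured on the Exchange host and answered on port 25, which is what Kim's added IP and SMTP connector provide.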
