#1 - Untangler, joined Dec 2011, 45 posts

Moving HTTP/S and SMTP from DMZ to Internal (NAT)

    Hi, all.

    I'm running Untangle 14.1. I currently have the Untangle router setup as follows:

    Eth0: External WAN
    Eth1: Internal LAN, NAT/DHCP, etc...
    Eth2: Bridged DMZ (one web server, one email server for our business operations, one email/web server that handles web-based email for our customers).
    Eth3: Backup WAN

    My employer is moving to new physical offices in a month. My servers are going to be moving from our own in-house rack into the co-located rack in the office building we're moving to. We'll still have our own dedicated WAN and ISP.

    In order to simplify things at the new destination, I'm looking at consolidating all of the email operations into a single server, and moving the web server and the consolidated email server inside the Internal NAT LAN.

    My question is, "Will I need to reconfigure Untangle and how will that affect it?"

    For instance - I assume that for my proposed configuration to work, I'll need to use the router's static IP as the address of both HTTP and SMTP, and that I'll need to implement port forwarding rules to direct those services to the correct computer inside the LAN.

    However - Untangle itself already commandeers port 80 and 443 for its own web interface. Is it alright to assign Untangle to use another arbitrary port value for those services? Likewise, if I port forward SMTP from the router's IP to the internal NAT, will that affect the operation of the Spam Blocker Lite app or will it go merrily on its way, regardless?

    Are there any other issues I should be aware of before setting this up?

    Thanks in advance for the advice.

#2 - sky-knight (Untangle Ninja), Phoenix, AZ, joined Apr 2008, 23,617 posts

    You will want a dedicated IP address for your mail operations, or you risk getting black listed and things getting ugly.

    That dedicated address can forward 80, 443, and 25 to the Exchange server easily. You'll need a NAT policy to force traffic sourced from the Exchange's IP to the correct WAN address, and appropriate port forwards. You'll also need appropriate public and private DNS records to make everything resolve correctly. There's not much else to worry about.

    Spam Blocker operates on unencrypted TCP 25 communications passing through Untangle. Source and destination honestly do not matter. However, the module does look for sessions passing from an interface that doesn't have "is WAN" enabled to an interface that does to know those are going outbound. But ingress simply doesn't matter, if TCP 25 is going somewhere, SpamBlocker is processing it right up until you configure it not to.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 - jcoffin (Untangler), Sunnyvale, CA, joined Aug 2008, 8,048 posts

    You can move the external port used by Untangle to another port by using /admin/index.do#config/network/services, then port forward 443 and 80 to your web server behind Untangle.

    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#4 - Untangler, joined Dec 2011, 45 posts

    In the "live and learn" department - I was encountering an issue where I could contact the SMTP server inside my NAT'ed LAN, but not from outside, even though the port forwarding was clearly working.

    It turned out that some time in the distant past, I had installed a "failsafe" rule in the firewall that was designed to prevent outside access to the internal LAN by blocking anything with a NON-WAN destination, that hadn't already been allowed by previous rules.

    As it happened, allowing access to Untangle-server-IP:25 did NOT automagically allow access to internal-mail-server-IP:25. There's no reason why it should, either; it's just that in my mind it was an atomic operation when, in fact, connecting to Untangle:25, then port forwarding to internal-email:25 are two separate operations with separate rules applying to them.

    Disabling the global "don't let any outsider touch anything in the local LAN" rule allowed the outside email to flow in to the internal email server. (I've still got some issues with outgoing mail from that server, but that's almost certainly a postfix configuration issue rather than an Untangle issue.)

    I guess the takeaway in this case is to always question your assumptions.

#5 - dmorris (Untangle Junkie), San Carlos, CA, joined Nov 2006, 17,747 posts

    Good detective work.

    Yes, destination address matches on the post-NAT value, and source address matches on the pre-NAT value.
    https://wiki.untangle.com/index.php/...Condition_List

    It's not because of the order, but because we match on the value with the most information. Pre-NAT destination would be the same for all port forwards to your external IP. By looking at the post-NAT value the rule sees where the traffic is *actually* going and, inversely, where it is *actually* coming from in the source address condition.
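The two behaviours discussed in this thread, a NAT policy that forces the mail server's outbound traffic onto the dedicated WAN address (#2) and filter rules that compare the destination against the post-NAT address while comparing the source against the pre-NAT address (#4, #5), can be modelled in a few lines. The following is an added example written for this page; it is not Untangle's code, and all addresses, interface names, rule names and the "keep the failsafe but allow the post-NAT destination" rule set are constructed assumptions for illustration. The model applies the port forward first, then evaluates each filter rule with both the original and the forwarded packet, which reproduces why an allow rule for router-IP:25 never matches forwarded SMTP and the "block non-WAN destination" failsafe catches it instead.

```python
"""Model of port forward (DNAT), NAT policy (SNAT) and filter-rule matching
on a NAT router: a filter rule's destination condition is compared with the
post-NAT (forwarded) address, its source condition with the pre-NAT address.

Added example, not Untangle code. Every address, interface and rule name
below is constructed for illustration.
"""
from dataclasses import dataclass, replace

WAN_IF, LAN_IF = "eth0", "eth1"
DEFAULT_WAN_IP = "203.0.113.9"   # constructed: primary WAN address
MAIL_WAN_IP = "203.0.113.10"     # constructed: dedicated address for mail/web
MAIL_SERVER = "192.168.1.25"     # constructed: consolidated mail server on the NAT LAN
WEB_SERVER = "192.168.1.80"      # constructed: web server on the NAT LAN
LAN_PREFIX = "192.168.1."

# Port forwards: (public address, port) -> internal host (DNAT).
PORT_FORWARDS = {
    (MAIL_WAN_IP, 25): MAIL_SERVER,
    (MAIL_WAN_IP, 80): WEB_SERVER,
    (MAIL_WAN_IP, 443): WEB_SERVER,
}
# NAT policies: internal source -> WAN address to present on egress (SNAT).
# Hosts without an entry use the default WAN address.
NAT_POLICIES = {MAIL_SERVER: MAIL_WAN_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


def apply_port_forward(pkt):
    """DNAT: rewrite the destination before the filter rules see the packet."""
    target = PORT_FORWARDS.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target) if target else pkt


def apply_nat_policy(pkt):
    """SNAT on egress to the WAN: choose the WAN address by internal source,
    so mail always leaves from the dedicated address and not the default one."""
    if pkt.in_iface != LAN_IF:
        return pkt
    return replace(pkt, src=NAT_POLICIES.get(pkt.src, DEFAULT_WAN_IP))


def is_lan(addr):
    return addr.startswith(LAN_PREFIX)


# Filter rules: (name, match(pre_nat, post_nat), action); first match wins.
# Source conditions read pre_nat.src / in_iface; destination conditions read
# post_nat.dst, i.e. the address the traffic is actually going to.
def allow_router_smtp(pre, post):
    return post.dport == 25 and post.dst == MAIL_WAN_IP


def allow_mail_server_smtp(pre, post):
    return post.dport == 25 and post.dst == MAIL_SERVER


def failsafe_block_lan(pre, post):
    """Block anything from the WAN whose (post-NAT) destination is on the LAN."""
    return pre.in_iface == WAN_IF and is_lan(post.dst)


# What the thread's #4 had: allow the router's own address, then the failsafe.
RULES_BROKEN = [("allow router:25", allow_router_smtp, "PASS"),
                ("failsafe", failsafe_block_lan, "BLOCK")]
# Constructed alternative to disabling the failsafe: allow the post-NAT target.
RULES_FIXED = [("allow mail:25", allow_mail_server_smtp, "PASS"),
               ("failsafe", failsafe_block_lan, "BLOCK")]


def filter_packet(pkt, rules):
    """Return (action, matching rule name, post-NAT destination)."""
    post = apply_port_forward(pkt)
    for name, match, action in rules:
        if match(pkt, post):
            return action, name, post.dst
    return "PASS", "default", post.dst


if __name__ == "__main__":
    inbound = Packet("198.51.100.5", MAIL_WAN_IP, 25, WAN_IF)  # constructed sender
    print("broken:", filter_packet(inbound, RULES_BROKEN))
    print("fixed: ", filter_packet(inbound, RULES_FIXED))
    print("mail out via:", apply_nat_policy(Packet(MAIL_SERVER, "198.51.100.5", 25, LAN_IF)).src)
    print("web out via: ", apply_nat_policy(Packet(WEB_SERVER, "198.51.100.5", 443, LAN_IF)).src)
```

Running it shows the inbound SMTP session blocked by the failsafe under the first rule set (the allow rule is looking for a destination that no longer exists after the forward) and passed under the second, and shows why the NAT policy matters: without the entry for the mail server its outbound mail would leave from the default WAN address, not the one the MX and reverse DNS records point at.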
