schotty
August 21st, 2002, 13:27
Greets! I need assistance in getting my mail routed thru my OBSD gateway. Here are my confs ..

/etc/pf.conf
[code]
$ cat /etc/pf.conf
# Setup a variable for who IS allowed to go online
# (macro values are kept on one line each; a list broken across lines is not valid pf.conf syntax)
FullInternetIPs="{206.190.6.3/32,206.190.6.8/32,206.190.6.11/32,206.190.6.32/32,206.190.6.56/32,206.190.6.97/32,206.190.6.111/32,206.190.6.156/32,206.190.6.211/32,206.190.6.222/32,206.190.6.212/32,206.190.6.228/32,206.190.6.243/32,206.190.6.247/32,206.190.6.249/32}"
WAN="xl0"
LAN="ne4"
#MAPQUEST="{64.12.37.89/32,64.12.51.56/32,64.12.37.57/32,64.12.184.89/32,64.12.184.121/32,64.12.174.153/32,64.12.174.185/32,152.163.226.25/32,152.163.26.89/32,152.163.226.57/32,152.163.226.121/32,152.163.226.153/32,152.163.226.185/32,205.188.65.57/32,205.188.165.121/32,205.188.165.185/32,205.188.165.249/32,64.12.184.57/32,64.12.184.25/32}"
MAPBLAST="{165.193.102.140/32,165.193.19.12/32}"
SBC="{209.184.193.164/32,216.239.51.101/32}"
DNS="{206.141.239.126/32,206.141.251.2/32,209.253.113.18/32,209.253.113.10/32}"
LONG_DISTANCE="{209.25.87.227/32,216.47.168.105/32}"
# Microsoft's Evil Empire
EVIL_EMPIRE="{207.46.197.100/32,207.46.197.102/32,207.46.230.218/32,207.46.230.219/32,207.46.226.19/32,65.54.249.126/32,207.68.131.197/32,65.54.249.62/32,207.46.226.17/32}"
# Default Rules
# LAN side (ne4): anything may leave; only the listed hosts/destinations may come in
pass out quick on $LAN all
pass in quick on $LAN from any to 206.190.6.222/32
pass in quick on $LAN from $FullInternetIPs to any
pass in quick on $LAN from any to $SBC
pass in quick on $LAN from any to $DNS
pass in quick on $LAN from any to $MAPBLAST
pass in quick on $LAN from any to $LONG_DISTANCE
pass in quick on $LAN from any to $EVIL_EMPIRE
# SBC side (ne3): ping and ssh are passed explicitly; there is no block rule for ne3,
# so everything else on that interface falls through to pf's default pass
pass in quick on ne3 inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on ne3 proto tcp from any to any port 22
# everything else arriving on the LAN side is dropped and logged to pflog0
block in log on $LAN all
[/code]

/etc/nat.conf

[code]
#Name the adapters to the above specifications
MCLEOD="xl0"
EXCHANGE="ne1"
SBC="ne3"
LAN="ne4"

# Redirect WAN ports for mail to LAN side
rdr on $SBC from any to 64.109.120.121/32 port 25 -> 206.190.6.249 port 25
rdr on $SBC from any to 64.109.120.121/32 port 110 -> 206.190.6.249 port 110
rdr on $SBC from any to 64.109.120.121/32 port 143 -> 206.190.6.249 port 143
rdr on $SBC from any to 64.109.120.121/32 port 220 -> 206.190.6.249 port 220
rdr on $SBC from any to 64.109.120.121/32 port 585 -> 206.190.6.249 port 585
rdr on $SBC from any to 64.109.120.121/32 port 993 -> 206.190.6.249 port 993
rdr on $SBC from any to 64.109.120.121/32 port 995 -> 206.190.6.249 port 995
rdr on $SBC from any to 64.109.120.121/32 port 22 -> 206.190.6.249 port 22

# NAT Rules
# Use the MCLEOD DSL pipe for LAN internet connectivity
nat on $MCLEOD from 206.190.6.0/24 to any -> $MCLEOD

# Use the SBC DSL pipe for LAN internet connectivity
# nat on $SC from $LAN to any -> $SBC
[/code]

route table

[code]
$ route show
Routing tables

Internet:
Destination Gateway Flags
default 192.168.1.1 UG
127.0.0.0 localhost UG
localhost localhost UH
192.168.1.0 link#2 U
mccleoudrouter 0:0:c5:8b:6:44 UH
192.168.254.0 link#1 U
192.168.254.254 0:20:6f:8:af:4d UH
206.190.6.0 link#3 U
System_3 0:40:5:5e:dd:60 UH
System_4 0:80:c8:68:89:13 UH
System_19 0:0:b4:5f:91:53 UH
System_21 0:c0:a8:34:4a:14 UH
System_22 0:0:b4:5f:92:53 UH
System_23 0:20:18:56:8d:61 UH
System_29 0:0:b4:5f:94:fd UH
System_30 0:0:21:ea:33:74 UH
System_32 0:0:b4:5f:aa:e0 UH
System_82 0:20:c5:0:1c:e5 UH
System_87 0:60:97:9e:c3:ab UH
System_92 0:50:ba:84:3d:30 UH
System_97 0:0:b4:5f:95:ea UH
System_101 0:40:f6:94:1f:29 UH
System_111 0:50:56:40:0:58 UH
phx211.phoenixin 0:0:b4:5f:98:1a UH
amerivoice5 localhost UGH
206.190.6.243 0:10:4b:70:a4:7c UH
amerivoice1 0:0:b4:5f:73:6d UH
BASE-ADDRESS.MCA localhost U
[/code]

IP configurations

[code]
$ ifconfig -a
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33224
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (10baseT)
inet 192.168.254.3 netmask 0xffffff00 broadcast 192.168.254.255
inet6 fe80::240:95ff:fe42:b92f%ne3 prefixlen 64 scopeid 0x1
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet 10baseT (10baseT half-duplex)
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::260:8ff:fe94:d4de%xl0 prefixlen 64 scopeid 0x2
ne4: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet manual
inet 206.190.6.222 netmask 0xffffff00 broadcast 206.190.6.255
inet6 fe80::280:c8ff:fe67:45b7%ne4 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
vlan1: flags=0<> mtu 1500
gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
$
[/code]

Thanks much!

elmore
August 26th, 2002, 21:27
Has this been resolved yet? Anyone wanna take a stab?

frisco
August 26th, 2002, 22:57
give us a diagram of your network.

with a lot of effort we could figure out your network from the conf files, but i've been up for the past 20 hours migrating servers and don't feel like putting forth that much effort.

diagram, please. and a better description of the problem.

schotty
August 28th, 2002, 18:43
Okay, let me do a simple drawing for ya. I'll post it in a bit.

schotty
August 28th, 2002, 18:55
This link is the image (http://www.geocities.com/rammstein_schotty/network.jpg) I drew a bit back, but still just as accurate.

Thanks much :)

elmore
August 28th, 2002, 19:12
The link says the page is unavailable.

schotty
August 28th, 2002, 20:29
No, it shouldn't be. I was updating ONE flaw I saw, with how I have the LAN now. So I deleted the image and replaced it with the correction. But I can assure you that it is there :)

Thanks for bringing that to my attention, however.

frisco
August 28th, 2002, 21:03
*my*mind*hurts*

remove network.jpg from the link and you can see the image. look at the source of the page and you will see that the page contains a link to network.jpg. presumably geocities only allows jpg's with REFERER's from geocities?

wasn't like that back when i had a few geocities accounts. time to experiment.

schotty
August 29th, 2002, 15:31
Hmm, apparently depending on if I have a cookie for the page creation on it or not, I can get in. I found that if it gives you an error page, just click the URL pane and hit enter. It will display the graphic.

I need a new web page apparently. I am not all horny for having a page, but it helps a lot when sharing graphics.

frisco
August 29th, 2002, 21:19
you need to clean up those files; you've defined nics that aren't there and use differing variable names in different files for the same nics.

I'm curious why you need NAT with routable ips. Is there some other net connectivity connected to this lan?

$SC in the last line of the nat.conf file isn't defined. it's commented out, though.

run the following while trying to send mail from the exchange server:
tcpdump -n -e -ttt -i pflog0 host 206.190.6.249 and port 25
it should show you what is logged from the exchange server on port 25 by pf at that time. is anything logged?

presumably the exchange server is set with 206.190.6.222 as its gateway. what happens if you try to traceroute an outside ip address? can it even get out?

an explanation of what you're trying to do and what errors you're getting would be quite useful. From what you've described ("need assistance") it could just be that you forgot to click on "send"
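
Added helper for the pflog check above (not code from the thread): a shell wrapper around frisco's tcpdump line plus a summariser for what it logs during one send attempt. It assumes OpenBSD tcpdump prints pflog frames as `rule N/0(match): block in on ne4: src.port > dst.port: ...`, and that rule 10 is the `block in log on $LAN all` line of the posted pf.conf (rules count from 0); the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added helper, not from the thread: capture pflog0 while the Exchange box
# (206.190.6.249) sends a test mail, then summarise what pf logged.
# Assumed line shape from OpenBSD tcpdump on pflog0:
#   <ts> rule 10/0(match): block in on ne4: 206.190.6.249.1033 > 64.109.120.1.25: S ...
# In the posted pf.conf only "block in log on $LAN all" (rule 10) logs, so any
# line here is a drop on the LAN side; no lines means pf never saw the packets.

MAILHOST=206.190.6.249

# Capture pflog0 to a file for one attempt: start, send the mail, press Enter.
pflog_during_send() {
    out=$1
    tcpdump -n -e -ttt -l -i pflog0 host "$MAILHOST" and port 25 > "$out" &
    pid=$!
    printf 'capturing to %s; send the test mail, then press Enter to stop\n' "$out"
    read _dummy
    kill "$pid"
}

# Read tcpdump pflog lines on stdin; print "<count> <action> <dir> on <if> rule <n>"
# per distinct rule hit, busiest first, so the rule to fix is the top line.
summarize_pflog() {
    awk '
        /rule [0-9]+\/[0-9]+\(/ {
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            rule = $(i + 1); sub(/\(.*/, "", rule)   # "10/0(match):" -> "10/0"
            act = $(i + 2); dir = $(i + 3)           # e.g. "block" "in"
            ifc = $(i + 5); sub(/:$/, "", ifc)       # "ne4:" -> "ne4"
            n[act " " dir " on " ifc " rule " rule]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr
}

# Count only SMTP packets *from* the mail host that pf blocked: a quick yes/no
# on "is the gateway dropping our outbound mail?" (0 points away from pf).
blocked_smtp_from_mailhost() {
    awk -v h="$MAILHOST" \
        '$0 ~ "block .* " h "\\.[0-9]+ > [0-9.]+\\.25:" { c++ } END { print c + 0 }'
}
```

Typical use on the gateway: `pflog_during_send /tmp/send1.log`, then `summarize_pflog < /tmp/send1.log`.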

schotty
August 29th, 2002, 22:38
[quote]
you need to clean up those files; you've defined nics that arent there and use differing variable names in different files for the same nics.
[/quote]

I don't think so... Lemme recheck... Like I said I was toying around trying to get it to do my bidding. A weak master gets weak results :)


[quote]
I'm curious why you need NAT with routable ips. Is there some other net connectivity connected to this lan?

$SC in the last line of the nat.conf file isn't defined. it's commented out, though.
[/quote]

Yes, I am enabling the ability to nat one of both pipes. Currently I wish to use the McLeod line, but if that dies, I need to quickly switch it over to the SBC (also the email pipe). I may have a typo there that you found I will look into that.


[quote]
run the following while trying to send mail from the exchange server:
tcpdump -n -e -ttt -i pflog0 host 206.190.6.249 and port 25
it should show you what is logged from the exchange server on port 25 by pf at that time. is anything logged?
[/quote]

Will check into that soon. As soon as the owner leaves tonight I'll get on that. I will start the thing up logging, and then send, and then stop logging. Just in case there is any ambiguity with my results.


[quote]
presumably the exchange server is set with 206.190.6.222 as its gateway. what happens if you try to traceroute an outside ip address? can it even get out?
[/quote]

Yes, it can send, as of the last time I was working on this. The problem was the email packets were looking as a relay. Packets were not getting in right. Now, I do remember this which may have to do with my problem -- I got a package we purchased from SBC that includes 5 IPs, .121-.125, and when I try to map the, ohh say .122 to the line going to it, it doesn't map correctly I think. I can't ping or ssh the box. Meaning if I set the hostmapping in the Efficient Networks (the dsl modem) unit to map .122 to 192.168.254.2 (if that's my IP, I am not sure without looking) I can't ping it, although the modem says it's mapped. My RedHat box doesn't have this issue. I can jack it straight in and setup a proper IP and map it.

IF that means anything. Christ -- that may be my whole problem now that I think of it... Perhaps that should be my starting point...


[quote]
an explanation of what you're trying to do and what errors you're getting would be quite useful. From what you've described ("need assistance") it could just be that you forgot to click on "send"
[/quote]

Well, first the description. If you get the picture okay (I am going to post shortly after this message is done a better link), you will see that I have 2 dsl pipes coming in. One, the SBC, is for email and ftping out (the servers we ftp into, sans one, all use a static IP to get thru the firewall). The second, the McLeod, is for surfing the net. We have a new online ordering and account checking tool from SBC to do our telco stuff that we are now using. Should the McLeod pipe die, I need to switch the natting around as quick as possible.

The one idea (side note) I came up with was to use two gateways, one for general natting on McLeod and another for email and internet and setup each win98 client to see both gateways. However the boss wants just one gateway.... oh well, the food chain...

As to the send button -- no, I most definitely hit it. Depending on who I sent from (to me at work here) I got mixed results.

Roadrunner personal account got a mail relay issue
Netscape and beer.com got nobody home
From Amerivoice out, it was spotty. I got mainly mail relay problems.

But, things may have changed since then. I believe that I began this back in February, and started hardcore in June working on the email issue. The natting was so easy that I can almost do it blindfolded :)

thanks A TON for the help. I appreciate that you are donating YOUR time to me. If you live in the Chicago/Milwaukee area, I will buy you a beer or six :)



Andrew.

schotty
August 29th, 2002, 22:39
new url, that is much easier to use :)

Link (http://shadowman_schotty.tripod.com/network.html)