How to make sure outbound traffic is coming from a certain public IP address as source?


#1


The image attached above is a reference for this discussion.

So I have a mail server hosted within the company corporate network. This server is hosting multiple mail domains using the hMailServer mail server application, running on a server at 192.168.100.100 as shown above.

The A records of the following domains point to their respective public static IP addresses as shown.
Port forwards for SMTP and POP3 are configured on the 3 public IP addresses towards the mail server inside.
Each of the ISPs has provided additional public static IP addresses, .2 and .3.
Note that mail.domain3.com has an A record pointing to 20.20.20.3, which is the additional static IP address on the WAN2 interface.

MX reverse PTR records have all been set up by the respective ISPs.
10.10.10.1 -> mail.domain1.com
20.20.20.3 -> mail.domain3.com
30.30.30.1 -> mail.domain2.com

What is the best approach in this case to make sure that:

mail traffic for mail.domain1.com will come in and go out on the same public static IP address 10.10.10.1?

mail traffic for mail.domain3.com will come in and go out on the same public static IP address 20.20.20.3?

mail traffic for mail.domain2.com will come in and go out on the same public static IP address 30.30.30.1?

I am trying to explore the possibility of using NAT and/or outbound policy, and even the firewall???


#2

Peplink cannot route the traffic based on the content inside the SMTP packet. You can consider binding multiple IP addresses on the mail server itself, for example 192.168.100.100, 192.168.100.101 and 192.168.100.102, and setting up the mail server to use a specific IP for each specific domain.

With NAT Mappings (both Inbound and Outbound Mappings):
192.168.100.100 <-> 10.10.10.1
192.168.100.101 <-> 20.20.20.3
192.168.100.102 <-> 30.30.30.1

Because each domain will then have its own private IP, with a proper Outbound Policy you can route the mail traffic of different domains via different ISPs.


#3

Thanks Lai.

OK, assuming I have 3 different private IP addresses, one for each of the mail domains, how can I make sure that incoming and especially outgoing traffic is passing through the same public IP address? Especially also for 20.20.20.3, which is only an additional public IP address.

192.168.100.100 <-> 10.10.10.1
192.168.100.101 <-> 20.20.20.3
192.168.100.102 <-> 30.30.30.1


#4
  1. Outbound Policy: Use an Enforce or Priority rule to ensure the traffic from 192.168.100.101 is routed across WAN2.

  2. NAT Mappings: make sure you have configured “Outbound Mappings”, where you need to select 20.20.20.3 on WAN2 for the host 192.168.100.101.



#5

hmmm… looks like it could work. However, I am thinking this will also expose .101 to the internet, right? The inbound firewall can be used here to allow only relevant traffic??? I will test this one.


#6

No, the private IP will not be exposed after NAT. Outgoing traffic from 192.168.100.101 will be NATed to 20.20.20.3.


#7

What I mean, Lai, is that all inbound types of traffic that hit 20.20.20.3 will be forwarded to the private IP .101, right? .101 and .3 are being NAT mapped??? The inbound policy will be overridden, and all I can do to make sure that only TCP 25 and 110 are allowed to be forwarded to .101 is to implement an inbound firewall???
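The setup discussed in posts #2, #4 and #7 (one private IP per domain, a one-to-one NAT mapping per host, an Enforce rule per host, and an inbound firewall that forwards only TCP 25 and 110) can be checked as a small model before touching the router. The following Python is an added example written for this thread; it is not Peplink code and does not talk to a device. It uses the IP addresses and PTR records from the thread, and it assumes the labels WAN1 and WAN3 for the 10.10.10.x and 30.30.30.x ISPs, and that a host with no matching outbound rule leaves via WAN1. Running it shows the two conditions the thread is after: every host goes out on the same public IP it receives mail on, and the PTR record of that IP matches the hostname the domain announces. It also shows the failure mode when step 1 of post #4 is left out: .101 then leaves as 10.10.10.1, whose PTR belongs to mail.domain1.com.

```python
# Added model of the NAT + outbound-policy design from this thread (not Peplink code).
# Addresses and PTR records are from the thread; WAN1/WAN3 labels and the
# default WAN for unmatched traffic are assumptions of this example.
from typing import Dict, Optional, Tuple

# Interface (.1) address of each WAN. WAN1/WAN3 labels are assumed.
WAN_INTERFACE_IP = {"WAN1": "10.10.10.1", "WAN2": "20.20.20.1", "WAN3": "30.30.30.1"}

# Assumption: traffic with no matching Enforce/Priority rule leaves via WAN1.
DEFAULT_WAN = "WAN1"

# Outbound NAT mappings: (private host, WAN) -> public source address.
OUTBOUND_MAPPINGS: Dict[Tuple[str, str], str] = {
    ("192.168.100.100", "WAN1"): "10.10.10.1",
    ("192.168.100.101", "WAN2"): "20.20.20.3",
    ("192.168.100.102", "WAN3"): "30.30.30.1",
}

# Inbound NAT mappings: the same pairs read the other way, public -> private.
INBOUND_MAPPINGS = {pub: host for (host, _wan), pub in OUTBOUND_MAPPINGS.items()}

# Outbound policy (Enforce rules): private host -> WAN it must use.
OUTBOUND_POLICY = {
    "192.168.100.100": "WAN1",
    "192.168.100.101": "WAN2",
    "192.168.100.102": "WAN3",
}

# Inbound firewall: only these TCP ports are forwarded to a mapped host (post #7).
INBOUND_ALLOWED_TCP_PORTS = {25, 110}

# Reverse DNS entries from post #1 and the HELO name each private host announces.
PTR_RECORDS = {
    "10.10.10.1": "mail.domain1.com",
    "20.20.20.3": "mail.domain3.com",
    "30.30.30.1": "mail.domain2.com",
}
HELO_NAMES = {
    "192.168.100.100": "mail.domain1.com",
    "192.168.100.101": "mail.domain3.com",
    "192.168.100.102": "mail.domain2.com",
}


def route_outbound(src_host: str, policy: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Choose the WAN for src_host via the outbound policy, then apply the
    outbound mapping for that WAN. With no mapping on the chosen WAN the
    packet is NATed to the WAN's own interface address instead."""
    policy = OUTBOUND_POLICY if policy is None else policy
    wan = policy.get(src_host, DEFAULT_WAN)
    public_src = OUTBOUND_MAPPINGS.get((src_host, wan), WAN_INTERFACE_IP[wan])
    return wan, public_src


def route_inbound(public_dst: str, dport: int) -> Optional[str]:
    """Inbound firewall first, then inbound mapping. Returns the private host
    the packet is forwarded to, or None when it is dropped."""
    if dport not in INBOUND_ALLOWED_TCP_PORTS:
        return None
    return INBOUND_MAPPINGS.get(public_dst)


def is_symmetric(src_host: str, policy: Optional[Dict[str, str]] = None) -> bool:
    """True when mail leaving src_host is sourced from the same public IP
    that delivers inbound SMTP back to src_host."""
    _wan, public_src = route_outbound(src_host, policy)
    return route_inbound(public_src, 25) == src_host


def helo_matches_ptr(src_host: str, policy: Optional[Dict[str, str]] = None) -> bool:
    """True when the PTR of the public source IP equals the host's HELO name,
    which is what receiving mail servers compare."""
    _wan, public_src = route_outbound(src_host, policy)
    return PTR_RECORDS.get(public_src) == HELO_NAMES[src_host]


if __name__ == "__main__":
    for host in OUTBOUND_POLICY:
        wan, public = route_outbound(host)
        print(f"{host} -> {wan} as {public}; symmetric={is_symmetric(host)}; "
              f"ptr_ok={helo_matches_ptr(host)}")
    # The same host with the Enforce rule from post #4 step 1 left out.
    print("no rule for .101:", route_outbound("192.168.100.101", policy={}),
          "ptr_ok =", helo_matches_ptr("192.168.100.101", policy={}))
    # Inbound firewall drops anything other than SMTP/POP3 towards 20.20.20.3.
    print("inbound TCP 443 to 20.20.20.3 ->", route_inbound("20.20.20.3", 443))
```

The two tables are deliberately separate: the outbound policy decides which WAN a packet leaves on, and the outbound mapping decides which public address it is given on that WAN. If either is missing for a host, the model falls through to the WAN's .1 interface address, which is the case where outbound mail shows up from an IP whose PTR names a different domain.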