RRAS problem (can't close certain ports)


  • RRAS problem (can't close certain ports)

    Hi all, I'm new on this forum.
    Here is what is troubling me.

    I have a workgroup which has 8 XP SP1 computers and 1 Win2k3 server (Standard Edition). In this server I have 2 NICs (one for the local network 192.168.0.1/24, and the second NIC is for wireless broadband internet (dynamic IP assigned by DHCP of ISP; this connection is always active)). I also have an ISDN modem in that server.
    OK, now for easier understanding of my problem let's call my wireless broadband Internet Service Provider - ISPw, and the other provider (through ISDN) - ISPi. [I know I'm making it complicated...sorry]

    I have a mailserver (not Exchange) on Win2k3 that collects mail from my users' mail clients and then connects (every 30 minutes) to mail servers (POP3 and SMTP) on ISPi to send/receive mail.
    Here comes the problem...
    When the mailserver tries to connect to the ISPi mail servers, those mail servers reject the connection because it tried to connect from the ISPw address, not from the ISPi address.
    When I disable the NIC which connects me to ISPw, everything is working fine.
    I tried to set outbound filters in RRAS on my wireless connection to disable any traffic on ports 110 and 25. Then I tried again. No luck...every time when both connections are active, the mail server tries to connect from the ISPw IP.
    I also tried telnet...same result...it cannot connect to the mail servers when both connections are active...when I disable ISPw....telnet works.

    uhhh....help?

    P.S. If anyone understood what I wrote here I owe him a beer

  • #2
    I think you owe me a beer ...

    I bet you have ISPw and ISPi on the same subnet, so Windows cannot 'guess' the correct source address. I can think of two ways to solve this.

    1. put a NAT on the ISDN interface, or even better, on both.
    2. put the ISPw and ISPi interfaces on different subnets.

    I may be wrong here, but I think it is worth trying. 2nd is probably better.



    • #3
      Your default gateway will be your wireless NIC, which you obviously need for Internet Access.

      Add a static route to your mail servers to go out of your ISDN NIC. Run

      Code:
      route add /?
      on your server to get the syntax.

      topper
      * Shamelessly mentioning "Don't forget to add reputation!"



      • #4
        I've been thinking all night about this.
        I came to the same conclusion as topper.
        I'll try it today...

        thanx guys

        @wkasdo
        big, cold one (beer of course)



        • #5
          Always interesting trying to debug this stuff remotely!

          From your description it cannot be a gateway problem. You say that: "when mailserver tries to connect to ISPi mail servers, those mail servers reject connection [..]" So, apparently you already have a route there... and I figured it was a problem with the source IP.

          Let us know how it works out!



          • #6
            The servers reject the connection because it's from a different source address to that of the allowed ISDN, presumably the ISP provides email and ISDN services, so they will restrict access to ISDN calls only (more money for them).

            topper


            • #7
              @topper
              exactly like that....

              I've been there today but (you'll not believe this, but here everything is possible) the wireless access point to which I connect is down. It will be operational tomorrow...I'll check then.

              But something else is confusing me.
              ISDN is not a usual interface, right? Or am I wrong?
              I mean, I can't see it anywhere until I connect to the internet and receive an IP (not like NICs).
              I don't know whether I should even add that dial-up connection to RRAS (I think no, because only localhost (the local mail server) uses ISDN)?

              Do you maybe think that it could be a metric problem??

              ----
              offtopic
              Could anyone explain to me the purpose of inbound and outbound filters (it seems that they don't work) on NAT/Basic firewall? You can choose there source address and destination address, but there are also subnet masks for both source and destination IP. I mean, if I want to close port TCP 80 for an internet destination address (for example www.google.com) 66.102.9.147, what purpose has the subnet mask there?



              • #8
                Not quite sure what you mean and how you have it setup.

                Metric is not the problem as you want all Internet traffic going out of your wireless NIC. The ISDN is plugged into a secondary NIC... yes?

                You can add a route for traffic to your ISP mail servers to go out of your 2nd interface, although this depends on your binding order which should have your wireless NIC at the top then the ISDN NIC.

                topper


                • #9
                  Originally posted by AlekZ
                  offtopic
                  Could anyone explain to me the purpose of inbound and outbound filters (it seems that they don't work) on NAT/Basic firewall? You can choose there source address and destination address, but there are also subnet masks for both source and destination IP. I mean, if I want to close port TCP 80 for an internet destination address (for example www.google.com) 66.102.9.147, what purpose has the subnet mask there?
                  In future create a new thread for this, no cross posting.

                  But you need a subnet mask to denote how many hosts you want to cover with the filter; this is basic TCP/IP fundamentals. Yes, for one host you use subnet mask 255.255.255.255, which gives a single host, but the filters don't know you just want to cover 1 IP; you may want to cover a network.

                  And the filters do work if you've set them up correctly.

                  topper


                  • #10
                    Originally posted by topper

                    In future create a new thread for this, no cross posting.
                    understood.

                    Originally posted by topper
                    But you need a subnet mask to denote how many hosts you want to cover with the filter; this is basic TCP/IP fundamentals. Yes, for one host you use subnet mask 255.255.255.255, which gives a single host, but the filters don't know you just want to cover 1 IP; you may want to cover a network.

                    And the filters do work if you've set them up correctly.
                    I understand now...thank you.

                    OK...concerning my problem. Still doesn't work.
                    I am having trouble adding a static route.

                    I'm in a bit of a hurry. I'll come back later and explain.



                    • #11
                      Something I'm not doing right.
                      I've managed to solve the problem to some point.

                      I've changed the metric for the ISDN interface (metric=1).
                      This means that when ISDN is not connected, internet through wireless is working fine. Now, when the mailserver calls ptt to exchange mails, the ISDN interface's gateway (because its metric is 1) becomes default.
                      Meaning that the mailserver can successfully connect to the POP3 and SMTP servers. When it disconnects, the default gateway once again is from my wireless ISP.
                      That's cool, but users cannot use the internet until the mailserver finishes sending/receiving mail (because of the change in the default gateway).

                      (Of course...this is only a temporary solution)


                      I know I need to add two persistent routes (one for the SMTP and one for the POP3 server) for the ISDN interface....but I'm doing something wrong.

                      I type:
                      Code:
                      route -p add 212.62.32.3 mask 255.255.255.255 metric 50 IF x
                      instead of x I type my interface (can't tell by heart)
                      212.62.32.3 is pop3 server



                      • #12
                        Code:
                        route add 212.62.32.3 MASK 255.255.255.255 "GATEWAY" IF x -P
                        You need a gateway for it to go out of. Is it just an ISDN card you have in the server, or a NIC going to an ISDN router?

                        If the first, then I don't think the above will work.

                        What you can do though is use RRAS on your server (purely for routing), then add a static route in for the ISDN interface which would be dial on demand.

                        topper.


                        • #13
                          You need a gateway for it to go out of. Is it just an ISDN card you have in the server, or a NIC going to an ISDN router?

                          If the first, then I don't think the above will work.
                          It's just an ISDN card and I tried also with a gateway. It doesn't work.

                          What you can do though is use RRAS on your server (purely for routing), then add a static route in for the ISDN interface which would be dial on demand.
                          I tried this before I even posted this thread. It works that way.
                          The problem with this is that management of that company wants to see those two monitor screens in the systray when ISDN is connected (they don't show when I do it in RRAS).

                          But never mind. It works without those monitor screens in the systray. Everything is working, that is what's important.

                          all of this made a few important clicks in my head
                          thanx a lot
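
The address-and-mask matching explained in #9 and the host-route fix discussed in #3, #11 and #12, as an added example that is not part of the original thread: a small model of how a route lookup prefers the most specific mask and uses the metric only between equally specific routes. The gateway addresses, interface names and the wireless metric are constructed placeholders; 212.62.32.3, 66.102.9.147 and the metrics 1 and 50 are the values quoted in the posts. It models the lookup only, not how a demand-dial interface is brought up.

```python
import ipaddress

def _n(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def matches(ip, dest, mask):
    """True when ip falls inside dest/mask: the same bitwise AND that
    RRAS filters and the routing table apply to an address."""
    return _n(ip) & _n(mask) == _n(dest) & _n(mask)

def pick_route(table, ip):
    """Longest (most specific) mask wins; metric only breaks ties
    between routes with the same mask."""
    hits = [r for r in table if matches(ip, r["dest"], r["mask"])]
    if not hits:
        return None
    return min(hits, key=lambda r: (-_n(r["mask"]), r["metric"]))

def egress(table, ip):
    """Name of the interface the packet would leave on, or None."""
    route = pick_route(table, ip)
    return route["if"] if route else None

# Constructed routing entries (gateways and interface names are placeholders).
WIRELESS_DEFAULT = {"dest": "0.0.0.0", "mask": "0.0.0.0",
                    "gw": "192.0.2.1", "if": "wireless", "metric": 20}
# Post #11 workaround: ISDN default route with metric 1 while dialled in.
ISDN_DEFAULT = {"dest": "0.0.0.0", "mask": "0.0.0.0",
                "gw": "198.51.100.1", "if": "isdn", "metric": 1}
# Host route for the POP3 server only (mask 255.255.255.255 = one host).
POP3_HOST = {"dest": "212.62.32.3", "mask": "255.255.255.255",
             "gw": "198.51.100.1", "if": "isdn", "metric": 50}

if __name__ == "__main__":
    metric_hack = [WIRELESS_DEFAULT, ISDN_DEFAULT]
    host_route = [WIRELESS_DEFAULT, POP3_HOST]
    for name, table in (("metric=1 default", metric_hack),
                        ("host route", host_route)):
        for ip in ("212.62.32.3", "66.102.9.147"):
            print(f"{name:17} {ip:13} -> {egress(table, ip)}")
```

With the metric change alone, all traffic follows the ISDN default route while the line is up; with the host route, only the mail server's address leaves via ISDN even though its metric (50) is higher than the wireless default's.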
