
Prevent outbound SMTP from using WANx

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by pablito, Mar 29, 2007.

  1. pablito

    pablito Network Guru Member

    Using an RV082 with two WANs and v1.3.5 in load balance mode and protocol binding.

    I have all internal IPs bound to use WAN1 (cable modem), VoIP units bound to WAN2 (DSL), and SMTP bound to WAN2. That works well except when the DSL goes down and SMTP starts going out the cable modem on WAN1. Even though protocol binding is set to one WAN port I still get failover to the other port when the bound port goes down. That is a good thing. Except that I don't want SMTP to ever use WAN1 because it is a cable modem and certain servers will refuse delivery.

    A firewall rule set up to deny SMTP on WAN1 doesn't help since that only deals with inbound. I don't have an option to deny outbound SMTP over a particular WAN. Any ideas how to solve this? The alternative is to push outbound mail over a VPN but I'd rather do direct since it works very well until DSL goes down. Even though this is rare, when it does go down there is usually one email that ends up getting bounced and that makes my friend upset.. :(
  2. aviegas

    aviegas Network Guru Member

    I too had a similar problem as one of my ISPs, and the only solution I found was using an outside relay SMTP that used authentication.

    RV0xx design is to "balance" and direct (based on protocol/address binding) traffic and to fall back to a "regular" router when operating with a single connection.

    They are not generic filter routers. I agree that their whole setup is too complex, but the idea (I guess) is to hide the concept of "filter rules" with "simpler to understand" things like "protocol binding", etc.

    But back to the solution I use, I have a local SMTP server that works in relay mode: all internal mail is relayed to one of my ISP's authenticated SMTP services. That way the source of my connection does not matter, it's always accepted.
  3. heidnerd

    heidnerd LI Guru Member

    You can indeed set up firewall rules to block the outbound SMTP on the other router. Firewall rules, Access rules. Then create a rule that blocks (DENY) traffic from (source interface) LAN or ANY for port 25.

    While there... probably a good idea to block all MS (SMB) type traffic, port 135-139 & 445.
  4. pablito

    pablito Network Guru Member

    Thanks for the reply. I know about SMTP auth, that is what I do to get around the problem. But I won't use an ISP server, can't trust them as much as my own. That was the whole point of getting a clean DSL. So I relay it over a VPN to a server that can always get a clean outbound. Inbound isn't a problem since it only comes down the DSL and has secondary MX on the servers across the VPN.

    I don't see a way to allow LAN ->smtp->WAN2->internet while blocking LAN->smtp->WAN1->internet. So I LAN->smtp_relay->VPN->Server->Internet (of course I use internal smtp servers..)

    Simple to use is ok but I wish I had the option for finer grained control. The base is there but the interface is in the way....

    Except for the firewall control (and VPN) limitations the RV does a good job.
  5. heidnerd

    heidnerd LI Guru Member

    I understand now.... also in my case I have both a RV-082 and an RV-042. The RV-042 is on the cable and the RV-082 is on the DSL and mailserver is behind the RV-082.

    I route the WAN2 interface from the RV-082 into one of the RV-042 LAN ports and then block smtp traffic from the LAN on the RV-042... I also bind most port 80 traffic that the RV-082 sees to WAN2 forcing it onto the RV-042. I bind https that originates behind the RV-082 to the RV-082.

    So setup looks like:

    RV-082 WAN1 = DSL
    RV-082 WAN2 = RV-042 LAN

    RV-042 WAN1 = cable
    RV-042 WAN2 = old SMC barricade router that has serial interface for dialout modem... (never had to fail this far...)

    RV-042 blocks virtually all unsolicited incoming traffic. Outbound SMB, SMTP, newsgroups, etc are blocked.

    RV-082 accepts SMTP, some web activity, etc...
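The two egress behaviours compared in this thread, modelled as an added example (not RV0xx firmware or anyone's posted config): the first function mimics the binding-plus-failover behaviour pablito describes in post 1, the second adds the outbound port 25 deny rule on the cable side that heidnerd's two-router layout in post 5 provides. Flow addresses, the VoIP port and the WAN names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # constructed LAN address
    dport: int  # destination port

# Protocol bindings as described in the thread: SMTP and VoIP -> WAN2 (DSL),
# everything else -> WAN1 (cable). 5060 is assumed here for the VoIP units.
BINDINGS = {25: "WAN2", 5060: "WAN2"}
DEFAULT_WAN = "WAN1"

def rv_egress(flow, wan_up):
    """Binding with failover: honour the bound WAN, but fall back to the
    other WAN when the bound one is down (the behaviour pablito observes)."""
    bound = BINDINGS.get(flow.dport, DEFAULT_WAN)
    if wan_up[bound]:
        return bound
    other = "WAN1" if bound == "WAN2" else "WAN2"
    return other if wan_up[other] else "DROP"

# Access rule on the cable-side router: DENY LAN -> port 25 outbound.
WAN1_DENY_PORTS = {25}

def egress_with_deny(flow, wan_up):
    """Same failover, but a port 25 flow that would leave via WAN1 is dropped
    instead of leaking out through the cable modem."""
    wan = rv_egress(flow, wan_up)
    if wan == "WAN1" and flow.dport in WAN1_DENY_PORTS:
        return "DROP"
    return wan

def simulate(flows, wan_up, policy):
    """Return {flow: egress} for every flow under the given WAN state and policy."""
    return {f: policy(f, wan_up) for f in flows}

if __name__ == "__main__":
    flows = [Flow("10.0.0.5", 25), Flow("10.0.0.7", 5060), Flow("10.0.0.9", 80)]
    for state in ({"WAN1": True, "WAN2": True}, {"WAN1": True, "WAN2": False}):
        print(state)
        print("  failover only:", simulate(flows, state, rv_egress))
        print("  with WAN1 deny:", simulate(flows, state, egress_with_deny))
```

With the DSL down the SMTP flow leaves via WAN1 under the first policy and is dropped under the second; a dropped message queues on the mail server and retries once the DSL returns, rather than bouncing at a server that rejects cable-modem sources.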
