I have been beating my head against a concrete wall and I am getting tired of it!
I have a self housed Exchange Server, I have grown tired of the war on spam I have been losing, so I decided to setup Spam Assassin on Ubuntu 24.04. I can see email coming in while viewing the logs in real time, however the mail isn’t delivered to my Exchange Server.
My set up
I have two firewalls to create a DMZ, the outer is OPNSense, the inner is OpenWRT. The Exchange server is behind the OpenWRT, the spam server (running Spam Assassin) is in the DMZ between the firewalls.
I have set up a route for the spam server to send mail to the OpenWRT so it can forward it to the Exchange Server. I have created a port forward rule in OpenWRT to forward port 25 to the Exchange server. However
running telnet 192.168.107.10 25 I get connection refused
running traceroute -p 25 192.168.107.10 I get
traceroute to 192.168.107.10 (192.168.107.10), 30 hops max, 60 byte packets
1 10.78.239.2 (10.78.239.2) 0.421 ms 0.367 ms 0.325 ms
2 10.78.239.2 (10.78.239.2) 0.285 ms 0.244 ms 0.205 ms
running nc -vz 192.168.107.10 25 I get
nc: connect to 192.168.107.10 port 25 (tcp) failed: Connection refused
running nc -vz 10.78.239.2 25 I get Connection to 10.78.239.2 25 port [tcp/smtp] succeeded!
I have a business account with Comcast. I have housed my own spam server for at least 10 years.
If I switch to my old spam server it works just fine. I am switching because my old spam server no longer fulfills my needs.
Besides as I said I can see emails coming into the server while monitoring the logs in real time, the emails just don’t find their way from the spam server to the exchange server. Both are self housed.
Nevermind, rereading the OP, you shouldn’t expect to reach 192.168.107.10 25 from the wan side of the OpenWrt router since NAT is enabled on the wan zone. Only 10.78.239.2 25/tcp should work.
What is the purpose of the OpenWrt router in your config? Not that I would dissuade you from using OpenWrt, but OPNSense is absolutely capable of VLANs - any reason you're not using the OPNSense router to manage the routing for the 192.168.107.0/24 network?
Meanwhile, let's see the complete configuration of the OpenWrt router....
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
When I set this up I did not have switches that could do VLANS. I do now, they are Tripp Lite. However I have not enable VLANS for a couple reasons.
Seems like a lot of work on a network that is already set up, working and in use.
I might be wrong but I believe that what I currently have will be more secure with two network firewalls from different manufactures or sources and a host firewall rather than one network and a host FW.
It is how I first learned how. If I were to build a network from the ground up I would look at VLANS. Just not sure it is something I want to tackle in old network.
I have gotten it to work, using a suggestion from @dave14305 to forward mail to the WAN IP of OpenWRT instead of the IP of the Exchange server.
root@IFW:~# ubus call system board
{
"kernel": "6.12.74",
"hostname": "IFW",
"system": "Intel(R) Core(TM) i3-8100T CPU @ 3.10GHz",
"model": "LENOVO 10RRS3DT00",
"board_name": "lenovo-10rrs3dt00",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "25.12.2",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32802-f505120278",
"target": "x86/64",
"description": "OpenWrt 25.12.2 r32802-f505120278",
"builddate": "1774469393"
}
}
root@IFW:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdef:b53d:a189::/48'
option packet_steering '1'
option dhcp_default_duid '00042890ac9d8b36405385522218d5b0b757'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.107.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '10.0.17.2'
config interface 'wan'
option device 'eth3'
option proto 'static'
option ipaddr '10.78.239.2'
option gateway '10.78.239.1'
option broadcast '10.78.239.255'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'eth3'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
config interface 'WoodStock'
option proto 'static'
option device 'eth4'
option ipaddr '192.168.214.1'
option gateway '10.0.107.2'
option broadcast '10.0.107.255'
option netmask '255.255.255.0'
root@IFW:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'
config dhcp 'WoodStock'
option interface 'WoodStock'
option start '100'
option limit '150'
option leasetime '12h'
root@IFW:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'WoodStock'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option src 'lan'
list src_ip '192.168.107.90'
list src_ip '192.168.107.91'
list src_ip '192.168.214.1'
option dest 'lan'
list dest_ip '192.168.107.90'
list dest_ip '192.168.107.91'
list dest_ip '192.168.214.1'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.107.10'
config ipset
option name 'Snoopy/Woodstock'
option family 'ipv4'
list match 'ip'
list entry '192.168.107.90'
list entry '192.168.107.91'
list entry '192.168.214.1'
list entry '192.168.214.2'
list entry '192.168.214.3'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.107.10'
option dest_port '80'
option name 'HTTP'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'PVR'
option src 'wan'
option src_dport '8096'
option dest_ip '192.168.107.93'
option family 'ipv4'
option dest_port '8096'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SMTP'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.107.10'
option dest_port '25'
I can't speak to OPNSense, but on OpenWrt it's not hard to add VLANs.
I think that there is no difference in the security posture. Both OPNSense and OpenWrt are excellent with respect to security, as long as they are properly configured. There is no benefit (or drawback) from a security perspective, again as long as things are configured properly. But there is increased complexity in configuration and management of the two layers of routers.
You're basically half way there... but sure, you can stick with the cascaded routers.
good. You might mark his suggestion as the solution.
The gateway doesn't belong in the section above... remove it. The broadcast line isn't required either (it's auto-calculated). And you might consider using CIDR notation for the IP address field (i.e. 192.168.107.1/24) and removing the subnet line.
Same for the below:
I assume you've disabled the DHCP server because you don't want one on this subnet? If you do want DHCP here, remove the ignore line:
This isn't necessary and can be deleted:
Finally, another option that may be desirable is to remove masquerading from the wan.... to do this, you need to add two static routes to your OPNSense router
192.168.107.0/24 via 10.78.239.2
192.168.214.0/24 via 10.78.239.2
Then, you can remove the port forwards and you can setup basic traffic rules that allow the desired access from the upstream network. Once that's done, you can directly reach any host on the 192.68.107.0/24 and 192.168.214.0/24 networks (obviously depending on your firewall rules) from the 10.78.239.0/24 network.
