[afnog] is NAT messing me up?

Frank Habicht geier-lists-afnog at tih.co.tz
Mon May 12 03:56:31 UTC 2008


Hi,

So I have had a serious problem here for a few days with emailing and ...
... while explaining SMTP to my colleague ...
... I got an idea on what and who to blame for it.
NAT


So I'm working at $enterprise [ :-( ] here too far out-of-Africa [ :-( ]
We/I run our own mail server (closed source MTA on evil OS), let's assume
it adheres to many important standards like IP, TCP, SMTP ....

$enterprise is located in .mn (Mongolia), where you can get 2 Mbps
symmetric (ethernet) for $750 / month and we have fiber out of this
place (via Hong Kong), and we have a remote site in China.
$remote_site_in_china is that remote, it is a VSAT, connected to Shanghai.

We currently have no public IP; our cheap NAT router has 10.x.y.z on the WAN
interface.
I don't know if a) this is NATed in the integrated satellite box
"IPStar" right next to it, or b) the 10... net spans over the satellite
link and they NAT in Shanghai.
b) would be more messy, I guess.
Especially since I wonder how many VSAT sites in total would be NATed
through the one box.

NAT boxes have to keep the state: internal IP, port, TCP/UDP and
translated port, and remote IP/port.

Now my users at $remote_site_in_china send out an email. Your guess in
worst client software would be correct.

Fri 2008-05-09 13:04:50: <-- MAIL FROM: <user_a at aidd.mn>
Fri 2008-05-09 13:04:50: --> 250 <user_a at aidd.mn>, Sender ok
Fri 2008-05-09 13:04:51: <-- RCPT TO: <user_b at aidd.mn>
Fri 2008-05-09 13:04:51: --> 250 <user_b at aidd.mn>, Recipient ok
Fri 2008-05-09 13:04:52: <-- RCPT TO: <user_c at aidd.mn>
Fri 2008-05-09 13:04:52: --> 250 <user_c at aidd.mn>, Recipient ok
Fri 2008-05-09 13:04:54: <-- RCPT TO: <user_d at aidd.mn>
Fri 2008-05-09 13:04:54: --> 250 <user_d at aidd.mn>, Recipient ok
Fri 2008-05-09 13:04:55: <-- DATA
Fri 2008-05-09 13:04:55: Creating temp file (SMTP):
                           c:\mdaemon\queues\temp\md50000027474.tmp
Fri 2008-05-09 13:04:55: --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2008-05-09 13:07:42: Message size: 525631 bytes
Fri 2008-05-09 13:07:42: Passing message through AntiVirus (Size:
                           525631)...
Fri 2008-05-09 13:07:42: *  Message is clean (no viruses found)
Fri 2008-05-09 13:07:42: ---- End AntiVirus results
Fri 2008-05-09 13:07:42: Message creation successful:
                           c:\mdaemon\queues\inbound\md50000054979.msg
Fri 2008-05-09 13:07:42: --> 250 Ok, message saved <Message-ID:
                           007201c8b192$3a24f020$ae6ed060$@mn>
Fri 2008-05-09 13:07:42: Connection closed
Fri 2008-05-09 13:07:42: SMTP session successful (Bytes in/out:
                           525816/542)

[user names and indents 'fixed']

I didn't see an SMTP "QUIT" here....
Could it be because the "250 Ok, message saved" never made it to the
client? Well, the problem we're actually experiencing is that the
clients send the same email out many, many times.
[could it be that MS Outlook changes the Date: header each time???]

So my best guess is that one of the multiple NAT machines is
'forgetting' which 'inside' IP that conversation belongs to, and thus it
can't deliver the packet with "250 Ok, message saved" after the DATA phase.

This is likely, since right _before_ that packet our MTA is doing some
calculations, virus-checking the email content and running SpamAssassin.
Because we want to reject any mad message (virus or SA score > 10)
directly here and never take any responsibility for it.

I then tested and asked the users to send small emails to me. Many.
All worked fine. The TCP session wasn't too old yet.

What do you good people think about my guess?
Any other possibility, even if unlikely?

A public IP would _cost_ us ~$140 / year.
Haven't seen anything at APNIC to directly discourage/forbid that.
I looked at http://www.apnic.net/policy/add-manage-policy.html#4.1.3
Would love to tell the provider my opinion.

If it's really the NAT,
- I hadn't hated it like this before...
- massive multi-level NAT after we run out will never work
   (not with 64K port numbers)

Yes, when I have the right $device at $site I'll ask them about IPv6 ;-)

Oh, the sat link is Ku band, but weather was OK.

Thanks in advance,

Frank


client_pc   ....  client_pc
     |                 |
     +--------+--------+
              |
         192.168.1.1/24
        cheap NAT router
        10.x.y.z/whatever
              |
         vsat terminal box
              |
              |  vsat link
              |
          Shanghai - our provider
              |
              |
       "the internet"
              |
              |
             HK
              |
        our other provider
         = AS 24320
              |
              | MAN fiber
              |
           L2 switch
              |
           Mail server = 202.72.245.43
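As an added illustration (not part of the original post, and not the MTA's or any NAT vendor's code), a small Python model of the failure mode Frank is guessing at: a NAT hop keeps a per-session mapping with an idle timeout; the client's MAIL/RCPT/DATA traffic refreshes it, but if the server stays silent long enough (scanning the message before its "250 Ok") the mapping expires and the reply can no longer be translated back. All addresses, ports and timeout values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class NatBox:
    """One NAT hop: translation table with an assumed idle timeout (seconds)."""
    idle_timeout: float
    table: dict = field(default_factory=dict)    # inside (ip, port) -> (ext_port, last_seen)
    reverse: dict = field(default_factory=dict)  # ext_port -> inside (ip, port)
    next_port: int = 40000                       # constructed starting external port

    def _expire(self, now):
        # Drop every mapping that has been idle longer than the timeout.
        for inside, (ext_port, last_seen) in list(self.table.items()):
            if now - last_seen > self.idle_timeout:
                del self.table[inside]
                del self.reverse[ext_port]

    def outbound(self, now, inside):
        """Client -> server packet: create or refresh the mapping, return external port."""
        self._expire(now)
        if inside not in self.table:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[ext_port] = inside
        else:
            ext_port = self.table[inside][0]
        self.table[inside] = (ext_port, now)
        return ext_port

    def inbound(self, now, ext_port):
        """Server -> client packet: inside endpoint, or None if the state is gone."""
        self._expire(now)
        inside = self.reverse.get(ext_port)
        if inside is not None:
            self.table[inside] = (ext_port, now)   # reply traffic refreshes state too
        return inside

def run_session(idle_timeout, quiet_seconds):
    """Replay the timeline from the log: client sends MAIL/RCPT/DATA and the body,
    then the server says nothing for quiet_seconds before its 250.
    Returns True if the 250 can still be delivered to the client."""
    nat = NatBox(idle_timeout)
    client = ("192.168.1.10", 51234)       # constructed inside endpoint
    t = 0.0
    for _ in ("MAIL FROM", "RCPT TO", "DATA", "<message body>"):
        ext_port = nat.outbound(t, client)
        t += 1.0                            # one second per client step
    t += quiet_seconds                      # server silent while scanning
    return nat.inbound(t, ext_port) == client
```

With a generous timeout the 250 gets back; with a short one it is dropped, the client never sees success and retries the whole message, which is exactly how one accepted message turns into many copies in the inbound queue.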
