
Forum Discussion

RCobb1
Tutor
Aug 25, 2020
Solved

router blocking SYN-ACKs from internal host

I have an internal host on my local network (actually, a raspberry pi) that I'm trying to send email from to an external host such as gmail.com. It's irrelevant, but it's a postfix server intended to relay alert emails from my Icinga2 server. However, every time the postfix server tries to connect to an external host, it times out. A traceroute leads me to believe that the issue is coming from my router in the form of blocking SYN/SYN-ACK. Here's a snippet of the traceroute I used to test it:

pi@icinga:~ $ sudo traceroute -n -T -p 25 gmail-smtp-in.l.google.com
traceroute to gmail-smtp-in.l.google.com (0.0.0.0), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Whereas other things work fine, like a similar traceroute on port 80:

pi@icinga:~ $ sudo traceroute -n -T -p 80 google.com
traceroute to google.com (172.217.14.206), 30 hops max, 60 byte packets
 1  10.0.1.1  0.955 ms  0.916 ms  0.910 ms
 2  67.182.144.1  4.586 ms  7.813 ms  7.883 ms
 3  68.86.97.113  3.332 ms 68.86.97.77  3.270 ms 68.86.97.113  3.288 ms
 4  69.139.160.249  3.314 ms  3.310 ms  3.209 ms
 5  68.86.93.165  4.991 ms  4.925 ms 69.139.160.249  3.198 ms
 6  68.86.93.165  6.865 ms  6.174 ms  6.175 ms
 7  50.208.232.246  4.094 ms 50.208.232.242  2.363 ms 50.208.232.246  3.120 ms
 8  50.208.232.242  3.948 ms 50.208.232.246  3.887 ms 74.125.37.71  4.935 ms
 9  209.85.254.237  10.382 ms 209.85.254.171  10.201 ms 108.170.227.7  3.196 ms
10  172.217.14.206  2.676 ms  2.705 ms 209.85.254.237  8.760 ms

Is there any way to allow SYN/SYN-ACK traffic on a RAX200 router? FWIW, I tried temporarily disabling the "Disable port scan and DoS protection" in the WAN setup advanced page, but it made no difference.

My setup is basically xFinity directly connected to the WAN side of my RAX200. According to xFinity, they are not doing any sort of SYN/SYN-ACK blocking.

Any help would be greatly appreciated!

  • ok, so I found the problem... so, for posterity: The problem wasn't in the router, it was a misconfiguration of my relayhost in postfix; I had a semicolon between user and password in the sasl password file that should have been a colon.

    Now, it's properly directing traffic to whatever host I define.

    <facepalm>

3 Replies

    • RCobb1
      Tutor

      Thanks for the reply... It's not just google, I get the exact same result trying to connect to 2 other servers, as well: gmail, zoho, and outlook all do exactly the same and I get a DoS warning in the router logs (which is why I thought of disabling the DoS protection option in the first place)... I used the traceroute output from Google to show examples of what I'm seeing.

      However, I will indeed look at that link; it might help identify what I might be doing wrong across the board.

      Thanks again!

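The fix the thread ends on is a one-character formatting error in the Postfix SASL password file: Postfix expects each line as `<destination> <username>:<password>`, with the destination spelled exactly like the `relayhost` value (for example `[smtp.example.com]:587`), and a semicolon in place of the colon silently produces a credential Postfix cannot use. As an added example (my code, not NETGEAR's, the poster's, or Postfix's), here is a small checker that reads such a file, flags the separator mistake and a few neighbouring ones without ever printing the secrets, and looks a relay host up by exact match. The file contents, host names and passwords are constructed for the example; the exact-match lookup is an assumption made to keep the example simple.

```python
"""
Validator for a Postfix smtp_sasl_password_maps source file (commonly
/etc/postfix/sasl_passwd).  Expected layout, one entry per line:

    <destination>    <username>:<password>

The checker reports problems by line number and message only, so its
output can be pasted into a ticket without leaking the password.
"""
from dataclasses import dataclass

# Constructed sample file for this example; none of these accounts,
# hosts or passwords are real.  Line 2 carries the thread's mistake
# (';' instead of ':'), line 4 has no password at all.
SAMPLE_SASL_PASSWD = """\
# credentials used by relayhost
[smtp.example.com]:587 alerts@example.com;not-a-real-password
[smtp.example.net]:587 icinga@example.net:also-not-real
smtp.example.org monitor@example.org
"""


@dataclass
class Finding:
    line_no: int
    message: str


def _entries(text):
    """Yield (line_no, destination, credential) for every non-comment line.
    credential is None when the line does not split into two fields."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            yield line_no, parts[0], None
        else:
            yield line_no, parts[0], parts[1].strip()


def check_sasl_passwd(text):
    """Return a list of Findings; an empty list means every entry is well-formed."""
    findings = []
    for line_no, _destination, credential in _entries(text):
        if credential is None:
            findings.append(Finding(line_no, "expected '<destination> <username>:<password>'"))
            continue
        if ":" not in credential:
            if ";" in credential:
                msg = "username and password separated by ';' instead of ':'"
            else:
                msg = "no ':' between username and password"
            findings.append(Finding(line_no, msg))
            continue
        # Split on the first ':' only, so a password may itself contain colons.
        username, _, password = credential.partition(":")
        if not username or not password:
            findings.append(Finding(line_no, "empty username or password"))
    return findings


def lookup_credential(text, relayhost):
    """Return (username, password) for the entry whose destination is exactly
    the relayhost string, or None when no well-formed entry matches.
    Exact matching of the next-hop string is an assumption of this example;
    brackets and port in the file must match what relayhost says."""
    for _, destination, credential in _entries(text):
        if destination == relayhost and credential and ":" in credential:
            username, _, password = credential.partition(":")
            return username, password
    return None


if __name__ == "__main__":
    import sys

    # Usage: python check_sasl_passwd.py [/etc/postfix/sasl_passwd]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SASL_PASSWD
    for finding in check_sasl_passwd(source):
        print(f"line {finding.line_no}: {finding.message}")
```

After correcting the source file, run `postmap hash:/etc/postfix/sasl_passwd` so that the `.db` file Postfix actually reads is regenerated, and keep both the source file and the `.db` readable by root only (mode 0600), since they hold the relay password in clear text.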