About SMTP server value in HotSpot Server Profile Properties

Q: Just wondered if you know what these 2 NAT rules do, and I cannot even change them. The reason I was asking this is because after the internet outage in Site 1 2 weeks ago, some of our users there could not connect to port 25 on any SMTP server, including ours, from either Outlook or a printer. I checked the gateway router and these 2 NAT rules look like they have something to do with port 25.

Rules number 0 and number 13; you can jump into x.x.x.x and have a look if needed. Thanks


A: Those rules are smtp redirect support for captive portal (hotspot) application.  It is added by default when setting up hotspot service under IP -> Hotspot -> Setup  IF an IP address is entered in response for 'smtp relay server'

You will notice that the chain is 'hs-auth', which is jumped to by rule #8, which says: when arriving in the 'hotspot' chain and hotspot type is 'authenticated', jump to the 'hs-auth' chain.

The 'hotspot' chain is triggered by rule #1: when hotspot type is 'from client', jump to the 'hotspot' chain.

The rule in your question (rule #0) has the effect that when the destination port is 25, jump to the 'hs-smtp' chain. There is one rule in the smtp chain, #23, which essentially says "redirect the connection to host x.x.x.x".

So your one question becomes two ;-)

1. what is x.x.x.x, and
2. why is that host defined at all?

Unfortunately I can't answer either of those questions. x.x.x.x seems to reverse lookup to some dynamic host address with no apparent services attached (certainly not mail service, at least), and we NEVER define an smtp redirect host when we set up default captive portal services.

I can tell you how to disable/change it though! :-) Just go to 'IP -> Hotspot -> Server profiles' and edit the active profile (in this case it is 'hsprof1'). On the 'General' tab, set or remove the last field "SMTP Server":

Should you change it or remove it? The answer depends on what you want to achieve.

The reason it is there is because most unauthenticated mail delivery agents will not accept outbound mail from unknown networks. This is a security measure to prevent unauthorised relay of unsolicited bulk mail (i.e. spam). Therefore, users who normally access mail using some kind of desktop mail client like Windows Mail, Outlook, Thunderbird, etc. via their own internet service will have their outbound mail server set to the smtp agent of their ISP. The ISP accepts the mail and relays it to the final destination because it recognises the client as one of their own customers. When sending via a hotspot service, though, the client is unknown to that ISP mail server and so it will reject the mail delivery; thus the customer can't deliver mail - end result: customer calls YOU ;-)

The intent of this smtp relay system is to trap the outbound mail connections and route them to a mail relay agent that WILL relay the mail - i.e. your own. Your own smtp relay will recognise the client as coming from inside your own network, and so the client mail program works again without anyone noticing. End result: NO PHONE CALL :-)

BUT this is all well and good for mail clients that send email by unauthenticated SMTP (unless the mail server is set to some non-existent host like you have right now!). The problem these days is that most mail systems use some form of AUTHENTICATED smtp outbound mail. Thus the mail client will connect to the ISP mail server and offer it some credentials that identify the client as 'known' and therefore allowed to relay mail through that service.

If you have been clever enough to relay the mail through your own server (to avoid phone calls), then you are caught out, because YOUR mail server will not accept the auth credentials offered by the client. Why should it? They are credentials configured on some other mail server! End result: the customer calls you!

So..... the dilemma. Do you implement a redirect to avoid getting phone calls from customers who do not use smtp auth, or do you NOT implement it to avoid getting calls from customers who DO use smtp auth? 10 years ago, the decision was easy: go with the former - not many people used smtp auth. About 5 years ago the decision was hard - the auth to non-auth base was about 50/50 - you were caught between a rock and a hard place. Nowadays, the decision is easy again. MOST mail systems implement smtp auth, so you will likely get more calls if you DO redirect than if you don't.

Therefore, I recommend that you leave the smtp relay server field disabled for this reason.

Hope it helps - further questions are welcome!
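As an added check (not code from the thread or from MikroTik), here is a small Python script that parses a NAT rule listing written in the style of a RouterOS `/ip firewall nat` export and reports where port-25 traffic is being redirected, so an operator can spot a stale or unknown "SMTP Server" value without clicking through the chains by hand. The sample rules are constructed to mirror the chain walk described in the answer (hotspot -> hs-auth -> hs-smtp -> dst-nat), and the relay address 192.0.2.10 is a placeholder.

```python
import shlex
from typing import Dict, List, Optional, Set

# Constructed sample, approximating the "/ip firewall nat" export format.
# Not the real rule set from the router in the question.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=hotspot hotspot=from-client action=jump jump-target=hotspot comment="hotspot"
add chain=hotspot hotspot=auth action=jump jump-target=hs-auth
add chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
add chain=hs-smtp action=dst-nat to-addresses=192.0.2.10 to-ports=25 comment="smtp redirect"
add chain=srcnat out-interface=ether1 action=masquerade
"""


def parse_nat_rules(export: str) -> List[Dict[str, str]]:
    """Turn each 'add key=value ...' line into a dict; quoted values are kept whole."""
    rules: List[Dict[str, str]] = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # header line or unrelated command
        attrs: Dict[str, str] = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            attrs[key] = value
        rules.append(attrs)
    return rules


def find_smtp_redirect(rules: List[Dict[str, str]]) -> Optional[str]:
    """Return the host that port-25 connections are dst-nat'ed to, or None if no redirect."""
    # Chains reached by a jump rule that matches destination port 25 (e.g. hs-smtp).
    targets: Set[str] = {r["jump-target"] for r in rules
                         if r.get("action") == "jump" and r.get("dst-port") == "25"}
    for r in rules:
        if r.get("chain") in targets and r.get("action") == "dst-nat":
            return r.get("to-addresses")
    return None


def smtp_redirect_finding(export: str, own_relays: Set[str]) -> str:
    """Summarise the effect on hotspot clients, following the reasoning in the answer."""
    host = find_smtp_redirect(parse_nat_rules(export))
    if host is None:
        return "no port-25 redirect: clients reach their own (authenticated) SMTP servers"
    if host in own_relays:
        return f"port-25 redirect to own relay {host}: non-auth clients work, SMTP AUTH clients fail"
    return f"port-25 redirect to unknown host {host}: all client mail on port 25 fails"


if __name__ == "__main__":
    print(smtp_redirect_finding(SAMPLE_EXPORT, own_relays=set()))
```

Run it against the output of `/ip firewall nat export` (or a `print` listing reformatted the same way) and compare the reported host with the relays you actually operate.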