Outbound one-to-many NAT

SonicAdmin80 Cybersecurity Overlord ✭✭✭

I'd need to distribute outgoing connections to multiple WAN IPs in a round robin fashion but this doesn't seem to be possible as I receive the error: "Source translation few:many not supported"

Is there any workaround? This would be for sending email out over multiple WAN IPs to avoid throttling.

Category: Entry Level Firewalls

Answers

  • BWC Cybersecurity Overlord ✭✭✭
    edited February 2023

    @SonicAdmin80 don't kill me if it's not working, but did you try Multipath-Routing for outbound SMTP traffic by creating a Default Route with Multiple Gateways? I don't have that at my disposal, but it might be worth a shot.

    Update:
    Forget everything I wrote about Routing ... you need multiple IPs and not multiple WANs ...
    Sorry for the confusion.
    

    But I guess you followed this already:

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I don't think that would work as that's routing over multiple interfaces or gateways, not utilizing multiple X1 IP addresses for outgoing traffic which would require NAT anyway.

    The trouble is that Microsoft sometimes throttles my Email Security IP addresses. And if I recall, Email Security always uses the primary IP address for email delivery, so creating additional paths might not help. I would need to deploy additional analyzers just to load balance over multiple IPs.

  • BWC Cybersecurity Overlord ✭✭✭
    edited February 2023

    @SonicAdmin80 I tried to trick the few-to-many by translating a whole network to multiple addresses (/24 translated to a group of 4 addresses), but the source always got translated to the same IP (out of the 4), so there was no load sharing over the pool, which wouldn't help at all.

    Update:
    The internal setting "Allocate sequential addresses when performing many-to-few NAT" 
    seems to make some sort of a difference, but I can't really test it.
    
    A problem could be that not all of the addresses pass the rDNS test which a recipient
    system might do when the HELO does not match the reverse mapping; you might consider
    this as well.
    

    --Michael@BWC
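
The rDNS/HELO concern raised in the last reply can be checked for every address in the outbound pool before mail is spread across it. This is an added example, not part of the thread or any SonicWall tooling; the addresses, hostnames and result labels are constructed, and the three checks are an assumption about what receiving mail servers commonly test.

```python
import socket

def ptr_names(ip):
    """Live PTR lookup; returns [] when the address has no reverse record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def forward_ips(name):
    """Live A/AAAA lookup; returns an empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def norm(name):
    return name.rstrip(".").lower()

def check_pool(pool, helo, ptr=ptr_names, fwd=forward_ips):
    """Classify each NAT pool address against the HELO name the mail server announces."""
    results = {}
    for ip in pool:
        names = [norm(n) for n in ptr(ip)]
        if not names:
            results[ip] = "no-ptr"                      # no reverse mapping at all
        elif not any(ip in fwd(n) for n in names):
            results[ip] = "ptr-not-forward-confirmed"   # PTR name does not resolve back
        elif norm(helo) not in names:
            results[ip] = "helo-mismatch"               # valid rDNS, but not the HELO name
        else:
            results[ip] = "ok"
    return results

# Constructed sample data: a pool of 4 documentation-range addresses.
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.com."],
    "203.0.113.11": ["out2.example.com"],
    "203.0.113.12": ["mail.example.com"],
}
SAMPLE_A = {"mail.example.com": {"203.0.113.10"}, "out2.example.com": {"203.0.113.11"}}

def sample_report():
    """Offline run against the constructed records instead of live DNS."""
    pool = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    return check_pool(pool, "mail.example.com",
                      ptr=lambda ip: SAMPLE_PTR.get(ip, []),
                      fwd=lambda name: SAMPLE_A.get(name, set()))
```

Calling `check_pool(pool, helo)` without the `ptr` and `fwd` arguments runs the same checks against live DNS.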
