
Configure a port forwarding rule

You can create a port forwarding rule to forward incoming SMTP and SMTPS traffic to mail servers based on the ports.

Network diagram

This example shows how to forward SMTP and SMTPS traffic, which use ports 25 and 587, to the mail servers in the DMZ.

The IP address details are as follows:

  • Mail servers' public IP address: 203.0.113.1 (MailServers_PublicIP)
  • Mail servers' internal IP addresses: 10.145.15.41 and 10.145.15.42 (MailServers_IPRange)

Network diagram with mail servers.

You must configure the following rules and settings:

  1. Destination NAT (DNAT) rule: Translates traffic from external sources to the internal mail servers.
  2. (Optional) Loopback NAT rule: Translates traffic from internal sources to the internal mail servers.
  3. Reflexive NAT rule: Translates outgoing traffic from the servers.
  4. Firewall rules: Allow incoming and outgoing mail server traffic.

Configure NAT rule with port forwarding

To forward SMTP and SMTPS traffic to the mail servers, do as follows:

  1. Go to Rules and policies > NAT rules and select IPv4.
  2. Click Add NAT rule and click New NAT rule.
  3. Specify the rule name and rule position.
  4. Set Original destination to MailServers_PublicIP.
  5. Set Translated destination to the IP host MailServers_IPRange.

    In this example, the IP host is configured with the mail servers' IP range shown in the network diagram.

  6. Set Original services to SMTP(s).

    The default destination ports for the service are 25 and 587 on the firewall.

  7. Set Translated services to Original.

    Port forwarding settings.

  8. (Optional) Select Create loopback rule to translate traffic from internal users to the internal mail servers.

  9. Select Create reflexive rule to create a source NAT rule that translates outgoing traffic from the mail servers.
  10. Set Load balancing method to Round-robin.
  11. Click Save.

    Loopback and reflexive rules, load-balancing.

Configure firewall rule for incoming traffic

Configure a firewall rule to allow incoming traffic from internal and external sources to the mail servers.

  1. Go to Rules and policies > Firewall rules and select IPv4.
  2. Click Add firewall rule and click New firewall rule.
  3. Set Source zones to LAN and WAN.

    The settings allow traffic from internal and external sources.

  4. Set Destination zones to DMZ.

    In this example, the mail servers are in the DMZ.

  5. Set Source networks and devices to Any.

  6. Set Destination networks to MailServers_PublicIP.
  7. Set Services to SMTP(s).
  8. Click Save.

    Firewall rule corresponding to the DNAT rule.

Configure firewall rule for outgoing traffic

Configure a firewall rule to allow outgoing traffic from the mail servers to internal and external sources.

  1. Go to Rules and policies > Firewall rules and select IPv4.
  2. Click Add firewall rule and click New firewall rule.
  3. Specify the rule name and rule position.
  4. Set Source zones to DMZ.
  5. Set Destination zones to LAN and WAN.
  6. Set Source networks and devices to MailServers_IPRange.
  7. Set Destination networks to Any.
  8. Set Services to SMTP(s).

  9. Click Save.

    Firewall rule corresponding to the reflexive NAT rule.
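
The following added example is not part of the original documentation and is not vendor code. It is a simplified Python model of the rules configured above, useful as a table of expected outcomes when you test the deployment. The class name, verdict strings, and the choice to pass zones as arguments are assumptions made for the example.

```python
from itertools import cycle

# Values taken from the example on this page.
PUBLIC_IP = "203.0.113.1"                          # MailServers_PublicIP
MAIL_SERVERS = ("10.145.15.41", "10.145.15.42")    # MailServers_IPRange
SMTP_PORTS = frozenset({25, 587})                  # SMTP(s) service

class PortForwardModel:
    """Simplified model (an assumption, not vendor code) of the DNAT,
    reflexive NAT and firewall rules configured above."""

    def __init__(self):
        self._rr = cycle(MAIL_SERVERS)   # Load balancing method: Round-robin

    def inbound(self, src_zone, dst_ip, dst_port):
        # DNAT rule: original destination and original service must match.
        if dst_ip != PUBLIC_IP or dst_port not in SMTP_PORTS:
            return ("no-nat-match", None)
        # Incoming firewall rule: source zones LAN and WAN, destination zone
        # DMZ, destination network MailServers_PublicIP, service SMTP(s).
        if src_zone not in ("LAN", "WAN"):
            return ("denied", None)
        # Translated services = Original, so the port is unchanged.
        return ("forwarded", (next(self._rr), dst_port))

    def outbound(self, src_ip, dst_zone, dst_port):
        # Outgoing firewall rule: DMZ mail servers to LAN/WAN, SMTP(s) only.
        if (src_ip not in MAIL_SERVERS or dst_zone not in ("LAN", "WAN")
                or dst_port not in SMTP_PORTS):
            return ("denied", None)
        # Reflexive NAT rule: source is rewritten to the public IP.
        # Assumption: the model applies it to all permitted outbound traffic.
        return ("allowed", PUBLIC_IP)

if __name__ == "__main__":
    fw = PortForwardModel()
    # Constructed sample connections: (source zone, destination IP, port).
    for pkt in [("WAN", PUBLIC_IP, 25), ("WAN", PUBLIC_IP, 587),
                ("LAN", PUBLIC_IP, 25), ("WAN", PUBLIC_IP, 80)]:
        print(pkt, "->", fw.inbound(*pkt))
    print(fw.outbound("10.145.15.41", "WAN", 25))
    print(fw.outbound("10.145.15.41", "WAN", 443))
```

A connection to the public IP on any port other than 25 or 587 matches no NAT rule in this model, which is the result to confirm when you check that the rule exposes only the mail services.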