
Multiple public IPs and multiple services (Kerio User Forums, Kerio Control)
  •  
sirkirby

Here is my scenario; any help would be greatly appreciated. I have 5 public IPs assigned to me by my ISP. IP 1 is the primary WAN IP, and I've bound the other four to my WAN adapter, as suggested by another thread in this forum. The idea is for the firewall to be able to process rules based on the destination IP, which is how I had my previous hardware solution set up. The problem I'm having with Kerio Winroute is that, for example, I have 2 mail servers. Mail server 1 receives SMTP traffic for IP1 and is mapped to a local server on the LAN. Mail server 2 receives SMTP traffic on IP2 and is mapped to another local server on the LAN. However, Winroute cannot seem to process this scenario. For some reason, the first policy rule (Port map to mail server 1 on IP 1) is capturing all of the SMTP traffic, regardless of the destination. So, mail server 2's SMTP traffic is getting captured and forwarded to mail server 1. Any thoughts on how to circumvent this? It almost appears that IPs 1-5 are all treated as the same destination, e.g. "Firewall"... which is certainly not the desired result.
  •  
sirkirby

Interesting development... If I change the order of the rules, I seem to get the desired result. If I move the port map for the rule which processes IP 2 for mail server 2 above the rule for IP1 (firewall) to mail server 1, they both magically work. Any ideas why this would be the case? Seems quite strange to me, but my knowledge of this is fairly limited.
  •  
winkelman

I'm planning to start using multiple public IP addresses with KWF as well. Did you ever find out what was causing your strange behavior?
  •  
sirkirby

I'm still not sure why I have to order the rules as I do, but if you implement it the same way, then you'll be fine. In short, make sure all of the port map rules with a destination public IP other than the firewall public IP (additional publics) precede those rules with a destination of "firewall" (primary IP).
  •  
winkelman

Maybe 'firewall' simply means what it says: the firewall. And not 'the main IP of the firewall'. To me it would be logical for 'Firewall' to mean 'the firewall with all its known IPs'. No?
  •  
sirkirby

In my experience so far, by 'Firewall', they are referring to the primary WAN IP assigned to the interface. I think it's just an easy way of entering the rule vs. typing in the actual IP for each one (though you could with the same result)... the same would be true for the LAN or other interface IPs. If it referred to all bound IPs then there would be no way for the rule to differentiate the destination of two similar inbound packets with the same port but separate public destination IPs.
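
An added example, not part of the thread and not Kerio's code: a small model of the two port-map rules under both readings of "Firewall" raised above, with a check for rules that an earlier rule fully covers. It assumes top-down, first-match rule evaluation; the addresses, LAN hosts and function names are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed sample data (documentation/private ranges), not from the thread.
BOUND_IPS = [ip_address(f"203.0.113.{n}") for n in range(1, 6)]  # IP1..IP5
PRIMARY = BOUND_IPS[0]
FIREWALL = "Firewall"  # symbolic destination object used in a rule

MAIL1 = {"name": "SMTP to mail 1", "dst": FIREWALL, "port": 25, "map_to": "192.168.1.10"}
MAIL2 = {"name": "SMTP to mail 2", "dst": "203.0.113.2", "port": 25, "map_to": "192.168.1.20"}
ORIGINAL = [MAIL1, MAIL2]    # order in the first post
REORDERED = [MAIL2, MAIL1]   # order that worked for the poster


def dst_matches(rule_dst, packet_dst, firewall_means_all):
    """True if the rule's destination field covers the packet's destination."""
    if rule_dst == FIREWALL:
        if firewall_means_all:          # reading 1: every address bound to the host
            return packet_dst in BOUND_IPS
        return packet_dst == PRIMARY    # reading 2: primary WAN address only
    return packet_dst == ip_address(rule_dst)


def evaluate(rules, packet_dst, port, firewall_means_all=True):
    """Assumed top-down, first-match evaluation; returns the LAN host or None."""
    for rule in rules:
        if rule["port"] == port and dst_matches(rule["dst"], packet_dst, firewall_means_all):
            return rule["map_to"]
    return None  # nothing matched


def shadowed(rules, firewall_means_all=True):
    """Names of rules an earlier rule fully covers, so they can never fire."""
    dead = []
    for i, rule in enumerate(rules):
        dsts = [ip for ip in BOUND_IPS if dst_matches(rule["dst"], ip, firewall_means_all)]
        if dsts and all(evaluate(rules[:i], ip, rule["port"], firewall_means_all) for ip in dsts):
            dead.append(rule["name"])
    return dead


if __name__ == "__main__":
    ip2 = BOUND_IPS[1]
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for means_all in (True, False):
            print(label, "Firewall=all" if means_all else "Firewall=primary",
                  "IP2:25 ->", evaluate(rules, ip2, 25, means_all),
                  "shadowed:", shadowed(rules, means_all))
```

In this model, the original order delivers IP2's SMTP traffic to mail server 1 only when "Firewall" covers every bound address; when it covers the primary address alone, rule order makes no difference. Running a shadowing check like this over an exported rule list flags specific-address rules that sit below a broader rule on the same port.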