Enabling IP forwarding on a Win 2k3 box with KWF? (Kerio User Forums » Kerio Control)

lightxx
By default, IP forwarding is disabled in Win 2k3 (see "ipconfig /all").

Now my scenario here is like this:

1 Server, 3 NICs.
1x WAN (public IP), 1x LAN (10.0.0.0/8), 1x DMZ (192.168.50.0/24).

Since IP forwarding is disabled (per default) in Win2k3, and since I don't want KWF to treat my LAN <-> DMZ traffic as "local traffic", the only option I have is to NAT all traffic to and from my DMZ subnet.

Will enabling IP forwarding on Win2k3 interfere with KWF in any way? I don't see why I would want to NAT my LAN <-> DMZ traffic, there's no need for doing so, and especially on VoIP scenarios it has some nasty side effects.

Also, http://www.kerio.com/img/media/kwfhowto.pdf states that
Quote:

The Windows NT/2000/XP operating systems are all capable of IP forwarding. Because other Windows components may depend
on this information, KWF does not use any internal routing functionality, rather it simply enables IP forwarding in Windows
during the boot process and allows Windows to make routing decisions based on the local routing table.


Yet "ipconfig /all" shows IP routing as disabled, and traffic from LAN won't pass through to DMZ without NATing, even though I create FW rules. How come?

Any ideas?

Thx a bunch,
Tom

[Updated on: Thu, 22 May 2008 21:45]

henrysbox

lightxx wrote on Fri, 23 May 2008 03:27

By default, IP forwarding is disabled in Win 2k3 (see "ipconfig /all").

Now my scenario here is like this:

1 Server, 3 NICs.
1x WAN (public IP), 1x LAN (10.0.0.0/8), 1x DMZ (192.168.50.0/24).

Since IP forwarding is disabled (per default) in Win2k3, and since I don't want KWF to treat my LAN <-> DMZ traffic as "local traffic", the only option I have is to NAT all traffic to and from my DMZ subnet.

- The simple yet effective solution for that is to have two different networks for your LAN and DMZ. KWF will help you define how you would like these two networks to communicate via "Traffic Policy". You don't have to enable NAT in the traffic policy.
You can also secure your network physically by putting your KWF between your LAN and DMZ switches.


Will enabling IP forwarding on Win2k3 interfere with KWF in any way? I don't see why I would want to NAT my LAN <-> DMZ traffic, there's no need for doing so, and especially on VoIP scenarios it has some nasty side effects.

Care to elaborate more?

Also, http://www.kerio.com/img/media/kwfhowto.pdf states that
Quote:

The Windows NT/2000/XP operating systems are all capable of IP forwarding. Because other Windows components may depend
on this information, KWF does not use any internal routing functionality, rather it simply enables IP forwarding in Windows
during the boot process and allows Windows to make routing decisions based on the local routing table.


AFAIK KWF uses the Win2k3 internal routing system; you can even add routes from the command prompt and see the changes in your KWF routing table. So that means any changes on either side will affect the routing of KWF.

Yet "ipconfig /all" shows IP routing as disabled, and traffic from LAN won't pass through to DMZ without NATing, even though I create FW rules. How come?

Any ideas?

Try "route print" in the Win2k3 command prompt if you're referring to IP routes and not IP add

Thx a bunch,
Tom

lightxx

1.) Routing != IP forwarding. While routing is enabled (duh), IP forwarding is not. You need to edit the registry to enable IP forwarding.

2.)

henrysbox wrote on Sun, 25 May 2008 18:53

- The simple yet effective solution for that is to have two different networks for your LAN and DMZ.

lightxx wrote on Thu, 22 May 2008 21:27

1 Server, 3 NICs.
1x WAN (public IP), 1x LAN (10.0.0.0/8), 1x DMZ (192.168.50.0/24).

[Updated on: Mon, 26 May 2008 08:37]

lightxx

OK. Just in case someone cares, setting

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter to 1

does the trick. No NATting is necessary between LAN<->DMZ any more, and all my KWF LAN<->DMZ rules still work.

Two things worth mentioning:

1.) Opening a ticket at Kerio Support didn't do me much good. This is particularly sad as I'm a long-time KWF (>10yrs, since Winroute Pro 3) user, with lots of deployments at various companies I work for.
I think it's pretty sad that I bought a product for a price comparable to, say, a Cisco ASA 5005 (last time I checked around $400 with 10 VPN users) that can actually do a zillion times more and doesn't suffer from that 45Mb/s limit KWF does. The times when a hardware NAT device was unaffordable are long gone now.

2.) I find it kinda (extremely) strange that IP forwarding isn't enabled by KWF's installer. Either KWF is NEVER used in DMZ / multihomed / ... scenarios, or there is some other reason why it isn't used, one even Kerio support is unaware of.

Judging by the post counter, all of Kerio's efforts currently go to their mail server product, and we KWF users are left in the rain.

That said, I've had quite a few bad experiences with KWF lately. Even freeware firewalls like IPCOP outperform and out-function KWF these days. If things don't change soon I'll ditch KWF in favor of cheap HW firewalls at all the companies I work for.

[Updated on: Wed, 28 May 2008 21:52]
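The check-then-set procedure the thread arrives at (read the IPEnableRouter value, compare it with what "ipconfig /all" reports at runtime, then set it to 1), written out as an added PowerShell example. This is not code from the forum posts or from Kerio; the function names (Get-IpForwardingState, Enable-IpForwarding, Get-RuntimeIpRoutingState) are chosen here. It assumes an elevated PowerShell session on the Windows host, and that a reboot follows the change before the stack honours it.

```powershell
# Added example, not from the forum thread or from Kerio.
# Registry location for the value discussed in the thread.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'IPEnableRouter'

function Get-IpForwardingState {
    # Returns 1 when forwarding is enabled in the registry, 0 when disabled
    # or when the value has never been created (Windows treats absent as 0).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Get-RuntimeIpRoutingState {
    # What the running TCP/IP stack reports; this is the "IP Routing Enabled"
    # line the thread checks with "ipconfig /all". Differs from the registry
    # until the host has been rebooted after a change.
    $line = ipconfig /all | Select-String -Pattern 'IP Routing Enabled'
    if ($line -and ($line.Line -match ':\s*(Yes|No)')) { return $Matches[1] }
    return 'Unknown'
}

function Enable-IpForwarding {
    # Sets IPEnableRouter to 1 (DWORD), creating the value if it is absent.
    # -WhatIf only reports what would change, for auditing a box first.
    param([switch]$WhatIf)
    $current = Get-IpForwardingState
    if ($current -eq 1) {
        Write-Output "IPEnableRouter is already 1; nothing to do."
        return
    }
    if ($WhatIf) {
        Write-Output "Would set $KeyPath\$ValueName from $current to 1."
        return
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    Write-Output "IPEnableRouter set to 1. Reboot for the change to take effect."
}

# Report both views, then show the change without applying it.
Write-Output ("Registry IPEnableRouter : {0}" -f (Get-IpForwardingState))
Write-Output ("Runtime IP Routing      : {0}" -f (Get-RuntimeIpRoutingState))
Enable-IpForwarding -WhatIf
```

Run it once with -WhatIf to confirm the registry and runtime views agree with what "ipconfig /all" showed you; drop -WhatIf to apply the change. Because the runtime state only catches up after a reboot, a host where the registry says 1 but the runtime says No is one that has been changed but not yet restarted, which is worth knowing before you start debugging firewall rules for LAN<->DMZ traffic.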
