  •  
BigStoo

I am testing out WRF 5.1.10 on Windows 2000 Server.

Firstly a bit of my configuration...
I am connecting via dial-up to a server assigned IP.
My local network is using IP subnet 192.168.69.0 etc.

I seem to be having problems with my traffic policy and the wizard.
I ran the wizard, choosing dial-up, allow all services, enable NAT. The traffic policy it produced only contained an entry for Firewall traffic. So I ran it again. This time it included firewall traffic and internal traffic. So I ran it again. This time I unticked NAT, then ticked it again. I got a NAT entry in the table but it isn't working.

My current traffic policy is as follows. Can you see any problems with it?

1. ICMP Traffic
src = Firewall, dst = any, service = ping

2. Local Traffic
src = (Firewall, LAN), dst = (Firewall, LAN), service = any

3. NAT traffic
src = LAN, dst = internet, service = any
translation = NAT default

4. Firewall traffic
src = Firewall, dst = Internet, service = any

5. Incoming traffic
src = Internet, dst = Firewall, service = HTTP,HTTPS
(this is for internet access to my mail server)

def action = drop


None of my LAN machines are able to access the outside world. They can access the proxy on the firewall, so they can go on the web, but I want to be able to route other things such as RAP.

There also seems to be odd things going on inside my LAN. For example I tried to connect to my firewall from a machine on the LAN using VNC, port 5900. In the logs, it says I connected from port 3010 (or some other seemingly random port) to port 5900. Shouldn't I be connecting from 5900 too? I then get nothing back to the LAN machine, even though the log says something has been sent.

Are there any known issues with running WRF with 2000 server? Are there any services that may be running by default that will conflict with WRF? It seems odd I can connect some of the time.

Hope someone can shed light. I'm baffled.
Thanks in advance
Stuart

[Updated on: Thu, 25 March 2004 10:49]

  •  
Pavel Dobry (Kerio)

The KWF 5.1.10 runs perfectly on W2000 server.
It seems there is some conflicting software installed in the firewall. It can be RRAS service, other firewalls, port tunneling applications, another software doing NAT etc.

Also please check the default route and DNS settings on client machines. Both should point to the firewall computer.


  •  
BigStoo

Hmmm.

The route tables on the clients all look right and DNS is definitely working (although only through the DNS forwarder) as they are resolving hostnames.

KWF is installed on a clean installation of Win2000 server with no other software installed (except KMS).

Does anyone know of any services that ship with W2K server out of the box that may be conflicting? I have disabled the routing service and the internet connection sharing service.

[Updated on: Thu, 25 March 2004 21:09]

  •  
BigStoo

I have just installed WRF5.1.10 onto a clean installation of Windows 2000 Pro. Nothing else has been installed.

When I run the traffic policy wizard, it does not create a NAT entry.

Any ideas?
  •  
BigStoo

I have installed WinRoute Pro 4.2.5 instead of WRF5.1.10
The NAT is working perfectly in WRP.

Could there be a problem with NAT in WRF?
  •  
Jeff Wadlow (Kerio)

Are you able to select your dialup account when you run the Traffic Policy wizard? I mean is it an option you can select?
  •  
BigStoo

Yes. In fact, if I remember rightly, it is the only option available to me.
  •  
Jeff Wadlow (Kerio)

When you created the dialup account did you select the option for 'everyone' or 'this user only' when you set who could use that dialup account?
  •  
BigStoo

I don't actually remember being asked. It's Windows 2000, remember.
I can't find anywhere where I'd be able to give permissions as to who can use the connection. I was logged on as Administrator when I created it.
  •  
Jeff Wadlow (Kerio)

I use XP Pro but I am pretty sure Windows 2000 has this option too. I may not be describing this very well. I created a screen shot of the option I am talking about. I know that with WinRoute Pro I could not see the dialup connection within WinRoute Pro if it was set to 'my user only'.

  • Attachment: dial_up.GIF
    (Size: 41.49KB, Downloaded 589 times)
  •  
BigStoo

I'm seeing the dial-up connection fine in both WRP and WRF. As I say, WRP seems to be working perfectly.
It's just the NAT in WRF that won't behave.
  •  
Mazrim

Hmm did you manually set the preferred DNS under the properties of the LAN's TCP/IP protocol on your windows box? Might need to do this with a dialup WAN connection.

Or are you only supplying default gateway in KWF?

[Updated on: Tue, 30 March 2004 13:43]

  •  
BigStoo

DNS server is set to the WRF machine (192.168.69.1) for all the LAN machines using DHCP (as is the default gateway).

The DNS entry for the dialup connection is assigned by the ISP in the TCP settings, although I have manually assigned it in the WRF DNS forwarder.