Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Very complicated Winroute scenario (Push it to the limits baby !)

Messages: 7
Karma: 0
Send a private message to this user
Hi all,

Probably the most complicated installation in the forum, maybe too complicated, but I need to handle a difficult configuration.
Thank you in advance if you have enough courage to read the whole message.
A super mega amazing thank you if you reply a working solution Very Happy .

Why Winroute ?

We are using multiple SOHO Gigabit routers for the moment.
Even if they are Gigabit routers they cannot support more traffic because the configuration is very heavy (many rules, bandwidth control, packet filtering, etc.).
Management is also becoming very hard (updates, configurations, etc.).

We are going to upgrade our internet bandwidth soon from 10Mbit to 20Mb (it can be upgraded up to 200Mbit on-demand).
We are a small company and we cannot buy tons of Cisco, that's why I hope Winroute will do the job.


Because I cannot interrupt our web services and because I don't have enough computers, I cannot test the configuration before.
I'll do the "migration" during weekend (Sad), if everything is already configured it will take a couple of hours so it is acceptable.


Internet 1

Range1: a.a.a.50 -> a.a.a.54
Gateway: a.a.a.49

Range2: b.b.b.100 -> b.b.b.104
Gateway: b.b.b.99

Important note: as the two ranges are on the same physical line, I can choose to use 1 or 2 adapters on the server (I put a switch between the server and ISP, it works fine).

Internet 2

Single IP: c.c.c.2
Gateway: c.c.c.1


LAN 1 is a Windows 2003 native Active Directory with DHCP and DNS.

LAN 2 is a separated network of a "partner" company.

Except internet "sharing" there are no link (no AD, no trust) between the two LANs.

Winroute server & connections

The server will be member of the Active Directory in LAN 1.
Hardware: Xeon 2.4, 2Gb Ram, 10 Gigabit NICs

#1 Internet 1 (Range1)
#2 Internet 1 (Range2)
#3 Internet 2
#4 LAN 1
#5 LAN 2
#6 Kerio Mailserver (with webmail)
#7 FTP server (with "webftp")
#8 DMZ 1 (webservers)
#9 DMZ 2 (webservers)
#10 DMZ 3 (webservers)

As I said in the Internet part, I can put physically Range1 and Range2 on the same adapter #1 (if Windows/Kerio accept that), adapter #2 will be unused in this case.

Expected results

1) LAN 1 can access internet to any service (FTP, HTTPS, etc.) but I can block some Users/Groups from accessing some services.

2) LAN 2 can access internet without authentication.

3) LAN 1 and LAN 2 use the main IP of NIC#1 wich is a.a.a.50
(LAN 2 can use another IP if it is not possible to use a.a.a.50)

4) Kerio Mailserver is mapped to external IP a.a.a.51

5) FTP server is mapped to external IP a.a.a.52

6) Each DMZ is mapped to external IPs b.b.b.90 -> b.b.b.94
(Some DMZ have multiple servers)

Servers mapped to an external IP must send and receive packets from and to this IP only (eg: FTP server must not respond with the IP of a DMZ).

7) An automatic or manual failover must be set with the Internet 2 line.


Let's have fun here Smile

Begin with the easy part, failover.
As the Internet 2 have only one IP, I didn't see any trick to do it automatically (maybe someone is better than me).
So my idea was to create two separated configuration for Winroute, one normal (with all IPs etc.) and a failover config.
The failover config will be a lot of port redirection, so I can say to our customer "Use www.server.ext and if not working use".
When the main line is down I switch the two config files and restart Winroute.

Seems to be good ?

Ok now let's play with the two IP ranges.

I see that it is possible to put different IP/Mask in the TCP/IP configuration for a network adapter.
How Winroute will handle that ?

I also see that it is possible to put multiple gateways on the same nick but it use "metric", so it will always use the first one until it is not reachable.
If I use 2 adapters with 2 gateways Windows will probably have problems to choose the correct way to send a packet.
But maybe if I put the correct rules (MAP an NAT rules) in Winroute it can work ?

I'm open to any other working scenarios.

The machine is dedicated to Winroute, maybe somebody with Winroute experience can tell me if the hardware is strong enough of if I need a more powerful machine (DualQuadCoreWithTonsOfRamWichCostTooMuch) ?

Thanks for responses.

Messages: 186

Karma: 0
Send a private message to this user

I think it might be possible to do it with one configuration.
I will take a look at it tomorrow as it is getting very late for me now.

If the server is able to handle all the rules, I am not sure as I don't have that much knowlegde/experience. I thing RAM should be fine. CPU speed also greatly depends on what NIC's you use.

Messages: 7
Karma: 0
Send a private message to this user
Thank you for your reply,

I can upgrade the memory (up to 16Gb) and add a second Xeon if really needed.

The network cards are two HP NC364T Quad-Port Gigabit adapters.
There are two Intel 82571EB controllers on each card wich is also used in fiber gigabit network, so I suppose it is a good controller.

Don't hesitate to reply if you have any idea (or send me a private message if you prefer).

Messages: 186

Karma: 0
Send a private message to this user
First of all, I am not sure if this will work, but this is how I would try to setup Winroute. I haven't got time and computers to test it out, so it is a theoretical approach.

I hope you are able to switch back to your old setup easily, if this doesn't work as intended.

--- Probable Config pt1 ---

1. Setup all the NIC's with the proper settings in Windows, I would setup #1 and #2 separate, as I am not aware of how windows handles multiple subnets/ranges on one NIC.

2. Install Winroute (Duh...)

3. Configure Winroute / setup the traffic rules (lets follow your expected behaviour order):

Rule with: Source: LAN1, Destination: Internet, Service: What you want, Translation: Enable Source NAT, Use Specified IP, and setup the IP (a.a.a.50).
Do the same for LAN2.

For the authentication part, I don't know how to setup correctly.

Setup rules for Kerio Mailserver
Incoming: Source: Internet1, Destination: a.a.a.51, Service: What you need, Translation: Enable Destination NAT with IPofMailserver.
Outgoing: Source: IPofMailserver Destination: Internet1, Service: What you need, Translation: Enable Source NAT with a.a.a.51

Same for FTP and DMZ but with different IP's

Setup failover (perhaps needed to be setup above other rules)
Create portmapping rules with Source: Internet2, Destination: WhereYouWantService, Sercice: PortToTranslate (external eg 1234), Translation Enable Destionation NAT, with IP and Port of server (Webserver1 port 80).

---- THE END ----
I think this will work, but as I said, I don't have that much experiance, perhaps you can/should check with Kerio Support if this will work.

Messages: 7
Karma: 0
Send a private message to this user
Thank you for your suggestions, I had approximatively the same idea.
I can rollback easy, it's just some cabling stuff.

I won't ask Kerio support because I did when we bought Kerio Mailserver and the answers were always "commercially affected".
When the support just say "yes." it could be in reality "yes, but...".

I'll try this weekend (if I have the courage and time) just to check if the 2 ranges can work together (I think it's the main stuff in this issue).

Messages: 186

Karma: 0
Send a private message to this user
Care to share your experience.. did it work!?

Messages: 7
Karma: 0
Send a private message to this user
I didn't have the tile last weekend so I've scheduled that for the next weekend.

I preconfigured the machine (routing, IPs, forwards, etc.) and I have a plan on paper Smile.

I'll reply when it's done (successful or not).
Previous Topic: remot by another site
Next Topic: suggest creat hot room chatting
Goto Forum:

Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Fri Nov 24 21:27:16 CET 2017

Total time taken to generate the page: 0.00404 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.