Change Internet Line for each Users
  •  
PhoenixVOZ

Hi there,

I've set up Kerio with 3 NICs (1 for Internet, 1 for DMZ, 1 for Local). I have 3 Internet routers linked to the Kerio Internet NIC through a small switch. But with just one NIC for Internet, I can only set up one line. Some users want to use the other Internet lines. How can I route those users to another Internet line?

1. The Internet routers have 3 IPs: 10.0.0.1, 10.0.0.2, 10.0.0.3
2. DMZ with 192.168.0.0/24
3. Local with 172.16.0.0/24

Default GW of 172.16.0.0/24 is 10.0.0.1 (NAT)

I want to route some IPs (for example, 172.16.0.100 to 10.0.0.3). How?

PS: I've used Endian Firewall before; its default gateway is 10.0.0.1, and it can route just like that (172.16.0.100 to another gateway).

[Updated on: Wed, 22 May 2013 09:05]

  •  
mlee (Kerio)

You can specify the IP Address you want to use in Source NAT.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
PhoenixVOZ

Hi Martin Lee,

The case you describe applies if we have several NICs for Internet lines.
In my case, I have just 1 NIC for Internet; the default Internet gateway is 10.0.0.1, but some users want to use another Internet line. How can I route those users to other gateways?

Default users still use the default Internet line with gateway 10.0.0.1 on the Internet NIC.
Some other users, on the same subnet as the default users, want to use another Internet line, but the gateway is just 10.0.0.1. How can I route them?

[Updated on: Thu, 23 May 2013 05:51]

  •  
mlee (Kerio)

If you have multiple NICs, you can specify the interface. You have 1 NIC, so just specify the IP address.

  • Attachment: SNAT.png
    (Size: 13.36KB, Downloaded 351 times)

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
PhoenixVOZ

It doesn't work; I've tried many ways. When I apply that rule, the PC cannot ping anymore.
  •  
PhoenixVOZ

This is my simple diagram. Can you check and fix where I'm wrong?

http://farm6.staticflickr.com/5343/8786855685_ee0613e3d7_o.jpg

http://farm6.staticflickr.com/5466/8797435692_8ff60e9637_o.jpg

http://farm3.staticflickr.com/2856/8797435526_c9dec78bd8_o.jpg

Thank you
  •  
mlee (Kerio)

The solution I suggest only works if 10.0.0.3 is an IP address configured in Kerio Control.

In your case, I don't think it can be done.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
PhoenixVOZ

It requires one NIC per Internet line; the NICs used for Internet lines can be on the same subnet as each other, but you must switch to Load Balancing mode.
Endian Firewall can do that; it can route an IP to other gateways.

Will Kerio develop that later?

[Updated on: Fri, 24 May 2013 05:11]

  •  
silars

Try using Destination NAT to 10.0.0.3, while using Source NAT.

[Yeah, ignore this. This won't work.]

[Updated on: Sat, 25 May 2013 04:42]

  •  
PhoenixVOZ

The source NAT IP is the IP of the NIC that has gateway 10.0.0.3; you cannot use that gateway directly.
Example: if we have 3 NICs for Internet:
1. IP 10.0.0.101, gateway 10.0.0.1 (router 1)
2. IP 10.0.0.102, gateway 10.0.0.2 (router 2)
3. Same with .103 and .3

Then you can use the source NAT IP, but that IP is the IP of the NIC (101, 102, 103), not the IP of the router.

If you don't believe me, just try it; I've been stuck on this many times...

Now, with one NIC for Internet, I can't route users to other Internet lines if they want... :(
  •  
silars

Without VLANs, you'd need Policy-based Routing.

However, with VLANs, you can make it work. The VLANs should show up as additional interfaces to apply to rules. The downside is you would have to modify your 10.0.0.x masking scheme.

Does your switch handle VLANs? Can you alter your 10.0.0.x IP scheme?
  •  
PhoenixVOZ

If I split into VLANs, then the small switches in the diagram must be layer 2 or better. I tried with VLANs too and it works, but it requires switches that are at least layer 2.

I don't know how Endian can work in this case, but a business product like Kerio can't... It's just a simple case.
  •  
silars

Endian likely includes some Policy-based Routing (using information other than Destination IP in the routing decision). There is also the idea of defining a "Next-Hop" in the traffic rule. This is essentially also Policy-based Routing.

It is hard to find modern switches that don't support VLANs, even the really cheap ones. Most businesses will only consider switches that have VLAN capabilities.

But, to be honest, this is a niche design. You can't design a product to work in all scenarios. It just isn't possible. Not to mention, there are very inexpensive solutions to your problem: buy 2 more NICs, buy another switch, enable VLANs in current switch, etc. Replacing Kerio with Endian will be a significant cost.

I'd love to see Kerio add more Policy routing capabilities, but you can easily solve your problems with simple changes.
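
Added example, not part of the original thread and not Kerio Control configuration: the source-based next-hop selection (policy-based routing) described above, written for a generic Linux gateway with iproute2. The addresses come from the thread; the interface names `eth0`/`eth1`, routing table number 103 and the `pbr_plan` helper are assumptions.

```shell
#!/bin/sh
# Policy-based routing on a Linux gateway: choose the next hop by SOURCE
# address, with only one Internet-facing NIC shared by all three routers.

WAN_IF="${WAN_IF:-eth0}"   # assumed name of the single Internet NIC (10.0.0.0/24)
LAN_IF="${LAN_IF:-eth1}"   # assumed name of the Local NIC (172.16.0.0/24)

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# pbr_plan HOST GATEWAY TABLE_ID
# Prints the commands that steer traffic from HOST through GATEWAY.
pbr_plan() {
    host=$1; gw=$2; table=$3
    valid_ip "$host" && valid_ip "$gw" || { echo "bad address" >&2; return 1; }
    case "$table" in ''|*[!0-9]*) echo "bad table id" >&2; return 1 ;; esac

    # 1. A separate routing table whose only default route is the alternate
    #    router. Both routers are on-link on the same NIC, so no extra
    #    interface or VLAN is needed.
    echo "ip route replace default via $gw dev $WAN_IF table $table"

    # 2. A rule matching the packet's source address selects that table.
    #    All other hosts fall through to the main table (default via 10.0.0.1).
    echo "ip rule add from $host/32 lookup $table priority $((1000 + table))"

    # 3. Check the decision for forwarded traffic from that host
    #    (192.0.2.1 is a documentation address used as a sample destination).
    echo "ip route get 192.0.2.1 from $host iif $LAN_IF"
}

# The case from the thread: 172.16.0.100 leaves through router 10.0.0.3.
# This only prints the plan; pipe the output to `sh` as root to apply it.
# Existing source NAT onto the gateway's own 10.0.0.x address stays as is,
# because every router can reach that address on the shared subnet.
pbr_plan 172.16.0.100 10.0.0.3 103
```

The routing decision is made before source NAT is applied, so the rule matches the host's original 172.16.0.100 address.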
  •  
PhoenixVOZ

OK, thank you, so Kerio can't do that. It seems I must use Endian for this case. Anyway, thanks again, silars.

[Updated on: Wed, 29 May 2013 12:46]
