Kerio User Forums, Kerio Control: general advice for routing problems
giampos

Messages: 187
Karma: 2
Hi, I'm looking for some advice on a routing problem.

In my LAN I have 2 routers:

1) 10.10.10.1 Kerio Control: all routes and internet usage.
2) 10.10.10.2 Proprietary Cisco (static routes 10.50.50.x to central company service)

Now I have configured static routes on each workstation with default gateway 10.10.10.1 and a route 10.50.50.0 mask 255.255.255.0 to GW 10.10.10.2.

I'm looking for a config where only KControl (10.10.10.1) is set as gateway, and it forwards the specific route to the other router.

I've configured in KControl the static route to the Cisco; now I can ping the company hosts at the 10.50.50.x addresses, but services don't work. I suspect that packets don't return through the KControl but go directly to the workstation, which doesn't have the Cisco as gateway.

Keep in mind that I cannot manage and config the proprietary Cisco.

Thanks for any help.

mlee (Kerio)

Messages: 246
Karma: 16
I have encountered a similar request and I don't think your proposed topology would work.

It works if you put the static route in your DHCP server though.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
giampos

Messages: 187
Karma: 2
Can you explain better, please?
You mean, if I don't use static IPs I can add the route to the DHCP server so that it hands out the IP/subnet/gateway and route to the workstation?

The problem is that I don't use dynamic IPs and DHCP in my LAN.
silars

Messages: 429
Karma: 59
Actually, this should work and is similar in concept to another thread up at the moment (lightyear's thread).

This can work a number of ways:

1. ICMP Redirect, if Control supports it. Essentially, if a router receives a packet on an interface that is also the next-hop route interface, it will generate an ICMP packet telling that host to use that next-hop route. The host will then install that route for future use. I don't believe Kerio supports this, though.

2. Control routes to the Cisco, but doesn't NAT the traffic. This should work and I have seen it work with enterprise routers (Cisco, Juniper, Brocade, Extreme, etc.). However, all the security features need to account for this, primarily stateful inspection. You are right, traffic will not flow back in the manner it went out. This is legal IP traffic though. ECMP uses this to its advantage.

3. What Martin described. DHCP can be used to install host routes.
giampos

Messages: 187
Karma: 2
Thanks Silars,
I've read lightyear's thread before submitting this one, but I thought it was a little different.

So... point #3: I have to use static IPs for workstations...

About way #1: who knows if KControl supports this??

#2 seems more interesting... in addition to the static route in KControl, do you suggest a specific filter rule? And in this case how should it be written?

source : Kcontrol IP
Dest: Cisco Router Ip
protocol: Any
Action: permitted
nat : ?????

If I enable NAT, maybe the Cisco returns packets to the KControl and not directly to the workstations??

Thanks for help.
silars

Messages: 429
Karma: 59
His problem is slightly different, but it is the same mechanic involved. You are both trying to do what is sometimes referred to as a "router on a stick" or OAR (one-armed routing). Some routers can handle this, some can't.

If you enable NAT, the traffic should return to the Control device. However, I've never tried this with Control. On other routers, this has worked.

Fundamentally, you shouldn't need NAT to make this work.

You may need to get some packet captures of the traffic that Cisco sends/receives. Do you have Wireshark and a switch that supports SPAN or port mirroring?
giampos

Messages: 187
Karma: 2
It works!
Just add a rule: source: LAN - dest: subnets - service: any - NAT standard enabled,
and all packets return through the KControl and it redirects them to the right workstation.

Clearly all the desired subnets must be on destination group and properly routed in routing table.

It doesn't matter that the target hosts see only the KControl firewall in place of the workstations.

Thanks Silars......
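Added example, not code from the thread or from Kerio: a small Python simulation of the longest-prefix-match decision at each hop, showing why the reply bypasses Kerio without NAT (silars' point #2, so a stateful firewall never sees the return half of the flow) and passes back through it once the rule with NAT is in place. The workstation address 10.10.10.50, the company host 10.50.50.10 and the Cisco's inside address 10.50.50.1 are constructed assumptions.

```python
import ipaddress

# Constructed routing tables for the LAN in the thread: 10.10.10.1 (Kerio), 10.10.10.2 (Cisco)
# and 10.50.50.0/24 come from the post; the workstation 10.10.10.50, the company host
# 10.50.50.10 and the Cisco's inside address 10.50.50.1 are assumptions for the example.
ROUTES = {  # node -> [(prefix, next_hop)]; next_hop None means directly connected
    "workstation": [("10.10.10.0/24", None), ("0.0.0.0/0", "10.10.10.1")],
    "kerio": [("10.10.10.0/24", None), ("10.50.50.0/24", "10.10.10.2")],
    "cisco": [("10.10.10.0/24", None), ("10.50.50.0/24", None)],
    "company": [("10.50.50.0/24", None), ("0.0.0.0/0", "10.50.50.1")],
}
ADDRS = {"workstation": ["10.10.10.50"], "kerio": ["10.10.10.1"],
         "cisco": ["10.10.10.2", "10.50.50.1"], "company": ["10.50.50.10"]}
OWNER = {ip: node for node, ips in ADDRS.items() for ip in ips}

def next_hop(node, dst):
    """Longest-prefix match on node's table; returns the IP the packet is handed to."""
    dst_ip, best = ipaddress.ip_address(dst), None
    for prefix, gw in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"{node}: no route to {dst}")
    return best[1] or dst  # directly connected: deliver to the destination itself

def trace(node, dst):
    """Hop-by-hop path from node to whichever node owns dst."""
    path = [node]
    while node != OWNER[dst]:
        node = OWNER[next_hop(node, dst)]
        path.append(node)
    return path

def round_trip(nat):
    """Forward path and reply path, with or without source NAT on Kerio."""
    fwd = trace("workstation", "10.50.50.10")
    reply_to = "10.10.10.1" if nat else "10.10.10.50"  # source address the company host sees
    rev = trace("company", reply_to)
    if nat:  # Kerio holds the NAT state, un-translates the reply and forwards it on
        rev += trace("kerio", "10.10.10.50")[1:]
    return fwd, rev

if __name__ == "__main__":
    for nat in (False, True):
        fwd, rev = round_trip(nat)
        print(f"NAT={nat}: out {fwd}, back {rev}, symmetric={rev[::-1] == fwd}")
```

Without NAT the Cisco delivers the reply straight to the workstation over the shared 10.10.10.0/24 segment, so Kerio only ever sees one direction of each connection.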