Very, very slow internet browsing/download, 8.2.x

I wonder if anyone has any idea why we would be getting very, very slow browsing/downloading speeds through the Kerio Control software we have on an HP Microserver? Recent 8.2.1 patch did not solve.

Configuration is as follows:

Single internet link:

ADSL comes in to our Vigor 2860n modem/router (we don't have a separate ADSL modem). This has external address of (redacted) 212.x.x.37. Vigor firewall is turned off.

The Kerio Control 8.2.1 software in on a HP Microserver with two NICs.

I set the Kerio Internet Interface NIC at 212.x.x.38 and connected to a port on the Vigor.

The Vigor has NAT (to 192.168.1.x range) and has an internal IP of However it also has an IP Routed Subnet set as 212.x.x.37/mask

The Kerio Trusted /Local interface NIC is set at and connected to another port on the Vigor.

(Bit of a rookie with routing, but I assume that means that ADSL comes in via the Vigor, is transparently routed to the Kerio Internet Interface on .38, which then acts as a firewall to anything which has a gateway value of .150 and is in the range to .255??)

We then have an SBS2011 box connected to a third port on the Vigor, with IP (gway .150, dns .2) which will eventually connect with clients on IPs .3-.50, thanks to a port on the Vigor being connected to a switch, off of which the PCs will hang.

Finally, for my own testing purposes, an HP workstation not part of the SBS domain, with address, gway .150, dns .150)

This is what happens:

SBS2011 and my HP Workstation can browse internet, but INCREDIBLY slowly (e.g. .02 kb/s) leading often to timeouts. Here is an example traceroute to e.g. trying to browse in IE to this address does not work even after waiting 2 mins, but sometimes other sites do work or on 2nd attempt.:

traceroute to (, 30 hops max, 60 byte packets
1 212.x.x.37 0.711 ms 0.690 ms 0.680 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * 8.810 ms 9.865 ms
8 12.137 ms 12.560 ms 13.247 ms
9 21.226 ms 22.775 ms 25.564 ms
10 * * 28.230 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

(on my HP Workstation, with gway changed to point to Vigor on .1, the page comes up immediately in IE, and traceroute is as follows(admittedly with seeming to auto resolve to .com instead):

Tracing route to []
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms Vigor.router []
2 9 ms 7 ms 17 ms []
3 7 ms 6 ms 6 ms []
4 7 ms 6 ms 6 ms []
5 6 ms 5 ms 6 ms []
6 6 ms 6 ms * []
7 6 ms 6 ms 6 ms []
8 7 ms 7 ms 7 ms []
9 13 ms 13 ms 13 ms
10 13 ms 13 ms 15 ms
11 14 ms 13 ms 13 ms
12 13 ms 13 ms 13 ms

Trace complete.

Any suggestions gratefully received.


Where did you get 212.x.x.37/mask from, provider? Then what is 212.x.x.38, your own initiative?
Also, still cant figure out your setup, post info of every interface you use like this: 1) Name(what used for) 2) IP 3) mask 4) gateway, dns 5) NAT or not. And post actual routes. I think youre misconfigured.

Hi, thanks for responding.

Yes, I agree that there is probably some basic mistake that I, as a newbie, have made - which is why I am posting the question in this forum...

(See below - I have noticed that the Internal NIC of the Kerio does not have DNS or Gateway settings - which I guess could be a problem, though nothing alerted me to this during setup - only just found out).

>>Where did you get 212.x.x.37/mask from, provider? Then what is 212.x.x.38, your own initiative? <<

We have static IP range from our ISP, which they quote as:
Static IP: 212.x.x.36 Gateway Address
212.x.x.37 address for router
212.x.x.38 spare address
212.x.x.39 Broadcast Address
Netmask: (this is the ONLY mask ending .252 - all other masks are

This has always worked fine, e.g. for our SBS 2003 box (with two NICs, as it had ISA, a software firewall on it)the router took .37,and the external facing NIC took .38 (with the 2nd NIC on the other side of the software firewall having, connected to a switch off which hang the client PCs)

>>Also, still cant figure out your setup, post info of every interface you use like this:<<

I think I did most of that in original msg, and you haven't asked for any 'report' to be generated by the Kerio Control, but to clarify:

(NOTE that I now have an HP Switch unit, so the configuration is slightly different to my first post; also, I have now changed the internal NAT range of the Vigor Router from> to> in case that was causing issues - since it was the same as the Kerio NAT range)

Overall situation: I have fast ADSL coming into a Vigor modem/router, with a workstation of mine hanging off of it and getting fast browsing speeds.
I have Kerio Control 8.2.1 on an HP Microserver, which has one NIC connected to the Vigor router, and one to the Switch. Hanging off of the Switch is my windows domain kit - an SBS2011 Server and a test Client PC - the idea being that the domain is protected by making the Kerio the gateway. This kit on the 'internal' side of the Kerio are getting the Very, Very slow Browsing speeds...

the Connections:

(a)ADSL incoming CONNECTED to (b) ADSL port on Vigor 2860n Router

On the Vigor router, an IP Routed Subnet is setup - IP Address 212.x.x.37, with mask (so as to provide the Kerio NIC #1 with an external IP, which it has as .38)

(You cannot turn NAT off for the Vigor - it is now set to be the range> - and I have temporarily connected my own workstation to the Vigor, with IP of

DNS for Vigor is picked up automatically from the ISP - 212.x.13.49, 212.x.13.50

(b)Vigor has 2 items connected to its sockets -

socket #b1 - NIC#1 of the Kerio ('Ethernet Interface, Native mode' - set at 212.x.x.38, mask, gateway 212.x.x.37, dns (I just put in the Google DNS since that usually works

socket #b2 - my workstation (for testing only, not part of the SBS domain). It has IP, mask, and DNS now set to be (the Vigor router) - NOTE that with these settings the workstation gets really fast browsing speeds, so the
problem is not with the Vigor router.

(c) the Kerio Control box has two NICs, and is an HP Microserver, gen7

NIC #1 - is the one described above, 212.x.x.38 - connected to the Vigor Router

NIC #2 - is 'Trusted/Local Interface - Native mode' and has IP, with mask of

*** NB - looking at the config for , there is NO Gateway or DNS specified - and to be honest, I am not sure what to put here ***

(d) The Switch - items connected to the Switch are:

#d1- Kerio Nic #2,

#d2 - Msft SBS2011 server - NIC is, mask, gateway (the Kerio), DNS (which is correct SBS DNS'ing for the server to point to itself). This server will be domain server for'OURDOMAIN'

If I try to browse from this server, I get the very, very slow speeds (and I also had slow speeds when my workstation was given a Kerio internal ip of and had the Kerio as the gateway at192.168.1.150) (as soon as I gave my workstation a gateway of the Vigor router at (as it was, previously) my workstation had fast browsing speeds).

#d3 - Windows 7 PC, test client - NIC is, mask, gateway (the Kerio), DNS (the SBS server)

So, hopefully the above helps.


Well, you just answered it yourself - you must have gateway and dns at kerio's NIC 1.
Thats not all for correct inet flow, but for starters, try that, and post back what happened.

>>you must have gateway and dns at kerio's NIC 1<<

If by NIC1 you mean the Internet Interface, it already does have Gwy and DNS values entered - see my post.

If by NIC1 you mean the Internal Interface... Kerio actually advise NOT having a gateway value set there. I have now added to the DNS however, but no change in speed.

Sorat, your answers are fast but not necessarily clear - or helpful - for a newbie. Unless you can help in a more productive way, please don't.

Thank you

Of course only one gateway needed. Yes, now i managed to see you described it earlier. Thats why i asked to post info on interfaces in a manner of tight short list. Instead you go on more like a storytelling about config and not always clear for the purpose of troubleshooting description.
Ok, i'd say looks like you have dns redirect timeouts.
Instead of sbs, try enabling dns forwarder in kerio (no need to use sbs, just configure kerio's properly, write zone of your domain, see hosts file etc), and configure your client to kerio as primary dns server.
Also, use kerio's status->IP tools, for simple checks like ping, tracert, lookups. See if kerio itself is responding properly.

Thanks Sorat, I shall try this and report back.

