Large network with two internet connections
  •  
zouklover

Dear all,

I intend to use Kerio Control for a large company with multiple networks (VLANs) and dual WAN.

The network has the following specs:
- Domain controller on VLAN 30
- Kerio installed on a firewall with 02 NICs
- 02 internet connections for load balancing
- Computers on VLANs 10, 20, 40, 50

My questions:
- Are 02 NICs enough for this? Can I also use VLANs for the interface connected to the internet links?
- I tried testing and the IPS blocked traffic coming from a LAN network different from the NIC. Does that mean I have to create a VLAN for each LAN network?

  •  
Vicky

Hi Zouklover,

I have not had a user need to have a VLAN on a WAN card before. I do not believe that it will work. From what I have seen of other users' setups, VLANs need to be on a dedicated LAN card, and a single LAN card can then handle all the local VLAN traffic, and your two WAN cards can then load balance your internet connection.

All the best,
Vicky
  •  
silars

I'd have to disagree, Vicky. While I haven't tested it either, the configuration options within Control appear to support this. Two NICs should be sufficient if VLANs are an option. Your only issue would be if both the WAN connections exceed the bandwidth of the single NIC. It would still work but you risk starvation.

Remember, you have to create rules to allow traffic between trusted interfaces. Try configuring a rule that specifically allows that distant LAN segment to be forwarded through Control, not just that interface. That should change the behavior.
  •  
zouklover

Thanks for the replies, guys.
As for the LANs, I have to create a separate VLAN, right?

Will Kerio be able to authenticate each user using the Domain Controller?

Find attached a diagram to clarify this.

Regards

[Updated on: Wed, 26 February 2014 19:48]

  •  
silars

For security purposes, separate VLANs would be best. As long as Control is properly configured for the DC, it should be able to use it to authenticate users.

Another option would be to run Control as a VM in a hypervisor. Let the hypervisor manage vSwitches that match to the VLANs. In this case, the hypervisor would present Control with a vNIC per vSwitch. You wouldn't need to enable VLANs within Control. This is how I handle dual WAN connections. This won't be an option if you use a hardware appliance.

You can also download a trial of Control for testing purposes. I would recommend at least testing this configuration before trying it live. Every network is slightly different. It would be difficult for any forum to catch all the issues you may have.
  •  
ICT and Me

Hi Guys,

I still don't understand the VLANs on the WAN to the internet.
What kind of internet provision will this be? What is the purpose of that?
VPLS/MPLS?

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
silars

I cheat. I have two service providers. Instead of using two NICs, I use a switch to translate those ports to VLANs into my virtualized environment. A bit more like a pseudo-wire, though not VLL.

This configuration allows me to quickly reconfigure my network as needed. I can also mirror traffic from either WAN into an analyzer as needed without requiring physical reconfiguration.