Help me: Routing Configuration
  •  
trisse

Hi!

We got two separate offices (networks).
NetworkA: 192.168.0.0/24
NetworkB: 192.168.1.0/24

We established a directional radio between those offices.
This radio link acts as a plain old network cable, no routing in between.
We can't get networking right between both offices.

https://picload.org/image/rcadiwgw/1.png

Port1 and Port3 on the left box belong to lan-switch, no separate IP.
Left box has the following static route: 192.168.1.0/24 -> gw 192.168.0.97
On the right box, Port1 has 192.168.0.97
Right box has no custom static route.
Port3 is lan-switch. (192.168.1.112)

With that configuration, NetworkA is able to reach networkB, but not vice versa.
networkB can only reach the control-box on networkA (192.168.0.110).

Could you please help us get this right?

Thanks!
  •  
Brian (GFI/Kerio)

Why does port 3 on Office b have a different subnet? Based on your diagram it doesn't seem there is a need to have different subnets and set up routing.
Otherwise, you may have port 3 on Office b configured in the Internet interfaces of Kerio Control. In that case it would protect Office A and assume that the internal network of Office b is the Internet. Another assumption for this routing to work is that the hosts on Office b are using 192.168.1.112 as their default gateway. If they are not, then you need to add a route on the default gateway of Office b that directs 192.168.0.0/24 through 192.168.1.112.

Brian Carmichael
Instructional Content Architect
  •  
trisse

Thanks for your reply.

Let me simplify this:
Imagine both boxes side-by-side.
Both inter-connected via Port3.

On both boxes, on port1, a computer trying to reach the other.

https://picload.org/image/rcaawlal/bild1.png

I wanted to state the configuration that makes sense for me, but please try to forget what I did.
Maybe you can just tell me, based on this picture, what to configure to get this right.


Please do not care about the following, if it's completely incorrect:
My idea was to create a separate interface on Box-B (LAN3) and configure it with an IP address in the 0.0-Network (so LAN3 on Box-B has 192.168.0.97)
Remember: LAN3 on Box-A and LAN3 on Box-B are connected via a simple network cable.
What I did now was create a static route on Box-A like: 192.168.1.0/24 -> gw 192.168.0.97
Read this route like: "if you want to go to 1.0/24-Network, go to GW 0.97 (which is LAN3 on BoxB)"


  •  
Brian (GFI/Kerio)

Based on the information in your diagram I can provide only a general answer. Both PC1 and PC2 should use their corresponding Kerio Control as the default gateway. In the configuration of both Kerio Controls, all ports involved in this setup should belong to the trusted/local interface group.
The static route you added on Box-A is correct. If your original diagram still applies, then you don't need any static route on Box B since it had an interface that was part of the Box A subnet.

Brian Carmichael
Instructional Content Architect
  •  
trisse

What you now said, is exactly what we did.
Box-B has an interface in the 0.0/24-Network.
Box-B has no static route, Box-A has one.

We can reach from Network 0.0 -> 1.0 but not the other way.

We talked to our local Kerio distributor and he also said that this setup should work.
He also said that a transfer-network might work.
In that scenario, both interfaces should have a separate (third) network, e.g. 192.168.3.0/24.

What do you think about that?

Thanks.
  •  
trisse

OK, we did it with the original setup and without the transfer-network-thing.

Our setup was correct, there was one rule we had to change:
https://picload.org/image/rcocdwwa/222.png

We added the trustworthy interfaces to the destination at rule "internet access (nat)".
Normally (default), this is not.

It simply started to work, but we don't know exactly why.
Can you tell us, why we had to change this setting and if there is a possible security impact?


Thanks!
  •  
Brian (GFI/Kerio)

There is not enough information provided in your diagrams to consider the security implications of this configuration. Normally you would put those interfaces in the Trusted/Local interface group as I indicated previously. Assuming you have not modified the default traffic rules, they would be permitted to communicate via the "Local traffic" rule as the Trusted/Local interface group is added to both the source and destination of that rule.

Brian Carmichael
Instructional Content Architect
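
An added example, not part of the thread and not Kerio code: it computes request and reply paths from the addresses and the static route given in the posts, and shows that only the Office B to Office A direction makes Box-A forward a reply whose request it never saw, and that source NAT on Box-B (assumed here to be the effect of the changed rule, which the thread does not confirm) removes that asymmetry. The PC addresses are constructed; Box-A owning 192.168.0.110 and both PCs using their Kerio box as default gateway are assumptions.

```python
import ipaddress as ip

# Box addresses and Box-A's static route are from the thread. The PC addresses
# are constructed; Box-A = 192.168.0.110 and the default gateways are assumptions.
NODES = {
    "PC-A":  {"ifs": ["192.168.0.10/24"],  "routes": {"0.0.0.0/0": "192.168.0.110"}},
    "Box-A": {"ifs": ["192.168.0.110/24"], "routes": {"192.168.1.0/24": "192.168.0.97"}},
    "Box-B": {"ifs": ["192.168.0.97/24", "192.168.1.112/24"], "routes": {}},
    "PC-B":  {"ifs": ["192.168.1.10/24"],  "routes": {"0.0.0.0/0": "192.168.1.112"}},
}

def owner(addr):
    """Name of the node that has addr configured on one of its interfaces."""
    for name, node in NODES.items():
        if any(ip.ip_interface(i).ip == ip.ip_address(addr) for i in node["ifs"]):
            return name
    raise LookupError(addr)

def next_hop(node, dst):
    """Deliver on-link if dst is in a connected network, else longest-prefix route."""
    d = ip.ip_address(dst)
    if any(d in ip.ip_interface(i).network for i in NODES[node]["ifs"]):
        return owner(dst)
    hits = [(ip.ip_network(p), gw) for p, gw in NODES[node]["routes"].items()
            if d in ip.ip_network(p)]
    if not hits:
        raise LookupError(f"{node} has no route to {dst}")
    return owner(max(hits, key=lambda h: h[0].prefixlen)[1])

def path(src, dst):
    """Nodes a packet from src to dst visits, in order."""
    hops = [owner(src)]
    while hops[-1] != owner(dst):
        hops.append(next_hop(hops[-1], dst))
    return hops

def flow(client, server, snat=None):
    """Request and reply paths; snat is the address the request source is rewritten to."""
    request = path(client, server)
    reply = path(server, snat or client)
    if snat:  # the NAT device translates back and forwards the reply to the client
        reply += path(snat, client)[1:]
    return request, reply

def reply_only(request, reply):
    """Nodes that forward the reply without having forwarded the request."""
    return [n for n in reply if n not in request]
```

With the source rewritten, every Office B client appears to hosts in 192.168.0.0/24 as 192.168.0.97, which is worth keeping in mind when reading logs or writing address-based rules on that side.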