Strange routing problem (Kerio User Forums, Kerio Control)
dthomi

Messages: 18
Karma: 0
Hello!

I experience a strange routing problem with WinRoute 6.0.8:

My WinRoute computer is the main router in the central LAN (192.168.0.0/24). There are some other LANs that are connected to the central LAN in different ways (Dial-Up, T3, etc.) using different routers (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24).

All clients in the central LAN are using the WinRoute PC as default gateway. WinRoute itself knows the path to each subnet by the definition of static routes (e.g. 192.168.3.0/24 - Gateway 192.168.0.253 - Metric 1).

I defined a traffic policy that enables any service between Firewall/LAN-Connection <-> Firewall/LAN-Connection.

A ping from a client in the central LAN to a client in one of the connected LANs works perfectly, but if I try to use a different protocol (e.g. VNC), I cannot connect to the remote machine. The VNC connection is shown under Status - Connections and is assigned to the traffic rule mentioned above.

Any suggestions?

Thank you very much!

David
feite

Messages: 523
Karma: 0
Here are some suggestions:

Does VNC work inside the other LAN?

Enable packet logging on the traffic rule you defined and check the packet flow in the filterlog.

Is the IP address of the firewall 192.168.0.253? If so, the firewall gateway setting (static route) should be removed. So I presume the firewall machine is not the gateway to the 192.168.3.0/24 LAN and that another router is the gateway. If the machine you are using in the 192.168.0.0/24 segment does not know about the different gateway to the 192.168.3.0/24 segment, it should get an 'ICMP redirect' from the default gateway directing it to the correct gateway. After that the communication goes directly to the correct gateway.

Feite
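The redirect mechanism Feite describes, worked through as an added example (not part of the thread): a router that receives a packet whose next hop sits on the same LAN the packet came from answers with an ICMP Redirect (type 5) instead of forwarding forever, and a host that accepts it installs a host route. The topology is the one from the thread (central LAN 192.168.0.0/24, static route 192.168.3.0/24 via 192.168.0.253); the WinRoute address 192.168.0.1, the client 192.168.0.10 and the target 192.168.3.20 are constructed values.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: Optional[IPv4]   # None means "directly connected"


def lookup(routes: list[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, as both a host and a router forwarding table do."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def redirect_for(router_lans: list[Net], routes: list[Route],
                 src: IPv4, dst: IPv4) -> Optional[IPv4]:
    """Gateway a router announces in an ICMP Redirect for src->dst, or None.
    RFC 1812 rule: the packet's next hop lies on the very network it arrived
    from, so the sender could have reached that gateway directly."""
    route = lookup(routes, dst)
    if route is None or route.gateway is None:
        return None
    for lan in router_lans:
        if src in lan and route.gateway in lan:
            return route.gateway
    return None


def host_next_hop(host_routes: list[Route], dst: IPv4,
                  redirect_gw: Optional[IPv4], redirects_accepted: bool) -> IPv4:
    """Where the client sends the next packet. A host whose firewall drops
    ICMP type 5 (XP SP2 default in the thread) never learns the shortcut."""
    if redirect_gw is not None and redirects_accepted:
        host_routes = host_routes + [Route(Net(f"{dst}/32"), redirect_gw)]
    return lookup(host_routes, dst).gateway


# Constructed topology matching the thread's description.
CENTRAL_LAN = Net("192.168.0.0/24")
WINROUTE_ROUTES = [Route(CENTRAL_LAN, None),
                   Route(Net("192.168.3.0/24"), IPv4("192.168.0.253"))]
CLIENT_ROUTES = [Route(Net("0.0.0.0/0"), IPv4("192.168.0.1")),   # assumed WinRoute IP
                 Route(CENTRAL_LAN, None)]
CLIENT, TARGET = IPv4("192.168.0.10"), IPv4("192.168.3.20")
```

Run `redirect_for([CENTRAL_LAN], WINROUTE_ROUTES, CLIENT, TARGET)` to see the redirect to 192.168.0.253 that the client firewall in the thread was discarding.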
dthomi

Messages: 18
Karma: 0
Thank you for your reply!

The hint with the ICMP redirect was the solution!

The firewall of XP SP2 is active on each client in the central LAN and blocks by default any ICMP message (except incoming echo). Therefore the redirect was blocked and WinRoute didn't route the packets, since the clients have a direct connection to the gateway.

Now I opened up ICMP Traffic on each client by policies and it works!

I'm experiencing another problem and maybe you know a solution:

My clients can't connect to an https site without using WinRoute as proxy. I measured the MTU size by using the ping command and got a value of 1452. I can't even ping with packets above this value (I don't get "can't fragment" but "not reachable").

After setting MTU size in the registry to 1452 it works fine. Without this entry it won't.

Since I have a lot of clients I don't want to edit each registry, and the DHCP option "MTU" doesn't work either...

Any suggestions?

Thank you!

feite

Messages: 523
Karma: 0
I'm not sure. You could check the MTU on the firewall. Maybe it's too small? Maybe the MTU on the internet NIC is wrong? There is a tool TCPOptimizer.exe (http://www.speedguide.net/downloads.php). Maybe it's of some help. One piece of advice: do not optimize the TCP settings, use defaults! I noticed in some W2000/XP networks that changing these settings could slow down the connection very much.

Feite
dthomi

Messages: 18
Karma: 0
Indeed - the MTU to LAN connection seems to be 1500 while MTU to Internet is 1480 (as I can see by pinging).

I tried to change the MTU of the Internet NIC and Dial-Up Connection by editing the registry but nothing happens. I still can't ping packets larger than 1452 bytes (MTU 1480).

Do I have to reduce the MTU of the LAN adapter? If so, do I have to reduce the MTU in the whole LAN?!

Thank you!

David
feite

Messages: 523
Karma: 0
I did try it here. ping -l 1024 <somesite> works, ping -l 2048 <somesite> gives a host not reachable. Same result. Ping to the NIC of the firewall works for both sizes. Probably Kerio does not allow fragmentation of ICMP packets.

Feite
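The `ping -l` measurement used in this thread, as an added example rather than anything from the posts: a binary search over the ICMP payload size finds the largest echo that passes without fragmentation, and adding the 20-byte IPv4 and 8-byte ICMP headers converts the 1452-byte payload the poster found into the 1480-byte path MTU he later observed. The `probe` callable stands in for running ping against a host; the simulated path is constructed so that any datagram above the given MTU is dropped, the behaviour described above.

```python
from typing import Callable

IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
ETHERNET_MTU = 1500


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 max_payload: int = ETHERNET_MTU - IPV4_HEADER - ICMP_HEADER) -> int:
    """Largest `ping -l <n>` payload that still gets a reply.
    `probe(n)` models `ping -f -l n <host>` (don't-fragment set) and returns
    True on an echo reply, False on "fragmentation needed" or "unreachable"."""
    if probe(max_payload):
        return max_payload
    good, bad = 0, max_payload          # invariant: probe(good) ok, probe(bad) fails
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return good


def path_mtu_from_payload(payload: int) -> int:
    """Ping payload plus the headers wrapped around it gives the IP MTU."""
    return payload + IPV4_HEADER + ICMP_HEADER


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that fits the MTU; a client believing MTU=1500 on a
    1480-byte path sends 1460-byte segments that a router dropping them
    silently turns into a PMTU black hole (large TLS records fail, ping works)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real link: datagrams above `mtu` are dropped."""
    return lambda payload: path_mtu_from_payload(payload) <= mtu


if __name__ == "__main__":
    payload = largest_unfragmented_payload(simulated_path(1480))
    print(payload, path_mtu_from_payload(payload), tcp_mss_for_mtu(path_mtu_from_payload(payload)))
```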