Help with traffic policy
  •  
pacs

Hi all;

I was using WRP425 until now but then I saw KWF at a friend's
and decided to try it because of its nice features (stats).
My friend passed me his version 5.1.10.

In my server I have 3 NICs:
- 1 for internet with public IP
- 1 for internal network IP:192.168.1.1
- 1 for internal network IP:192.168.2.1

On 192.168.1.x I have only servers;
on 192.168.2.x I have clients who need access to internet AND 192.168.1.x servers;
I need clients from internet to access 192.168.1.x servers.

P1) Now, clients from 192.168.2.x are accessing the internet but can't connect to the 192.168.1.x servers. Can someone post a sample rule to allow this?

P2) Also I tried using address groups to define access to internet but it didn't work, I had to add 'network connected to interface' for the connection to work. Any bug here?

Thanks in advance for the help.

[Updated on: Fri, 20 May 2005 17:07]

  •  
Kerio_jthomas

Hi,

If you're trying WinRoute Firewall, please download a demo copy of 6.0.11 from http://www.kerio.com/kwf_download.html

WinRoute 5.1.10 is very old.

You can always email us at support<_at_>kerio.com for help with 6.0.11.

Cheers,
Joshua Thomas
Technical Support Manager
2350 Mission College Blvd, Suite 400
Santa Clara, CA 95054
Phone: (408) 496-4500
Fax: (408) 496-6902
http://www.kerio.com/support.html

  •  
pacs

OK, I will try that, but will it solve the problems posted above?
  •  
feite

Assume you have 3 interfaces called internet, servers and lan. I use 6.0.11.

You can use the template rules below for the specific connections.

name: lan to internet
source: interface connected to lan
dest: interface connected to internet
service: specify service like http, ftp, ...
action: allow
translation: nat default outgoing
protocol inspector: default

name: lan to servers
source: interface connected to lan
dest: interface connected to servers
service: specify service like ...
action: allow
translation: none
protocol inspector: default

name: internet to servers
source: interface connected to internet
dest: firewall
service: specify service
action: allow
translation: map (ip of server for service)
protocol inspector: default

name: servers to internet
source: interface connected to servers
dest: interface connected to internet
service: specify
action: allow
translation: nat default outgoing interface
protocol inspector: default

If you want to control http / ftp traffic more specifically, use the HTTP Policy URL rules and FTP Policies. You can specify a 'valid for ip address group'. If you want a policy to apply to a specific segment like 'lan' or 'servers', create an address group for that segment and select it. The policy now only applies to that segment.
  •  
pacs

Thanks Feite, I will try that and let you know of the results.
  •  
pacs

Still not working.
I can access internet from lan
internet can access services on firewall.

but I can't access servers from lan or internet, can't even do a ping from lan to servers and vice-versa.

Funny thing is that in the filter log I see:
[24/May/2005 09:11:18] PERMIT "Inernal ping" packet from Connexion Clients (Haut), proto:ICMP, len:60, ip:192.168.2.5 -> 192.168.1.200, type:8 code:0
[24/May/2005 09:11:18] PERMIT "Inernal ping" packet to Connexion Serveurs (BNC) (Milieu), proto:ICMP, len:60, ip:192.168.2.5 -> 192.168.1.200, type:8 code:0

Don't know what to do except reinstall old WRP 4.25 that works great.
  •  
feite

The internal NICs should not have a default gateway set. Only the external NIC. Do you use 6.0.11? It should work.

Do you have packet logging enabled for all traffic rules? If not, enable packet logging. The filter log shows that a ping request was received from the lan segment and sent to the server segment. Is there not a deny or drop rule that blocks the response? What do you see if you try to browse a webserver in the server segment?

If you want you can mail the winroute.cfg file to me (fjaarsma [at] home.nl)

Feite
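
The check described in the post above, as an added example that is not part of the original thread: it pairs each permitted ICMP echo request in the filter log with its echo reply and reports what happened to the response. The first two sample lines are the ones quoted in the thread; the others are constructed, and the reply-line layout, the `DROP` action and the "Default rule" name are assumptions.

```python
import re

# Line layout taken from the two filter-log lines quoted in the thread.
LINE = re.compile(
    r'\[(?P<ts>[^\]]+)\] (?P<action>\w+) "(?P<rule>[^"]*)" packet '
    r'(?P<dir>from|to) (?P<iface>.+?), proto:ICMP, len:\d+, '
    r'ip:(?P<src>[\d.]+) -> (?P<dst>[\d.]+), type:(?P<type>\d+) code:\d+'
)

def parse(lines):
    """Yield one dict per ICMP filter-log line; anything else is skipped."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.groupdict()

def classify_pings(lines):
    """Map (client, server) to what the log says about the echo reply."""
    state = {}
    for rec in parse(lines):
        permitted = rec["action"] == "PERMIT"  # assumption: any other action blocks
        if rec["type"] == "8" and permitted:   # echo request let through
            state.setdefault((rec["src"], rec["dst"]), "no reply logged")
        elif rec["type"] == "0":               # echo reply, src/dst swapped
            key = (rec["dst"], rec["src"])
            if key not in state:
                continue
            if not permitted:
                state[key] = 'reply blocked by "%s"' % rec["rule"]
            elif state[key] == "no reply logged":
                state[key] = "answered"
    return state

# Lines 1-2 are from the thread; lines 3-7 are constructed for illustration.
SAMPLE = '''\
[24/May/2005 09:11:18] PERMIT "Inernal ping" packet from Connexion Clients (Haut), proto:ICMP, len:60, ip:192.168.2.5 -> 192.168.1.200, type:8 code:0
[24/May/2005 09:11:18] PERMIT "Inernal ping" packet to Connexion Serveurs (BNC) (Milieu), proto:ICMP, len:60, ip:192.168.2.5 -> 192.168.1.200, type:8 code:0
[24/May/2005 09:12:01] PERMIT "Inernal ping" packet from Connexion Clients (Haut), proto:ICMP, len:60, ip:192.168.2.6 -> 192.168.1.200, type:8 code:0
[24/May/2005 09:12:01] DROP "Default rule" packet from Connexion Serveurs (BNC) (Milieu), proto:ICMP, len:60, ip:192.168.1.200 -> 192.168.2.6, type:0 code:0
[24/May/2005 09:13:40] PERMIT "Inernal ping" packet from Connexion Clients (Haut), proto:ICMP, len:60, ip:192.168.2.7 -> 192.168.1.200, type:8 code:0
[24/May/2005 09:13:40] PERMIT "Inernal ping" packet from Connexion Serveurs (BNC) (Milieu), proto:ICMP, len:60, ip:192.168.1.200 -> 192.168.2.7, type:0 code:0
[24/May/2005 09:13:40] PERMIT "Inernal ping" packet to Connexion Clients (Haut), proto:ICMP, len:60, ip:192.168.1.200 -> 192.168.2.7, type:0 code:0
'''.splitlines()

if __name__ == "__main__":
    for flow, verdict in classify_pings(SAMPLE).items():
        print("%s -> %s: %s" % (flow[0], flow[1], verdict))
```

With packet logging enabled on every rule, "no reply logged" means the response never reached the firewall, which points away from the traffic rules and toward the server side, such as its routing or default gateway.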
  •  
pacs

Hi Feite;

I just sent you an e-mail with winroute.cfg

I got 6.0.11 from the Kerio site on 21/05/2005. One other thing I find strange is that when I try to create an IP group it refuses if the first and last IP don't follow, meaning 192.168.2.5 to 192.168.2.6 is accepted but 192.168.2.5 to 192.168.2.7 will get refused.

Thanks again.
Paulo

[Updated on: Wed, 25 May 2005 16:00]

  •  
feite

I replied to your mail. The file was not in it...
  •  
pacs

Hi, Feite and all. This is just to close the matter.

After several days of testing I couldn't make even a simple ping
work between the 2 local networks.
So I installed back WRP4.25 and I will try to find some other
firewall that works as good as WRP and has some of the nice features
I found on KWF.

Thanks again, Feite, for your help.