Kerio User Forums » Kerio Control » Help on traffic policy rules
pmatos

Messages: 25
Karma: 0

Hi there,

I have been trying to implement some basic traffic rules with help from this forum, but unfortunately I was unable to create the rules that meet my needs.

So, I have decided to post my actual needs to see if I can get the correct traffic rules for each situation.

My network is like:
- NIC VSAT (for the internet)
- NIC LAN (for the local network on a win2k3 server on a domain controller)
- NIC EXTERNAL (to provide controlled internet access to users outside the company via Wi-Fi)
(all NICs have different IP segments, as instructed)

These are my needs (assuming that I will delete all the basic rules created by the WinRoute configuration):

1.- Force all users to be logged onto the firewall to be able to use internet services
(I already know how to create accounts and activate user authentication; the problem is that it is only working for HTTP and HTTPS services, not for others like SMTP, POP3, Messenger, etc.)

2.- Allow users on the LAN network NIC segment to be able to use a local network with file and printer sharing (assuming that they must be authenticated on the firewall to be able to use the internet).

3.- All users from the EXTERNAL network NIC segment do not have access to the local network, but can use the internet if authenticated on the firewall with accounts previously created on the firewall. To disable file and printer sharing, I have disabled this service (File and Printer Sharing) in the network properties of the EXTERNAL NIC.

4.- If possible, allow users from the local network to access machines on the NIC EXTERNAL segment (because the Wi-Fi APs are on this segment)

5.- Most important of all, do not expose the local network and the server to the EXTERNAL network NIC and the internet.

The idea is to delete all the basic traffic rules created by winroute firewall and re-create them one by one.

Thank you very much


Paulo Matos
feite

Messages: 523
Karma: 0
1.- Force all users to be logged onto the firewall to be able to use internet services
Login of users using http/https is configured at Users / Authentication Options.
To allow internet access only for authenticated users create rules like this:
name: LAN to VSAT
source: group LANusers
dest: VSAT
service: specify service
translation: NAT default outgoing

The usergroup LANusers contains only users that belong to the domain.

Make sure the users can authenticate on the firewall by creating a rule that allows authentication of LAN users on the firewall. You can do this with login scripts / logout script in the AD. There is a topic discussing this.

2.- Allow users on the LAN network NIC segment to be able to use a local network with file and printer sharing (assuming that they must be authenticated on the firewall to be able to use the internet).
Create rules like this:
name: LAN to firewall
source: group LANusers
dest: firewall
service: specify services

Make sure the users can authenticate ....

3.- All users from the EXTERNAL network NIC segment do not have access to the local network, but can use the internet if authenticated on the firewall with accounts previously created on the firewall. To disable file and printer sharing, I have disabled this service (File and Printer Sharing) in the network properties of the EXTERNAL NIC.
Create rules like this:
name: EXTERNAL to VSAT
source: group EXTusers
dest: VSAT
service: specify services
translation: NAT default outgoing

The usergroup EXTusers contains all the accounts created on the firewall for this purpose.

4.- If possible, allow users from the local network to access machines on the NIC EXTERNAL segment (because the Wi-Fi APs are on this segment)
Create rules like this:
name: LAN to EXTERNAL
source: group LANusers
dest: EXTERNAL (or specific ip address of AP if only access to AP is needed)
service: specify services
translation: NAT default outgoing

5.- Most important of all, not expose the local network and the server to the EXTERNAL network NIC and the internet.
Only create rules that allow some specific kind of traffic (service). Kerio has a default rule at the end of the traffic rules that denies all traffic. This rule blocks all traffic that is not explicitly allowed.
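A small first-match model of the rule table described in the answer above, added here as an example and not Kerio's own code: rules are checked top to bottom, a packet passes only when an explicit allow rule matches an authenticated user in the rule's source group, and everything else falls through to the default deny at the end. The group memberships, user names and service lists are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed user groups standing in for the LANusers (domain accounts)
# and EXTusers (local firewall accounts) groups from the answer.
GROUPS = {
    "LANusers": frozenset({"alice", "bob"}),
    "EXTusers": frozenset({"guest1"}),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str           # user group the authenticated sender must belong to
    dst: str                 # destination object: VSAT, EXTERNAL or firewall
    services: FrozenSet[str] # "specify services": only these are permitted
    action: str = "allow"    # all rules in the answer are allow rules

@dataclass(frozen=True)
class Packet:
    user: Optional[str]      # firewall login of the sender, None if not logged in
    dst: str
    service: str

# The rule table from the answer, in the order it would be listed (constructed services).
RULES = (
    Rule("LAN to VSAT", "LANusers", "VSAT", frozenset({"http", "https", "smtp", "pop3"})),
    Rule("LAN to firewall", "LANusers", "firewall", frozenset({"smb", "dns"})),
    Rule("EXTERNAL to VSAT", "EXTusers", "VSAT", frozenset({"http", "https"})),
    Rule("LAN to EXTERNAL", "LANusers", "EXTERNAL", frozenset({"http", "https", "ssh"})),
)

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only an authenticated user in its source group, to its dst and service."""
    if pkt.user is None or pkt.user not in GROUPS.get(rule.src_group, frozenset()):
        return False
    return pkt.dst == rule.dst and pkt.service in rule.services

def evaluate(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit final deny rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default deny (end of table)"

if __name__ == "__main__":
    for pkt in (Packet("alice", "VSAT", "http"), Packet(None, "VSAT", "http"),
                Packet("guest1", "firewall", "smb"), Packet("alice", "EXTERNAL", "ssh")):
        print(pkt, "->", evaluate(pkt))
```

Running it shows an unauthenticated LAN client and a guest account trying to reach the firewall's file shares both land on the default deny, while the same users get out to VSAT only for the services their rule names.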
pmatos

Messages: 25
Karma: 0
Thank you feite,

I will try the traffic rules and instructions provided and then I let you know the results.

Kind regards

Paulo Matos