Chapter 5  Network interfaces

WinRoute is a network firewall. This implies that it represents a gateway between two or more networks (typically between the local network and the Internet) and controls traffic passing through network adapters (Ethernet, WiFi, dial-ups, etc.) which are connected to these networks.

WinRoute functions as an IP router for all WinRoute's network interfaces installed within the system.[3] The linchpin of the firewall's configuration therefore is correct configuration of network interfaces.

Interfaces can be set in the WinRoute's administration console under Configuration → Interfaces.


Figure 5.1. Network interfaces


Groups of interfaces

To simplify the firewall's configuration and make it as convenient as possible, network interfaces are sorted into groups in WinRoute. In the firewall's traffic rules, these groups as well as individual interfaces can be used in Source and Target (refer to chapter 7.3  Definition of Custom Traffic Rules). The main benefit of groups of interfaces is that when the Internet connection changes, a new line is added, a network adapter is changed, etc., there is no need to edit traffic rules; simply adding the new interface to the correct group will do.

In WinRoute, the following groups of interfaces are defined:

  • Internet interfaces — interfaces which can be used for Internet connection (network cards, wireless adapters, dial-ups, etc.),

  • Trusted / Local interfaces — interfaces connected to local private networks protected by the firewall (typically Ethernet or WiFi cards),

  • VPN interfaces — virtual network interfaces used by the Kerio VPN proprietary solution (VPN server and created VPN tunnels — for details, refer to chapter 23  Kerio VPN),

  • Other interfaces — interfaces which do not belong to any of the groups listed above (i.e. a network card for DMZ, idle dial-up, etc.).

Groups of interfaces cannot be removed and it is not possible to create new ones (it would not be of any help).

During the initial firewall configuration by the Traffic rules wizard (see chapter 7.1  Network Rules Wizard), interfaces will be sorted into the correct groups automatically. This classification can be changed later (with certain limits, e.g. the VPN server and VPN tunnels cannot be moved from the VPN interfaces group).

To move an interface to another group, drag it with the mouse to the desired destination group or select the group in the properties of the particular interface (see below).

Note: If the initial configuration is not performed by the wizard, all interfaces (except VPN interfaces) are set as Other interfaces. Before you start creating traffic rules, it is recommended to correctly define the interfaces for Internet connection as well as the interfaces for the local network; this simplifies the rule definitions significantly.

Viewing and editing interfaces

In the list of interfaces, WinRoute shows parameters related to the firewall's configuration and operation:

Name

The unique name used for interface identification within WinRoute. It should be clear for easy reference, e.g. Internet for the interface connected to the Internet connection.

The name can be edited later (see below) with no effect on WinRoute's functionality.

The icon to the left of the name represents the interface type (network adapter, dial-up connection, VPN server, VPN tunnel).

Note: Unless the name is edited manually, this item displays the name of the adapter as assigned by the operating system (see the Adapter name entry).

IP Address and Mask

IP address and the mask of this interface's subnet.

If more than one IP address is set for the interface, the primary IP address will be displayed. On Windows, the first address assigned to the interface is considered primary.

Status

Current status of the interface (up/down).

Internet

This information indicates the method the interface uses for Internet connection (primary/secondary connection, bandwidth used).

Details

Adapter identification string returned by the device driver.

System Name

The name of the adapter (e.g. “LAN connection 2”). The name is for reference only.

Gateway

IP address of the default gateway set for the particular interface.

DNS

IP address of the primary DNS server set on the interface.

MAC

Hardware (MAC) address of a corresponding network adapter. This entry is empty for dial-ups as its use would be meaningless there.

Use the buttons at the bottom of the interface list to remove or edit properties of the chosen interface. If no interface is chosen or the selected interface does not support a certain function, appropriate buttons will be inactive.

Add VPN Tunnel

Use this option to create a new server-to-server VPN tunnel. Details on the proprietary Kerio VPN solution are provided in chapter 23  Kerio VPN.

Note: Dial-ups must be defined by following a standard procedure in the operating system.

Modify

Click on Edit to view and/or modify parameters of the selected interface.


Figure 5.2. Editing interfaces


In WinRoute, it is possible to specify a special name for each interface (names taken from the operating system can be confusing and the new name may make it clear). Likewise, it is possible to change the group to which an interface belongs, in accordance with the network it is actually connected to (Internet, secure local network, another network such as a DMZ).

It is also possible to change the default gateway and edit parameters of DNS servers. In most cases, if traffic to the corresponding networks works smoothly before WinRoute installation, it is not necessary to change settings taken from the operating system.

For dial-ups it is also possible to set login data and dialing options (see chapter 6.2  Connection with a single leased link — dial on demand).

For VPN server and VPN tunnels, a dialog for setting of the VPN server (see chapter 23.1  VPN Server Configuration) or a VPN tunnel (refer to chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)) will be opened.

Remove

Removes the selected interface from WinRoute. This can be done under the following conditions:

  • the interface is an inactive (disabled) VPN tunnel,

  • the network adapter is not active or it is not physically present,

  • the interface is a dial-up which no longer exists in the system.

Network cards and dial-ups defined in the operating system as well as established VPN tunnels cannot be removed in WinRoute.

Note:

  1. Records related to network cards or dial-ups that do not exist any longer (those that have been removed) do not affect WinRoute's functionality — such interfaces are considered as inactive (as in case of a hung-up dial-up).

  2. When an adapter is removed, the Nothing value is automatically used for corresponding items of all traffic rules where the interface was used. These rules will be disabled. This ensures that the traffic policy is not endangered (for details, refer to chapter 7.3  Definition of Custom Traffic Rules).
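The following added example is a simplified model of the behaviour described in this note and in the Groups of interfaces section; it is not WinRoute code. The interface names, rule names and the `Rule` structure are assumptions made for illustration. It shows that a rule written against a group keeps working when the Internet adapter is replaced, while a rule written against the individual adapter receives the Nothing value and is disabled.

```python
from dataclasses import dataclass

# Constructed sample: group membership as it might look after the wizard has run.
GROUPS = {
    "Internet interfaces": {"WAN-DSL"},
    "Trusted / Local interfaces": {"LAN"},
    "VPN interfaces": {"VPN server"},
    "Other interfaces": {"DMZ"},
}
NOTHING = "Nothing"  # value the manual says replaces a removed interface in rules


@dataclass
class Rule:
    name: str
    source: set
    target: set
    enabled: bool = True


def resolve(items, groups):
    """Expand group names to their member interfaces; interface names pass through."""
    out = set()
    for item in items:
        out |= groups.get(item, {item})
    return out - {NOTHING}


def remove_interface(iface, groups, rules):
    """Model of removal: direct references become Nothing and the rule is disabled."""
    for members in groups.values():
        members.discard(iface)
    for rule in rules:
        for side in (rule.source, rule.target):
            if iface in side:
                side.discard(iface)
                side.add(NOTHING)
                rule.enabled = False  # disabled rather than silently widened


def demo():
    groups = {g: set(m) for g, m in GROUPS.items()}
    rules = [
        Rule("NAT by group", {"Trusted / Local interfaces"}, {"Internet interfaces"}),
        Rule("NAT by adapter", {"LAN"}, {"WAN-DSL"}),
    ]
    # The Internet line changes: the old adapter is removed, the new one joins the group.
    remove_interface("WAN-DSL", groups, rules)
    groups["Internet interfaces"].add("WAN-Fiber")
    return {r.name: (r.enabled, sorted(resolve(r.target, groups))) for r in rules}
```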

Dial or Hang Up / Enable, Disable

The function of these buttons depends on the interface selected:

  • For dial-ups, the Dial and Hang-up buttons are available and they are used to control the line manually.

    Note: You can use WinRoute's Web interface (see chapter  11  Web Interface) to dial or hang up lines.

  • For VPN tunnels, the Enable and Disable buttons are available that can be used to enable / disable the selected VPN tunnel (for details, see chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)).

  • If a network adapter, a Dial-in interface or a VPN server is selected, these buttons are inactive.

Special interfaces

Interfaces also include the following special items:

Dial-In

This interface represents the server of the RAS service (dial-up connection to the network) on the WinRoute host. This interface can be used for definition of traffic rules (see chapter 7  Traffic Policy) for RAS clients which are connecting to this server.

Dial-In interfaces are considered as trustworthy (clients connected via this interface use it to access the local network). This interface cannot be either configured or removed. If you do not consider RAS clients as parts of trustworthy networks for any reason, you can move the Dial-In interface to Other interfaces.

Note:

  1. If both RAS server and WinRoute are used, the RAS server must be configured to assign clients IP addresses of a subnet which is not used by any segment of the local network. WinRoute performs standard IP routing which might not function unless this condition is met.

  2. WinRoute's DHCP server cannot be used to assign IP addresses to RAS clients connecting directly to the WinRoute host. For details, see chapter 8.2  DHCP server.
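One way to check the condition in item 1 before enabling the RAS server, given as an added example that is not part of WinRoute or of the original manual. The interface names and addresses are constructed samples in the "IP Address and Mask" form shown in the interface list, and the pool notations accepted (a prefix or a first-last range) are an assumption.

```python
import ipaddress

# Constructed sample: interface name -> "address/mask" as listed under IP Address and Mask.
INTERFACES = {
    "LAN": "192.168.1.1/255.255.255.0",
    "DMZ": "10.10.0.1/255.255.0.0",
    "Internet": "203.0.113.10/255.255.255.248",
}


def local_networks(interfaces):
    """Derive each interface's subnet from its address and mask."""
    return {
        name: ipaddress.ip_interface(addr).network
        for name, addr in interfaces.items()
    }


def pool_networks(pool):
    """Accept the RAS client pool as 'a.b.c.d/len' or as a 'first-last' range."""
    if "-" in pool:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        # A range rarely aligns to one prefix, so split it into exact covering prefixes.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(pool)]


def ras_pool_conflicts(pool, interfaces):
    """Return sorted (interface, subnet) pairs whose subnet overlaps the RAS pool."""
    nets = pool_networks(pool)
    return sorted(
        (name, str(net))
        for name, net in local_networks(interfaces).items()
        if any(net.overlaps(p) for p in nets)
    )


if __name__ == "__main__":
    for pool in ("192.168.1.200-192.168.1.220", "192.168.50.0/24", "10.0.0.0/8"):
        conflicts = ras_pool_conflicts(pool, INTERFACES)
        print(pool, "->", conflicts or "no overlap with local segments")
```

An empty result means the pool is routable as a separate subnet; any listed interface shares address space with the pool and the pool should be moved.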

VPN server

This interface is used as a server for connection of the proprietary VPN client (Kerio VPN Client — this solution can be downloaded for free from http://www.kerio.com/kwfdwn). VPN servers are always sorted in the VPN interfaces group.

Double-click on this interface or click on Edit to edit settings and parameters of the VPN server. The VPN server interface cannot be removed.

For detailed information on the proprietary solution Kerio VPN, refer to chapter 23  Kerio VPN.



[3] If you want to disable WinRoute for any of these interfaces, go to the adapter's properties and disable Kerio WinRoute Firewall (the WinRoute's low level driver). However, for security reasons and to guarantee full control over the network traffic, it is strongly recommended not to disable WinRoute's low level driver on any network adapter!