WinRoute traffic policy provides a range of network traffic filtering options. In this chapter you will find some rules used to manage standard configurations. Using these examples you can easily create a set of rules for your network configuration.
IP translation (as well as Internet connection sharing) is a term used for the exchange of a private IP address in a packet going out from the local network to the Internet with the IP address of the Internet interface of the WinRoute host. This technology is used to connect local private networks to the Internet by a single public IP address.
The following example shows an appropriate traffic rule:
The Trusted / Local interfaces group. This group includes all segments of the LAN connected directly to the firewall. If access to the Internet from some segments is supposed to be blocked, the most suitable group to file the interface into is Other interfaces.
If the local network consists of cascaded segments (i.e. it includes other routers), it is not necessary to customize the rule in accordance with this fact — it is just necessary to set routing correctly (see chapter 18.1 Routing table).
The Internet interfaces group. With this group, the rule is usable for any type of Internet connection (see chapter 6 Internet Connection) and it is not necessary to modify it even if the Internet connection is changed.
This entry can be used to define global limitations for Internet access. If particular services are defined for IP translations, only these services will be used for the IP translations and other Internet services will not be available from the local network.
To validate a rule one of the following three actions must be defined: Permit, Drop, Deny.
In the Source NAT section select the Default settings option (the primary IP address of the interface via which packets go out from the WinRoute host will be used for NAT). This also guarantees versatility of this rule — IP address translation will always work correctly, regardless of the Internet connection type and the particular link via which the packet is sent to the Internet.
The No translation option should be set in the Destination address translation section, otherwise the rule might not function. Combining source and destination IP address translation is relevant under special conditions only.
The rule for destination address translation must be preceded by all rules which deny access to the Internet from the local network.
Note: Such a rule allows access to the Internet from any host in the local network, not from the firewall itself (i.e. from the WinRoute host)!
Traffic between the firewall and the Internet must be enabled by a special rule. Since the WinRoute host can access the Internet directly, it is not necessary to use NAT.
Port mapping allows services hosted on the local network (typically in private networks) to become available over the Internet. The locally hosted server would behave as if it existed directly on the Internet (public address of the WinRoute host).
Since 6.4.0, WinRoute allows mapped services to be accessed from the local network as well. This avoids problems with different DNS records for the Internet and the local network.
A traffic rule for port mapping can be defined as follows:
Mapped services can be accessed by clients both from the Internet and from the local network. For this reason, it is possible to keep the Any value in the Source entry (or it is possible to list all relevant interface groups or individual groups — e.g. Internet and LAN).
The WinRoute host labeled as Firewall, which represents all IP addresses bound to the firewall host.
This service will be available at all addresses of the interface connected to the Internet. To make the service available at a particular IP address, use the Host option and specify the IP address (see the multihoming example).
Services to be available. You can select one of the predefined services (see chapter 14.3 Services) or define an appropriate service with protocol and port number.
Any service that is intended to be mapped to one host can be defined in this entry. To map services for other hosts you will need to create a new traffic rule.
Select the Allow option, otherwise all traffic will be blocked and the function of port mapping will be irrelevant.
In the Destination NAT (Port Mapping) section select the Translate to IP address option and specify the IP address of the host within the local network where the service is running.
Using the Translate port to option you can map a service to a port which is different from the one where the service is available from the Internet.
The Source NAT section should be set to the No Translation option. Combining source and destination IP address translation is relevant under special conditions only.
Note: For proper functionality of port mapping, the locally hosted server must point to the WinRoute firewall as the default gateway. Port mapping will not function well unless this condition is met.
As already mentioned, mapped services can be accessed also from the local network. During access from the local network, connection is established from the local (private) IP address to an IP address in the Internet (the firewall's public IP address). If the rule for mapped service is preceded by a rule allowing access from the local network to the Internet, according to this rule the packet would be directed to the Internet and then dropped. Therefore, it is recommended to put all rules for mapped services at the top of the table of traffic rules.
Note: If there are separate rules limiting access to mapped services, these rules must precede mapping rules. It is usually possible to combine service mapping and access restriction in a single rule.
Multihoming is a term used for situations when one network interface connected to the Internet uses multiple public IP addresses. Typically, multiple services are available through individual IP addresses (this implies that the services are mutually independent).
In the local network, a web server web1 with IP address 192.168.1.100 and a web server web2 with IP address 192.168.1.200 are running. The interface connected to the Internet uses the public IP addresses 63.157.211.10 and 63.157.211.11. We want the server web1 to be available from the Internet at the IP address 63.157.211.10, and the server web2 at the IP address 63.157.211.11.
The two following traffic rules must be defined in WinRoute to enable this configuration:
Any (see the previous example referring to mapping of single service).
An appropriate IP address of the interface connected to the Internet (use the Host option for insertion of an IP address).
Service which will be available through this interface (the HTTP service in case of a Web server).
Select the Allow option, otherwise all traffic will be blocked and the function of port mapping will be irrelevant.
Go to the Destination NAT (Port Mapping) section, select the Translate to IP address option and specify the IP address of the corresponding Web server (web1 or web2).
Sometimes it is helpful to limit users' access to Internet services from the local network. Access to Internet services can be limited in several ways. In the following examples, the limitation rules use IP translation. There is no need to define other rules, as all traffic that does not meet these requirements will be blocked by the default "catch all" rule.
Other methods of Internet access limitations can be found in the Exceptions section (see below).
Note: Rules mentioned in these examples can be also used if WinRoute is intended as a neutral router (no address translation) — in the Translation entry there will be no translations defined.
Allow access to selected services only. In the translation rule in the Service entry specify only those services that are intended to be allowed.
Limitations sorted by IP addresses. Access to particular services (or access to any Internet service) will be allowed only from selected hosts. In the Source entry define the group of IP addresses from which the Internet will be available. This group must be defined beforehand in Configuration → Definitions → Address Groups (see chapter 15.5 User groups).
Note: This type of rule should be used only if each user has his/her own host and the hosts have static IP addresses.
Limitations sorted by users. The firewall checks whether the connection comes from an authenticated host and permits or denies the traffic accordingly.
Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account in WinRoute will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can easily monitor which services and which pages are opened by each user (it is not possible to connect anonymously).
For detailed description on user authentication, refer to chapter 10.1 Firewall User Authentication.
Note: The rules mentioned above can be combined in various ways (e.g. a user group can be allowed to access certain Internet services only).
Usage of user accounts and groups in traffic policy follows specific rules. For a detailed description of this topic, refer to chapter 7.6 User accounts and groups in traffic rules.
You may need to allow access to the Internet only for a certain user/address group, whereas all other users should not be allowed to access this service.
This will be better understood through the following example (how to allow a user group to use the Telnet service for access to servers in the Internet). Use the two following rules to meet these requirements:
The first rule allows the selected users (or a group of users/IP addresses, etc.) to access the service in the Internet.
The second rule denies this service to all other users. Because rules are evaluated in order and the first match wins, the allow rule for the selected group must be placed above the deny rule for everyone else.
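The ordering requirements in this chapter (a port-mapping rule must sit above the general NAT rule so that local clients reach the mapped server instead of being sent to the Internet, deny rules must precede the NAT rule, and the "allow group" rule of an exception must precede its "deny others" rule) all follow from first-match evaluation. The following Python model is an added example, not WinRoute's own code: it evaluates a small rule table in first-match order with source NAT and destination NAT (port mapping) flags, using the addresses from the multihoming example. The user-group membership, the documentation address 203.0.113.5 standing in for an Internet host, and the treatment of the firewall's own public IP as "Internet-bound" from the LAN (as the port-mapping note describes) are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology: the LAN and public addresses follow the multihoming
# example in this chapter; 203.0.113.5 is a documentation address standing in
# for "some host on the Internet".
LAN = ip_network("192.168.1.0/24")
FIREWALL_PUBLIC = {"63.157.211.10", "63.157.211.11"}
# Hypothetical user-group membership (WinRoute keeps this in user accounts).
GROUPS = {"telnet_users": {"alice"}}


@dataclass
class Packet:
    src: str
    dst: str
    service: str                   # "HTTP", "Telnet", ...
    user: Optional[str] = None     # authenticated user, if any


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    src: str = "any"               # "any", "lan", "internet" or "group:<name>"
    dst: str = "any"               # "any", "lan", "internet", "firewall" or an IP
    service: str = "any"
    src_nat: bool = False          # Source NAT: rewrite to the firewall's public IP
    dnat_to: Optional[str] = None  # Destination NAT (port mapping) to this LAN host


def zone(ip: str) -> str:
    if ip in FIREWALL_PUBLIC:
        return "firewall"
    return "lan" if ip_address(ip) in LAN else "internet"


def src_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src == "any":
        return True
    if rule.src.startswith("group:"):
        return pkt.user in GROUPS.get(rule.src[len("group:"):], set())
    return zone(pkt.src) == rule.src


def dst_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "firewall":
        return pkt.dst in FIREWALL_PUBLIC
    if rule.dst == "internet":
        # "Internet interfaces" matches by outgoing interface: from the LAN, even
        # the firewall's own public IP is routed that way unless a mapping rule
        # catches the packet first (assumption modelled on the port-mapping note).
        return zone(pkt.dst) != "lan"
    if rule.dst == "lan":
        return zone(pkt.dst) == "lan"
    return pkt.dst == rule.dst     # the "Host" option: a literal IP address


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, str]:
    """First matching rule wins; no match falls to the implicit catch-all deny.
    Returns (rule name, action, destination after any DNAT)."""
    for rule in rules:
        if (src_matches(rule, pkt) and dst_matches(rule, pkt)
                and rule.service in ("any", pkt.service)):
            if rule.action != "allow":
                return rule.name, "deny", pkt.dst
            return rule.name, "allow", rule.dnat_to or pkt.dst
    return "catch all", "deny", pkt.dst


def ordering_warnings(rules: List[Rule]) -> List[str]:
    """Flag the ordering mistakes this chapter warns about: a deny rule or a
    port-mapping rule placed below the general source-NAT rule never matches."""
    warnings, below_general_nat = [], False
    for rule in rules:
        if below_general_nat and (rule.dnat_to or rule.action == "deny"):
            warnings.append(f"'{rule.name}' sits below the general NAT rule and may never match")
        if rule.src_nat and rule.service == "any" and rule.src == "lan":
            below_general_nat = True
    return warnings


NAT = Rule("NAT (Internet access)", "allow", src="lan", dst="internet", src_nat=True)
WEB1 = Rule("Map web1", "allow", dst="63.157.211.10", service="HTTP", dnat_to="192.168.1.100")
WEB2 = Rule("Map web2", "allow", dst="63.157.211.11", service="HTTP", dnat_to="192.168.1.200")
TELNET_GROUP = Rule("Telnet for group", "allow", src="group:telnet_users",
                    dst="internet", service="Telnet", src_nat=True)
TELNET_OTHERS = Rule("Telnet for others", "deny", src="lan", dst="internet", service="Telnet")

RECOMMENDED = [WEB1, WEB2, TELNET_GROUP, TELNET_OTHERS, NAT]   # order this chapter recommends
MISORDERED = [NAT, WEB1, WEB2, TELNET_GROUP, TELNET_OTHERS]    # general NAT rule placed first

if __name__ == "__main__":
    lan_to_web1 = Packet("192.168.1.50", "63.157.211.10", "HTTP", user="bob")
    for label, table in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(label, evaluate(table, lan_to_web1), ordering_warnings(table))
```

With the recommended order, a local client addressing web1's public IP is rewritten to 192.168.1.100 by the mapping rule, and a user outside the Telnet group is stopped by the deny rule. With the NAT rule at the top, the same two packets match the NAT rule instead: the local request is forwarded toward the Internet without translation, and the non-member's Telnet session is allowed, which is exactly the shadowing that `ordering_warnings` reports.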