WinRoute is a network firewall. This implies that it represents a gateway between two or more networks (typically between the local network and the Internet) and controls traffic passing through network adapters (Ethernet, WiFi, dial-ups, etc.) which are connected to these networks.
WinRoute functions as an IP router for all WinRoute's network interfaces installed within the system.[3] The linchpin of the firewall's configuration therefore is correct configuration of network interfaces.
Network interfaces of the firewall can be displayed and configured in the Administration Console or in the Web Administration's Configuration → Interfaces section.
To simplify the firewall's configuration and make it as comfortable as possible, network interfaces are sorted in groups in WinRoute. In the firewall's traffic rules, these groups as well as individual interfaces can be used in Source and Target (refer to chapter 7.3 Definition of Custom Traffic Rules). The main benefit of groups of interfaces is that when the Internet connection changes, a new line is added, a network adapter is replaced, etc., there is no need to edit traffic rules — simply adding the new interface to the correct group will do.
In WinRoute, the following groups of interfaces are defined:
Internet interfaces — interfaces which can be used for Internet connection (network cards, wireless adapters, dial-ups, etc.),
Trusted / Local interfaces — interfaces connected to local private networks protected by the firewall (typically Ethernet or WiFi cards),
VPN interfaces — virtual network interfaces used by the Kerio VPN proprietary solution (VPN server and created VPN tunnels — for details, refer to chapter 23 Kerio VPN),
Other interfaces — interfaces which do not belong to any of the groups listed above (i.e. a network card for DMZ, idle dial-up, etc.).
Groups of interfaces cannot be removed and it is not possible to create new ones (it would not be of any help).
During the initial firewall configuration by Traffic rules wizard (see chapter 7.1 Network Rules Wizard), interfaces will be sorted in correct groups automatically. This classification can be later changed (with certain limits — e.g. VPN server and VPN tunnels cannot be moved from the VPN interfaces group).
To move an interface to another group, drag it by mouse to the desired destination group or select the group in properties of the particular interface — see below.
Note: If the initial configuration is not performed by the wizard, all interfaces (except VPN interfaces) are set as Other interfaces. Before you start creating traffic rules, it is recommended to correctly define the interfaces for Internet connection as well as the interfaces for the local network — this simplifies definitions of the rules significantly.
Interfaces include also the following special items:
This interface is used as a server for connection of the proprietary VPN client (Kerio VPN Client — this solution can be downloaded for free from http://www.kerio.com/firewall/download). VPN servers are always sorted in the VPN interfaces group.
Double-click on this interface or click on Edit to edit settings and parameters of the VPN server. The VPN server interface cannot be removed.
For detailed information on the proprietary solution Kerio VPN, refer to chapter 23 Kerio VPN.
This interface represents the server of the RAS service (dial-up connection to the network) on the WinRoute host. This interface can be used for definition of traffic rules (see chapter 7 Traffic Policy) for RAS clients which are connecting to this server.
Dial-In interfaces are considered as trustworthy (clients connected via this interface use it to access the local network). This interface cannot be either configured or removed. If you do not consider RAS clients as parts of trustworthy networks for any reason, you can move the Dial-In interface to Other interfaces.
Note:
If both RAS server and WinRoute are used, the RAS server must be configured to assign clients IP addresses of a subnet which is not used by any segment of the local network. WinRoute performs standard IP routing which might not function unless this condition is met.
For assigning of IP addresses to RAS clients connecting directly to the WinRoute host, it is not possible to use the WinRoute's DHCP server. For details, see chapter 8.2 DHCP server.
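The subnet condition in the note above can be checked before the RAS server is configured. The following Python sketch is an added example, not part of the WinRoute documentation; the interface names, addresses and candidate pools in it are constructed.

```python
import ipaddress

# Constructed sample data: interface name -> "IP address/mask" as it would be
# read from the interface list for the Trusted / Local group. Values are made up.
LOCAL_INTERFACES = {
    "LAN": "192.168.1.1/255.255.255.0",
    "WiFi": "192.168.2.1/255.255.255.0",
    "Lab": "10.10.0.1/255.255.0.0",
}


def subnet_of(address_with_mask):
    """Return the subnet that an interface address and mask belong to."""
    # strict=False accepts a host address (192.168.1.1) instead of a network address.
    return ipaddress.ip_network(address_with_mask, strict=False)


def ras_pool_conflicts(ras_pool, local_interfaces):
    """Return (interface, subnet) pairs whose subnet overlaps the RAS client pool.

    An overlap in either direction counts: a pool inside a local subnet,
    or a pool so wide that it contains a local subnet.
    """
    pool = ipaddress.ip_network(ras_pool, strict=False)
    conflicts = []
    for name, address in sorted(local_interfaces.items()):
        subnet = subnet_of(address)
        if pool.overlaps(subnet):
            conflicts.append((name, str(subnet)))
    return conflicts


def report(ras_pool, local_interfaces=LOCAL_INTERFACES):
    """Build a one-line verdict for a candidate RAS pool."""
    conflicts = ras_pool_conflicts(ras_pool, local_interfaces)
    if not conflicts:
        return f"{ras_pool}: OK, no local segment uses this range"
    used = ", ".join(f"{name} ({subnet})" for name, subnet in conflicts)
    return f"{ras_pool}: CONFLICT with {used}"


if __name__ == "__main__":
    # Constructed candidate pools for the RAS server.
    for candidate in ("192.168.2.128/25", "10.0.0.0/8", "172.16.50.0/24"):
        print(report(candidate))
```
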
In the list of interfaces, WinRoute shows parameters related to firewall's configuration and operations:
The unique name used for interface identification within WinRoute. It should be clear for easy reference, e.g. Internet for the interface connected to the Internet connection.
The name can be edited later (see below) with no effect on WinRoute's functionality.
The icon to the left of the name represents the interface type (network adapter, dial-up connection, VPN server, VPN tunnel).
Note: Unless the name is edited manually, this item displays the name of the adapter as assigned by the operating system (see the Adapter name entry).
IP address and the mask of this interface's subnet.
If more than one IP address is set for the interface, the primary IP address will be displayed. On Windows, the address assigned to the interface first is considered primary.
Current status of the interface (up/down).
This information indicates the method the interface uses for Internet connection (primary/secondary connection, bandwidth used).
Adapter identification string returned by the device driver.
The name of the adapter (e.g. “LAN connection 2”). The name is for reference only.
IP address of the default gateway set for the particular interface.
IP address of the primary DNS server set on the interface.
Hardware (MAC) address of a corresponding network adapter. This entry is empty for dial-ups as its use would be meaningless there.
Use the buttons at the bottom of the interface list to remove or edit properties of the chosen interface. If no interface is chosen or the selected interface does not support a certain function, appropriate buttons will be inactive.
Use this option to create a new server-to-server VPN tunnel. Details on the proprietary Kerio VPN solution are provided in chapter 23 Kerio VPN.
Note: In Software Appliance / VMware Virtual Appliance, it is also possible to add new interfaces (dial-up, PPTP or PPPoE connections) — see section Adding new interface. If WinRoute is installed on Windows, it is necessary to define new connections by standard methods right in the operating system.
Click on Edit to view and/or modify parameters of the selected interface.
In WinRoute, it is possible to specify a special name for each interface (names taken from the operating system can be confusing and the new name may make it clear). It is also possible to change the group of the interface (Internet, secure local network, another network — e.g. DMZ).
It is also possible to change the default gateway and edit parameters of DNS servers. In the Software Appliance / VMware Virtual Appliance edition, all parameters of the network interface can be set in this dialog.
For dial-ups it is also possible to set login data and dialing options (see chapter 6.2 Connection with a single leased link - dial on demand).
For VPN server and VPN tunnels, a dialog for setting of the VPN server (see chapter 23.1 VPN Server Configuration) or a VPN tunnel (refer to chapter 23.3 Interconnection of two private networks via the Internet (VPN tunnel)) will be opened.
Removes the selected interface from WinRoute. This can be done under the following conditions:
the interface is an inactive (disabled) VPN tunnel,
the network adapter is not active or it is not physically present,
the interface is a dial-up which no longer exists in the system.
Network cards and dial-ups defined in the operating system as well as established VPN tunnels cannot be removed in WinRoute.
Note:
Records related to network cards or dial-ups that do not exist any longer (those that have been removed) do not affect WinRoute's functionality — such interfaces are considered as inactive (as in case of a hung-up dial-up).
When an adapter is removed, the Nothing value is automatically used for corresponding items of all traffic rules where the interface was used. These rules will be disabled. This ensures that the traffic policy is not endangered (for details, refer to chapter 7.3 Definition of Custom Traffic Rules).
The function of these buttons depends on the interface selected:
For dial-up, PPTP and PPPoE connections, the buttons are available and they are used to handle the line by hand.
Note: Users with appropriate rights can also control dial-ups in the user web interface (see chapter 15.2 Local user accounts and the Kerio WinRoute Firewall — User's Guide).
For VPN tunnels, the buttons are available that can be used to enable/disable the VPN tunnel selected (for details, see chapter 23.3 Interconnection of two private networks via the Internet (VPN tunnel)).
In the Software Appliance / VMware Virtual Appliance edition, it is also possible to block individual network adapters.
If the Dial-in interface or a VPN server is selected, these buttons are inactive.
In the Software Appliance / VMware Virtual Appliance edition, WinRoute allows adding new network interfaces (dial-up, PPPoE and PPTP connections) right in the administration console.
Click on Add to open a menu and select type of the new interface (dial-up can be added only if an analog or ISDN modem is installed on the firewall host).
The new interface needs an easily identifiable name that will be shown in WinRoute and it needs to be added to a group of interfaces (this item can be changed as desired any time later).
Other parameters of the interface depend on the selected interface type. Most types require username and password for access verification.
Optionally, you can specify IP address of a specific DNS server which will then be used as the primary DNS server for Internet connections via this interface.
The Dialing settings can be used to set time intervals in which the connection should be established persistently and when it should be disconnected. Out of these intervals, the connection will be established on demand (i.e. it will be established automatically any time WinRoute needs to send a packet to the corresponding network). For details about on-demand dialing, see chapters 6.2 Connection with a single leased link - dial on demand and 25.5 Internet links dialed on demand.
[3] If you want to disable WinRoute for any of these interfaces, go to the adapter's properties and disable Kerio WinRoute Firewall (the WinRoute's low level driver). However, for security reasons and to guarantee full control over the network traffic, it is strongly recommended not to disable WinRoute's low level driver on any network adapter!