7.6  User accounts and groups in traffic rules

In traffic rules, the source and destination can also be specified by user accounts and/or user groups. In the traffic policy, each user account stands for the IP address of the host from which that user is currently connected. Consequently, such a rule applies only to users authenticated at the firewall (once the user logs out, the rule is no longer effective for that host). This chapter covers the issues that arise when user accounts are used in traffic rules and gives hints on how to solve them.

Note: For detailed information on traffic rules definition, refer to chapter 7.3  Definition of Custom Traffic Rules.

How to enable certain users to access the Internet

How can Internet access be enabled for specific users only? Assuming that the problem concerns a private local network connected to the Internet through NAT, simply specify these users in the Source item of the NAT rule.

Figure 7.34. This traffic rule allows only selected users to connect to the Internet


Such a rule enables the specified users to connect to the Internet, provided that they are authenticated. However, these users must open the WinRoute interface's login page manually and authenticate there (for details, see chapter 10.1  Firewall User Authentication).

With only this rule defined, all methods of automatic authentication are ineffective (redirection to the login page, NTLM authentication, as well as automatic authentication from defined hosts). The reason is that automatic authentication (or redirection to the login page) is invoked only when a connection to the Internet is being established (for license counting reasons — see chapter 4.6  User counter), whereas this NAT rule blocks every connection until the user is authenticated. The two requirements therefore cannot be met by the NAT rule alone.

Enabling automatic authentication

The automatic user authentication issue can be solved easily as follows:

  • Add a rule allowing unlimited access to the HTTP service, placed before the NAT rule.

    Figure 7.35. These traffic rules enable automatic redirection to the login page


  • In URL rules (see chapter 12.2  URL Rules), allow the specific users to access any Web site and deny access to all other users.

    Figure 7.36. These URL rules enable specified users to access any Web site


A user who is not yet authenticated and attempts to open a Web site is automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After successful authentication, users specified in the NAT rule (see figure 7.35  These traffic rules enable automatic redirection to the login page) are also allowed to access other Internet services. Unauthenticated users, as well as users not specified in the rules, are denied access to any Web site and to other Internet services.

Note: In this example, it is assumed that client hosts use the WinRoute DNS Forwarder or a local DNS server (traffic to that DNS server must be allowed). If client stations used a DNS server on the Internet (this configuration is not recommended!), it would be necessary to include the DNS service in the rule which allows unlimited Internet access, since otherwise name resolution would fail before any HTTP request could trigger the redirection.
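The following is an added illustration and is not code from the WinRoute manual or product: a small first-match traffic-rule evaluator in Python that models the two configurations above (figure 7.34 with only the user-restricted NAT rule, and figure 7.35 with the unrestricted HTTP rule placed in front of it) together with the URL-rule layer of figure 7.36. The rule names, host addresses, user names and the simplified matching model are all constructed for this example; they do not reflect WinRoute's internal rule representation.

```python
"""Added example (not from the WinRoute manual): first-match traffic-rule
evaluation with user-scoped sources, showing why the 'Allow HTTP' rule has
to precede the user-restricted NAT rule for automatic authentication to be
reachable. All names, hosts and users below are constructed."""
from dataclasses import dataclass, field

ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    service: str                     # service name such as "HTTP", or ANY
    action: str                      # "allow" or "deny"
    users: frozenset = frozenset()   # empty: any source host; else only these users

@dataclass
class Firewall:
    rules: list
    sessions: dict = field(default_factory=dict)   # host IP -> authenticated user

    def login(self, host, user):
        self.sessions[host] = user

    def logout(self, host):
        self.sessions.pop(host, None)

    def evaluate(self, host, service):
        """First matching rule wins. A user-scoped rule matches a host only
        while the user logged in from that host is one of the listed users;
        otherwise the rule is skipped. Returns (action, rule_name)."""
        user = self.sessions.get(host)
        for rule in self.rules:
            if rule.service not in (ANY, service):
                continue
            if rule.users and user not in rule.users:
                continue
            return rule.action, rule.name
        return "deny", "default"          # nothing matched: traffic is dropped

INTERNET_USERS = frozenset({"alice", "carol"})   # constructed user list

# Figure 7.34: the NAT rule alone, restricted to selected users.
NAT_ONLY = [Rule("NAT", ANY, "allow", INTERNET_USERS)]

# Figure 7.35: unrestricted HTTP rule placed *before* the NAT rule.
HTTP_FIRST = [Rule("Allow HTTP", "HTTP", "allow"),
              Rule("NAT", ANY, "allow", INTERNET_USERS)]

def url_rule(user):
    """Figure 7.36 as a URL-rule layer, applied only to HTTP that the traffic
    rules let through: unauthenticated requests are redirected to the login
    page, listed users may browse, everyone else is denied."""
    if user is None:
        return "redirect_to_login"
    return "allow" if user in INTERNET_USERS else "deny"

def http_outcome(fw, host):
    """Combine traffic rules and URL rules for one HTTP request."""
    action, _ = fw.evaluate(host, "HTTP")
    if action != "allow":
        return "blocked_before_redirect"   # login page can never be reached
    return url_rule(fw.sessions.get(host))

def scenario():
    """Walk one constructed client host through both configurations."""
    host = "10.0.0.5"
    results = {}
    results["nat_only_unauth_http"] = http_outcome(Firewall(NAT_ONLY), host)
    fw = Firewall(HTTP_FIRST)
    results["unauth_http"] = http_outcome(fw, host)
    results["unauth_smtp"] = fw.evaluate(host, "SMTP")
    fw.login(host, "alice")                  # listed user authenticates
    results["alice_http"] = http_outcome(fw, host)
    results["alice_smtp"] = fw.evaluate(host, "SMTP")
    fw.logout(host)                          # rule stops applying on logout
    results["after_logout_smtp"] = fw.evaluate(host, "SMTP")
    fw.login(host, "bob")                    # authenticated but not listed
    results["bob_http"] = http_outcome(fw, host)
    results["bob_smtp"] = fw.evaluate(host, "SMTP")
    return results

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:24} {value}")
```

With the NAT rule alone, an unauthenticated host's HTTP request never reaches the point where a redirection to the login page could happen; with the HTTP rule in front, the request is let through to the URL-rule layer, which performs the redirection, while every non-HTTP service stays blocked until a listed user has logged in, and is blocked again after logout. If the clients relied on a DNS server on the Internet, a corresponding `Rule("Allow DNS", "DNS", "allow")` would have to be added in front of the NAT rule in the same way, as the note above points out.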