7.1  Network Rules Wizard

The network rules wizard asks only for the data essential for creating a basic set of traffic rules. The rules it defines allow hosts in the local network to reach selected Internet services and block unsolicited connections from the Internet to the local network (including the WinRoute host), except to the services you explicitly publish. To guarantee consistent WinRoute behaviour once the wizard has finished, all existing rules are removed and replaced by rules generated automatically from the new data.

Click on the Wizard button to run the network rules wizard.

Note: The existing traffic policy is replaced only after the last step has been confirmed. The wizard can therefore be stopped and canceled at any earlier point without losing the existing rules.

Step 1 — information

Figure 7.1. Traffic Policy Wizard — introduction


To run successfully, the wizard requires the following parameters on the WinRoute host:

  • at least one active adapter connected to the local network

  • at least one active adapter connected to the Internet, or at least one dial-up connection defined. The connection need not be dialed at the moment the wizard starts.

Steps 2 and 3 — Internet connection settings

On the second page of the wizard, select how the LAN will be connected to the Internet with WinRoute (leased link, dial-up, leased link with connection failover or multiple links with network traffic load balancing).

On the third page, you can set parameters for the selected type of Internet connection.

Individual options of Internet connection are addressed thoroughly in chapter 6  Internet Connection.

Note:

  1. The selected Internet connection type does not affect the resulting traffic rules, only the configuration of the interfaces and their classification into groups (see chapters 5  Network interfaces and 6  Internet Connection).

  2. The Traffic Policy Wizard no longer offers the option to enable/disable IP address translation (NAT) that was available in older versions of WinRoute. NAT is enabled automatically in all created traffic rules, because network load balancing, connection failover and on-demand dialing cannot work without it.

Step 4 — Internet access limitations

Select which Internet services will be available for LAN users:

Figure 7.2. Network Policy Wizard — enabling access to Internet services


Allow access to all services

Internet access from the local network will not be limited. Users can access any Internet service.

Allow access to the following services only

Only selected services will be available from the local network.

Note:

  1. The restrictions defined here also apply to the firewall host itself (see the Firewall Traffic rule below).

  2. Only basic services are listed in this dialog, regardless of which services have been defined in WinRoute (see chapter 14.3  Services). Other services can be allowed by modifying the NAT traffic rule (for LAN hosts) or the Firewall traffic rule (for the firewall), or by adding custom rules. For details, see chapter 7.3  Definition of Custom Traffic Rules.

Step 5 — enabling Kerio VPN traffic

To use WinRoute's proprietary VPN solution to connect remote clients or to create tunnels between remote networks, keep the Create rules for Kerio VPN server option selected. The specific services and address groups needed by Kerio VPN will then be added. For detailed information on the proprietary VPN solution, refer to chapter 23  Kerio VPN.

If you do not intend to use Kerio VPN, or intend to use a third-party solution (e.g. Microsoft PPTP, Nortel IPSec, etc.), disable the Create rules for Kerio VPN server option.

To enable remote access to shared items in the local network via a web browser, keep the Create rules for Kerio Clientless SSL-VPN option enabled. This interface is independent from Kerio VPN and it can be used along with a third-party VPN solution. For detailed information, see chapter 24  Kerio Clientless SSL-VPN (Windows).

Figure 7.3. Network Policy Wizard — Kerio VPN


Step 6 — specification of servers that will be available within the local network

If any service that is intended to be reachable from the Internet (e.g. a WWW server, an FTP server, etc.) is running on the WinRoute host or on another host within the local network, define it in this dialog.

Figure 7.4. Network Policy Wizard — enabling local services


Note: If rules for Kerio VPN were requested in the previous step, the Kerio VPN and HTTPS firewall services are added to the list of local servers automatically. If these entries are removed or their parameters are modified, the VPN services will not be reachable from the Internet!

Click the Add button to open the dialog for adding a new service.

Figure 7.5. Network Policy Wizard — mapping of the local service


Service is running on

Select a computer where the corresponding service is running (i.e. the host to which traffic coming in from the Internet will be redirected):

  • Firewall — the host where WinRoute is installed

  • Local host with IP address — another host in the local network (local server)

    Note: The local host must use the WinRoute host as its default gateway. Otherwise replies to the redirected connections would leave the network through another router, bypassing the address translation, and the service would not be reachable.

Service

Select the service to be enabled. The service must be defined beforehand in Configuration → Definitions → Services (see chapter 14.3  Services). Most common services are predefined in WinRoute.

Step 7 — generating the rules

In the last step, traffic rules are generated in accordance with data specified. All existing rules will be removed and replaced by the new rules.

Figure 7.6. Network Rules Wizard — the last step


Warning

This is the last chance to cancel the process and keep the existing traffic policy. Click on the Finish button to delete the existing rules and replace them with the new ones.

Rules Created by the Wizard

The traffic policy is easiest to understand from the traffic rules the wizard creates for the configuration entered in the steps above.

These rules are not affected by the selected type of Internet connection (the wizard, pages 2 and 3).

Figure 7.7. Traffic Policy generated by the wizard


FTP Service and HTTP Service

These rules map the FTP and HTTP services running on the host with IP address 192.168.1.10 (step 6). The services are reachable at the IP addresses of the firewall's "outbound" interface (i.e. the interface connected to the Internet, page 3).

Note: Since WinRoute 6.4.0, mapped services can also be reached from the local network, so local clients need not use a separate (private) IP address for the server. For this reason the Source value is set to Any. For details, see chapter 7.3  Definition of Custom Traffic Rules.

Kerio VPN Service and HTTPS Service

The Kerio VPN service rule enables connection to the WinRoute's VPN server (establishment of control connection between a VPN client and the server or creation of a VPN tunnel — for details, see chapter 23  Kerio VPN).

The HTTPS Service rule allows connection via the Clientless SSL-VPN interface (access to shared network items via a web browser — for details, see chapter 24  Kerio Clientless SSL-VPN (Windows)).

These rules are created only if the corresponding option is enabled in step 5.

Note: In these rules, Source is also set to Any, mainly for consistency with the rules for mapped services (all of these rules are defined on page 6 of the wizard). Under normal conditions, access to firewall services from the local network is already allowed by the Local Traffic rule, but that cannot be relied on once the rule has been modified or restricted.

NAT

This rule specifies that in all packets routed from the local network to the Internet, the source (private) IP address is replaced by the address of the Internet interface through which the firewall sends the packet. Only the services selected on page 4 of the wizard are permitted through this rule.

The Source item of this rule is the Trusted / Local interfaces group and the Destination item is the Internet interfaces group. This makes the rule applicable to any network configuration: it need not be changed when a new LAN segment is connected or the Internet connection changes.

By default, the Trusted / Local interfaces group also includes the Dial-In interface, i.e. all RAS clients connecting to this server can reach the Internet through NAT.

Local Traffic

This rule allows all traffic between local hosts and the firewall (i.e. the computer where WinRoute is installed). In this rule, items Source and Destination include the Trusted / Local interfaces group (see chapter 5  Network interfaces) and the special group Firewall.

By default, the Trusted / Local interfaces group also includes the Dial-In interface. This means that the Local Traffic rule also allows traffic between local hosts and RAS clients/VPN clients connected to the server.

If rules for Kerio VPN were requested in the wizard (page 5), the Local Traffic rule also includes the special address groups All VPN tunnels and All VPN clients. By default, the rule therefore allows traffic between the local network (and the firewall), remote networks connected via VPN tunnels, and VPN clients connected to WinRoute's VPN server.

Note: Access to the WinRoute host is not restricted, since the wizard assumes that this host belongs to the local network. It can be restricted by modifying the appropriate rule or by creating a new one. A badly designed rule restricting access to the WinRoute host may block remote administration or make some Internet services unavailable (all traffic between the LAN and the Internet passes through this host).

Firewall Traffic

This rule allows the WinRoute host itself to access the selected services. It resembles the NAT rule except that no address translation is performed (this host connects to the Internet directly, with its own public address).

Default rule

This rule discards all traffic that is not allowed by a preceding rule. The default rule is always listed at the end of the rule list and cannot be removed.

For the default rule the administrator chooses how unwanted traffic is handled (Deny, which discards the packet and notifies the sender, or Drop, which discards it silently) and whether packets and/or connections are logged.
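The rule set above is an ordered, first-match policy ending in a default drop. The following Python model is an added example, not WinRoute code: it evaluates constructed sample packets against rules shaped like those the wizard generates, including the destination translation of the mapped services (reachable from the LAN as well as from the Internet), the source translation of the NAT rule, and the fact that the step 4 service restriction also binds the firewall's own traffic. The rule names, interface groups and the 192.168.1.10 server come from the text; the addresses (203.0.113.5, 192.168.1.1, 192.168.1.20, 198.51.100.7), the port numbers, the interface names and the set of allowed outbound services are assumptions made for the illustration.

```python
"""Model of the first-match traffic policy generated by the Network Rules Wizard.

Added example, not WinRoute code.  Rule names, interface groups and the
192.168.1.10 server come from the text; all addresses, port numbers and the
set of allowed outbound services are constructed here for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TRUSTED, INTERNET, FIREWALL = "Trusted/Local", "Internet", "Firewall"
ANY = frozenset({TRUSTED, INTERNET, FIREWALL})
LOCAL = frozenset({TRUSTED, FIREWALL})            # Source/Destination of Local Traffic

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
FW_LAN_ADDR, FW_WAN_ADDR = "192.168.1.1", "203.0.113.5"  # assumed firewall addresses
# arrival interface -> interface group; None = packet generated by the firewall itself
GROUP_OF_IFACE = {"lan": TRUSTED, "dialin": TRUSTED, "wan": INTERNET, None: FIREWALL}

# service name -> set of (protocol, destination port); port numbers are assumptions
SERVICES = {
    "http": {("tcp", 80)}, "https": {("tcp", 443)}, "ftp": {("tcp", 21)},
    "smtp": {("tcp", 25)}, "dns": {("udp", 53)},
    "kerio_vpn": {("tcp", 4090), ("udp", 4090)},
}
ALLOWED_OUT = frozenset({"http", "https", "dns"})  # step 4, "the following services only"


@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]  # "lan", "dialin", "wan" or None (firewall's own traffic)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    services: Optional[frozenset]  # None = any service
    action: str                    # "permit", "deny" (sender notified) or "drop" (silent)
    nat: bool = False              # rewrite source to the Internet interface address
    map_to: Optional[str] = None   # redirect destination to a local server


def dst_group(addr: str) -> str:
    """Classify a destination address into the wizard's interface groups."""
    if addr in (FW_LAN_ADDR, FW_WAN_ADDR):
        return FIREWALL
    if ipaddress.ip_address(addr) in LAN_NET:
        return TRUSTED
    return INTERNET


def matches(rule: Rule, pkt: Packet) -> bool:
    if GROUP_OF_IFACE[pkt.in_iface] not in rule.src or dst_group(pkt.dst) not in rule.dst:
        return False
    if rule.services is None:
        return True
    return any((pkt.proto, pkt.dport) in SERVICES[s] for s in rule.services)


def evaluate(pkt: Packet, policy) -> dict:
    """First matching rule wins; the default rule at the end guarantees a verdict."""
    for rule in policy:
        if matches(rule, pkt):
            src = FW_WAN_ADDR if rule.nat else pkt.src   # NAT: private source hidden
            dst = rule.map_to or pkt.dst                  # mapping: sent to the local server
            return {"rule": rule.name, "action": rule.action, "src": src, "dst": dst}
    raise ValueError("policy has no default rule")


def mapped(service: str) -> Rule:
    """Step 6 entry: publish a service of the local server 192.168.1.10 (Source = Any)."""
    return Rule(f"{service.upper()} Service", ANY, frozenset({FIREWALL}),
                frozenset({service}), "permit", map_to="192.168.1.10")


WIZARD_POLICY = [
    mapped("ftp"),
    mapped("http"),
    Rule("Kerio VPN Service", ANY, frozenset({FIREWALL}), frozenset({"kerio_vpn"}), "permit"),
    Rule("HTTPS Service", ANY, frozenset({FIREWALL}), frozenset({"https"}), "permit"),
    Rule("NAT", frozenset({TRUSTED}), frozenset({INTERNET}), ALLOWED_OUT, "permit", nat=True),
    Rule("Local Traffic", LOCAL, LOCAL, None, "permit"),
    Rule("Firewall Traffic", frozenset({FIREWALL}), frozenset({INTERNET}), ALLOWED_OUT, "permit"),
    Rule("Default rule", ANY, ANY, None, "drop"),
]

if __name__ == "__main__":
    for pkt in (Packet("wan", "198.51.100.7", FW_WAN_ADDR, "tcp", 80),     # published HTTP
                Packet("lan", "192.168.1.20", FW_WAN_ADDR, "tcp", 80),     # same, from the LAN
                Packet("wan", "198.51.100.7", FW_WAN_ADDR, "tcp", 25),     # unpublished -> default
                Packet("lan", "192.168.1.20", "198.51.100.7", "tcp", 25),  # SMTP not chosen in step 4
                Packet(None, FW_WAN_ADDR, "198.51.100.7", "tcp", 25)):     # restriction binds firewall too
        print(evaluate(pkt, WIZARD_POLICY))
```

Two behaviours worth noticing when running it: a LAN client connecting to the firewall's Internet address on port 80 is handled by the HTTP Service rule (the post-6.4.0 behaviour the note above describes), and an SMTP connection is dropped by the default rule whether it originates on a LAN host or on the firewall itself, because neither the NAT rule nor the Firewall Traffic rule lists that service. Return traffic for the mapped connections is not modelled; in the real deployment it only works if 192.168.1.10 uses the WinRoute host as its default gateway, as step 6 requires.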

Note: To see detailed descriptions of traffic rules refer to chapter 7.3  Definition of Custom Traffic Rules.