7.3  Definition of Custom Traffic Rules

The traffic rules are displayed in the form of a table, where each rule is represented by a row and rule properties (name, conditions, actions — for details see below) are described in the columns. Left-click in a selected field of the table (or right-click a rule and choose the Edit... option in the context menu) to open a dialog where the selected item can be edited.

To define new rules press the Add button. Move the new rule within the list using the arrow buttons.

Name

Name of the rule. It should be brief and unique. More detailed information can be included in the Description entry.

The checkbox next to the rule name can be ticked to enable the rule or unticked to disable it. If a particular field is empty, WinRoute ignores the rule. This means that you need not remove and later redefine rules when troubleshooting a rule.

Figure 7.8. Traffic rule — name, color and rule description

The background color of each row with this rule can be defined as well. Use the Transparent option to make the background transparent (background color of the whole list will be used, white is usually set). Colors allow highlighting of rules or distinguishing of groups of rules (e.g. rules for incoming and outgoing traffic).

Any text describing the particular rule may be used to specify the Description entry (up to 1024 characters).

If the description is specified, the “bubble” symbol is displayed in the Name column next to the rule name. Place the mouse pointer over the bubble to view the rule description.

It is recommended to describe every rule you create (rules created by the wizard get automatic descriptions), so that it is clear at first glance what a rule is used for. WinRoute administrators will appreciate this when fine-tuning or troubleshooting.

Note: Descriptions and background colors of the rules are used for better reference and greater comfort — they do not influence the firewall's functionality.

Source, Destination

Definition of the source or destination of the traffic defined by the rule.

Figure 7.9. Traffic rule — source address definition

A new source or destination item can be defined after clicking the Add button:

  • Host — the host IP address or name (e.g. 192.168.1.1 or www.company.com)

    Warning

    If either the source or the destination computer is specified by DNS name, WinRoute tries to identify its IP address while processing a corresponding traffic rule.

    If no corresponding record is found in the DNS cache, the DNS forwarder forwards the query to the Internet. If the Internet connection is a dial-up line that is currently hung up, the query is sent only after the line is dialed. The rule is disabled until the IP address has been resolved from the DNS name. Under certain circumstances, denied traffic can therefore be let through while the denial rule is disabled (such connections are closed immediately when the rule is enabled again).

    For these reasons, we recommend specifying source and destination computers only by IP address if you are connected to the Internet through a dial-up line.

  • IP range — e.g. 192.168.1.10–192.168.1.20

  • IP address group — a group of addresses defined in WinRoute (refer to chapter 14.1  IP Address Groups)

  • Subnet with mask — subnet defined by network address and mask

    (e.g. 192.168.1.0/255.255.255.0)

  • Network connected to interface — selection of the interface or a group of interfaces from which the packet comes in (Source) or via which they are sent out (Destination).

    Figure 7.10. Traffic rule — selecting an interface of a group of interfaces

    Groups of interfaces allow creation of more general rules independent from any particular network configuration (e.g. it is not necessary to change such rules when Internet connection is changed or when a new LAN segment is added). It is recommended to define traffic rules associated with groups of interfaces wherever possible. For details on network interfaces and groups of interfaces, see chapter 5  Network interfaces.

    Note: Only the Internet interfaces and the Trusted / Local interfaces group can be used in traffic rules. Another method is used to add interfaces for Kerio VPN (see below). The Other interfaces group includes interfaces of various types that were not filed in another group. For this reason, traffic rules for this group would not be of much use.

  • VPN — virtual private network (created with Kerio VPN). This option can be used to add the following items:

    Figure 7.11. Traffic rule — VPN clients / VPN tunnel in the source/destination address definition

    1. Incoming VPN connections (VPN clients) — all VPN clients connected to the WinRoute VPN server via the Kerio VPN Client

    2. VPN tunnel — network connected to this server from a remote server via the VPN tunnel. The All option covers all networks connected by all defined VPN tunnels which are active at the particular moment.

    For detailed information on the proprietary VPN solution integrated in WinRoute, refer to chapter 23  Kerio VPN.

  • Users — users or groups that can be chosen in a special dialog

    Figure 7.12. Traffic rule — users and groups in the source/destination address definition

    The Authenticated users option makes the rule valid for all users authenticated to the firewall (see chapter 10.1  Firewall User Authentication). Use the User(s) from domain option to add users/groups from mapped Active Directory domains or from the local user database (for details, refer to chapter 15  User Accounts and Groups).

    Hint

    Users/groups from various domains can be added to a rule at once. Select a domain, add users/groups, choose another domain and repeat this process until all required users/groups are added.

    In traffic rules, users are represented by the IP address of the host from which they are connected (authenticated). For a detailed description of user authentication, refer to chapter 10.1  Firewall User Authentication.

    Note:

    1. If you require authentication for any rule, it is necessary to ensure that a rule exists to allow users to connect to the firewall authentication page. If users connect from various hosts, the IP addresses of all these hosts must be considered.

    2. If user accounts or groups are used as a source in the Internet access rule, neither automatic redirection to the authentication page nor NTLM authentication will work. Redirection requires successful establishment of a connection to the destination server.

      If traffic policy is set like this, users must be told to open the authentication page (see chapters 11  Web Interface and 10.1  Firewall User Authentication) in their browser and login before they are let into the Internet.

      This issue is described in detail in chapter 7.6  User accounts and groups in traffic rules.

  • Firewall — a special address group including all interfaces of the host where the firewall is running. This option can be used for example to permit traffic between the local network and the WinRoute host.

Use the Any button to replace all defined items with the Any item (this item is also used by default for all new rules). This item will be removed automatically when at least one new item is added.

Use the Remove button to remove all items defined (the Nothing value will be displayed in the item list). This is helpful when rules are changed — it is not necessary to remove items one by one. Whenever at least one item is added, the Nothing value will be removed automatically. If the Nothing value is kept for the Source and/or Destination item, the corresponding rule is disabled.

The Nothing value takes effect when network interfaces (see chapter 5  Network interfaces) and users or groups (see chapter 15  User Accounts and Groups) are removed. The Nothing value is automatically used for all Source, Destination and/or Service items of rules where a removed interface (or a user account, a group or a service) has been used. Thus, all these rules are disabled.

Definition of rules with the Nothing value in any column is not of any use — it is more useful to use the checkbox in the Name column instead to disable a rule.

Note: Removed interfaces cannot be replaced by the Any value, otherwise the traffic policy might be changed fundamentally (e.g. undesirable traffic might be allowed).

Service

Definition of service(s) on which the traffic rule will be applied. Any number of services defined either in Configurations → Definitions → Services (see chapter 14.3  Services) or using protocol and port number (or by port range — a dash is used to specify the range) can be included in the list.

Figure 7.13. Traffic rule — setting a service

Use the Any button to replace all defined items with the Any item (this item is also used by default for all new rules). Whenever at least one new service is added, the Any value is removed automatically.

Use the Remove button to remove all items defined (the Nothing value will be displayed in the item list). Whenever at least one service is added, the Nothing value will be removed automatically. If the Nothing value is kept in the Service column, the rule is disabled.

The Nothing value is important for removal of services (see chapter 14.3  Services). The Nothing value is automatically used for the Service item of rules where a removed service has been used. Thus, all these rules are disabled. Inserting the Nothing value manually is not meaningful — the checkbox in the Name column can be used instead.

Note: If there is a protocol inspector for a certain service in WinRoute, it is applied to all corresponding traffic automatically. To bypass the protocol inspector for certain traffic, define this exception in the particular traffic rule. For detailed information, see chapter 7.7  Partial Retirement of Protocol Inspector.

Action

Action that will be taken by WinRoute when a given packet has passed all the conditions for the rule (the conditions are defined by the Source, Destination and Service items). The following actions can be taken:

Figure 7.14. Traffic rule — selecting an action

  • Permit — traffic will be allowed by the firewall

  • Deny — the client is informed that access to the address or port is denied. The client gets a prompt answer; however, it learns that the traffic is blocked by a firewall.

  • Drop — all packets that fit this rule are dropped by the firewall. The client is sent no notification and perceives the result as a network outage. The client does not repeat the attempt immediately (it waits for a response and tries to connect again later, etc.).

Note: It is recommended to use the Deny option to limit the Internet access for local users and the Drop option to block access from the Internet.
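The Source, Destination, Service and Action items above combine into a single decision per packet. The following Python model is an added example, not WinRoute code: it accepts address items in the notations the dialog uses (host IP, IP range, subnet with mask), service items as protocol/port or protocol/port-range, and reproduces the documented meanings of Any, Nothing and the Name-column checkbox (Nothing or an empty column disables the rule). DNS names and the interface, user and VPN item types are not modelled, and the sample rules and addresses are constructed.

```python
"""Evaluate one WinRoute-style traffic rule against a packet (added example, not WinRoute code)."""
import ipaddress
from dataclasses import dataclass, field

ANY = "Any"          # the Any item: matches everything (default for new rules)
NOTHING = "Nothing"  # the Nothing value: left behind when an interface, user or service is removed


def address_item_matches(item: str, ip: str) -> bool:
    """One Source/Destination item: a host IP, an IP range (first-last) or a subnet with mask."""
    addr = ipaddress.ip_address(ip)
    if item == ANY:
        return True
    item = item.replace("\u2013", "-")            # accept the en dash the manual prints in ranges
    if "-" in item:                               # IP range, e.g. 192.168.1.10-192.168.1.20
        lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
        return lo <= addr <= hi
    if "/" in item:                               # subnet with mask, e.g. 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(item, strict=False)
    return addr == ipaddress.ip_address(item)     # single host given by IP (DNS names not resolved here)


def service_item_matches(item: str, proto: str, port: int) -> bool:
    """One Service item written as 'proto/port' or 'proto/first-last' (a dash gives the range)."""
    if item == ANY:
        return True
    item_proto, _, ports = item.partition("/")
    if item_proto.lower() != proto.lower():
        return False
    first, _, last = ports.partition("-")
    return int(first) <= port <= int(last or first)


@dataclass
class Rule:
    name: str
    action: str                                   # "Permit", "Deny" or "Drop"
    enabled: bool = True                          # the checkbox in the Name column
    source: list = field(default_factory=lambda: [ANY])
    destination: list = field(default_factory=lambda: [ANY])
    service: list = field(default_factory=lambda: [ANY])


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _column_active(items) -> bool:
    # An empty column or the Nothing value disables the whole rule.
    return bool(items) and NOTHING not in items


def rule_applies(rule: Rule, pkt: Packet) -> bool:
    """True when every condition column matches; a disabled rule never applies."""
    if not rule.enabled:
        return False
    if not all(map(_column_active, (rule.source, rule.destination, rule.service))):
        return False
    return (any(address_item_matches(i, pkt.src) for i in rule.source)
            and any(address_item_matches(i, pkt.dst) for i in rule.destination)
            and any(service_item_matches(i, pkt.proto, pkt.dport) for i in rule.service))


def apply_rule(rule: Rule, pkt: Packet):
    """Outcome of the rule's action, or None when the rule does not apply.

    Deny and Drop both block; they differ only in whether the client is told."""
    if not rule_applies(rule, pkt):
        return None
    return {
        "Permit": {"forwarded": True, "client_notified": False},
        "Deny": {"forwarded": False, "client_notified": True},   # client learns a firewall blocked it
        "Drop": {"forwarded": False, "client_notified": False},  # client only sees a timeout
    }[rule.action]


# Constructed sample rules (addresses are documentation ranges, not real hosts)
LAN_TO_WEB = Rule("LAN web access", "Permit",
                  source=["192.168.1.0/255.255.255.0"], service=["tcp/80", "tcp/443"])
NO_TELNET = Rule("Block telnet", "Deny",
                 source=["192.168.1.10-192.168.1.20"], service=["tcp/23"])
STALE = Rule("Removed interface", "Drop", source=[NOTHING])  # what a rule looks like after its interface is removed

if __name__ == "__main__":
    probe = Packet("tcp", "192.168.1.15", "203.0.113.5", 80)
    for r in (LAN_TO_WEB, NO_TELNET, STALE):
        print(f"{r.name}: {apply_rule(r, probe)}")
```

The `STALE` rule shows why the manual says a rule with Nothing in any column is of no use: it can never match, exactly as if its checkbox were unticked, which is the cleaner way to disable a rule on purpose.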

Translation

Source or/and destination IP address translation.

Source IP address translation (NAT — Internet connection sharing)

The source IP address translation can also be called IP masquerading or Internet connection sharing. In outgoing packets routed from the local network to the Internet, the source (private) IP address is substituted by the IP address of the interface connected to the Internet. Therefore, the entire local network can access the Internet transparently, but from the outside it appears as a single host.

Source address translation is used in traffic rules applied to traffic from the local private network to the Internet. In other rules (traffic between the local network and the firewall, between the firewall and the Internet, etc.), NAT is meaningless. For detailed information and examples of rules, refer to chapter 7.4  Basic Traffic Rule Types.

For source address translation, WinRoute offers these options:

Automatic IP address selection

Figure 7.15. Traffic rule — NAT — automatic IP address selection

By default, in packets sent from the LAN to the Internet the source IP address will be replaced by IP address of the Internet interface of the firewall through which the packet is sent. This IP address translation method is useful in the general rule for access from the LAN to the Internet (see chapter 7.4  Basic Traffic Rule Types), because it works correctly in any Internet connection configuration and for any status of individual links (for details, see chapter 6  Internet Connection).

If WinRoute works in the mode of network traffic load balancing (see chapter 6.4  Network Load Balancing), you can select a method which will be used for spreading the traffic between the LAN and the Internet over individual Internet links:

  • Load balancing per host — all traffic from a specific host (client) in the LAN will always be routed via the same Internet link. All connections from the client will be established from the same source IP address (the public address of the particular interface of the firewall). This method is the default, because it guarantees the same behavior as for clients connected directly to the Internet. However, the distribution of traffic among the individual links may not be optimal in this case.

  • Load balancing per connection — an Internet link is selected for each connection established from the LAN to the Internet so as to spread the load optimally. This method guarantees the most efficient use of the Internet connection's capacity. However, it might also introduce problems and collisions with certain services. The problem is that individual connections are established from various IP addresses (depending on the firewall's interface from which the packet is sent), which the destination server may consider an attack and respond to by closing the session, blocking the traffic, etc.

If another type of Internet connection is used (a single leased link, on demand dialing or connection failover), these options have no effect on WinRoute's functionality.

Hint

For maximal efficiency of the connection's capacity, it is possible to combine both load balancing methods. In the general rule for access from the LAN to the Internet, use load balancing per connection and add a rule for specific services (servers, clients, etc.) which will employ the load balancing per host method. For details, see also chapter 7.4  Basic Traffic Rule Types.
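The difference between the two methods, and the combination the Hint suggests, is easier to see in code. The following is an added example, not WinRoute code: the manual does not state how WinRoute picks a link, so per-host selection is modelled as a hash of the client address (an assumption) and per-connection selection as "least-loaded link first" (also an assumption); the link names, the sample clients and the choice of HTTPS as the "specific service" are constructed.

```python
"""Per-host vs. per-connection link selection (added example, not WinRoute code)."""
import hashlib
from collections import Counter

# Constructed names for the firewall's Internet interfaces.
LINKS = ("ISP-A", "ISP-B", "ISP-C")


def link_per_host(client_ip: str, links=LINKS) -> str:
    """Per-host balancing: the link depends on the client address only, so every
    connection of one client leaves through the same link and the destination
    server always sees the same public source address. (Hashing is an assumption
    for illustration; the manual does not state the selection method.)"""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


class PerConnectionBalancer:
    """Per-connection balancing: each new connection takes the least-loaded link,
    regardless of which client opened it (assumed selection rule)."""

    def __init__(self, links=LINKS):
        self.active = Counter({link: 0 for link in links})

    def pick(self, client_ip: str) -> str:
        link = min(self.active, key=lambda name: (self.active[name], name))
        self.active[link] += 1
        return link


def links_used_per_client(connections, chooser) -> dict:
    """Map each client to the set of links its connections were spread over."""
    seen = {}
    for client_ip in connections:
        seen.setdefault(client_ip, set()).add(chooser(client_ip))
    return seen


def choose_link(client_ip: str, dst_port: int, balancer: PerConnectionBalancer,
                sticky_ports=frozenset({443})) -> str:
    """The combination from the Hint: a specific rule (here HTTPS, a constructed choice)
    uses per-host balancing, the general LAN-to-Internet rule uses per-connection."""
    if dst_port in sticky_ports:
        return link_per_host(client_ip)
    return balancer.pick(client_ip)


# Constructed sample: two LAN clients opening three connections each, interleaved.
SAMPLE_CONNECTIONS = ["192.168.1.15", "192.168.1.16"] * 3


def compare_methods() -> dict:
    """How many distinct links (and therefore public source addresses) each client ends up using."""
    per_host = links_used_per_client(SAMPLE_CONNECTIONS, link_per_host)
    per_conn = links_used_per_client(SAMPLE_CONNECTIONS, PerConnectionBalancer().pick)
    return {
        "per_host": {c: len(s) for c, s in per_host.items()},
        "per_connection": {c: len(s) for c, s in per_conn.items()},
    }


if __name__ == "__main__":
    print(compare_methods())
```

With per-host selection each client always maps to one link; with per-connection selection the same client's connections are spread over all three links, which is the behaviour that a session-bound server may misread as coming from several different hosts.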

NAT to IP address of a specific interface

It is possible to select a specific interface which will be used for the source NAT in outgoing packets. This also determines that packets will be sent to the Internet via this specific link. This allows definition of rules for sending specific traffic through a selected link (so called policy routing; see chapter 7.5  Policy routing).

Figure 7.16. Traffic rule — NAT — NAT with specific interface (its IP address)

If the selected Internet link fails, the Internet will be unavailable for all traffic meeting the criteria (specific services, clients, etc.) specified by this rule. To prevent such situations, it is possible to allow use of an alternative (back-up) interface (link) in case of the link's failure. If this is set, WinRoute behaves as in the automatic interface selection mode (see above) whenever such a failure occurs.

NAT with a specified IP address

It is also possible to specify an IP address for NAT which will be used as the source IP address for all packets sent from the LAN to the Internet. This option is provided mainly for compatibility with older WinRoute versions. However, use of a fixed IP address has many limitations:

  • It is necessary to use an IP address of one of the firewall's Internet interfaces. If any other address is used (including local private addresses), NAT will not work correctly and packets sent to the Internet will be dropped.

  • For obvious reasons, specific IP address cannot be used for NAT in the Internet connection failover and the network traffic load balancing modes.

Figure 7.17. Traffic rule — NAT — NAT with specific IP address

Full cone NAT

For all NAT methods it is possible to enable a mode in which incoming packets from any address are admitted — so called Full cone NAT.

If this option is off, WinRoute performs so called Port restricted cone NAT. In outgoing packets transferred from the local network to the Internet, WinRoute replaces the source (private) IP address by the public address of the firewall's Internet interface (see above). If possible, the original source port is kept; otherwise, another free source port is assigned. As to incoming traffic, only packets sent from the same IP address and port to which the outgoing packet was sent are let in. This translation method guarantees high security — the firewall will not let in any packet which is not a response to a request sent from inside.

However, many applications (especially multimedia applications, Voice over IP technologies, etc.) use a different traffic pattern, where other clients connect directly to a port “opened” by an outgoing packet. Therefore, WinRoute also supports the Full cone NAT mode, where the described restrictions are not applied to incoming packets. The port then lets in incoming packets with any source IP address and port. This translation method allows applications in the private network to run that would otherwise work only partially or not at all.

For an example of using Full cone NAT for VoIP applications, refer to chapter 7.8  Use of Full cone NAT.

Warning

Use of Full cone NAT brings certain security threats — the port opened by an outgoing connection can be accessed without any restrictions being applied. For this reason, it is recommended to enable Full cone NAT only for a specific service (i.e. to create a special rule for this purpose).

Never allow Full cone NAT in the general rule for traffic from the local network to the Internet[4]! Such a rule would significantly decrease the security of the local network.

Note:

  1. Older versions of WinRoute (up to and including version 6.3.1) used so called Symmetric NAT, where each outgoing connection on the firewall was assigned a new source port from the reserved range. Since version 6.4.0, WinRoute therefore supports VoIP and multimedia applications significantly better than the previous versions, even without special traffic rules. Both methods have the same security level — they differ only in how source ports are assigned on the firewall.

  2. The IP address translation method used since version 6.4.0 (i.e. Port restricted cone NAT) also allows use of the IPSec protocol. The special IPSec support included in older versions of WinRoute is no longer needed.
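The three translation behaviours named above (Symmetric NAT in older versions, Port restricted cone NAT as the current default, and the optional Full cone NAT) differ in two places: how the public source port is chosen, and which senders are allowed back in through it. The simulation below is an added example, not WinRoute code; its binding table, reserved port range start and the SIP-style scenario (a LAN phone registering with a server, then an unrelated peer trying to reach the opened port) are constructed. It shows why the manual calls the first two modes equally secure and warns about the third.

```python
"""Which incoming packets a NAT admits under symmetric, port-restricted cone and full cone
translation (added example, not WinRoute code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class NatGateway:
    """Toy source-NAT binding table. Modes:
    symmetric       - new public port from a reserved range per outgoing connection
                      (WinRoute up to 6.3.1); replies accepted only from the contacted peer
    port_restricted - original source port kept when free (WinRoute 6.4.0 and later);
                      replies accepted only from peers the inside host has already sent to
    full_cone       - same mapping as port_restricted, but any sender may use the open port
    """
    MODES = ("symmetric", "port_restricted", "full_cone")

    def __init__(self, public_ip: str, mode: str = "port_restricted", reserved_from: int = 61000):
        if mode not in self.MODES:
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.public_ip = public_ip
        self.mode = mode
        self.next_reserved = reserved_from  # constructed start of the reserved port range
        self.bindings = {}                  # public port -> (private endpoint, set of remote peers)

    def outgoing(self, private: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate the source of an outgoing packet and record the binding it opens."""
        for pub_port, (prv, peers) in self.bindings.items():
            if prv == private and (self.mode != "symmetric" or remote in peers):
                peers.add(remote)           # cone NATs reuse one public port for every peer
                return Endpoint(self.public_ip, pub_port)
        if self.mode == "symmetric":
            pub_port, self.next_reserved = self.next_reserved, self.next_reserved + 1
        else:
            pub_port = private.port         # keep the original source port if it is free...
            while pub_port in self.bindings:
                pub_port += 1               # ...otherwise assign another free port
        self.bindings[pub_port] = (private, {remote})
        return Endpoint(self.public_ip, pub_port)

    def incoming(self, sender: Endpoint, public_port: int):
        """Private endpoint an incoming packet is delivered to, or None when it is not let in."""
        binding = self.bindings.get(public_port)
        if binding is None:
            return None                     # nothing opened this port from the inside
        private, peers = binding
        if self.mode == "full_cone" or sender in peers:
            return private
        return None                         # not a response to a request sent from inside


def demo(mode: str) -> dict:
    """Constructed scenario: a LAN phone registers with a SIP server; afterwards an
    unrelated peer sends to the public port that registration opened."""
    gw = NatGateway("203.0.113.1", mode)
    phone = Endpoint("192.168.1.20", 5060)
    sip_server = Endpoint("198.51.100.10", 5060)
    other_peer = Endpoint("198.51.100.77", 40000)
    mapped = gw.outgoing(phone, sip_server)
    return {
        "public_port": mapped.port,
        "reply_from_server_delivered": gw.incoming(sip_server, mapped.port) == phone,
        "call_from_other_peer_delivered": gw.incoming(other_peer, mapped.port) == phone,
    }


if __name__ == "__main__":
    for mode in NatGateway.MODES:
        print(mode, demo(mode))
```

Only the full cone mode delivers the unrelated peer's packet, which is the property VoIP applications need and also the reason the manual wants it confined to a dedicated rule: with a cone NAT the inside host keeps one public port for all its peers, so an unrestricted port stays reachable for as long as the binding lives.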

Destination NAT (port mapping):

Destination address translation (also called port mapping) is used to allow access to services hosted in private local networks behind the firewall. All incoming packets that meet the defined rules are redirected to a defined host (the destination address is changed). This actually “moves” the service to the Internet interface of the WinRoute host (i.e. the IP address it is mapped from). From the client's point of view, the service is running on the IP address from which it is mapped (usually on the firewall's IP address).

Options for destination NAT (port mapping):

Figure 7.18. Traffic rule — destination address translation

  • No Translation — destination address will not be modified.

  • Translate to — IP address that will substitute the packet's destination address. This address also represents the IP address of the host on which the service is actually running.

    The Translate to entry can be also specified by DNS name of the destination computer. In such cases WinRoute finds a corresponding IP address using a DNS query.

    Warning

    We recommend not using names of computers that are not recorded in the local DNS, since the rule is not applied until a corresponding IP address is found. This might cause temporary malfunction of the mapped service.

  • Translate port to — during the process of IP translation you can also substitute the port of the appropriate service. This means that the service can run at a port that is different from the port where it is available from the Internet.

    Note: This option cannot be used unless only one service is defined in the Service entry within the appropriate traffic rule and this service uses only one port or port range.

For examples of traffic rules for port mapping and their settings, refer to chapter 7.4  Basic Traffic Rule Types.
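The Translate to and Translate port to options, together with the restriction in the Note above, can be expressed as a small rule object. This is an added example, not WinRoute code: the public and internal addresses are constructed, Translate to is taken as an IP address only (the DNS-name form is not modelled), and the handling of a mapped port range (keeping the packet's offset inside the range) is an assumption, since the manual only says one port or port range is allowed.

```python
"""Destination NAT (port mapping) rule with the single-service restriction (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    """One entry of the Service column: a protocol and a port or port range."""
    proto: str
    first_port: int
    last_port: Optional[int] = None

    def contains(self, proto: str, port: int) -> bool:
        last = self.first_port if self.last_port is None else self.last_port
        return proto.lower() == self.proto.lower() and self.first_port <= port <= last


class PortMappingRule:
    """Packets arriving at the address the service is mapped from, for the listed
    services, are redirected to the internal host that really runs the service."""

    def __init__(self, mapped_from_ip: str, services, translate_to: str,
                 translate_port_to: Optional[int] = None):
        if translate_port_to is not None and len(services) != 1:
            # The manual's restriction: Translate port to needs exactly one service in the rule.
            raise ValueError("Translate port to requires exactly one service in the Service column")
        self.mapped_from_ip = mapped_from_ip   # usually the firewall's Internet address
        self.services = list(services)
        self.translate_to = translate_to       # IP address only here; DNS names are not resolved
        self.translate_port_to = translate_port_to

    def translate(self, proto: str, dst_ip: str, dst_port: int):
        """(new destination ip, new destination port) for a matching packet, else None."""
        if dst_ip != self.mapped_from_ip:
            return None
        for svc in self.services:
            if svc.contains(proto, dst_port):
                if self.translate_port_to is None:
                    return (self.translate_to, dst_port)
                # Assumption for a mapped range: keep the packet's offset within the range.
                return (self.translate_to, self.translate_port_to + (dst_port - svc.first_port))
        return None


# Constructed addresses: 203.0.113.1 is the firewall's Internet address,
# 192.168.1.10 / 192.168.1.11 are internal servers.
WEB_MAPPING = PortMappingRule("203.0.113.1", [Service("tcp", 80)], "192.168.1.10", translate_port_to=8080)
MAIL_MAPPING = PortMappingRule("203.0.113.1", [Service("tcp", 25), Service("tcp", 143)], "192.168.1.11")

if __name__ == "__main__":
    print(WEB_MAPPING.translate("tcp", "203.0.113.1", 80))    # web server listens on 8080 internally
    print(MAIL_MAPPING.translate("tcp", "203.0.113.1", 143))  # ports unchanged, only the host
```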

Log

The following actions can be taken to log traffic:

Figure 7.19. Traffic rule — packet/connection logging

  • Log matching packets — all packets matching the rule (permitted, denied or dropped, according to the rule definition) will be logged in the Filter log.

  • Log matching connections — all connections matching this rule will be logged in the Connection log (only for permit rules). Individual packets included in these connections will not be logged.

    Note: Connections cannot be logged for deny and drop rules (no connection is established).

The following columns are hidden in the default settings of the Traffic Policy window (for details on showing and hiding columns, see chapter 3.2  Administration Console - view preferences):

Valid on

Time interval within which the rule will be valid. Outside this interval WinRoute ignores the rule.

The special always option can be used to disable the time limitation (it is not displayed in the Traffic Policy dialog).

When a denying rule comes into effect and/or when an allowing rule's validity interval ends, all active network connections matching the particular rule are closed immediately.

Protocol inspector

Selection of a protocol inspector that will be applied on all traffic meeting the rule. The menu provides the following options to select from:

Figure 7.20. Traffic rule — protocol inspector selection

  • Default — all necessary protocol inspectors (or inspectors of the services listed in the Service entry) will be applied on traffic meeting this rule.

  • None — no inspector will be applied (regardless of how services used in the Service item are defined).

  • Other — selection of a particular inspector which will be applied to traffic meeting this rule (all WinRoute's protocol inspectors are available). No other protocol inspector will be applied to the traffic, regardless of settings of services in the Service section.

    Do not use this option unless the traffic rule applies to the protocol handled by the selected inspector. Functionality of the service might be affected by using an inappropriate inspector.

    For more information, refer to chapter 7.7  Partial Retirement of Protocol Inspector.

Note: Use the Default option for the Protocol Inspector item if a particular service (see the Service item) is used in the rule definition (the protocol inspector is included in the service definition).



[4] Typically the NAT rule created by the Traffic policy wizard — see chapter 7.1  Network Rules Wizard.