The network rules wizard requires only the data that is essential for creating a basic set of traffic rules. The rules defined in this wizard enable access from the local network to selected Internet services and ensure full protection of the local network (including the WinRoute host) against intrusion attempts from the Internet. To guarantee reliable WinRoute functionality after the wizard is used, all existing rules are removed and replaced by rules created automatically from the newly entered data.
Click on the button to run the network rules wizard.
Note: The existing traffic policy is replaced by the new rules only after the entire process has been completed and the last step confirmed. This means that the wizard can be stopped and canceled at any point during the process without losing the existing rules.
To run successfully, the wizard requires the following parameters on the WinRoute host:
at least one active adapter connected to the local network
at least one active adapter connected to the Internet or one defined dial-up connection; the dial-up connection need not be active to run the wizard.
Select the appropriate type of Internet connection that is used — either a network adapter (Ethernet, WiFi, DSL, etc.) or a dialed line (analog modem, ISDN, etc.).
If a network adapter is used to connect the host to the Internet, it can be selected in the menu. To make the adapter easier to identify, the IP address, network mask and MAC address of the selected adapter are displayed as well.
Notes:
The interface with the default gateway is listed first. Therefore, in most cases the appropriate adapter is already selected in this step.
If multiple IP addresses are assigned to the interface, the primary IP address is displayed. On Windows, the address assigned to the interface first is considered primary.
In the case of a dial-up line, the appropriate connection (defined in the operating system) must be selected and login data must be specified.
Use login data from the RAS entry — the username and password for authentication at the remote server are copied from the corresponding Windows RAS entry. The RAS connection must be saved in the system “phonebook” (the connection must be available to any user).
Use the following login data — specify the Username and Password to be used for authentication at the remote server. This option is useful, for example, when the login data should not be stored in the operating system or when it may be changed later.
Select which Internet services will be available for LAN users:
Internet access from the local network will not be limited. Users can access any Internet service.
Only selected services will be available from the local network.
Note: In this dialog, only basic services are listed, regardless of which services are defined in WinRoute (see chapter 12.3 Services). Other services can be allowed by defining separate traffic policy rules — see chapter 6.3 Definition of Custom Traffic Rules.
To use WinRoute's proprietary VPN solution in order to connect remote clients or to create tunnels between remote networks, keep the Create rules for Kerio VPN server selected. Specific services and address groups for Kerio VPN will be added. For detailed information on the proprietary VPN solution, refer to chapter 21 Kerio VPN.
If you do not intend to use this solution, or intend to use a third-party solution (e.g. Microsoft PPTP, Nortel IPSec, etc.), disable the Create rules for Kerio VPN option.
To enable remote access to shared items in the local network via a web browser, keep the Create rules for Kerio Clientless SSL-VPN option enabled. This interface is independent from Kerio VPN and it can be used along with a third-party VPN solution. For detailed information, see chapter 22 Kerio Clientless SSL-VPN.
If any service that is intended to be available from the Internet (e.g. a WWW server or FTP server) is running on the WinRoute host or on another host within the local network, define it in this dialog.
Note: If creation of rules for Kerio VPN was requested in the previous step, the Kerio VPN and firewall services are automatically added to the list of local servers. If these services are removed or their parameters are modified, VPN services will not be available via the Internet!
The dialog window for adding a new service can be opened with the button.
Select a computer where the corresponding service is running (i.e. the host to which traffic coming in from the Internet will be redirected):
Firewall — the host where WinRoute is installed
Local host with IP address — another host in the local network (local server)
Note: The local server must access the Internet through WinRoute, i.e. its default gateway must point to the WinRoute host, otherwise the service will not be available.
Select the service to be enabled. The service must already be defined in Configurations → Definitions → Services (see chapter 12.3 Services).
Note: Most common services are predefined in WinRoute.
If you use only one public IP address to connect your private local network to the Internet, enable the NAT function (IP address translation). Do not enable this function if WinRoute is used for routing between two public networks or two local segments (as a neutral router).
In the last step, traffic rules are generated in accordance with the data specified. All existing rules will be removed and replaced by the new rules.
Warning: This is the last chance to cancel the process and keep the existing traffic policy. Click on the button to delete the existing rules and replace them with the new ones.
The traffic policy is easier to understand by examining the traffic rules created by the wizard in the previous example.
These rules map all HTTP and HTTPS services running on the host with the IP address 192.168.1.10 (step 6). These services will be available at the IP addresses of the “outer” interface of the firewall (i.e. the interface connected to the Internet — step 3).
Note: Since WinRoute 6.4.0, mapped services can also be accessed from local networks — it is therefore not necessary to use another (private) IP address for connections from local clients. For this reason the Source value is set to Any. For details, see chapter 6.3 Definition of Custom Traffic Rules.
The Kerio VPN service rule enables connection to the WinRoute's VPN server (establishment of control connection between a VPN client and the server or creation of a VPN tunnel — for details, see chapter 21 Kerio VPN).
The HTTPS Service rule allows connection via the Clientless SSL-VPN interface (access to shared network items via a web browser — for details, see chapter 22 Kerio Clientless SSL-VPN).
These rules are not created unless the option allowing access to a particular service is enabled in step 5.
Note: In these rules, the Source value is also set to Any. The main reason is to keep them consistent with the rules for mapped services (all these rules are defined on page 6 of the wizard). Access to firewall services from the local network is, under normal conditions, allowed by the Firewall traffic rule, but this is not always true.
This rule can be added whenever needed, regardless of the settings within the individual steps. The PING command can be used to request a response from the WinRoute host; this is useful for debugging (e.g. to verify that the Internet connection works).
Note: The ICMP traffic rule does not allow clients to use the PING command from the local network to the Internet. If you intend to use the command anyway, you must add the Ping service to the NAT rule (for details see chapter 6.3 Definition of Custom Traffic Rules).
If ISS OrangeWeb Filter is used (a module for classification of websites), this rule allows communication with the corresponding databases. Do not disable this traffic, otherwise ISS OrangeWeb Filter may not function correctly.
If this rule is added, the source (private) addresses in all packets directed from the local network to the Internet will be substituted with addresses of the interface connected to the Internet (see the Wizard, steps 3 and 6). However, only services selected within step 4 can be accessed.
The Dial-In interface is included in the Source item for this rule. This implies that all RAS clients connecting to this server can access the Internet through NAT.
This rule enables all traffic between local hosts and the host where WinRoute is installed. The Source and Destination items within this rule include all WinRoute host's interfaces except the interface connected to the Internet (this interface has been chosen in step 3).
In this rule, the Source and Destination items cover also the Dial-In interface and a special group called Firewall. This means that the Local Traffic rule also allows traffic between local hosts and RAS clients/VPN clients connected to the server.
If creation of rules for Kerio VPN was selected in the wizard (step 5), the Local Traffic rule also includes the special address groups All VPN tunnels and All VPN clients. This implies that, by default, the rule allows traffic between the local network (firewall), remote networks connected via VPN tunnels and VPN clients connecting to the WinRoute VPN server.
Note: Access to the WinRoute host is not limited, as the wizard assumes that this host belongs to the local network. Access can be restricted by modifying the appropriate rule or by creating a new one. A poorly designed rule limiting access to the WinRoute host might block remote administration or make some Internet services unavailable (all traffic directed to the Internet passes through this host).
This rule enables access to certain services from the WinRoute host. It is similar to the NAT rule, except that this rule does not perform IP address translation (the host connects to the Internet directly).
This rule denies (but does not drop) queries of the Ident service coming from the Internet to the firewall.
Under normal conditions, such traffic would be blocked (dropped) by the default rule. However, dropping Ident packets can cause the remote side to wait for a response until it times out (typically when connecting to IRC or FTP servers). Therefore, the wizard creates a special Ident rule for this case that denies the traffic, i.e. it sends the client a control message informing it that the Ident service is not available on the WinRoute host.
This rule drops all communication that is not allowed by other rules. The default rule is always listed at the end of the rule list and it cannot be removed.
The default rule allows the administrator to select what action is taken with undesirable traffic attempts (Deny or Drop) and to decide whether packets and/or connections are logged.
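As an added illustration (not part of the manual or of WinRoute itself), the following Python model replays the wizard-generated policy described above as an ordered, first-match rule list. Zone names, service names, the set of services assumed to be selected in step 4, and the mapped host 192.168.1.10 are constructed for this model; it shows why Ident is answered with Deny rather than Drop, why a LAN ping to the Internet is dropped by the default rule, and how adding Ping to the NAT rule changes that.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the wizard-generated policy (not a WinRoute export):
# zones stand in for interfaces, service names for service definitions.
LAN, INTERNET, FIREWALL, ANY = "LAN", "Internet", "Firewall", "Any"
SELECTED = {"HTTP", "HTTPS", "DNS"}   # assumed choice of services in step 4

@dataclass
class Rule:
    name: str
    src: set
    dst: set
    services: set
    action: str                    # Permit, Deny (client is told) or Drop (silent)
    nat: bool = False              # translate source to the Internet interface
    map_to: Optional[str] = None   # mapped service: redirect to this local host

def _hit(allowed: set, value: str) -> bool:
    return ANY in allowed or value in allowed

WIZARD_RULES = [                   # order matters: first match wins
    Rule("Mapped HTTP/HTTPS", {ANY}, {FIREWALL}, {"HTTP", "HTTPS"}, "Permit", map_to="192.168.1.10"),
    Rule("Kerio VPN", {ANY}, {FIREWALL}, {"Kerio VPN"}, "Permit"),
    Rule("ICMP traffic", {ANY}, {FIREWALL}, {"Ping"}, "Permit"),
    Rule("NAT", {LAN}, {INTERNET}, SELECTED, "Permit", nat=True),
    Rule("Local traffic", {LAN, FIREWALL}, {LAN, FIREWALL}, {ANY}, "Permit"),
    Rule("Firewall traffic", {FIREWALL}, {INTERNET}, SELECTED, "Permit"),
    Rule("Ident", {INTERNET}, {FIREWALL}, {"Ident"}, "Deny"),
    Rule("Default rule", {ANY}, {ANY}, {ANY}, "Drop"),
]

def evaluate(src: str, dst: str, service: str, rules=WIZARD_RULES) -> tuple:
    """Return (rule name, action, detail) of the first rule matching the flow."""
    for r in rules:
        if _hit(r.src, src) and _hit(r.dst, dst) and _hit(r.services, service):
            return r.name, r.action, r.map_to or ("NAT" if r.nat else None)
    raise RuntimeError("default rule must match everything")

def with_ping_in_nat(rules=WIZARD_RULES) -> list:
    """Model the fix from the ICMP note: add the Ping service to the NAT rule."""
    return [Rule(r.name, r.src, r.dst, r.services | {"Ping"}, r.action, nat=True)
            if r.name == "NAT" else r for r in rules]

if __name__ == "__main__":
    for flow in [(INTERNET, FIREWALL, "HTTP"), (LAN, INTERNET, "SMTP"),
                 (INTERNET, FIREWALL, "Ident"), (LAN, INTERNET, "Ping")]:
        print(flow, "->", evaluate(*flow))
    print("after fix:", evaluate(LAN, INTERNET, "Ping", with_ping_in_nat()))
```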
Note: For detailed descriptions of traffic rules, refer to chapter 6.3 Definition of Custom Traffic Rules.