5.3. Basic Traffic Rule Types

In this chapter you will find some rules used to manage standard configurations. Using these examples you can easily create a set of rules for your network configuration.

IP Translation

IP translation (NAT) replaces the private source IP address of a packet leaving the local network for the Internet with the IP address of the Internet interface of the WinRoute host. The following example shows an appropriate traffic rule:

Source

Interface connected to the private local network.

If the network includes more than one segment and each segment is connected to an individual interface, specify all the interfaces in the Source entry.

If the local network includes other routers, it is not necessary to specify all interfaces (the interface which connects the network with the WinRoute host will be satisfactory).

Destination

Interface connected to the Internet.

Service

This entry can be used to define global limitations for Internet access. If particular services are listed here, only those services are translated and therefore usable from the local network; any other Internet service is not available, because no rule permits it.

Action

To validate a rule, one of the three actions Permit, Drop or Deny must be selected. For an IP translation rule select Permit: translation is applied only to traffic the rule lets through, so a Drop or Deny rule with translation settings simply blocks the traffic.

Translation

In the Source NAT section select the Translate to IP address of outgoing interface option (the primary IP address of the interface via which packets go out from the WinRoute host will be used for NAT).

To use another IP address for the IP translation, use the Translate to IP address option and specify the address. The address should belong to the addresses used for the Internet interface, otherwise IP translations will not function correctly.

Warning: Only in very specific and unique situations is it necessary to define both source and destination NAT. For example, you are hosting a service on the LAN that requires a port mapping, however the local server cannot have a default gateway, or it uses a gateway other than WinRoute. In this case it is possible to perform source NAT on traffic passed to the internal server so that it will reply back to the WinRoute firewall.

Note: The rule defined above allows outgoing traffic initiated from the local network to the Internet. It is also necessary to define a rule that allows traffic initiated from the WinRoute host itself (defined by the source Firewall). Because the WinRoute host is directly connected to the Internet, no translation is needed in that rule. Replies to connections opened by the WinRoute host are admitted by stateful packet inspection; everything else is blocked by the default "catch all" rule at the bottom of the rule list.

Port mapping

Port mapping allows services hosted on the local network (typically in private networks) to become available over the Internet. The locally hosted server would behave as if it existed directly on the Internet. The traffic rule therefore must be defined as in the following example:

Source

Interface connected to the Internet (requests from the Internet will arrive on this interface).

Destination

The WinRoute host labelled as Firewall, which represents all IP addresses bound to the firewall host.

Service

You can select one of the predefined services (see chapter 8.3) or define an appropriate service with protocol and port number.

All services that are to be mapped to the same local host can be listed in this entry. To map services to a different host, create a new traffic rule.

Action

Select the Permit option; otherwise the traffic will be blocked and the port mapping will have no effect.

Translation

In the Destination NAT (Port Mapping) section select the Translate to IP address option and specify the IP address of the host within the local network where the service is running.

Using the Translate port to option you can map a service to a different port. This allows services to be available on non-standard ports without the necessity of modifying the port used by the server application.

Warning: The Source NAT section should be set to the No Translation option. Combining source and destination IP address translation is relevant under special conditions only (see the warning in the IP Translation section above).

Note: For proper functionality of port mapping, the locally hosted server must point to the WinRoute firewall as the default gateway. Otherwise, it will be necessary to enable Source NAT in addition to Destination NAT .

Multihoming

Multihoming is a term used for situations when one network interface connected to the Internet uses multiple public IP addresses. Typically, multiple services are available through individual IP addresses (this implies that the services are mutually independent).

Example: A web server web1 with IP address 192.168.1.100 and a web server web2 with IP address 192.168.1.200 are running in the local network. The interface connected to the Internet uses two public IP addresses, 63.157.211.10 and 63.157.211.11. We want the server web1 to be available from the Internet at the IP address 63.157.211.10 and the server web2 at the IP address 63.157.211.11.

The two following traffic rules must be defined in WinRoute to enable this configuration:

Source

Interface which is connected to the Internet (incoming requests from Internet clients will be accepted through this interface).

Destination

An appropriate IP address of the interface connected to the Internet (use the Host option for insertion of an IP address).

Service

Service which will be available at this IP address (the HTTP service in the case of a Web server).

Action

Use the Permit option, otherwise the traffic will be blocked.

Translation

Go to the Destination NAT (Port Mapping) section, select the Translate to IP address option and specify IP address of a corresponding Web server (web1 or web2).

Limiting Internet Access

Access to Internet services can be limited in several ways. In the following examples, the limitation rules use IP translation. There is no need to define other rules as all traffic that would not meet these requirements will be blocked by the default "catch all" rule.

Other methods of Internet access limitations can be found in the Exceptions section (see below).

Note: Rules mentioned in these examples can be also used if WinRoute is intended as a neutral router (no address translation) — in the Translation entry there will be no translations defined.

  1. Allow access to selected services only. In the translation rule in the Service entry specify only those services that are intended to be allowed.

  2. Limitations by IP address. Access to particular services (or to any Internet service) will be allowed only from selected hosts. In the Source entry define the host or address group.

    Note: This type of rule should be used only if each user has his/her own host and the hosts have static IP addresses.

  3. Limitations by user. The firewall checks whether the connection comes from a host on which a user has authenticated. In this case you must define user accounts in WinRoute, and users must authenticate using the firewall authentication page before access is granted to the specified service.

    Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account in WinRoute will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can easily monitor which services and which pages are opened by each user (it is not possible to connect anonymously).

    Note: Detailed information about user connections to the firewall can be found in chapter 7.2.

The rules mentioned above can be combined in various ways (e.g. a user group can be allowed to access certain Internet services only).

Exceptions

You may need to allow access to the Internet only for a certain user/address group, whereas all other users should not be allowed to access this service.

This will be better understood through the following example (how to allow a user group to use the Telnet service). Use the two following rules to meet these requirements:

  • The first rule permits the selected users (or a group of users, IP addresses, etc.) to use the Telnet service.

  • The second rule denies the Telnet service to all other users.

The permitting rule must be placed above the denying rule, and both must be placed above any general rule that would already match the traffic (such as the IP translation rule permitting all services from the local network): rules are applied in order and the first matching rule decides.
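The behaviour described in this chapter (first matching rule decides, Source NAT to the outgoing interface, Destination NAT for port mapping and for multihoming, and the ordering of the exception pair) can be checked with a small model of the rule table. The following is an added Python example, not WinRoute code and not taken from the Kerio manual. Only web1, web2 and the two public addresses come from the multihoming example above; the interface names, the local network prefix, the firewall's primary addresses, the SSH port mapping, the user names and all sample packets are constructed assumptions. Stateful handling of reply traffic is not modelled. The `BAD_ORDER` table goes slightly beyond the text: it shows what happens when the general NAT rule is placed above the Telnet exception pair.

```python
"""Model of first-match traffic rules with Source NAT and Destination NAT.

Added example, not Kerio code. Interface names, LAN prefix, firewall addresses,
the SSH mapping, user names and sample packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LAN_IF, WAN_IF = "lan", "wan"                      # assumed interface names
FIREWALL = "Firewall"                              # "all addresses bound to the firewall host"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local network
IF_ADDR = {LAN_IF: "192.168.1.1", WAN_IF: "63.157.211.10"}   # assumed primary address per interface
FIREWALL_ADDRS = {"192.168.1.1", "63.157.211.10", "63.157.211.11"}

@dataclass
class Packet:
    in_if: str                   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int
    user: Optional[str] = None   # user authenticated on the source host, if any

@dataclass
class Rule:
    name: str
    source: set                  # interface names, IP addresses or user names
    destination: set             # interface names, IP addresses or FIREWALL
    service: Optional[set]       # {(proto, port), ...}; None means any service
    action: str                  # "Permit", "Drop" or "Deny"
    snat: Optional[str] = None       # "outgoing" or an explicit public address
    dnat_ip: Optional[str] = None    # Destination NAT target (port mapping)
    dnat_port: Optional[int] = None  # "Translate port to"; None keeps the port

def route(dst: str) -> str:
    """Pick the outgoing interface for a destination address."""
    return LAN_IF if ipaddress.ip_address(dst) in LAN_NET else WAN_IF

def matches(rule: Rule, pkt: Packet) -> bool:
    src_ok = (pkt.in_if in rule.source or pkt.src in rule.source
              or (pkt.user is not None and pkt.user in rule.source))
    local = pkt.dst in FIREWALL_ADDRS          # addressed to the firewall host itself
    dst_ok = ((FIREWALL in rule.destination and local)
              or pkt.dst in rule.destination
              or (not local and route(pkt.dst) in rule.destination))
    svc_ok = rule.service is None or (pkt.proto, pkt.dport) in rule.service
    return src_ok and dst_ok and svc_ok

def evaluate(rules, pkt: Packet):
    """Return (rule name, action, translated packet) from the first matching rule.

    Translation is applied only when the action is Permit; a packet that no
    rule matches is blocked by the implicit "catch all" rule.
    """
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action != "Permit":
            return rule.name, rule.action, None
        out = replace(pkt)
        if rule.dnat_ip:                       # port mapping / multihoming
            out.dst = rule.dnat_ip
            out.dport = rule.dnat_port or out.dport
        if rule.snat == "outgoing":            # "Translate to IP address of outgoing interface"
            out.src = IF_ADDR[route(out.dst)]
        elif rule.snat:
            out.src = rule.snat
        return rule.name, "Permit", out
    return "catch all", "Deny", None

GOOD_ORDER = [
    # Exceptions: permit the user group first, then deny the service to everyone else.
    Rule("telnet for admins", {"alice", "bob"}, {WAN_IF}, {("tcp", 23)}, "Permit", snat="outgoing"),
    Rule("telnet for everyone else", {LAN_IF}, {WAN_IF}, {("tcp", 23)}, "Deny"),
    # IP translation for all remaining traffic from the local network.
    Rule("NAT", {LAN_IF}, {WAN_IF}, None, "Permit", snat="outgoing"),
    # Port mapping with port translation: public tcp/2222 -> internal host, port 22.
    Rule("ssh port mapping", {WAN_IF}, {FIREWALL}, {("tcp", 2222)}, "Permit",
         dnat_ip="192.168.1.20", dnat_port=22),
    # Multihoming: one Destination NAT rule per public address.
    Rule("web1", {WAN_IF}, {"63.157.211.10"}, {("tcp", 80)}, "Permit", dnat_ip="192.168.1.100"),
    Rule("web2", {WAN_IF}, {"63.157.211.11"}, {("tcp", 80)}, "Permit", dnat_ip="192.168.1.200"),
]
# Same rules with the general NAT rule moved above the Telnet exception pair.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]] + GOOD_ORDER[3:]

SAMPLES = {   # constructed sample packets
    "lan https": Packet(LAN_IF, "192.168.1.50", "198.51.100.7", "tcp", 443, user="carol"),
    "admin telnet": Packet(LAN_IF, "192.168.1.50", "198.51.100.7", "tcp", 23, user="alice"),
    "other telnet": Packet(LAN_IF, "192.168.1.51", "198.51.100.7", "tcp", 23, user="carol"),
    "inbound ssh": Packet(WAN_IF, "203.0.113.9", "63.157.211.10", "tcp", 2222),
    "inbound web2": Packet(WAN_IF, "203.0.113.9", "63.157.211.11", "tcp", 80),
    "inbound smtp": Packet(WAN_IF, "203.0.113.9", "63.157.211.10", "tcp", 25),
}

if __name__ == "__main__":
    for order_name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print("---", order_name)
        for label, pkt in SAMPLES.items():
            name, action, out = evaluate(rules, pkt)
            where = f"{out.src} -> {out.dst}:{out.dport}" if out else "-"
            print(f"{label:13} {name:25} {action:6} {where}")
```

Running the script prints one line per sample packet for both tables. In the good order, carol's Telnet attempt is stopped by the "telnet for everyone else" rule while alice's is permitted and translated to 63.157.211.10; in the bad order both are permitted by the general NAT rule and the deny is never reached. Inbound tcp/2222 to any firewall address is rewritten to 192.168.1.20:22, inbound HTTP to 63.157.211.11 goes to web2, and inbound SMTP, which no rule matches, is blocked by the catch-all rule.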