Network Rules Wizard

The network rules wizard asks only for the data that is essential for creating a basic set of traffic rules. The rules defined in this wizard enable access from the local network to selected Internet services, and ensure full protection of the local network (including the WinRoute host) against intrusion attempts from the Internet. To guarantee reliable WinRoute functionality after the wizard is used, all existing rules are removed and replaced by rules created automatically from the entered data.

Click on the Wizard button to run the network rules wizard.

Note: The existing traffic policy is replaced by the new rules only after the entire process has been completed and the last step confirmed. This means that the wizard can be stopped and canceled at any point during the process without losing the existing rules.

Step 1: Information

To run successfully, the wizard requires the following parameters on the WinRoute host:

  • at least one active adapter connected to the local network

  • at least one active adapter connected to the Internet, or at least one dial-up connection defined. The dial-up connection need not be active to run the wizard.

Step 2: Selection of Internet connection type

Select the type of Internet connection that is used: a network adapter (Ethernet, WaveLAN, DSL, etc.), a dial-up line (analog modem, ISDN, etc.) or the DirecWay satellite system. DirecWay is available only if a corresponding device driver is detected in the operating system.

Step 3: Network adapter or dial-up selection

If a network adapter is used to connect the host to the Internet, select it from the menu. To make following the wizard easier, the IP address, network mask and MAC address of the selected adapter are displayed as well.

Note: The interface with the default gateway is listed first. Therefore, in most cases the appropriate adapter is already selected in this step.

In the case of a dial-up line, the appropriate connection (as defined in the operating system) must be selected and login data must be specified:

  • Use login data from the RAS entry: the username and password for authentication at the remote server are copied from the corresponding Windows RAS entry. The RAS connection must be saved in the system phonebook (the connection must be available to all users).

  • Use the following login data: specify the Username and Password that will be used for authentication at the remote server. This option is useful, for example, when it is not desirable to save the login data in the operating system, or if the data should be editable later.

Step 4: Internet access limitations

Select which Internet services will be available for LAN users:


Allow access to all services

Internet access from the local network will not be limited. Users can access any Internet service.

Allow access to the following services only

Only selected services will be available from the local network.

Note: Only basic services are listed in this dialog, regardless of which services are defined in WinRoute (see chapter Services). Other services can be allowed by defining separate traffic policy rules (see below).

Step 5: Enabling Kerio VPN traffic

To use WinRoute's proprietary VPN solution in order to connect remote clients or to create tunnels between remote networks, select Yes, I want to use Kerio VPN. Specific services and address groups for VPN will be added. For detailed information on the proprietary VPN solution integrated in WinRoute, refer to chapter Kerio VPN.

If you do not intend to use this solution, or you use a third-party solution (e.g. Microsoft PPTP, Nortel IPSec, etc.), choose the No, do not create rules for Kerio VPN option.

Step 6: Specification of servers that will be available within the local network

If any service that is intended to be available from the Internet (e.g. a WWW server, an FTP server, etc.) is running on the WinRoute host or on another host within the local network, define it in this dialog.

The dialog for adding a new service is opened with the Add button.


Service is running on

Definition of the host where the service is running:

  • Firewall: the host where WinRoute is installed

  • IP Address: the address of a server within the local network (the host that the service is running on)

    Note: The host's default gateway must point to WinRoute, so that its Internet access passes through WinRoute; otherwise the service will not be available.

Service

Selection of the service to be enabled. The service must have been defined beforehand in Configurations / Definitions / Services (see chapter Services).

Note: Most common services are predefined in WinRoute.

Step 7: NAT

If you use only one public IP address to connect your private local network to the Internet, enable the NAT function (IP address translation). Do not enable this function if WinRoute is used for routing between two public networks or between two local segments (neutral router).

Step 8: Generating the rules

In the last step, an information window warns that the traffic policy will be built from the entered data and that all existing rules will be deleted and replaced with the new ones.

Warning: This is the last chance to cancel the process and keep the existing traffic policy. Click on the Finish button to delete the existing rules and replace them with the new ones.

Rules Created by the Wizard

The traffic policy is easier to understand from the description of the traffic rules created by the wizard in the previous example.


ICMP traffic

This rule is added regardless of the settings made in the individual steps. The PING command can be used to request a response from the WinRoute host; this helps to debug important issues (e.g. to verify that the Internet connection works).

Note: The ICMP traffic rule does not allow clients to use the PING command from the local network to the Internet. If you want to use the command anyway, you must add the Ping service to the NAT rule (for details see chapter Definition of Custom Traffic Rules).

ISS OrangeWeb Filter

If ISS OrangeWeb Filter (a module for classification of websites) is used, this rule allows communication with the corresponding databases. Do not disable this traffic, otherwise ISS OrangeWeb Filter might not function properly.

NAT

If this rule is added, the source (private) addresses in all packets directed from the local network to the Internet are replaced with the address of the interface connected to the Internet (see the wizard, steps 3 and 6). However, only the services selected in step 4 can be accessed.

The Dial-In interface is also included in the Source column. This means that all RAS clients connected to the server can use NAT to access the Internet.

Local Traffic

This rule enables all traffic between local hosts and the WinRoute host. The Source and Destination items of this rule include all of the WinRoute host's interfaces except the interface connected to the Internet (the interface chosen in step 3).

In this rule, the Source and Destination items also cover the Dial-In and VPN clients interfaces. This means that the Local Traffic rule also allows traffic between local hosts and RAS clients/VPN clients connected to the server.

Note: Access to the WinRoute host is not limited, as the wizard assumes that this host belongs to the local network. Access can be limited by modifying an appropriate rule or by creating a new one. An ill-considered rule limiting access to the WinRoute host might block remote administration or make some Internet services unavailable (all traffic directed to the Internet passes through this host).

Firewall Traffic

This rule enables access to certain services from the WinRoute host itself. It is similar to the NAT rule, except that it does not perform IP address translation (this host connects to the Internet directly).

HTTP and HTTPS

These rules map the HTTP and HTTPS services running on the host with IP address 192.168.1.10 (step 6). These services will be available on the IP addresses of the external interface (step 3).

Default rule

This rule denies all communication that is not allowed by the other rules. The default rule is always listed at the end of the rule list and cannot be removed.

The default rule lets the administrator select which action is taken on undesirable traffic (Deny or Drop) and whether packets and/or connections are logged.

Note: To see detailed descriptions of traffic rules refer to chapter Definition of Custom Traffic Rules.
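The following is an added illustration, not WinRoute code: a small first-match model of the rule set described above (ISS OrangeWeb Filter omitted), showing why, for example, a ping from the local network to the Internet is caught by the default rule while inbound HTTP is mapped to 192.168.1.10. The interface names, the "Firewall" pseudo-interface and the packet model are assumptions made for the example.

```python
# Added illustration, not WinRoute code: a minimal first-match model of the
# rule set this wizard generates, showing why a packet is permitted or denied.
# Interface names, the "Firewall" pseudo-interface and the packet model are assumed.
from dataclasses import dataclass

ANY = "*"

@dataclass
class Rule:
    name: str
    src: set            # interfaces the packet may arrive from (ANY = any)
    dst: set            # interfaces/hosts the packet may be addressed to
    services: set       # service names; ANY matches every service
    action: str         # "permit" or "deny"
    nat: bool = False   # source address rewritten to the Internet interface
    map_to: str = ""    # port mapping: destination rewritten to this LAN host

@dataclass
class Packet:
    src: str            # e.g. "LAN", "Internet", "Firewall"
    dst: str
    service: str        # e.g. "HTTP", "Ping"

def build_wizard_rules(lan_ifaces, inet, allowed, published):
    """Rules in the order the page lists them (ISS OrangeWeb Filter omitted)."""
    local = set(lan_ifaces) | {"Firewall", "Dial-In", "VPN clients"}
    rules = [
        Rule("ICMP traffic", {ANY}, {"Firewall"}, {"Ping"}, "permit"),
        Rule("NAT", local - {"Firewall"}, {inet}, set(allowed), "permit", nat=True),
        Rule("Local Traffic", local, local, {ANY}, "permit"),
        Rule("Firewall Traffic", {"Firewall"}, {inet}, set(allowed), "permit"),
    ]
    for svc, host in published:   # step 6: one mapping rule per published service
        rules.append(Rule(svc, {inet}, {"Firewall"}, {svc}, "permit", map_to=host))
    rules.append(Rule("Default rule", {ANY}, {ANY}, {ANY}, "deny"))  # always last
    return rules

def _hit(members, value): return ANY in members or value in members

def evaluate(rules, pkt):
    """Return (rule name, action, mapped host) of the first matching rule."""
    for r in rules:
        if _hit(r.src, pkt.src) and _hit(r.dst, pkt.dst) and _hit(r.services, pkt.service):
            return r.name, r.action, r.map_to
    raise RuntimeError("unreachable: the default rule matches everything")

# Constructed scenario: one LAN adapter, only HTTP/HTTPS allowed (step 4),
# HTTP and HTTPS published on the external interface to 192.168.1.10 (step 6).
WIZARD = build_wizard_rules(["LAN"], "Internet", ["HTTP", "HTTPS"],
                            [("HTTP", "192.168.1.10"), ("HTTPS", "192.168.1.10")])
```

Call `evaluate(WIZARD, Packet("LAN", "Internet", "Ping"))` to see the default rule catch a LAN-to-Internet ping, and add "Ping" to the allowed list to see the NAT rule pick it up instead.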
