Administrator's Guide - Kerio Software Archive
Traffic Policy

Figure 7.40 Enabling Full cone NAT in the traffic rule

The rule for Full cone NAT must precede the general NAT rule that allows traffic from the local network to the Internet.

7.9 Media hairpinning

Kerio Control can “arrange” traffic between two clients in the LAN that “know each other” only by the firewall’s public IP address. This feature of the firewall is called hairpinning (the hairpin image suggests the packet’s “U-turn” back to the local network). Because it is used mainly for transmitting voice or video, it is also known as media hairpinning.

Example: Two SIP telephones in the LAN

Let us suppose two SIP telephones are located in the LAN. These telephones authenticate at a SIP server in the Internet. The parameters may be as follows:

• IP addresses of the phones: 192.168.1.100 and 192.168.1.101
• Public IP address of the firewall: 195.192.33.1
• SIP server: sip.server.com

For the telephones, define the corresponding traffic rules, see chapter 7.8 (as shown in figure 7.39, simply set the Source of the Full cone NAT traffic rule to the IP address of the other telephone).

Both telephones will be registered on the SIP server under the firewall’s public IP address (195.192.33.1). When the telephones establish a connection with each other, data packets (carrying the voice stream) from both telephones are sent to the firewall’s public IP address (and to the port of the other telephone). Under normal conditions such packets would be dropped. However, Kerio Control uses the corresponding record in the NAT table to recognize that the packet is addressed to a client in the local network. It then translates the destination IP address and sends the packet back to the local network (just as it does for port mapping). This ensures that traffic between the two phones works correctly.

Note:
1. Hairpinning requires that traffic between the local network and the Internet is allowed (before the firewall processes them, packets carry a local source address and an Internet destination address, i.e. they are outgoing traffic from the local network to the Internet). In the default traffic rules created by the wizard (see chapter 7.1), this condition is met by the NAT rule.
2. In principle, hairpinning does not require that Full cone NAT is allowed (see chapter 7.8). However, in our example, Full cone NAT is required for the SIP protocol to work correctly.
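The NAT-table lookup this section describes, modelled in Python as an added example (this is not Kerio code and not taken from the guide). It assumes a first-match rule list in the order figure 7.40 requires (Full cone NAT rules for the two phones ahead of the general NAT rule), external ports allocated from 30000 upwards, and that sip.server.com resolves to the constructed placeholder address 203.0.113.10. Two modelling assumptions go beyond the text: the source of a hairpinned packet is rewritten to the firewall's public IP as well, so the reply returns through the firewall, and a mapping created by the general (non-full-cone) rule is treated as address-restricted, which is how the example reproduces Note 2: with only the general NAT rule in place, phone B's NAT record refuses the hairpinned packet from phone A.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology, taken from the guide's example. sip.server.com is
# assumed to resolve to 203.0.113.10 (placeholder address, not from the guide).
LAN = ip_network("192.168.1.0/24")
FIREWALL_PUBLIC_IP = "195.192.33.1"
SIP_SERVER_IP = "203.0.113.10"

# Traffic rules, evaluated top-down, first match wins (modelling assumption).
# The Full cone NAT rules for the phones precede the general NAT rule.
Rule = Tuple[str, bool]          # (source network, full cone NAT enabled)
RULES: List[Rule] = [
    ("192.168.1.100/32", True),  # Full cone NAT for phone A
    ("192.168.1.101/32", True),  # Full cone NAT for phone B
    ("192.168.1.0/24", False),   # general NAT rule created by the wizard
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    ext_port: int                # port on the firewall's public address
    full_cone: bool              # any sender may reach ext_port if True
    peer: Tuple[str, int]        # destination the mapping was created for


class NatTable:
    def __init__(self, first_port: int = 30000):
        self.by_internal: Dict[Tuple[str, int], Mapping] = {}
        self.next_port = first_port

    def get_or_create(self, pkt: Packet, full_cone: bool) -> Mapping:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_internal:
            self.by_internal[key] = Mapping(self.next_port, full_cone, (pkt.dst_ip, pkt.dst_port))
            self.next_port += 1
        return self.by_internal[key]

    def find_by_ext_port(self, ext_port: int) -> Optional[Tuple[Tuple[str, int], Mapping]]:
        for internal, m in self.by_internal.items():
            if m.ext_port == ext_port:
                return internal, m
        return None


def is_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


def match_rule(pkt: Packet, rules: List[Rule]) -> Optional[bool]:
    """First NAT rule matching LAN -> non-LAN traffic; None means no rule allows the packet."""
    if not is_lan(pkt.src_ip) or is_lan(pkt.dst_ip):
        return None
    for net, full_cone in rules:
        if ip_address(pkt.src_ip) in ip_network(net):
            return full_cone
    return None


def process(pkt: Packet, nat: NatTable, rules: List[Rule] = RULES) -> Tuple[Optional[Packet], str]:
    """Apply policy and NAT to one packet leaving the LAN; returns (translated packet, verdict)."""
    full_cone = match_rule(pkt, rules)
    if full_cone is None:
        return None, "dropped: no traffic rule allows this packet"
    # Outgoing SNAT: the source becomes the firewall's public IP plus the mapped port.
    mapping = nat.get_or_create(pkt, full_cone)
    snat_src = (FIREWALL_PUBLIC_IP, mapping.ext_port)
    if pkt.dst_ip != FIREWALL_PUBLIC_IP:
        return Packet(*snat_src, pkt.dst_ip, pkt.dst_port), "forwarded to Internet"
    # Destination is the firewall's own public address: look for a NAT record
    # for that port, which identifies the LAN client the packet is really for.
    found = nat.find_by_ext_port(pkt.dst_port)
    if found is None:
        return None, "dropped: no NAT record for destination port"
    (int_ip, int_port), target = found
    # Assumption: a non-full-cone record only admits the peer it was created
    # for, and the translated source of the hairpinned packet is not that peer.
    if not target.full_cone and target.peer != snat_src:
        return None, "dropped: mapping is not full cone"
    return Packet(*snat_src, int_ip, int_port), "hairpinned back to LAN"


def demo(full_cone_rules: bool = True) -> Tuple[Optional[Packet], str]:
    """Register both phones at the SIP server, then let phone A send media to phone B."""
    rules = RULES if full_cone_rules else RULES[2:]   # RULES[2:] = general rule only
    nat = NatTable()
    process(Packet("192.168.1.100", 5060, SIP_SERVER_IP, 5060), nat, rules)
    reg_b, _ = process(Packet("192.168.1.101", 5060, SIP_SERVER_IP, 5060), nat, rules)
    # SIP signalling told phone A that phone B is at 195.192.33.1:<B's mapped port>.
    media = Packet("192.168.1.100", 5060, FIREWALL_PUBLIC_IP, reg_b.src_port)
    return process(media, nat, rules)


if __name__ == "__main__":
    print(demo())               # hairpinned back to LAN
    print(demo(full_cone_rules=False))   # dropped: mapping is not full cone
```

Running `demo()` shows the U-turn: phone A's packet leaves with source 195.192.33.1:30000 and is delivered to 192.168.1.101:5060. Running `demo(full_cone_rules=False)` shows the same packet being refused, which is why the Full cone NAT rules must sit above the general NAT rule in this example.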