Configuring policy routing
When the LAN is connected to the Internet by multiple links with load balancing, it may be necessary to force certain types of traffic out a particular interface, for example sending VoIP traffic out a different interface than web browsing or streaming media. This approach is called policy routing.
In Kerio Control, policy routing is defined by conditions in traffic rules for Internet access with IP address translation (NAT).
Policy routing traffic rules take priority over routes defined in the routing table.
Example: the firewall is connected to the Internet by two load-balanced links with speeds of 4 Mbit/s and 8 Mbit/s. The 4 Mbit/s link is connected to the provider that also hosts the mail server, so all email traffic (SMTP, IMAP and POP3) should be routed through that link.
Define traffic rules:
- The first rule applies NAT to email services and uses the Internet 4 Mbit interface.
- The second rule is a general NAT rule with automatic interface selection.
The NAT setting in the rule for email services is shown in the figure below. Enable the use of a backup link in case the preferred link fails; otherwise email services become unavailable whenever that link goes down.
The second rule uses automatic interface selection, so the Internet 4 Mbit link also takes part in load balancing of other traffic. Because rules are evaluated in order, email traffic still matches the first rule and is sent through the link that rule prefers. As a result the total load is balanced efficiently across both links at all times.
If you need to reserve a link for a specific traffic type only (i.e. route all other traffic through the other links), go to Interfaces and uncheck the Use for Link Load Balancing option for that link. The link is then excluded from automatic load balancing, and only traffic explicitly directed to it by a traffic rule is routed through it.
Kerio Control provides two modes of network traffic load balancing:
- per host (clients)
- per connection
Load balancing per connection makes the most efficient use of the individual links. However, this mode can cause problems with services that open several connections at the same moment (web pages and other web-related services): consecutive connections from one client may leave through different links and therefore arrive at the server from different public IP addresses, which the server may interpret as connection recovery after a failure or as an attack attempt.
Policy routing works around this problem. For the problematic services (e.g. HTTP and HTTPS) the load is balanced per host, i.e. all connections from one client are routed through the same Internet link, so they all carry the same public IP address. All other services are balanced per connection, which makes the most efficient use of the capacity of the available links.
These requirements are met with two NAT traffic rules:
- In the first rule, specify the affected services and set the per host NAT mode.
- In the second rule, which applies to all other services, set the per connection NAT mode.
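To make the rule ordering, the backup-link behaviour and the difference between per host and per connection balancing concrete, the following is an added Python model of the decision logic described in the two procedures above (email traffic pinned to the 4 Mbit link with a backup, HTTP/HTTPS balanced per host, everything else per connection). It is illustration code written for this page, not Kerio Control code: the Link and Rule classes, the speed-weighted hash selection and the fallback when a preferred link is down are assumptions that mirror the text, and all IP addresses and ports are constructed sample data.

```python
"""Toy model of how top-down NAT traffic rules pick the egress link.

Added illustration for this page, not Kerio Control code. Rules are matched
top-down and the first match decides; interface selection is either a fixed
link (policy routing) or automatic balancing over links marked for it.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    name: str
    speed_mbit: int                        # used as the balancing weight (assumption)
    up: bool = True
    use_for_load_balancing: bool = True    # models the "Use for Link Load Balancing" option


@dataclass
class Rule:
    name: str
    services: Optional[frozenset]          # destination TCP ports; None matches any service
    mode: str                              # "fixed", "per_host" or "per_connection"
    link: Optional[str] = None             # preferred link for mode "fixed"
    allow_backup: bool = True              # fixed mode: use another link if preferred is down


def _weighted_pick(links, key):
    """Deterministically map a key onto one link, proportional to link speed."""
    total = sum(l.speed_mbit for l in links)
    slot = int(hashlib.sha256(key.encode()).hexdigest(), 16) % total
    for link in links:
        if slot < link.speed_mbit:
            return link.name
        slot -= link.speed_mbit
    raise AssertionError("unreachable: slot always lands inside one link's weight")


def route(rules, links, src_ip, src_port, dst_ip, dst_port):
    """Return (matched rule name, egress link name or None) for one connection.

    The first rule whose service set matches wins, which is why the email rule
    (or the per host web rule) must sit above the general NAT rule.
    """
    up = [l for l in links if l.up]
    balanced = [l for l in up if l.use_for_load_balancing]   # automatic selection pool
    conn_key = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}"
    for rule in rules:
        if rule.services is not None and dst_port not in rule.services:
            continue
        if rule.mode == "fixed":
            if any(l.name == rule.link for l in up):
                return rule.name, rule.link         # reserved link works even if excluded from LLB
            if not rule.allow_backup or not balanced:
                return rule.name, None              # preferred link down, no backup: traffic stalls
            return rule.name, _weighted_pick(balanced, conn_key)
        if not balanced:
            return rule.name, None
        key = src_ip if rule.mode == "per_host" else conn_key
        return rule.name, _weighted_pick(balanced, key)
    return None, None                               # no rule matched: denied


# Constructed sample topology and rule set from the two procedures on this page.
LINKS = [Link("Internet 4 Mbit", 4), Link("Internet 8 Mbit", 8)]
MAIL_PORTS = frozenset({25, 143, 110})             # SMTP, IMAP, POP3
WEB_PORTS = frozenset({80, 443})                   # HTTP, HTTPS
RULES = [
    Rule("Email via ISP link", MAIL_PORTS, "fixed", link="Internet 4 Mbit"),
    Rule("Web per host", WEB_PORTS, "per_host"),
    Rule("NAT", None, "per_connection"),
]


def links_used(rules, links, src_ip, dst_ip, dst_port, n=200):
    """Set of egress links chosen for n connections from one client to one service."""
    return {route(rules, links, src_ip, 40000 + i, dst_ip, dst_port)[1] for i in range(n)}


if __name__ == "__main__":
    print(route(RULES, LINKS, "10.0.0.5", 40000, "203.0.113.10", 25))
    print("web links for one client:", links_used(RULES, LINKS, "10.0.0.5", "198.51.100.7", 443))
    print("ssh links for one client:", links_used(RULES, LINKS, "10.0.0.5", "198.51.100.9", 22))
```

Per host balancing hashes only the client address, so every connection of that client lands on the same link and therefore carries the same public IP; per connection hashes the whole 4-tuple and spreads a single client across both links, which is exactly what upsets servers that correlate connections by source address.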