Phone Lines icon GFI Support Home

Articles in this section

See more

Configuring NAT in Kerio Control

Author: Vladyslav Velychko Updated

Overview

Network Address Translation (NAT) is a term used for the exchange of a private IP address in a packet going out from the local network to the Internet with the IP address of the Internet interface of the Kerio Control host. This technology is used to connect local private networks to the Internet by a single public IP address.

Kerio Control traffic rules configuration supports source, destination, and reverse connections (full cone NAT) modes.

Solution

  1. In the Kerio Control administration interface, go to Traffic Rules. IP address translation must be configured for the particular rule.
  2. Double-click Translation column in the selected rule.
  3. In the Traffic Rule - Translation dialog, you can apply the settings to IPv4 NAT only or to both IPv4 and IPv6:

translation.png

Source IP address translation (source NAT — Internet connection sharing)

Source address translation is used in traffic rules applied to traffic from the local private network to the Internet. In other rules (traffic between the local network and the firewall, between the firewall and the Internet, etc.), NAT is unnecessary.

For source address translation, check Enable source NAT and select one of the following options:

By default, in packets sent from the LAN to the Internet source, IP address will be replaced by IP address of the Internet interface of the firewall through which the packet is sent. This IP address translation method is useful in the general rule for access from the LAN to the Internet because it works correctly in any Internet connection configuration and for any status of individual links.

translation0.png

For a single leased link or connection failover, the following options have no effect on Kerio Control's functionality. If Kerio Control works in the mode of network traffic load balancing, you can select:

  • Perform load balancing per host — traffic from the specific host in the LAN will be routed via the same Internet link. This method is set as default because it guarantees the same behavior as in the case of clients connected directly to the Internet. However, load balancing dividing the traffic among individual links might be not optimal in this case.

  • Perform load balancing per connection — the Internet link will be selected for each connection established from the LAN to the Internet to spread the load optimally. This method guarantees the most efficient use of the Internet connection's capacity. However, it might also introduce problems and collisions with certain services. The problem is that individual connections are established from various IP addresses (depending on the firewall's interface from which the packet is sent) which may be considered as an attack at the destination server.

Packets will be sent to the Internet via this specific link. This allows the definition of rules for forwarding specific traffic through a selected Interface — so-called policy routing.

translation2.png

If the selected Internet link fails, the Internet will be unavailable for all services, clients, etc. specified by this rule. To prevent such situations, check to Allow using a different interface if this one becomes unavailable.

An IP address for NAT will be used as the source IP address for all packets sent from the LAN to the Internet.

translation3.png

  • It is necessary to use an IP address of one of the firewall's Internet interfaces.
  • Definition of a specific IP Address cannot be used in combination with network load balancing or connection failover.
  • IPv6 Prefix will be available only if IPv4 NAT and IPv6 prefix translation is chosen. If IPv4 NAT only is selected, the field will be greyed out.

 

Destination NAT (port mapping)

Destination address translation is used to allow access to services hosted in private local networks behind the firewall.

For port mapping:

  1. Check Enable destination NAT.
  2. In the field Translate to the following host, type a host address or DNS name. IP address that will substitute the packet's destination address. This address also represents the address/name of the host on which the service is actually running.
  3. If you want to change a port, check Translate port as well and type the service port. During the process of IP translation, you can also substitute the port of the appropriate service. This means that the service can run at a port that is different from the port where it is available from the Internet.

mceclip2.png

Example

A default NAT rule description:

A typical traffic rule for NAT (Internet connection sharing):

Column Description
Source

Group Trusted/Local Interfaces (from the Interfaces section). This group includes all segments of the LAN connected directly to the firewall. If access to the Internet from some segments is supposed to be blocked, the most suitable group to file the interface into is Other interfaces.

If the local network consists of cascaded segments (i.e. it includes other routers), it is not necessary to customize the rule in accordance with this fact — it is just necessary to set routing correctly. 
Destination

The Internet Interfaces group. With this group, the rule can be used for any type of Internet connection.
Service

This entry can be used to define global limitations for Internet access. If particular services are defined for NAT, only these services will be used for the NAT and other Internet services will not be available from the local network.
Actions

The Action must be set to Allow.
Translation

In the Source NAT section select the Default settings option (the primary IP address of the outgoing interface will be used for NAT). The default option will ensure that the correct IP address and Interface are used for the intended destination.

Warning: Destination NAT should NOT be configured for outgoing rules, except under very unique circumstances.
Placing the rule

The rule for destination address translation must be preceded by all rules which deny access to the Internet from the local network.

Such a rule allows access to the Internet from any host in the local network, not from the firewall itself (i.e. from the Kerio Control host).

 

Traffic between the firewall and the Internet is enabled by a special rule by default. Since the Kerio Control host can access the Internet directly, it is NOT necessary to use NAT.

 A rule for traffic between the firewall and hosts in the Internet

Related articles