Overview
If the LAN is connected to the Internet by multiple links with load balancing, it may be necessary to force certain types of traffic out a particular Interface. For example, sending VoIP traffic out a different Interface than your web browsing or streaming media. This approach is called policy routing. In Kerio Control, policy routing can be defined by conditions in traffic rules for Internet access with IP address translation (NAT). Policy routing traffic rules take higher priority than routes defined in the routing table.
Step-By-Step Guide
Note: The firewall is connected to the Internet by two links with load balancing with speed values of 4 Mbit/s and 8 Mbit/s. One of the links is connected to the provider where the mailserver is also hosted. Therefore, all email traffic (SMTP, IMAP and POP3) is routed through this link.
Configure a preferred link for email traffic by defining the following traffic rules:
- The first rule defines that NAT is applied to email services and the Internet 4 Mbit interface is used.
- The other rule is a general NAT rule with automatic interface selection.
The setting of NAT in the rule for email services is shown in the figure below. Allow use of a backup link in case the preferred link fails. Otherwise, email services will be unavailable when the connection fails.
NOTE
In the second rule, automatic interface selection is used. This means that the Internet 4 Mbit link is also used for network traffic load balancing. Email traffic is certainly still respected and has higher priority on the link preferred by the first rule. This means that the total load will be efficiently balanced between both links all the time.
If you need to reserve a link only for a specific traffic type (i.e. route other traffic through other links), go to Interfaces and uncheck the Use for Link Load Balancing option. In this case, the link will not be used for automatic load balancing. Only traffic specified in corresponding traffic rules will be routed through it.
Configuring an optimization of network traffic load balancing
Kerio Control provides two options for network traffic load balancing:
- per host (clients)
- per connection
The best solution (more efficient use of individual links) proves to be the option of load balancing per connection. However, this mode may encounter problems with access to services where multiple connections get established at one moment (web pages and other web related services). The server can consider source addresses in individual connections as connection recovery after a failure or as an attack attempt.
This problem can be bridged over by policy routing. In case of problematic services (e.g. HTTP and HTTPS) the load will be balanced per host, i.e. all connections from one client will be routed through a particular Internet link so that their IP address will be identical (a single IP address will be used). To any other services, load balancing per connection will be applied — thus maximally efficient use of the capacity of available links will be reached.
Meeting of the requirements will be guaranteed by using two NAT traffic rules:
- In the first rule, specify corresponding services and set the per host NAT mode.
- In the second rule, which will be applied for any other services, set the per connection NAT mode.
Confirmation: You have configured the policy routing and load balance settings as needed.