Kerio Tech Firewall6 User Manual

Page 82


Chapter 7

Traffic Policy


If WinRoute works in the mode of network traffic load balancing (see chapter 6.4), you can select the method used for spreading the traffic between the LAN and the Internet over the individual Internet links:

Load balancing per host — all traffic from a specific host (client) in the LAN is always routed via the same Internet link. All connections from that client are established from the same source IP address (the public address of the particular firewall interface). This method is the default, because it guarantees the same behavior as for clients connected directly to the Internet. However, the division of traffic among the individual links may not be optimal in this case.

Load balancing per connection — for each connection established from the LAN to the Internet, an Internet link is selected so as to spread the load optimally. This method guarantees the most efficient use of the Internet connection’s capacity. However, it may also cause problems and collisions with certain services: the individual connections of one client are established from various IP addresses (depending on the firewall interface from which the packet is sent), which the destination server may consider an attack and respond to by closing the session, blocking the traffic, etc.

If another type of Internet connection is used (a single leased link, on-demand dialing or connection failover), these options have no effect on WinRoute’s functionality.

Hint

For maximal use of the connection’s capacity, it is possible to combine both load balancing methods. In the general rule for access from the LAN to the Internet, use load balancing per connection, and add a rule for specific services (servers, clients, etc.) which employs the load balancing per host method. For details, see also chapter 7.4.

NAT to IP address of a specific interface

It is possible to select a specific interface which will be used for the source NAT in outgoing packets. This also determines that the packets will be sent to the Internet via this specific link. This allows definition of rules that send specific traffic through a selected link — so called policy routing — see chapter 7.5.

If the selected Internet link fails, the Internet will be unavailable for all traffic meeting the criteria (specific services, clients, etc.) specified by this rule. To prevent such situations, it is possible to allow use of an alternative (back-up) interface (link) in case of the link’s failure. If this option is enabled, WinRoute behaves as in the automatic interface selection mode (see above) when such a failure occurs.
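To make the three options above concrete, here is an added Python model (written for this page, not WinRoute’s own code) of an ordered NAT rule set in the spirit of the Hint: a general per-connection rule, a per-host exception for a session-sensitive service, and a rule pinned to one interface with a back-up link allowed. The link names, public addresses and ports are constructed, and it is my assumption that the back-up behaviour selects a link the same way the per-connection balancing does.

```python
import zlib
from dataclasses import dataclass, field

# Constructed example: two Internet links, each with its own public IP (documentation addresses)
LINKS = {"isp1": "203.0.113.10", "isp2": "198.51.100.20"}

@dataclass
class Rule:
    ports: frozenset        # destination ports the rule matches (empty = any port)
    mode: str               # "per_host", "per_connection" or "interface"
    interface: str = ""     # fixed outgoing link when mode == "interface"
    backup: bool = False    # if that link fails, allow automatic selection instead
RULES = [Rule(frozenset({443}), "per_host"),                       # session-sensitive service
         Rule(frozenset({25}), "interface", "isp1", backup=True),  # pinned to one link
         Rule(frozenset(), "per_connection")]                      # general LAN-to-Internet rule
@dataclass
class Balancer:
    rules: list             # checked top to bottom, first matching rule wins
    link_up: dict           # link name -> True if the link is currently up
    load: dict = field(default_factory=dict)   # connections assigned to each link
    def live(self):
        return sorted(l for l, up in self.link_up.items() if up)
    def per_host(self, src_host):
        # Stable mapping: one client always leaves via the same link, hence the same public IP
        links = self.live()
        return links[zlib.crc32(src_host.encode()) % len(links)]
    def per_connection(self):
        # Least-loaded link for each new connection; the source IP may change between connections
        chosen = min(self.live(), key=lambda l: self.load.get(l, 0))
        self.load[chosen] = self.load.get(chosen, 0) + 1
        return chosen
    def source_ip(self, src_host, dst_port):
        # Public IP a new LAN-to-Internet connection is NATed to, or None if it cannot go out
        if not self.live():
            return None
        for r in self.rules:
            if r.ports and dst_port not in r.ports:
                continue
            if r.mode == "interface":
                if self.link_up.get(r.interface):
                    return LINKS[r.interface]
                if not r.backup:
                    return None     # fixed link is down and no back-up link allowed: traffic fails
                return LINKS[self.per_connection()]  # assumed: automatic selection = balancing
            return LINKS[self.per_host(src_host) if r.mode == "per_host" else self.per_connection()]
        return None

def ips_seen(balancer, src_host, dst_port, n=4):
    # Source addresses a destination server observes across n connections from one client
    return {balancer.source_ip(src_host, dst_port) for _ in range(n)}
```

Calling ips_seen against the per-connection rule yields both public addresses for the same client, which is exactly the pattern a destination server may mistake for an attack; the per-host rule yields only one.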

NAT with a specified IP address

It is also possible to specify an IP address for NAT which will be used as the source IP address for all packets sent from the LAN to the Internet. This option is available above all to keep the environment compatible with older WinRoute versions. However, use of a fixed IP address has many limitations:

It is necessary to use an IP address of one of the firewall’s Internet interfaces. If
