
Configuring policy routing

Policy routing overview

This article is designed for administrators.

If the LAN is connected to the Internet by multiple links with load balancing, it may be necessary to force certain types of traffic out a particular interface, for example, to send VoIP traffic out a different interface than web browsing or streaming media. This approach is called policy routing.

In Kerio Control, policy routing can be defined by conditions in traffic rules for Internet access with IP address translation (NAT).

Policy routing traffic rules are of higher priority than routes defined in the routing table.

Configuring a preferred link for email traffic

The firewall is connected to the Internet by two links with load balancing with speed values of 4 Mbit/s and 8 Mbit/s. One of the links is connected to the provider where the mailserver is also hosted. Therefore, all email traffic (SMTP, IMAP and POP3) is routed through this link.

Define traffic rules:

  • The first rule defines that NAT is applied to email services and the Internet 4 Mbit interface is used.

  • The other rule is a general NAT rule with automatic interface selection.



The NAT settings in the rule for email services are shown in the figure below. Allow use of a backup link in case the preferred link fails. Otherwise, email services will be unavailable when the connection fails.


In the second rule, automatic interface selection is used. This means that the Internet 4 Mbit link is also used for network traffic load balancing. Email traffic still takes priority on the link preferred by the first rule. This means that the total load is balanced efficiently between both links at all times.

If you need to reserve a link only for a specific traffic type (i.e. route other traffic through other links), go to Interfaces and uncheck the Use for Link Load Balancing option. In this case the link will not be used for automatic load balancing. Only traffic specified in corresponding traffic rules will be routed through it.

Interfaces — Uncheck the Use for Link Load Balancing option


Configuring an optimization of network traffic load balancing

Kerio Control provides two options of network traffic load balancing:

  • per host (clients)

  • per connection

Load balancing per connection proves to be the best solution, because it uses the individual links more efficiently. However, this mode may cause problems with access to services where multiple connections are established at the same moment (web pages and other web-related services). The server can interpret the different source addresses of the individual connections as connection recovery after a failure or as an attack attempt.

Policy routing can work around this problem. For problematic services (e.g. HTTP and HTTPS), the load is balanced per host, i.e. all connections from one client are routed through a particular Internet link so that they share a single source IP address. For any other services, load balancing per connection is applied, which makes the most efficient use of the capacity of the available links.

Two NAT traffic rules meet these requirements:

  • In the first rule, specify corresponding services and set the per host NAT mode.

  • In the second rule, which will be applied for any other services, set the per connection NAT mode.

Policy routing — load balancing optimization
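
The effect of the two rules can be seen in a small model of what a remote server observes. This is an added example, not Kerio Control code or configuration: the public addresses, the LAN client, the speed-weighted slot scheme and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: two uplinks as (name, public IP, speed in Mbit/s).
# The addresses are documentation-range placeholders, not values from the article.
LINKS = [("Internet 4 Mbit", "198.51.100.10", 4),
         ("Internet 8 Mbit", "203.0.113.20", 8)]
TOTAL = sum(speed for _, _, speed in LINKS)

# Ordered NAT rules, first match wins: (destination ports or None for any, NAT mode).
POLICY_RULES = [({80, 443}, "per_host"),       # rule 1: HTTP and HTTPS
                (None, "per_connection")]      # rule 2: any other service
SINGLE_RULE = [(None, "per_connection")]       # the setup without policy routing

def nat_mode(dst_port, rules):
    """Return the NAT mode of the first rule that matches the destination port."""
    for ports, mode in rules:
        if ports is None or dst_port in ports:
            return mode
    raise LookupError("no NAT rule matches")

def link_address(slot):
    """Map a slot in [0, TOTAL) to a link, weighted by link speed (assumption)."""
    for _, address, speed in LINKS:
        if slot < speed:
            return address
        slot -= speed
    raise ValueError("slot out of range")

def source_addresses(client_ip, dst_port, connections, rules=POLICY_RULES):
    """Set of public source IPs a server sees for one client's connections."""
    mode = nat_mode(dst_port, rules)
    # per host: the slot depends only on the client, so every connection matches
    digest = hashlib.sha256(client_ip.encode()).digest()
    host_slot = int.from_bytes(digest[:4], "big") % TOTAL
    seen = set()
    for conn_id in range(connections):
        # per connection: each new connection moves to the next slot (assumption)
        slot = host_slot if mode == "per_host" else conn_id % TOTAL
        seen.add(link_address(slot))
    return seen

if __name__ == "__main__":
    client = "192.168.1.10"  # constructed LAN client
    print("HTTPS, single rule :", source_addresses(client, 443, 12, SINGLE_RULE))
    print("HTTPS, policy rules:", source_addresses(client, 443, 12))
    print("SMTP,  policy rules:", source_addresses(client, 25, 12))
```

With only the per connection rule, one client's HTTPS session reaches the server from both public addresses; with the per host rule placed first, it arrives from a single address while other services still spread across both links.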

