Kerio Control with multiple Internet Interfaces


2012/11/27

If you have more than one Internet connection, Kerio Control can configure and use these in different ways. Learn how here.


Two Internet links - load balance or failover?

I'm seeing more customers who have two Internet connections. Often this is because they originally had a T1, DSL or Cable connection and have been able to add a new high speed connection like Verizon FIOS. They keep the old connection because it's usually not particularly expensive to do so and because they hope to use it for load balancing or fail-over.

Kerio Control has support for both fail-over and load balancing, as well as "policy routing" - that is, directing specific types of traffic to one of your Internet connections. Although this can be quite simple to set up, it can also be confusing.

Equal Speed Connections?

If both of your Internet links are the same speed or very close to the same speed, the simplest thing to do is to set the links to Load Balancing:

Kerio Control load balancing

The "probe hosts" would only be defined if the default gateway of the primary link will not respond to pings (or won't reliably respond). Your ISP's DNS servers might be a good alternate choice.

If your connections are unequal, using the slower one for failover is simple:

Kerio Control failover

This adds the option of reconnecting VPN tunnels when the primary connection returns.

If you set load balancing with unequal connections, your users are very likely to complain because they will randomly get the "slow" connection (or, depending on settings, they might always get it).

Forcing the use of an interface

Whether equal speed or not, you can force the use of an interface for specific cases. Kerio calls this "policy routing" in their manual, but most of us would call it SNAT. This can be a bit confusing, mostly because the method of defining it is mixed into the same place that you would define what Kerio calls "Full Cone NAT", which also falls into the SNAT definition.

You should know that the definitions of SNAT used by different vendors vary. Wikipedia does a good job of explaining the various meanings of SNAT.

Kerio's manual implies that you can only do policy routing if you are configured for load balancing. That seemed odd to me, so I specifically asked support if policy routing would not work if links are configured for failover. Their response was that this is true, but the administration panels seem to allow this, so I'm still not certain. I don't have any way of testing that myself at the moment, but I'll update this article when I can.

To force an interface, you define a rule as you ordinarily would. For example, we might want to force VPN tunnel traffic to one interface. This might be to give it better performance or to prevent that traffic from interfering with traffic on our other interface. Whatever the reason, we define it by enabling SNAT and choosing a specific interface:

Selecting SNAT and locking down to one interface

Note that you can select the "Allow using of a different interface if this one becomes unavailable" option. Obviously you'd have to have load balancing in effect for that setting to work.

There is a subtle distinction between locking down an interface and simply enabling SNAT with its default setting. In that default mode, you get a temporary lockdown, either per host or per connection. The load balancing selects the link and then locks it depending upon your choice of per host or per connection. The "policy routing" link above explains all that very well. Note this from their manual:


If you need to reserve a link only for a specific traffic (i.e. route other traffic through other links), go to Configuration → Interfaces and set the speed of the link to 0Mbit/s. In this case the link will not be used for automatic load balancing. Only traffic specified in corresponding traffic rules will be routed through it.
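
A simplified model of the link selection described above, added here as an illustration; it is not Kerio's implementation or code from the manual. The link names, speeds, hash-based pick, speed-proportional weighting and the "no route" result when a forced link is down are all assumptions of the model.

```python
import hashlib

# Constructed sample links: name -> configured speed in Mbit/s.
# Speed 0 marks a link reserved for traffic rules only, as in the manual quote.
LINKS = {"fios": 50, "dsl": 5, "t1": 0}

def pick_weighted(key, links):
    """Map key onto a link in proportion to speed (weighting is an assumption)."""
    pool = [(name, speed) for name, speed in sorted(links.items()) if speed > 0]
    total = sum(speed for _, speed in pool)
    if total == 0:
        return None
    digest = hashlib.sha256(key.encode()).digest()
    point = int.from_bytes(digest[:8], "big") % total
    for name, speed in pool:
        if point < speed:
            return name
        point -= speed

def select_link(conn, links, up, mode="per_host", forced=None, fallback=False):
    """Return the outbound link for conn = (src_ip, src_port, dst_ip, dst_port).

    forced   -- interface named in a traffic rule ("policy routing"), or None
    fallback -- models "Allow using of a different interface if this one
                becomes unavailable"
    """
    if forced is not None:
        if forced in up:
            return forced
        if not fallback:
            return None  # assumption: no route, rather than another link
    usable = {name: speed for name, speed in links.items() if name in up}
    # The hash key is what "locks" the choice: one link per host, or per connection.
    key = conn[0] if mode == "per_host" else "|".join(str(f) for f in conn)
    return pick_weighted(key, usable)

if __name__ == "__main__":
    all_up = {"fios", "dsl", "t1"}
    for port in (40001, 40002, 40003):
        conn = ("192.0.2.10", port, "198.51.100.7", 443)
        print(port, select_link(conn, LINKS, all_up, "per_host"),
              select_link(conn, LINKS, all_up, "per_connection"))
    vpn = ("192.0.2.10", 500, "203.0.113.9", 500)
    print("vpn forced to t1:", select_link(vpn, LINKS, all_up, forced="t1"))
    print("t1 down, no fallback:", select_link(vpn, LINKS, {"fios", "dsl"}, forced="t1"))
```

In this model, a rule that forces VPN traffic onto a reserved link without the fallback option yields no link at all while that link is down, so the traffic never appears on the other connections.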

More than two Internet interfaces

This discussion thread at the Kerio forum elaborates on that type of setup in the case of three Internet interfaces.



2 comments




© Anthony Lawrence







Fri Nov 30 19:51:19 2012: 11450   NickBarron



Interestingly easy it seems.

Still waiting for IPsec to make this a viable standalone box unfortunately :(



Fri Jan 24 20:01:02 2014: 12407   basit



Thank you so much, I was looking for this article.
