Additional Info

C is quirky, flawed, and an enormous success. (Dennis Ritchie)

If you ask "Should we be in space?" you ask a nonsense question. We are in space. We will be in space. (Frank Herbert)

This post tagged:


Kerio Operator in a separate subnet behind Control Firewall


A customer recently installed a Kerio Operator appliance behind a Kerio Control Firewall. Although his LAN is presently small enough that he could have put Operator and the phones on the same subnet as his computer network, he expects to grow, so Operator was put on a separate internal network. This avoids some traffic congestion (the firewall is still a choke point, however) and adds some additional security.

However, this does make things more difficult on the firewall configuration. The customer and I had set this up, and things were working, but then what seemed like minor changes were made and incoming audio stopped working. That is, if I called in, I could hear them answer but they could not hear me.

Obviously that wasn't acceptable.

I had to call Kerio to get this fixed. The basic issue was adding a source NAT translation for the outbound rule. Honestly, that confuses me. Yes, I understand source NATting conceptually, but earlier, without that rule, the customer was able to call me and we both could hear each other, and I don't quite understand why.

I found this at NAT and VOIP:

In addition, the way in which conventional VoIP protocols are designed is also posing a problem to VoIP traffic passing through NAT. Conventional VoIP protocols only deal with the signalling of a telephone connection. The audio traffic is handled by another protocol and to make matters worse, the port on which the audio traffic is sent is random. The NAT router may be able to handle the signalling traffic, but it has no way of knowing that the audio traffic is related to the signalling and should hence be passed to the same device the signalling traffic is passed to. As a result, the audio traffic is not translated properly between the address spaces.

OK, so it's like FTP - a new port is opened for audio. But if that's true, why doesn't it need full cone NAT as described at Use of Full Cone Nat in the Control manual - which even uses SIP phones as an example of where you'd need it!

It makes my head hurt. I could probably spend a few days tracing packets and maybe figure it out, but I lack the patience. For stuff like this, I'm willing to let the Kerio techs drive.

Here are some pictures of the basic setup. I've blocked out the public IP address used, but the rest is just internal IP's that are useless to a hacker. What you need to understand is this:

  • Customer has 5 public IP's, to
  • The office LAN is
  • An "Other interface" is defined on one port of Control with address
  • Operator is connected to a switch connected that port
  • The SIP phones are all connected to Operator through the same switch
  • Operator has the private address
  • Operator uses the public address (2d of his public IP's)

Operator has been configured as described. Note that "NAT enabled (Kerio Operator is behind a firewall)" is checked.


The Control side shows the rules as suggested by Kerio. Note that order matters and that two new services were defined: SIP TCP (because the built in rule is only UDP) and RTP, which is defined for the same UDP RTP port range as defined in the Operator setup shown above.


That's it. With this in place, the phones now worked as they should.

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Kerio Operator in a separate subnet behind Control Firewall


Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Anthony Lawrence

Fri Jun 14 22:06:41 2013: 12128   anonymous


think you ought to reconsider whether private address ranges are "useless to a hacker". as a firewall expert, you'd know that, though, wouldn't you?

Fri Jun 14 22:14:37 2013: 12129   TonyLawrence


"useless" in this context - no public ip's, you don't know who the customer is, so seeing those ip's in a screen shot is of no concern.

But I am NOT an "expert" at anything and have never claimed to be - quite the opposite, in fact.

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us