By default, in packets sent from the LAN to the Internet the source, IP address will be replaced by IP address of the Internet interface of the firewall through which the packet is sent. This IP address translation method is useful in the general rule for access from the LAN to the Internet because it works correctly in any Internet connection configuration and for any status of individual links.

For a single leased link or connection failover, the following options have no effect on Kerio Control's functionality. If Kerio Control works in the mode of network traffic load balancing, you can select:

• Perform load balancing per host — traffic from the specific host in the LAN will be routed via the same Internet link. This method is set as default because it guarantees the same behavior as in the case of clients connected directly to the Internet. However, load balancing dividing the traffic among individual links may be not optimal in this case.

• Perform load balancing per connection — the Internet link will be selected for each connection established from the LAN to the Internet to spread the load optimally. This method guarantees the most efficient use of the Internet connection's capacity. However, it might also introduce problems and collisions with certain services. The problem is that individual connections are established from various IP addresses (depending on the firewall's interface from which the packet is sent) which may be considered as an attack at the destination server.

Packets will be sent to the Internet via this specific link. This allows the definition of rules for forwarding specific traffic through a selected Interface — so-called policy routing.

If the selected Internet link fails, the Internet will be unavailable for all services, clients, etc. specified by this rule. To prevent such situations, check to Allow using a different interface if this one becomes unavailable.

An IP address for NAT will be used as the source IP address for all packets sent from the LAN to the Internet.

• It is necessary to use an IP address of one of the firewall's Internet interfaces.
• Definition of a specific IP Address cannot be used in combination with network load balancing or connection failover.

Group Trusted/Local Interfaces (from the Interfaces section). This group includes all segments of the LAN connected directly to the firewall. If access to the Internet from some segments is supposed to be blocked, the most suitable group to file the interface into is Other interfaces.

If the local network consists of cascaded segments (i.e. it includes other routers), it is not necessary to customize the rule in accordance with this fact — it is just necessary to set routing correctly. 

The Internet Interfaces group. With this group, the rule can be used for any type of Internet connection.

This entry can be used to define global limitations for Internet access. If particular services are defined for NAT, only these services will be used for the NAT and other Internet services will not be available from the local network.

The Action must be set to Allow.

In the Source NAT section select the Default settings option (the primary IP address of the outgoing interface will be used for NAT). The default option will ensure that the correct IP address and Interface are used for the intended destination.