I spent a number of hours trying to get Kerio Control working as our firewall on our Proxmox OVH server. This guide will run you through the process. Please note I’m far from a networking expert; it’s probably one of my weak areas, so there may be better ways to achieve this and I’ll leave that up to others, but this does work and was pieced together over time, mostly using guides that exist for pfSense and VMware.
So you will need the following:
- A server on OVH running Proxmox
- A set of failover IPs
- Kerio Control software appliance image & licence or trial
- A Xubuntu image
Once you have your server installed by OVH and Proxmox installed and working (which I won’t run through), you should order a set of failover IP addresses if you have not already done so.
First off, log in to your OVH control panel and select your dedicated server. Then click on the Manage link next to your IP address.
From here you should see the address of your server, and below this you should see your set of failover IPs. We are going to assign the first failover IP in the range to our firewall, in this case Kerio Control, so the first thing you need to do is assign a virtual MAC address to the first failover IP. You should also configure a DNS record with your domain host to point to this IP address, and once your DNS record is active you can set a reverse DNS record for the IP address to make everything nice and neat.
So you should end up with the following (these are example values, so substitute your own):
- Failover IPs: 220.127.116.11/29
- A record: control.example.com -> 18.104.22.168
- Reverse record: 22.214.171.124 -> control.example.com
- MAC address: 02:00:00:15:62:05
Now we need to create ourselves a VM in Proxmox. Configure a VM with these as your minimum specs. They are taken from the Kerio website and relate to a VMware Virtual Appliance, but will work just fine for Proxmox.
- CPU: 2 GHz
- Memory: 1.5 GB RAM assigned to the virtual machine
- Hard drive: 8 GB assigned HDD space for OS, product, logs and statistics data
- Network interface: 2 assigned virtual network adapters
When you create your network interfaces, you need to assign the virtual MAC we generated in the OVH control panel to one of the NICs. This will be the public-facing NIC, and in my case I assigned this to the first NIC. The second NIC can just keep the self-generated MAC address. Of course, don’t forget to assign the Kerio software appliance ISO as the boot media.
Now we need to create a second VM. Some basic settings will do, as this is a temporary machine which we are going to use to perform the initial setup of Kerio Control. The reason we do this is that the Kerio Control initial network configuration will not allow you to enter the network settings required to get it online, but you can set them from within the web admin. So to get to the web admin we need to do the initial configuration on the local LAN.
Once you have both VMs configured, start them both up. After a short time Control will come up with the install screen, which you need to run through. Once done, you will get to the configuration screen, and here we want to configure a local IP address for Control on our second NIC.
Now that is done, you can jump onto your Xubuntu machine and set a manual IP address in the same network range. This will allow you to connect to Kerio Operator and perform the initial setup. The whole reason for doing the configuration in this manner is to get the public failover IP configured.
The first screen you should see should be the Configuration Assistant. You want to choose the top option: Configure Internet connection and the local network…
You will then be given the option to enter the settings for your public-facing NIC. Use the initial failover IP as your IP address and set the mask to 255.255.255.255. Set the gateway to the public IP of your physical server, but with the last octet of the address changed to 254. So, assuming your public address for the physical server is 126.96.36.199, you want to make the gateway 188.8.131.52. Then add in a DNS server and you should end up with something like the following.
Follow through the rest of the wizard and you should now be able to access your Kerio Control from the outside world.
Any VM you now create in Proxmox will now pick up DHCP from the local LAN in Control. You may want to route one of your failover IPs to one of the VMs; in my case I have a separate failover IP for Connect and another for Operator. To do this, you first need to add a virtual MAC to the failover IP you wish to make use of, but instead of giving the IP a new MAC, this time choose the option to use an existing MAC address and choose the MAC address of the first failover IP you generated. Essentially you are aliasing all the failover IP MAC addresses to the initial one. Once that is done, you then need to create a traffic rule to route all traffic coming into that address to the local address of your VM. Also note that any traffic going out of your VM will go out on the address assigned to Control, so if you want the traffic to go out on the address it is coming in on, you need to set another traffic rule to say all outgoing traffic from this machine goes out on the desired address.
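The WAN settings entered in the Configuration Assistant and the virtual MAC aliasing described above can be checked before you touch the firewall. The following Python sketch is an added example, not part of the original guide or of Kerio or OVH tooling; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

def wan_settings(host_ip, failover_ip, failover_block):
    """Derive the public NIC settings the guide enters in the Configuration Assistant."""
    host = ipaddress.IPv4Address(host_ip)
    addr = ipaddress.IPv4Address(failover_ip)
    block = ipaddress.IPv4Network(failover_block)
    if addr not in block:
        raise ValueError(f"{addr} is not in failover block {block}")
    # Gateway: the physical server's public IP with the last octet set to 254.
    gateway = ipaddress.IPv4Address((int(host) & 0xFFFFFF00) | 254)
    # Mask 255.255.255.255 means the interface subnet holds only the address itself,
    # so the gateway is never inside it.
    iface = ipaddress.IPv4Network(f"{addr}/32")
    return {
        "address": str(addr),
        "netmask": str(iface.netmask),
        "gateway": str(gateway),
        "gateway_on_link": gateway in iface,
    }

def misaliased_failover_ips(firewall_mac, vmac_by_ip):
    """Return failover IPs whose virtual MAC differs from the firewall's public NIC MAC."""
    want = firewall_mac.lower()
    return sorted(ip for ip, mac in vmac_by_ip.items() if mac.lower() != want)

if __name__ == "__main__":
    # Constructed sample values: host 198.51.100.37, failover block 203.0.113.8/29.
    print(wan_settings("198.51.100.37", "203.0.113.8", "203.0.113.8/29"))
    # Virtual MACs as they would be listed in the OVH panel (constructed).
    panel = {
        "203.0.113.9": "02:00:00:15:62:05",   # aliased to the first failover MAC
        "203.0.113.10": "02:00:00:AA:BB:CC",  # given its own MAC by mistake
    }
    print(misaliased_failover_ips("02:00:00:15:62:05", panel))
```

Any address returned by `misaliased_failover_ips` has a virtual MAC that does not match the firewall's public NIC, so it is not aliased the way the guide describes.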