Hardware requirements is grows up with increasing the number of active connections, number of active users and speed requirements.


3. Installation of program.

Run the Setup.exe for program installation, read licence agreement and do steps instructions for setting program up.

Setup is asking for replacement of files by new version files if installation is made over old existing version. After extracting necessary files the program module of firewall is started and installed required driver for operation system. On 64 bit OS starting from Vista you need to switch to the Test mode of signing drivers at the first start of installer, reboot computer ("Test mode" message will appear), restart setup again and to sign drivers before their installation.

Then you needed to go to the About page to enter registration data (user name, e-mail address and program serial number), after that to choose "Verify key and generate activation request" from context menu of registration data list.
The message "key is valid" is appeared if key is entered correctly.
Now you can copy activation request to clipboard and send it to support e-mail support@rusroute.com or send activation request later.

You probably need administrative right for correct firewall working (It is need to mention while manual firewall restart).

It is need to tune configuration and activate the key.

Predefined configuration is consist of example for local area network (network adapter name is HomeRealtek), network card (Internet) connected to ADSL modem, satellite DVB-card (DVBSat, VPN connection name SatGate) and reserved Dialup connection (UTK). Setting up configuration for particular application is consist of using firewall rules Wizard, editing lists and rules, adding users, changing billing schemes, and other optional changes.

It is possible you need to disable or tune standard Windows firewall for some TCP servers correct working on your router, because of standard Windows firewall is sometites changing port numbers of TCP packets passing through it.

4. Activation of program.

4.1. What gives the activation of demo-version of program.

Activation of demo-version of program is gives you opportunity to use program within 60 days (with comparison of 30 days without of activation) with aim of evaluate it accordance for you. But you need to make activation before 30-days period is expired.

4.2. What gives the activation of full version of program.

Activation of full version of program is really turns on availability of concurrent working those number of users for witch program was purchased(it is defined by pair: serial number and activation code).

4.3. Activation.

For activation it is needed to send activation request to support e-mail support@rusroute.com. Activation request is generated by RusRoute program in time of verifying key in About page. The text of letter with activation code obtained from support team is need to copy to clipboard and paste through context menu in the same "About" page, then choose menu item "Verify key and activation code". On success you will see appropriate message and number of users available in system.

5. Licence agreement.

The licence is defined by serial number and activation code. The type of licence is defined by number of users concurrently working in system. The originality of user is defined by its IP address. Therefore we means the number of users is number of authorized IP addresses in system. Note: if login to RusRoute system was made on firewall computer from local address 127.0.0.1 (throw web interface), then this user is correspond to some number of IP addresses (IP addresses of all network adapters on computer). This fact is need take into account for defining the number of users for purchased program. Similarly, if authorization of user working on firewall computer is automatic by address of firewall then while any activity any IP address of firewall the automatic login for user for this address is made if this address still not used in system. Usually the number of local IP addresses of firewall is not much (less than 3-5).

END USER LICENCE AGREEMENT

The present licence agreement is public offer and it is consist of all main conditions of Your (the next is «User») use of program “RusRoute firewall” (the next is «Program») for computer.
The author - citizen of Russian Federation, Moiseenko Andrey Alekseyevitch (the next is «Rightholder»), in accordance with current agreement, the holder of exclusive material copyright for program “RusRoute firewall”, including User manual for it in hardcopy and/or electronic copy is obligate to give to User (direct or through authorized third hand) unexceptional right for using Program, with restrictions of installation rights and starting Program in accordance of set up by current Licence agreement the rules and conditions (the simple unexceptional licence).

The order of acceptance of offer (Licence agreement)
The current offer (licence agreement) is considered is accepted by User in case of observe one of two the follow conditions:
1) By pressing by User «Accept» button while setting up the Program and pressing «Install» is means unquestioning agreement of User with current agreement rules.
2) The fact of ordering, payment or receiving by User unexceptional rights for using Program on conditions current offer (agreement) from Rightholder or authorized third hand people is means unquestioning agreement of User with conditions of current licence agreement.

The order of transferring and costs of unexceptional rights
In accordance of current Licence agreement User must in 30 days from accepting offer to give from Rightholder (in direct way of through authorized third hand people) unexceptional rights for using Program. The moment of transferring to User unexceptional rights is consider the moment of set Rightholder's (or third hand people making right transfer) hand on a document the accordance statement. The user must to pay fixed fee for giving rights, the amount of fee is defined by conditions of Licence agreement with party, making rights transfer. In case of giving by User the right cancellation (not to giving rights in time specified) the current Licence agreement is considered not to be consummated.

The rules of using the Program
The user have rights to use Program in the any country of world in accordance with conditions of current Licence agreement if the User observe the next rules:
1. Decompilation and/or modification of Program is prohibited.
2. To lease or rent, temporary use of Program for others is prohibited.
3. To split Program by parts to use it on different computers is prohibited.
4. The using Program with purpose of creation data or code of malicious program is prohibited.
5. The using Program with conflicting of laws of Russian Federation is prohibited.

The User have rights
To use Program for evaluation purpose in 30 days from it first start (install).
To Make copy of program under condition that the copy is aimed for archiving goals and for replacement legal obtained distribution in case when the original is lost, removed, or stand unsuitable for using. The copy mention in this paragraph can not be used for other purposes and must be removed in case if the using of Program by User is ceased to be rightful.

Rights disclaimer
Rightholder is not guarantee the usability of Program while breaking conditions described in User manual, and in the case of violation of User the conditions of current Licence agreement.
User is take himself the risk of accordance of Program by his wishes and needs, as soon as risk of accordance the conditions and value of giving rights by his wishes and needs.
Rightholder and/or his pairs are not to account for any damage or loss of profit, independently of cause of their appearance, (including, and not restricted by this, special, fortuitous, incidental or indirect damage, profit loss, interrupting commercial or production activity, business information loss, negligence, or any other loss), appeared in case of using or impossibility of using Program.

Final rules
Period of validity of conditions of current offer (Licence agreement) from 01 July 2008 to 01 July 2010 y.
In case infringement of author's rights for Program, the violator takes civil liability, administrative responsibility and criminal liability in accordance of laws of Russian Federation or other countries.


6. Program dialogs description.


6.1. "About" page.

Picture

In this window you can see the product name, its version, copyrights, web-site of program, registration data of user (user name, e-mail address, serial number), program working mode, number of active users and serial number and activation code check status.

Using double click of mouse or pressing F2 key you can change registration information of user.

It is showing context menu by pressing right mouse button on the list. In menu you are offered step by step register the program. The registration info can be entered as soon as setup is finished or do it later. You can change this data later. You can delay sending activation request and entering activation code. For example, you can make this after reboot and set up minimal program configuration: lists, users, rules.

6.2. Settings page.

Picture

You can see the global settings of programm in this window sutch as process priority, Kernel mode TCP optimization, default TCP congestion control and avoidance algorithm, Anti-SYN flood settings, Shapers settings, blocking of TCP scan attacks and specific VPN client setting. You can see here the memory size used by RusRoute.

Turning on the kernel mode TCP optimization is allowing to reduce rapidly processor usage because of that the part of TCP packets handling is moved from user mode to kernel mode.

Turning on strict limits for TCP shapers is for handling strict speed limits instead of not strict mode when RusRoute is trying to use full bandwidth of root shapers for subshapers.

6.3. "Network info" group page.


6.3.1. Network adapters.

Picture

Here you can see the list of network adapters of operation system, both existed and inactive and removed. Some adapter characteristics is shown too. Phonebook entries are shown here too.

Adapter characteristics are parameters as name (form network places properties), Mac address, IP address, subnet mask, type/status, real name, Mac address of peer (for WAN connections), IP address of server (for WAN connections).

In the case the serial number is not right or expired or driver is not installed correctly, adapter name is defined as , what give no possibilities to work.

You can refresh adapter list, for example, if you have renamed some adapter.

6.3.2. Routing table.

Picture

Here is standard for operation system routing table. It is shown in list way with the next fields: IP address, mask, gateway, interface (adapter name, for local loopback is "null nic"), metric.

This information you can update manually by pressing "Update" button as in previous page. Usually it is not need because of operation system starting from Windows XP are setting notification events about routing table changes.

6.3.3. Arp table.

Picture

The Arp (Address resolution protocol) table is shown in this window. It s also called as MAC addresses table. There are dynamic and static records in it for mapping IP addresses to correspondence MAC addresses of network adapters. RusRoute has its own Arp table in addition to Windows Arp table. You can see in last two columns if the record of table exists in RusRoute and/or Windows Arp table.

For protection of network attacks of IP spoofing inside local network, you can add static records to the table. It is easy to do by creating *.bat file with commands type as
arp -s ...... and setting this file to run at Windows startup. You can copy the contents of bat-file lines to clipboard from this Arp table page by pressing right mouse button and selecting appropriate menu item.
You can see the more information about arp command in Windows documentation and by using command arp /? from a command line.

6.4. "Lists" group page.

Here is the lists are using for firewall rules. Every list is sortable by some fields. You can sort list by pressing on header button.

6.4.1. Adapters lists.

Picture
Here you can create or modify adapters lists. For this the right mouse button on existed elements and context menu are used.

6.4.2. IP addresses lists.

Picture 1
Picture 2

Here you can create and modify IP addresses lists. For this the right mouse button on existed elements and context menu are used. The dialog for choosing element type and writing down element value is used. The elements of every list can be the next types:

• "Firewall IP" - any IP address of firewall,
• "IP address" - address, typed by hands,
• "Subnet" - subnet, assigned by IP address and subnet mask,
• "IP range" - IP addresses range from start to end (the arithmetic comparison is used),
• "DNS name" - dns name of host, for example, "www.microsoft.com". Firewall is working directly with IP addresses, therefore it is importent to define IP address(es) by domain name for working. If not to do this soon by unchecking "Resolve now", you can resolve them for all domain names from lists by selecting appropriate context menu item from parent window.
• "Include list" - merges list with other list.

Network protocols list with the next fields: name, IP protocol, (port) source, (port) destination, bi-directional (for UDP and PING), filter, filter data, broadcast.

Supporting filters for the next protocols: FTP(both active and passive modes), IRC, PING, HTTP. For HTTP filter you can use filter data settings such as caching.

6.4.4. Time table.

Picture

You can configure here the time table lists for using them in parameters of firewall rules. The according rule will be active while connection attempt in time interval specified only. The rule will be ignored in the other time, but the alredy lived connection will be active up to closing.

6.5. DHCP servers.

Picture

You can create DHCP servers on any Ethernet adapter. DHCP servers are used not to set up IP addresses and other network parameters on every computer of connected network.

You can set up here direct map between particalar MAC address of network card and IP address, which to allocate.

6.6. Servers for TCP transmission congestion control and avoidance algorithms.

Picture

You can configure external TCP servers with different algorithms of TCP transmission control, such algorithms are named TCP congestion control and avoidance algorithms too.
The idea and implementation are based on that fact, that RusRoute can redirect both incoming and outgoing TCP connections to the other IP addresses and ports. If you start virtual machine with the Linux operation system with using freeware VirtualBox 3.0.8 package for example http://www.virtualbox.org/ or more powerfull and free VMWare Server http://www.vmware.com/ (or set up Linux on the stand alone computer connected to RusRoute firewall server with analogous network connection settings), than redirecting TCP packets (for incoming connections) to the virtual Linux machine at first, witch is setting up specific congestion control and avoidance algorithm and is making simple redirection of that connection data in a client-server sockets application backwards to IP address of RusRoute telling IP addresses and port numbers of source and destination in the first 12 bytes of connection (for further identification), than that Linux is the main who is a connection superviser for incoming conenctions. The "incoming" is means here the primary level TCP connection (see RusRoute firewall special rules settings for explain). The similar way is for outgoing connections: RusRoute firewall is connecting to a Linux server transferring the first block of parameters - IP address and port to where to connect by Linux application, which will be sent by Linux to using the other network interface to be intercepted and redirected by RusRoute to the real end point address, using simple IP and port substitution. In the case of connect is successful the Linux server is returning code 0 (4 bytes, dword) as the first data, RusRoute is extracting that data and the other data are transferred transparently in both directions. In the case of connect error the server is sending successive 4 bytes - error code, 4 bytes - error message length (must be the less then 512 bytes in current implementation), the error message of the given length, and closing the connection. RusRoute is making TCP Reset reply to initiator of connection which leads to the "Connection refused" reaction, unless the connection was not closed before by time out. The error message is displayed in RusRoute common log window for diagnostics.
Client-server application for making such network interconnection is distributed with source codes, it can be compiled both for Unix (Linux) and for Windows too, i.e. You can make the experiments of TCP stack substitution by stack of other Windows OS, for example, the TCP stacks of Windows XP and 2003 Server are differed from the new Microsoft TCP stack first introduced in Windows Vista and implemented in Windows Seven and 2008 Server too. You can download source codes of program from
http://www.rusroute.ru/cgi-bin/download_cctcp.cgi location.
The conditions of using - as a part of RusRoute distribution in accordance with RusRoute licence agreement.
The compiled binaries for Windows and Linux are placed in Data\cctcp folder of RusRoute installation folder.
Connect to author of RusRoute, please, in the case You need to use the library or part of source codes for other implementations or aims, the uncommercial using can be approved.
For optimization, simple using and interraction RusRoute with Linux skipping RusRoute driver, I am connecting the virtual machine by two virtual network interfaces.

You can create such network adapters by adding host-only adapter by VMWare virtual networks manager, I am setting fixed MAC addresses for Guest network adapters too.
I am unchecking the check box from RusRoute driver network adapter settings for one host-only adapter.
The second adapter is creating by the same manner, and network interface with default routing to RusRoute IP address is turn up.

The next improvements of work can be achieved by traffic splitting for incoming and outgoing connections to a different virtual adapters (for eliminating speed limit of 100 Mbits/sec divided by two, because the same data are received and sent in both direction usually, and maximal speed can be limited by 1/2 factor).
For that you can add one more network adapter for direct data transfer (with RusRoute driver unchecked in the adapter settings) and one more host-only adapter for virtual routing. You should to create additional routes in this case.
For example, we have 2 adapters for direct communication with the names of VMnet1, VMnet2 and VMnet8(unused), and 2 for routing with the names of VMnet3 and VMnet4, (you can add VMnet5 for local tests).

Than making IP address assignment on VMnet1
192.168.21.0/24 :
192.168.21.1 - for RusRoute
192.168.21.2 - for Linux
(usual network)

On the VMNet2 -
192.168.22.0/24 :
192.168.22.1 - for RusRoute
192.168.22.2 - for Linux
(usual network)

On the VMnet3 -
192.168.23.0/24 :
192.168.23.1 - for RusRoute
192.168.23.2 - for Linux
and routes
1.0.0.0/16 with 192.168.23.1 gateway,
0.0.0.0/0 (default) for 192.168.23.1 gateway (it is not strong required, it is using for possibility of making linux network connections to the Internet if they are need)
              
On the VMnet4 -
192.168.24.0/24 :
192.168.24.1 - for RusRoute
192.168.24.2 - for Linux
and a route
1.1.0.0/16 to a 192.168.24.1 gateway


Configuration files for my installation of ASPLinux 14 are the next:


/etc/sysconfig/network-scripts/ifcfg-eth0 :

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.21.255
HWADDR=00:50:56:00:21:02
IPADDR=192.168.21.2
NETMASK=255.255.255.0
NETWORK=192.168.21.0
ONBOOT=yes
NM_CONTROLLED=


/etc/sysconfig/network-scripts/ifcfg-eth1 :

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.168.22.255
HWADDR=00:50:56:00:22:02
IPADDR=192.168.22.2
NETMASK=255.255.255.0
NETWORK=192.168.22.0
ONBOOT=yes
NM_CONTROLLED=


/etc/sysconfig/network-scripts/ifcfg-eth2 :

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth2
BOOTPROTO=static
BROADCAST=192.168.23.255
HWADDR=00:50:56:00:23:02
IPADDR=192.168.23.2
NETMASK=255.255.255.0
NETWORK=192.168.23.0
ONBOOT=yes
NM_CONTROLLED=


/etc/sysconfig/network-scripts/ifcfg-eth3 :

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth3
BOOTPROTO=static
BROADCAST=192.168.24.255
HWADDR=00:50:56:00:24:02
IPADDR=192.168.24.2
NETMASK=255.255.255.0
NETWORK=192.168.24.0
ONBOOT=yes
NM_CONTROLLED=


/etc/sysconfig/network-scripts/ifcfg-eth4 :

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth4
BOOTPROTO=static
BROADCAST=192.168.25.255
HWADDR=00:50:56:00:25:02
IPADDR=192.168.25.2
NETMASK=255.255.255.0
NETWORK=192.168.25.0
ONBOOT=yes
NM_CONTROLLED=


/etc/sysconfig/network-scripts/route-eth2 :

1.0.0.0/16 via 192.168.23.1 dev eth2
default via 192.168.23.1 dev eth2


/etc/sysconfig/network-scripts/route-eth3 :

1.1.0.0/16 via 192.168.24.1 dev eth3


/root/cctcp/cclist.xml is supplied with the sources,
the template can be generated by command 
./cctcp.out -writeconfig


/root/cctcp/cctcp (starts the compiled cctcp.out file) :

#!/bin/sh

cd /root/cctcp

/etc/rc.d/init.d/network restart

killall -9 cctcp.out

./cctcp.out -system "`uname -a`" >/dev/null &
#./cctcp.out 10077 -system "`uname -a`" >/dev/null &
              

In /etc/rc.d/rc.local I was add the lines

setterm -blank 0
/root/cctcp/cctcp


You are need to start cctcp.out program compiled with the root access rights for using all of available TCP stack modifications of Linux.
The current Linux kernels are supporting the next TCP algorithms:
"reno", "bic", "cubic", "highspeed", "htcp", "hybla", "illinois", "lp", "scalable", "vegas", "veno", "westwood", "yeah". 

You can make here HTTP caches with specific name and size for not to download again for every computer the same upates from the Internet and pages, pictures and other content which was not modified on the web server since first request was made. You can subst the server reponces for some requests matched by mask specified by your data files (we are recommnded to prepend the HTTP/1.1 header to a resource data file with out of "Connection: " and "Proxy-Connection: " fields; you can use "%" in such headers as a parameter of "Content-Length: ", "Last-Modified: ", "Date: ", "Content-Type: " to authomatically its defining by value. If RusRoute program will not found the header, than it will insert some standart "HTTP/1.1 200 OK" header) You can select "skip" to go to the next cache mask comparison or "no" for not to caching that request.

You can do some actions with the cache sutch as "Add new custom URLs", "Remove incomplete", "Cleanup cache". This page is showing cache statistics too.

6.8. Filters data.

Picture

You can set up here variable parameters of filters with specific name. The example is the using of caches of HTTP, transparent HTTP to HTTP proxy connection converter (which is work in conjunct with cache, even if caching fucnction is disabled).

6.9. Billing shemes.

Picture 1
Picture 2

Here you can create and edit different billing shemes, that is the rules with accordance them the ballance of a user is changes. Billing is different by days, days ranges, days of week with intersection of time intervals in these days.

If you set up traffic cost 1.000 per megabyte then such billing sheme is encountered traffic in megabytes with munus sign. If 1024.000 than is in kilobytes, if 1048576.000 than in bytes.

The value of cost can be set up negatively, in this case traffic encountering is making without of minus sign, but minimum allowable balance value is missing the sense.

The edition of billing records is slightly uncomfortably, because it is needed not to forget to press "Apply" button after making changes in record.

6.10. Journals.

Picture 1
Picture 2 (report)
Picture 3 (report)
Picture 4 (report)

While creating of journal you specify its own name, period of writing its data to the disk and billing sheme.

When the records are stored up, you can generate the reports for selected period and users who was active in this period. This reports you can export to Excel.

That is from specific rule draws a conclusion is to write data about packet to specific journal or not, that is possible cases than undefined in what journal is this information to be written (while appearing packet not to belong for any connection for example). In this case information about packet is written to journal "Unknown" if it exists.

6.11. Users.

Picture

In the main window of user account list you can see their short description and activity (background changes the color), IP address(es) from witch user has been entered to the system and current balance.

You can do logout for every or all users or batch set balances (for example, in the start of each month).

6.11.1. User info dialog.

Picture

The main user info is consist of its login name and password, using when he is entering to the system. Login is made through web interface on port 10000 of firewall of protocol http. For example you can using link http://127.0.0.1:10000 for login from firewall, but for LAN computers you can use something as http://192.168.100.1:10000 , if address of firewall is 192.168.100.1. In the last case you need to allow access from unauthorized users' IP addresses to firewall on port 10000 TCP.

You can use special Win32 Application RRClient.exe for entering to RusRoute system. Picture In this case protected login is used, RRClient makes test request every 2 minutes to support (keep alive) connection. In the case of 5 minutes inactivity of RRClient.exe (for example, if network cable is detached from client's computer) RusRoute makes disconnect of user working from that IP address. You can send text message from RusRoute to user on the UDP port 10007, witch is to be shown by RRClient.exe. RRClient is need to be configured to working with server. New record is described by address of server, port (10000), gateway (optional, this gateway is to setup up default gateway with metric 20), startup page (optional), witch is opened on successful login to the system. At first it is need to load (update) keys from server. This key is a public key, generated in the page "VPN role". RRClient (by your wish) save on the disk user name and password for connecting to the RusRoute server , encrypting data on the key related to serial number of system partition.

Additional information about user is its full name, id, "Disabled" featute, "Automatic relogon at restart" feature, fixed IP address(es) from witch user is working without of entering login and password, allowed IP address(es) from witch login through web interface is allowed, idle timeout (in minutes) for exceeding that automatic logout is performed, balance, minimal allowed value of balance when user work is still allowed, batch set balance option with its value, TCP connections limit option and comment.

You can increase or decrease a balance of user by some value if you specify this value with sign + or - and press button "Add".

Minimal allowable balance is set up by entering appropriate value and pressing button "Set".

6.12. Shapers.

Picture

Shapers is an option of the algorithm of managing priorities and speeds of receiving/transmitting useful data of TCP protocol. It is works on socket layer and do not drops packets or worse quality of connection.

Every shaper is described by four parameters: weights and maximal speed limits for transmitting and receiving. The exception is root shapers for witch definition of weights are absent.

Shaper weight is priority of current connection or group of connection with comparison of other connections and group of connections on the same layer.

Max speed is a simple speed limit for connection.

For shaper tuning you need to set up maximal speed limits for root shapers (near to real limits). Than for child shapers for default user, anonymous, selected users and simple subshapers specify its weights, entering for maximal speeds either simple big values or values of additional restrictions.

For shapers to be active you need to specify their using in protocols list while edition particular rules. In the case of using one the same shaper for all protocols of rule you can use the default shaper only. The usual name of shaper in the rule protocol list - <some_name>.user

The speed of particular connection can be changed dynamically by adding shaper speed limit conditions. The conditions can be defined as a arithmetical expressions in the style of C/C++ with using calls of the next functions:

• RuleConnections(RuleName) - returns the number of active connections, allowed by given rule name.
• ShaperConnections() - returns the number of active connections, attached to this shaper.
• ShaperConnections(recursive) - returns the number of active connections, attached to this shaper and its subshapers.
• Time(Connection/SinceShaperAttached/AllShaperConnectionsRecursive) - returns the time since connection is established/since shaper is attached (in the case of conditional jump, for example)/time since shaper is created.
• V(Connection/SinceShaperAttached/AllShaperConnectionsRecursive, Send/Recv/Send+Recv, 120s/120m/120h/183d), Traffic() with the same arguments - for obtaining average speed or data transferred size for particular connection since it is established or attached to a shaper, or sum for all connections of given shaper, for sending or/and receiving data in a given time interval or for the all period if parameter is missed. The time can be given in seconds, minutes, hours or days, the maximal allowed data values are given in the above example.
• url(InCaseSensitive, "http://*.iso", "*.rar") - the comparison of URL address string of HTTP-request with template mask with using of symbols '*', '?', where '*' is meaning the arbitrary number of any symbols (>= 0), '?' - any one symbol. The InCaseSensitive parameter is using for making comparison with out of taking the care of registers of symbols.
• host("download.maasoftware.*", "rmail.maasoftware.*", "rmail.rusroute.*") is similarly to a host name.
• false, true - boolean false and true.
• break - the equivalent of true but the other shaper conditions are not calculated in that case.

• "(" - Opening paranthesis
• ")" - Closing paranthesis
• "*" - Multiplication
• "/" - Division
• "%" - Modulus
• "+" - Addition
• "–" - Subtraction
• "<<" - Left shift
• ">>" - Right shift
• "<" - Less than
• ">" - Greater than
• "<=" - Less than or equal to
• ">=" - Greater than or equal to
• "==" - Equality
• "!=" - Inequality
• "&" - Bitwise AND
• "^" - Bitwise exclusive OR
• "|" - Bitwise inclusive OR
• "&&" - Logical AND
• "||" - Logical OR.

Numerical expressions - integer numbers (qword) with the next possible modificators

• "B/s", "KB/s", "MB/s", "GB/s", "TB/s" - for speed
• "B", "KB", "MB", "GB", "TB" - for traffic volume
• "s", "m", "h", "d" - for the time. The time can be given in a union of values with out of explicitly given of '+' operator, 2m30s is means 2*60+30 seconds for example, and in a form of XX HH:MM:SS - XX days, HH hours, MM minutes, SS seconds, the first zero parameters can be discarded.

The conditional jumps between shapers can be used for changing parameters of a given shaper (weight, speed limit).

Shapers are working good on fast channels.

6.13. Cron tab page.

Picture
Picture 2 (Cron tab record settings)

Cron tab is for starting some actions in program at certain time (periodically, by shedule).
You can see on the picture 2 how to set new user balances automatically at the start of each month.

6.14. Firewall rules.

Picture
Picture 2 (special options)

Firewall rules are described by

• name
• list for source adapter
• list for source IP address
• user names
• list for destination adapter
• list for destination IP address
• protocols (with possibility to set shaper for every protocol)
• journal
• special options
• action
• additional comment.
• the rule can be Splitter type for switching between alternatives for xmit packets for typical using (union) some data transfer channels for VPN UDP traffic.

Special options is

• possibility to redirect to special IP address and port (for example, you can setup operation system for client's computers with option of DNS server IP address is IP address of RusRoute firewall and make firewall rule to redirect DNS requests of users to external DNS server of provider),
• NAT - Network address translation - the technology allowing to work for users of your local network as from the only IP address, gives you by provider for working in the Internet. Appropriately, the rules describing connection set up from local network to the Internet usually must have such option set. If you are using NAT for LAN than it is desirable to use the same technology for connections from local RusRoute firewall to the Internet for avoiding collisions with port numbers. In the current version NAT is working for protocols TCP(FTP, etc), UDP and PING. Usual routing is working for the same protocols with additional for ICMP protocol. For other IP protocols incoming packets are simple accepting or sending by firewall.
• Xmit (send) through adapter or gateway - in the case of using some default routes you can select here adapter or gateway for transmitting packets to external network (it is useful for sat Internet if you wish to routing mail protocols (POP3, SMTP) on usual, more protected channels). Use Xmit to specific adapter and optional gateway for changing default route.
• keep source adapter - helper option, some times is useful for knowing though what adapter is to send replies. In some cases firewall can ignore this option.
• don't duplicate Broadcasts on VPN adapter - send to VPN channel or send to Bridged LAN only.
• broadcast retranslator.
• Anti-SYN flood protection for blocking attacking incoming tcp packets for connection establishment, parameters of protection are set up in Settings page.
• TCP connection limit - set ups the limit of number of simultaneously working connections per rules with the same name.
• user is on final IP - points to that fact is identificator of user is to be found for destination point of packets, not for source. It is useful for LAN servers offering their services for Internet.
• when logged on user on final IP - rule is active when logged on user on final IP address.
• reverse NAT - for servers, for example, FTP, witch belongs to inside LAN for accessing to it from Internet.
• TCP congestion control and avoidance algoritmhs for primary connection (connection from initiator) and for secondary connection (for responce servers).
• disable this rule - to ignore rule from consideration of appropriate rules for connection.

In this page group you can see the settings related to making virtual private network (VPN).

6.15.1. VPN role.

Picture

Here the main VPN settings are described:

VPN type:

• Stand alone router (no VPN) - the VPN functions are disabled.
• Primary VPN server - RusRoute starts on this computer the TCP server on the port 10005 and UDP server on the port 10005 for serving VPN clients requests. Enter valid user name and password for current computer is to be visible as VPN client, and simple enter 127.0.0.1 for address of the server
• Secondary VPN server - RusRoute makes VPN connection to primary or the other secondary VPN server entered below, with entered parameters of user name and password, and starts TCP server on TCP port 10005 and UDP servers on the port 10005 (VPN server) and on the port 10004 (VPN client) for accepting connections of other users through current server (which named by secondary server) to primary server. The conveniences of using secondary servers is in that to connect two remote office with virtual network, they are starting secondary VPN server in the second office, which split loading on the VPN network in that way, that if two VPN users are connected to the same secondary VPN server are exchanging by messages that their messages are routed directly from one client to the other through their secondary server, not through primary VPN server.
• VPN client - usual VPN client, connected to primary or secondary VPN server, uses TCP connection to VPN server and creates UDP server on the port 10004 for receiving VPN packets. UDP connection is not used in the case of special option in the "Settings" page is selected ("TCP only VPN"). This can be useful for compatibility cases, but VPN is working very slower and VPN control connection can be overloaded with this option is turned on.

VPN network (information obtained by VPN adapter while using DHCP service):

• Virtual IP address of VPN client
• VPN network mask.
• Gateway - optional, here you can set virtual address of some VPN client for using it as default gateway (for example, for remote access to Internet from other remote network). Possible, in this case, you will need to set up routes with help of system program route.exe or special RusRoute firewall rule options for correct access to Internet (for VPN connections). See also: route /?

The other settings:

• VPN adapter - please, select VPN adapter from list. VPN adapter is added to system while RusRoute setups.
• LAN IP range to VPN Bridge - in case of using VPN adapter as real adapter, not virtual Ethernet adapter added to system while RusRoute setups, and if network of such real adapter is using allowed IP addresses (network 10.1.0.0, mask 255.255.0.0), then you can set here ranges and lists of IP addresses, which will be accessed for other VPN clients and their networks as Ethernet bridging. For example, you can set here 10.1.2.0-10.1.2.255,10.1.1.11 for one VPN client and 10.1.3.0-10.1.3.255 for the other. In this example, users form IP addresses 10.1.2.0-10.1.2.255 and 10.1.1.11 can exchange data with users from addresses 10.1.3.0-10.1.3.255 and other VPN clients too as they are located in the same Ethenet segment. You can use special firewall rules options for setting duplicate incoming broadcast features to local VPN client and to attached bridged LAN. See "Special" firewall rules settings.
• User name - enter user name for entering to virtual protected network. Only users, who are allowed in its accounts on primary server to work as VPN clients or secondary servers, can enter to VPN network.
• Password - the VPN user password.
• Server IP[:port] - IP address or domain name of server, optionaly colon and TCP port number for connection, if it is differs from default value - 10005. We are recommending for local primary VPN server to enter address 127.0.0.1 here.
• Save password - is to save password in config (in weakly protected text), otherwise the password is asked on each connection.
• Generate new server keys - to create new keys (public and private) for using in users authorization and transferring temporary key of user to server. This you have to done before first use of primary VPN server. In the case of discrediting of key you have to stop primary VPN server (enter to stand alone router mode (no VPN)), generate the keys, launch VPN server again. It is not need to generate keys for VPN users.
• Export/import of public key - can be the safest way of transferring public key from server to client (if, of course, you are trasted to courier or the other method of further transferring of key). You can verify the keys by fingerprint.
• Status - status line to show connection to server status or progress of keys generation.

Here is show of the list of all connected VPN users. You can select the most typical actions with their IP addresses: ping, ftp, the view by Internet Explorer and explorer, viewing of remote desktop, copying of IP address, name and DNS name to clipboard. In the case of using "DNS" filter for a DNS protocol, than you can resolve IP address of VPN user with the name "user" by special DNS name "name.vpn". RusRoute will respond the appropriate request with returning VPN user IP address.

6.16. Connections.

Picture

Showing TCP connections with parameters such as protocol, address, port, user name, speed of receiving/sending on primary(1) and secondary(2) levels, length of data transferred and rule name.

6.17. Logs.

The most useful and interesting records about processes in network and inside RusRoute firewall.

6.17.1. Http logs.

Picture

It is showing parameters of requests of http protocol (it acts only for that protocols, which have set up filter type HTTP).

6.17.2. Ftp logs.

Picture

It is showing some commands and their parameters for ftp protocol (it acts only for that protocols, which have set up filter type FTP).

6.17.3. Dns logs.

Picture

It is showing the information about DNS queries and answers (it acts for that protocols, which have set up filter DNS).

6.17.4. Common log.

Picture

The most reach log of firewall working.

Messages are displayed in the English profferably.
For example, message "Reject ... connection ... by rule: Default blocking rule, protocol: Unknown" is mentioned that there are no rule found in your rule list from the first rule to the last which is matched by current packet or connection, and as a result that packet/connection was blocked.

7. Technical support of the program.

Technical support of the program is making by e-mail: support@rusroute.com,
and in forum http://www.rusroute.com/cgi-bin/f.cgi
of site http://www.rusroute.com/.

Author is interesting in you suggestions for improving the quality of work of program and new ideas to be implemented.

The other programs you can see at http://www.maasoftware.com/.