Chumley
08-07-2007, 01:56 PM
Heya Untanglers,
I have just deployed my first Untangle firewall and found:
It is hugely lacking in its NAT abilities. Simply put, it cannot do a static 1:1 NAT where traffic coming FROM the protected host has its source IP changed to reflect the aliased IP you wish it to be from. This is a major failing...
Another major issue I have is the lack of IPSec support. The use of OpenVPN is cool etc, but without support for IPSec it has no interoperability with existing infrastructures (talking about site-to-site VPN here). I can't tell the client they need to replace every existing firewall just so they can use Untangle and its VPN setup...it simply won't sell. Yes it has a lot of features built in that other commercial brands make you pay for, but for most SMB owners they are gee-gaws, not required. Most SMB owners I have met have bigger fish to fry and probably won't look at a single daily report. They want connectivity and interoperability, not being locked into one product or another. So while I personally like the packages, it still won't sell the box and installation costs to my clients without being able to slot into their existing infrastructure.
Lastly, and probably related to the lack of true 1:1 NAT support, is this business of having to change the SSL port on the Untangle box to a port different than 443 so it won't usurp all 443 traffic to itself, even if it is destined to an aliased IP. This is more of an annoyance but it definitely does annoy. After changing the port I would need to add links to my client's "favorites" so he doesn't have to remember the port, because he can't simply use 'https://'. Anyone who works with the general non-IT oriented client knows what I am talking about. It's hard enough to get them to remember the simple damned 's' much less a port number and how to add it to a URL. Hopefully though, if they fix the 1:1 NAT issue this will go away too because SSL traffic to the static NAT will go through to the protected host....hopefully.
Sorry Untangle, but for now your product is, at best, a fancy home-office setup...and that only if you don't need to connect to an extant larger existing corporate infrastructure because it most likely uses IPSec for its VPN.
There may be more but after the two "show stoppers" of 1:1 NAT and IPsec (interoperability between firewalls) I have frankly stopped playing with it and moved on. If Untangle fixes these two issues I might look at it again though. No need to be hating :)
Salute!
Chumley
MCSE, CCNP, CCSE, CCA