Needs some features before it's really ready


dragonbyte
09-26-2007, 05:09 PM
I have been on the forums, tinkered with the box, and talked to tech support and have the following problems. All in all it is a very nice product and hopefully addresses these issues but until then it just isn't really ready. It is just too inflexible.

1. Administrative Control - I have seen this touched on in a few places and it seems like it may be addressed. It would be really nice to have more fine grained control over a number of aspects. Spam filtering, spam learning, dhcp settings, routing, filtering, etc.

2. DNS/Split DNS - It would be nice if this ran a full fledged DNS service. Let the user choose if they want to host zones or only do forwarding. The really nice one would be if split DNS was enabled the same way Sidewinder does.

3. SMTP - Same deal, as I understand the only way to use this is a transparent proxy. I would rather see this being able to be used as a full fledged SMTP server for small/home business and a true SMTP relay for larger environments.

4. HTTP/HTTPS - Running the management tools on nonstandard ports would be better so it is possible to run a web server on the device itself. Again this would primarily be small/home business use.

5. VPN - I don't even know where to begin on this. No IPSec so my only option is to tell every other site that I need to connect with to ditch their expensive enterprise gear from Cisco or Sidewinder and buy Untangle so we can build secure tunnels. That is a quick way to get yourself laughed right out of a business deal. I was also told there is no VPN passthrough so not only can I not put a normal IPSec device behind it, I can't use VPN clients to connect to other sites.

The VPN structure alone pretty much excludes it from any real larger or enterprise functions, and the lack of fine control is going to turn away places that have real IT administrators around. The lack of flexibility in consolidation of services moves it out of the home/small business where the lack of control isn't so much of an issue. So it really can only serve a very small subset of business needs. The product definitely seems like a good start, but it needs some work to be able to be very functional outside of a very small scope of networking needs.

gotkimchi
09-26-2007, 06:28 PM
dragonbyte, thanks for taking the time to evaluate the Untangle. Sorry that we didn't meet or exceed all your expectations.

1) Untangle does provide full shell access to your box. You can enable this feature by connecting a monitor, keyboard and mouse directly to your box and setting the root password. Then you will need to enable support via the Config tab, and then Support.

2) Currently we offer DNS forwarding.

3) Some users are integrating other apps with Untangle. As we go forward, email services might be an addon service module, or people in the opensource community might spin off and make their own. No limitations.

4) You can change the admin port by going to the config tab, remote admin, then access.

5) IPsec pass through is coming in 5.1. Also, the target market loves our VPN solution because it is easy to deploy. Many of our users tell us horror stories about setting up IPsec with major vendors that end in "o"

hescominsoon
09-26-2007, 08:50 PM
IPsec is a PITA no matter what. SSL VPNs are where it's at and are steadily taking over from IPsec.

dragonbyte
09-27-2007, 07:44 PM
1. I poked around here but it seemed like it wasn't using the standard configs. I specifically was looking at DHCP, DNS, and SpamAssassin. Is there a better place to do detailed administrative things for the Untangle portion rather than the standard /etc configs? Can you change the spam learning thresholds, for example?

2. I was told that DNS is too intensive of a service to run on the untangle box without it setting off attack detection. This makes me very nervous about using the attack detection at all if it is that sensitive. Sidewinders utilize strikeback as attack detection/response but are designed to run single or split DNS.

3. It looks like it has exim4 running on the system so it can send emails; as best I can tell it shouldn't be too much of a nightmare to change the configs to act as an SMTP host and then toss a POP3 daemon on there. I just couldn't get a solid answer on how the Untangle portion would handle it. Single or split SMTP would be a great feature.

4. This I may have missed but I tinkered with this and only saw a way to change the SSL port, and not get it to stop listening on 80 to move it out of the way for Apache or something. Did I just overlook a setting?

5. I personally haven't had many problems getting IPsec tunnels to work, and have better luck with that 'o' vendor than most of the oddball vendors out there. I'm not going to say SSL is better or worse, just that not having the IPsec option makes it a REALLY tough sell given that everyone else is using IPsec and we can't just tell them all to go buy a new product. IPsec passthrough will certainly make it better for business use, but it would still be really nice to terminate IPsec tunnels on the Untangle box.

I think overall it is a really neat product, but the IPsec passthrough thing is the nail in the coffin for me. With the exception of the port 80 thing (unless I just missed a setting), the rest of it seems reasonably easy to fix by just digging in and tinkering enough. The problem is I am trying to reduce the workload in deploying that type of setup :)

mdh
09-28-2007, 10:26 AM
dragonbyte,

I'll respond to a few items from your post. We do DNS forwarding currently, and the Untangle box is currently designed to operate on a dedicated machine. In the future, this could change. Anything that is legitimate traffic that is noted by the attack blocker can be defined as an exclusion, so that its functionality is not impacted by attack blocker. Sensitivity of the attack blocker is a relative term. All traffic is considered, and attack blocker will attempt to "tame" anything that stands out far above the average of all traffic.

As far as remote admin, you can change the SSL port from 443 to anything you want that is reasonable, but you already know that. It is always enabled on the internal network and can be setup to be enabled externally. You can disallow standard HTTP remote admin (port 80) from inside your firewall so that port 80 can be used for internal web servers. Web servers that are accessible from the outside can still come in on port 80 and be redirected via the Untangle router.

IPSec passthrough is coming.

dragonbyte
09-28-2007, 11:53 AM
I guess the real killer for me is the VPN issue and the dedicated system part. If Untangle was a standalone piece it would make it a great deal more flexible. VPN passthrough fixes the biggest problem, but it would still be nice to terminate site to site IPSec on the Untangle system.

It looks really nice and I would love to use it and deploy it for others, but those main things are what cause the biggest problems.

What is the timeframe on VPN passthrough?

richie
09-28-2007, 01:12 PM
heya dragonbyte
next release is slated at the end of the year / early next year :).

kenderkin
11-30-2007, 01:59 PM
I have deployed just about every vendor of firewall/router, from the cheapo OTS boxes up to the "o" vendor.

The VPN passthrough issue/IPsec endpoint is a biggie for me as well. Supporting about 15 remote offices in 7 different companies, I use the point-to-point and client-to-point VPN all the time.

Untangle has some great features... as a spam filter it has surpassed expectations. Would be nice to have some granular control over the rulesets. I also couldn't find a whitelist section for the spam filter, probably just me though.

Untangle is very simple to setup and configure for the average user but geeks like to go the extra step.

any ideas on when we can expect the new version with pass through?
kenderkin

gotkimchi
12-03-2007, 05:24 PM
5.1 will have the pass through mode. As for whitelist, go to config tab, email, from safelist, and you have global and per user safelist.

mzsubs
01-15-2008, 04:47 PM
First of all, I would like to express my admiration for the job the developers of Untangle have done, but I have to agree with dragonbyte: without IPsec support your firewall is not enterprise ready. Even SMBs need it. I would have used your firewall a year ago if it had IPsec VPN. I'm using both OpenVPN and IPsec. I don't know who told you horror stories about IPsec, but I did not have any problems with it; it is *ROCK* solid in Linux. IPsec tunnels require extra effort during the initial setup, but after that I never touch them again. I have tunnels with CheckPoint, Cisco, Netgear, Sonicwall, SnapGear, Astaro, m0n0wall. I'm using OpenVPN for mobile users where it is possible; it is a great VPN, extremely reliable and easy to set up. I would use OpenVPN for network-to-network VPNs too, if it were my choice, but most of the sites already have infrastructure in place and I have no choice but to be compatible with it and use IPsec.
Guys, you have a really good product, it is so close to being a real "killer", but without IPsec it cannot be used in most businesses. IPsec passthrough is a very lame solution. You just have to have IPsec support on the firewall! Please!! I'm sure that if IPCop can do it, then you guys can do it too.

Lee Sharp
02-12-2008, 01:44 PM
This is a very nice solution for an inexperienced user. However, for someone with a healthy dose of clue, it can be a challenge. For example, it took an unreasonably long time to enable ssh access. While ssh is used to "Remotely Access" the server, it is not an option under "Remote Access." It is hidden in "Support" with only references to your support team, and no mention of ssh. Searching the forums leads to a lot of false starts before stumbling on the answer. I love the box in that I can set it up for unsophisticated users, and they can do most things without bothering me. However, there are many things it could do better. And, yes, it is in bridge mode behind a router that supports IPsec (m0n0wall in most cases). It seems silly that to have a solid solution in a single box, I need to shove a VIA C3 system with m0n0wall in a drive bay. :) However, that is an amazingly stable solution!

pvcrisp
02-12-2008, 06:58 PM
One of the features of the new version is going to be improved SSH, with it separate from "Support".

mdh
02-13-2008, 07:17 AM
Lee,

I thought I'd make a few comments which you can take or leave as you see fit. Your first sentence sums up the intent of the Untangle server. I don't think it was really planned for use by the expert user, though several have gravitated towards it. ssh is not really something that the small business owner would want, need or even have in their vocabulary. As a result, access to it was worded in a way that would be more meaningful to them, and also be buzzword/acronym-free. Your experiences with Untangle and unsophisticated users show the intent pretty well. Judging by the comments you have made on the board since you joined, you are not a rookie, and people who are more seasoned have different expectations and paradigms that they frame products such as Untangle in. The user base has evolved (and continues to), and we also are evolving. Yes, there are holes - some of them glaring - and they're being taken care of in (for the most part) an orderly manner. Sometimes, what may seem like an easy thing to fix can take on different meaning when fitting that into a framework of the current development model, new features, and smooth transitions from the old to the new. We definitely don't want to break something in order to fix something else. I don't know if you have read on the forums that 5.1 is around the corner. A lot of effort is going in that direction. Keep reading, keep playing with the product, and share your comments and constructive criticism. We pay attention, and the best evolution of a product is when the product addresses the needs of the user rather than make the user adapt. Welcome aboard!

Lee Sharp
02-13-2008, 02:11 PM
Thanks! I know that I might not be exactly in your target market. :) More like a reseller. :) But my daddy always said, "Never trust a carpenter with just a hammer in his toolbox." It may not be the best at everything, but Untangle is a fantastic tool for the somewhat savvy business owner that wants to manage his internet use. (Or a home user with difficult kids) I scope it, build it, install it, and configure it. He calls me when he needs help, and we call you and pay the $50 if I need help. :D (May I suggest a per incident support cost, and a reseller monthly support cost?)

However, it would be handy to have a "hackers quickstart guide" somewhere. (I might even work on that)

mdh
02-13-2008, 02:28 PM
Lee,

The quickstart guide just came up today and I'm going to start working on it. We have quickstart guides, but a quickstart wiki to accompany it is the current plan...the most common questions get answered in one place, then the wiki/FAQ and forums take it from there.

You got me laughing with the last sentence of paragraph 1. I think you meant incident rather than indecent...I got this vivid vision of what would constitute indecent support, and I'm gonna leave it to your imagination as well.

thzone
02-13-2008, 02:41 PM
lawl cyb0r

EricBaenen
08-25-2008, 08:17 PM
I looked through the documentation, wiki, forums, etc. - but couldn't find a feature roadmap anywhere, so perhaps one does not exist in the 'public' Untangle space.

Since it's been six months since the last post on this thread, I was curious if there was any additional consideration being made for IPsec VPN capability native within Untangle (as in the open source, but FreeBSD-based, pfSense firewall/VPN/router), in addition to perhaps incorporating the open source version of the Cisco VPN client. Not only would it make Untangle interoperable with other environments, but it would allow organizations a transition path... replacing existing devices in phases or gradually with Untangle systems. In addition, for those sites with high performance considerations, IPsec-based VPNs considerably outperform OpenVPN-based connections.

In one project supporting a government agency that I finished a couple of months ago, we evaluated a number of open source firewall/router/VPN products including Untangle, pfSense and eBox Platform. We ended up going with pfSense because of the lack of IPsec support in Untangle, which otherwise would have been our first choice.

fsala
08-27-2008, 03:56 AM
Eric, I fully agree with you: IPsec should be added as soon as possible, because it really "makes the difference" in some situations.

We too had to choose a different appliance for a customer for the same issue (we used Endian Firewall, Linux based and IPsec ready...): we had to connect to hardware routers and firewalls (ZyXEL, NetGear) and none of them supported OpenVPN.

OpenVPN is really fantastic for mobile users (no NAT issues...) and, to some extent, can be used for site-to-site connections between software UTM appliances... but no standard hardware appliances use it!

Hope there will be some good news in the future...

sky-knight
08-27-2008, 05:12 AM
IPsec/L2TP/PPTP passthroughs are available. There isn't anything stopping you from putting a VPN service on a server and running UT in front of it. I agree this stuff should be in the VPN module, but I see more than a few hurdles to overcome because of the unique way in which UT is deployed.

YeOldeStonecat
08-27-2008, 05:48 PM
Gotta chime in and say I'd love to see an IPSec VPN Module too. Lots of clients I could utilize Untangle on at their mothership, where they have remote sites with existing boxes that do IPSec VPN.

dmorris
08-27-2008, 06:41 PM
For that matter, there isn't much reason you can't run IPsec on Untangle! It's just a Linux box.
If someone does do it, make sure to write up a howto.
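The three recurring suggestions in this thread (mdh's note that inbound port 80 can be redirected to an internal web server, sky-knight's point that you can run a VPN endpoint on a LAN server with the box in front of it, and dmorris's "it's just a Linux box, run IPsec on it") all reduce to ordinary Linux plumbing. The script below is an added example and not Untangle's own code or configuration; it only prints the iptables rules and the ipsec.conf/ipsec.secrets fragments rather than applying them, so it runs offline. Interface names, the 192.168.1.0/24 LAN, the 203.0.113.x peer and the pre-shared key are constructed placeholders, and the ipsec.conf keywords are the Openswan/strongSwan style, which the kernel-IPsec daemons of that era and today both accept (exact proposal syntax varies by version, so check against your daemon's manual):

```shell
#!/bin/sh
# Added example: NAT-side rules for IPsec passthrough and a port-80 forward,
# plus a site-to-site ipsec.conf for terminating the tunnel on the Linux box.
# All interface names and addresses below are constructed assumptions.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# IPsec passthrough to ONE internal endpoint. IKE is UDP/500, NAT-T is UDP/4500,
# ESP is IP protocol 50 and has no ports. Because plain ESP carries nothing a
# NAT can demultiplex on, only a single LAN host can be the passthrough target;
# a second endpoint behind the same NAT must use NAT-T (UDP/4500) instead.
ipsec_passthrough_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 500 -j DNAT --to-destination $1
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 4500 -j DNAT --to-destination $1
iptables -t nat -A PREROUTING -i $WAN_IF -p esp -j DNAT --to-destination $1
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $1 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $1 -p esp -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $1 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Hand inbound port 80 to an internal web server. DNAT in PREROUTING happens
# before the local INPUT path, so the gateway's own admin listener on 80 is
# never reached from the WAN; move the admin HTTPS port elsewhere and keep it
# restricted to the LAN side.
web_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $1:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $1 -p tcp --dport 80 -j ACCEPT
EOF
}

# Terminate a site-to-site tunnel on the gateway itself.
# Args: local subnet, peer public IP, peer subnet. Both sides must offer the
# same IKE/ESP proposals; the ones below are a conservative choice that
# interoperates with most vendor gear, not a vendor default.
site_to_site_conf() {
    cat <<EOF
config setup

conn site-to-site
    left=%defaultroute
    leftsubnet=$1
    right=$2
    rightsubnet=$3
    authby=secret
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    auto=start
EOF
}

# ipsec.secrets line for the peer. Keep that file mode 0600 and never reuse a
# PSK across peers: with PSK auth any peer holding the key can impersonate you.
site_to_site_secret() {
    printf '%%any %s : PSK "%s"\n' "$1" "$2"
}

# Demonstration output when run stand-alone (constructed values).
echo '# --- passthrough rules for a LAN IPsec endpoint ---'
ipsec_passthrough_rules 192.168.1.2
echo '# --- inbound web forward ---'
web_forward_rules 192.168.1.10
echo '# --- /etc/ipsec.conf ---'
site_to_site_conf 192.168.1.0/24 203.0.113.10 192.168.2.0/24
echo '# --- /etc/ipsec.secrets ---'
site_to_site_secret 203.0.113.10 'constructed-example-psk-change-me'
```

Review the printed rules before piping them into a root shell; the order matters (DNAT before the FORWARD accepts, and the FORWARD policy on a locked-down box is usually DROP). After bringing the tunnel up, confirm the SA actually exists (`ip xfrm state` on the terminating box) rather than trusting that the peer is reachable, since a failed phase 2 with a permissive FORWARD chain can silently send that traffic in the clear.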