Web Filter logs but doesn't block?


croc
10-15-2007, 08:18 AM
Hi

I am new to Untangle. I have set it up using the VmWare appliance, in bridge mode. The only path from the Internal network to the Internet is via the Untangle bridge. Before I loaded any appliances at all (including router) into the rack, I tested, and Internet access works fine. I then loaded only the Web Filter appliance, and configured it to block all porn, violence, gambling, etc. I then tried www.playboy.com, and voila .. naked women. I then set up a specific URL to block "playboy.com", but again, adorned bodies! The log shows all the http access as "passed".

Do I need another component, such as firewall or router, before the blocking action occurs, or do I have to direct the internal network to the IP address of the Untangle bridge in order for filtering to work? At present, the internal clients point at the gateway on the external side of Untangle.

Help! I am being corrupted by Playboy :eek: , all in the name of scientific research!

Peter

mdh
10-15-2007, 08:38 AM
croc,

So you have a VMWare implant ... uh, install on your box. You should check your NIC mappings as we have documented in our wiki.

http://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware

If configured properly, one NIC connects the Untangle external interface to the outside world, and the other connects Untangle's internal interface to your LAN. The ability to pass through directly should be non-existent. It sounds like you are bypassing the Untangle box completely. You could also try blocking all traffic at the Untangle firewall and see if you can still go to Playboy. It's important that scientific research carries on!

richie
10-15-2007, 09:00 AM
hi croc.
what's the ip address of vmnet2? is vmnet2 located on a separate switch? note that internal ip schema of untangle needs to be different from your vmware host network if you have the router module installed with NAT / DHCP enabled. also it needs to be on a different switch with the rest of the pcs that will be protected by untangle.

croc
10-15-2007, 10:41 AM
Traffic definitely passes through Untangle, as I can see it in the Web Filter logs. Also, if I power down the Untangle VM, my internal PCs have no Internet access, and cannot ping the bridged gateway on the other side of Untangle.

I have no router module loaded into the rack, and I initially set up Untangle as bridged.

vmnet0 is on the south side of a firewall. The inside interface of the firewall is ip address 192.168.0.252. The internal ip address of Untangle is 192.168.0.253. The client PC is connected to vmnet3 with the client at 192.168.0.103, gateway 192.168.0.252.

When the Untangle is running, the client PC can ping both 192.168.0.252 and 253, and can administer Untangle by web browser. The client also has full access to networks on the north side of Untangle, including the Internet.

There is no router appliance in the rack, but the router is available in MyApps.

Peter

richie
10-15-2007, 11:49 AM
hey croc.
how many physical NICs do you have on the VM host? vmnet0 needs to be mapped to NIC #1, which will be on the network side, and NIC #2 (which in your case is vmnet3) to the PC that is on Untangle's side. you can put a separate switch or use a crossover cable here.

croc
10-15-2007, 01:50 PM
The physical machine has three ethernet interfaces (eth0, eth1, eth2). It is running Ubuntu and VMware Server. Since Untangle doesn't handle dual WAN with failover, I have a virtual machine running pfSense which sees eth0 (vmnet0) as the primary Internet link and eth1 (vmnet2) as the secondary Internet link. The internal network for pfSense is connected to a virtual switch (vmnet1). The external link from Untangle also connects to this virtual switch. The internal link from Untangle is vmnet3, connected to physical eth2, which is currently connected with a crossover cable to the client PC.

I attach a text diagram.

croc
10-15-2007, 02:25 PM
If I change the default gateway of my client PC to point at the Untangle IP address (192.168.0.253) instead of at the pfSense IP address on the other side of the Untangle bridge (192.168.0.252), then blocking does occur.

OK, so this solves the problem, but how do I prevent a smart user from pointing his default gateway past the Untangle bridge? I presume I would have to block this at the MAC layer in a firewall?
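
A defender-side check that complements the question above, added here as an example and not code from the thread or from Untangle: audit the Web Filter log for requests in a category the policy says to block that were nevertheless "passed", which is exactly the symptom Peter saw, and group them by client so hosts routing around the filter stand out. The log format and the sample lines are constructed for the example; Untangle's real log layout is not shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample log lines (NOT Untangle's real log format): each records the
# client, the requested host, the category the filter assigned, and the verdict.
SAMPLE_LOG = """\
2007-10-15 08:10:01 client=192.168.0.103 host=www.playboy.com category=Pornography action=passed
2007-10-15 08:10:05 client=192.168.0.103 host=www.ubuntu.com category=Technology action=passed
2007-10-15 08:11:10 client=192.168.0.104 host=www.playboy.com category=Pornography action=blocked
2007-10-15 08:12:30 client=192.168.0.103 host=casino.example category=Gambling action=passed
2007-10-15 08:13:00 client=192.168.0.105 host=casino.example category=Gambling action=blocked
"""

# Categories the policy in the thread says must be blocked (assumed category names).
BLOCKED_CATEGORIES = {"Pornography", "Violence", "Gambling"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<client>\S+) host=(?P<host>\S+) "
    r"category=(?P<category>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_unenforced(text, blocked=BLOCKED_CATEGORIES):
    """Return {client: [hosts]} for requests in a blocked category that were passed.

    A 'passed' verdict on a blocked category means the filter saw the request but
    did not enforce the policy for that client, which is the signature of a host
    whose traffic is not being routed through the filter the way it should be.
    """
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["category"] in blocked and rec["action"] == "passed":
            hits[rec["client"]].append(rec["host"])
    return dict(hits)


if __name__ == "__main__":
    for client, hosts in sorted(find_unenforced(SAMPLE_LOG).items()):
        print(f"{client}: blocked-category traffic passed for {', '.join(hosts)}")
```

Run against a real export after adjusting LINE_RE to the actual log layout; a client that shows up here while others are blocked is the one to look at first.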

richie
10-15-2007, 03:41 PM
i would set untangle on router mode, enable NAT and DHCP and set it up on a different subnet. that way all PCs will take the default gateway (which is untangle) to go out.

croc
10-15-2007, 11:21 PM
Richie

Thanks .. I'll try that, but it does raise questions about the bridge mode of Untangle if it is as simple as this to bypass all the controls?

Peter

richie
10-16-2007, 07:57 AM
Setting up untangle in router mode is recommended :)
not sure why you need to change the default gateway for it to work. your firewall should be your default gateway as untangle is in bridge mode.

i tried replicating it on our lab on a windows host vm with 2 nics.

untangle bridge mode running on windows vm host
vmnet0 --> Broadcom NIC
vmnet2 --> Linksys NIC

network >>>>> switch>>>>>>>vm host ( vmnet0 )
vm host ( vmnet2)>>>>>>>>>>>>>>> PC
crossover cable

croc
10-17-2007, 11:00 PM
Richie

In your lab setup, if you set the default gateway of your PC to point directly to the gateway on your lab main network, can you bypass the web filter controls in Untangle?

I will try setting it up in router mode.

Peter

richie
10-18-2007, 08:22 AM
croc
my default gateway is the firewall. outbound traffic has to go through untangle then to gateway and this can't be bypassed.

croc
10-18-2007, 11:29 AM
In my case, when I set the default gateway to the firewall then Web Filter didn't block any URLs.

I have now swapped to router mode.