  1. #1
    Untanglit
    Join Date
    Feb 2008
    Posts
    16

    Help With where to place the untangle box

    I have just run up my 2nd Untangle box, and I need to deploy it to a client that has the following setup.

    They have 2 offices; office 1 has 2 x 48 port switches that connect to a Netgear FVX538 Dual WAN port router. What I was wanting to know is: can I put the Untangle box in front of the switches but behind the router so all the traffic going to the router and net goes through the Untangle box so it's all monitored? Is this possible? We have some huge usage on one of the internet connections and we can't find where it's being used from, so hopefully the Untangle box will fix this.
    I was hoping to be able to leave the router and all rules on it in place and just have the Untangle box behind it.

  2. #2
    Master Untangler HomeNet's Avatar
    Join Date
    Sep 2007
    Location
    West Chester, Pennsylvania, USA
    Posts
    193


    Quote Originally Posted by Mark0 View Post
    I have just run up my 2nd Untangle box, and I need to deploy it to a client that has the following setup.

    They have 2 offices; office 1 has 2 x 48 port switches that connect to a Netgear FVX538 Dual WAN port router. What I was wanting to know is: can I put the Untangle box in front of the switches but behind the router so all the traffic going to the router and net goes through the Untangle box so it's all monitored? Is this possible? We have some huge usage on one of the internet connections and we can't find where it's being used from, so hopefully the Untangle box will fix this.
    I was hoping to be able to leave the router and all rules on it in place and just have the Untangle box behind it.
    If I'm following you correctly, it's looking like you'll want to deploy it in transparent/bridge mode and place it between the existing router and the switches. This will allow the Untangle box to filter traffic but not interfere with your route statements and whatnot being handled by the existing router.

    I've never set these up in bridge mode but I'm sure it's in the wiki. Here's what it would look like.

    02-06-08
    0826 EST
    Rob @ HomeNet

  3. #3
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,802


    MarkO,

    Welcome to the forums. If you have Untangle between the router and the switches, you will be able to see what's happening. That would be bridge mode. By using the Attack Blocker module, you will be able to quickly find out who the heavy user is because he will be throwing exceptions until he shuts himself down due to traffic intensity.

    For reference, Attack Blocker gives devices a reputation based on comparison between connected devices. When a traffic burst occurs, the machine will show a high reputation, and traffic from that connection may be limited, dropped or even rejected if Attack Blocker considers it to be a threat. There are legitimate machines that will have high reputations, and you can tell Attack Blocker to accept them as legitimate so that their traffic will not be restricted. Then there are bit torrent users, game servers, streaming media servers and the mother of all downloaded DVD collectors. You'll have fun nailing him.

  4. #4
    Untanglit
    Join Date
    Feb 2008
    Posts
    16


    Thanks guys, I am going to look into bridge mode right now and see if I can get this up and going today.
    With the actual IP setup of this, do I put addresses on the external and internal NIC in the box, and if so, what do I put? The range that the site uses is 192.168.0.0/255.255.255.0.
    I was going to plug 1 lead that goes into the router now into the internal NIC and then plug a new cable from the external NIC into the router. Is that right?
    Last edited by Mark0; 02-06-2008 at 03:15 PM.

  5. #5
    Master Untangler HomeNet's Avatar
    Join Date
    Sep 2007
    Location
    West Chester, Pennsylvania, USA
    Posts
    193


    Quote Originally Posted by Mark0 View Post
    Thanks guys, I am going to look into bridge mode right now and see if I can get this up and going today.
    With the actual IP setup of this, do I put addresses on the external and internal NIC in the box, and if so, what do I put? The range that the site uses is 192.168.0.0/255.255.255.0.
    I was going to plug 1 lead that goes into the router now into the internal NIC and then plug a new cable from the external NIC into the router. Is that right?
    Having never tried to set up an Untangle box in bridge mode, I'll take a guess. By all means - someone else jump in on this...

    As far as I know, with other firewalls like this, the same IP is shared across both interfaces. Normally, you'd assign one of the interfaces with an IP on the same subnet as the rest of your clients. Think of your Untangle box as another PC in the network...the Untangle box would have a similar IP but would be further up the food chain as far as physical cabling goes. Evidently, in the config wizard, there's an option to set it for bridge mode. Nonetheless, if your site uses 192.168.0.X/24, then use that for this as well.

    02-06-08
    2016 EST
    Rob @ HomeNet
    Last edited by HomeNet; 02-06-2008 at 05:11 PM. Reason: typo

  6. #6
    Untanglit
    Join Date
    Feb 2008
    Posts
    16


    Cheers mate, I have just tested this in-house and it's very simple: bridge mode uses the 1 internal IP on the customer's network and just needs to be plugged in from the switch to the router.
    I am hoping to find what is causing my customer to use over 2g per day.

  7. #7
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,802


    MarkO,

    Put a log on all streaming, P2P, NNTP, SOCKS, TOR protocols and see what happens.

  8. #8
    Untangle Ninja juank's Avatar
    Join Date
    Aug 2007
    Location
    Athens
    Posts
    1,474


    Quote Originally Posted by mdh View Post
    MarkO,


    For reference, Attack Blocker gives devices a reputation based on comparison between connected devices. When a traffic burst occurs, the machine will show a high reputation, and traffic from that connection may be limited, dropped or even rejected if Attack Blocker considers it to be a threat. There are legitimate machines that will have high reputations, and you can tell Attack Blocker to accept them as legitimate so that their traffic will not be restricted. Then there are bit torrent users, game servers, streaming media servers and the mother of all downloaded DVD collectors. You'll have fun nailing him.
    The problem with Attack Blocker is that if you are doing NAT at another level, other than in UT, your Attack Blocker can get "confused" and start dropping real/good internal traffic. That happened to us and we had to disable the Attack Blocker.

    We want to put Attack Blocker back in production but we need to let UT do all the NATing (planning to do that next week).
    --------------------------------
    Juan Machado
    --------------------------------

  9. #9
    Untanglit
    Join Date
    Feb 2008
    Posts
    16


    Hrmm, well, so far everything looks OK. I may have a problem with RDP Printing, and the RDP Protocol and Printing Protocol are not blocked.
    I will know more soon; the protocol blocker, however, is blocking flat out so I may need to see what it is.
    Does anyone know if the protocol blocker will stop communication between 2 servers 2 (Standard Servers both domain controllers and so on) connected via a VPN from site 1 with UT box to site 2?
