Networking configuration - Transparent?

[joedr]

Untangle Community,

I have setup my Untangle as a non-transparent mode in conjunction with my Tomato Router.

Here is the setup:

---------------------10.0.0.*------------192.168.0.2-------------192.168.0.1
Internet Modem-> (WAN Port) Untangle (LAN Port) -> (LAN Port) Tomato -> Users (192.168.0.0/24)

There are two networks on this diagram. The one provided by the ISP to the Untangle and the private LAN provided by Untangle. I turned off DHCP on Tomato and used Untangle for DHCP. Then, when the users get the DHCP, they also get the gateway to point to Untangle. Tomato is not using the WAN port and has ben demoted to just a simple switch.

Problem: Three things got broken on this setup: OpenVPN (It is hardwire to the WAN port and I must used port 22 over TCP due to a restriction on where I will be connecting from and it is out of my control. So, the OpenVPN in Untangle does not work for me as it is hardwire to port UDP 1194.) , Dynamic DNS and QoS.


My thoughts are that maybe using Untangle as a Transparent Device might help but I have a few questions.




The proposed network will be:

Internet Modem-> (WAN Port: 10.0.0.*) Untangle (Bridged Port) -> (WAN Port: 10.0.0.*) Tomato (LAN Port: 192.168.0.0) -> Users (192.168.0.0/24)

So now the Untangle is behind the WAN port of Tomato. This will bring back to life OpenVPN, Dynamic DNS and QoS. The three are hardwired to the use of the WAN port.

Question:

1. Since Untangle is not not part of the LAN network and it is in a different subnet (The one behind the WAN port on Tomato and provided by the ISP).... Can I still allow unique IPs to bypass the Web Filter?

Meaning, Can I allow IP 192.168.0.4 to bypass the Web Filter using the "Edit Passed Client IPs" section using the second transparent option?

2. I assume that the port forward option must be changed to point to the WAN IP in Tomato and then forward the ports again in Tomato towards the final client. Dual NAT... Correct?

Thanks in advanced!

Joed

[jcoffin]

This network is double NAT'ed which will cause all types of issues and making the VPN and reporting on filtering much more difficult. What is the reason for the tomato router?

[joedr]

Wifi,Dynamic DNS and the ability of changing incoming port on OpenVPN.

[sky-knight]

Disable NAT on the tomato, use a static route on Untangle to get the packets to flow and double NAT goes away. This will also solve the need for double port forwards and the issues with IPs in the Untangle reports.

[joedr]

Thanks sky-knight!

I found the NAT enable/disable section (I believe) on Tomato under the firewall tab. It is called NAT Loopback and it is currently set to MASQUERADE. I also found under the Routing tab, that the routing mode is set to Gateway instead of Router.

Which one should be selected? Router or Gateway?

Also.... Should I enabled RIP on the routing section? It gives me the option to set it up for the WAN and LAN interface. Please refer to the attached pics!

I will look for a Tomato tutorial on the net. I am pretty sure someone already documented this. If you have a link handy, please post it and will follow the guide.

Again, thanks for the help! :-)

[sky-knight]

I'm not sure what settings are required, I have no experience with Tomato.

However, given the nature of the firmware, I think the language used in the Linksys configuration may be valuable. For Linksys, the "router" vs "gateway" option essentially means NAT "off" and NAT "on" respectively. So if the drop down said gateway, NAT was running, if it said router NAT wasn't running.

NAT loopback, is a different monster entirely. That setting should have no meaning if NAT itself is disabled.

Untangle is the one that will need the static route, not the tomato. Unless it in and of itself looses its default route when you turn NAT off, but I doubt it.

I've done what you're trying to do with a normal linksys router, it did work but in the end it was a more difficult configuration to maintain in comparison to having a three interface Untangle router. But I didn't have the requirement of a second router's services.

P.S. You can change Untangle's OpenVPN port, you just have to hack the configuration files for the clients manually, and use a port forward.

[joedr]

Thanks for the insight!

I will look into changing the OpenVPN on the UT box. I like the system's monitoring, usage and that the traffic gets recorded On the reports

I will keep looking for the settings in Tomato for the NAT off.

BTW, none of default settings on any of my home appliances work. I always have to tweak them! LOL!

[joedr]

I tried to change the OpenVPN port without success. After a reboot or the service restart, the default settings were placed back to the default 1194.

Also, I was not successful to remove NAT from Tomato as suggested. I guess that I need further reading. LOL. At some point I placed the UT in transparent and connected to the Tomato WAN port but I was not able to connect to anything past the UT WAN port. Meaning, I could ping and login to the UT but was not seeing anything past the box on the WAN port and therefore no access to the net. I was able to see all my private network from the UT thou.

I am pretty sure I missed something so I will keep looking! :-)

[sky-knight]

That's why I said you needed to use a port forward. Untangle won't allow you to move that port, but you can abuse NAT to forcibly move it. However doing this also means you'll have to manually hack the connection scripts for all clients.