  1. #1
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,289

    needed a reboot.

    I changed the names & subnets on a few interfaces, and saved.

    I looked at port forward existing rules, and the new names were not reflected.

    The port forward rules were not working.

    I rebooted.

    Things started working again.
    If you think I got Grumpy

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,799


    You didn't need a reboot, what you needed was a ctrl+f5.

    The browser cache gets me every time I do that... and I mean it... EVERY TIME.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,289


    yeah, and I am struggling to troubleshoot the port forwarding anyway, so that was a convenient scapegoat.

  4. #4
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39


    Originally posted by Jim.Alles:
        yeah, and I am struggling to troubleshoot the port forwarding anyway, so that was a convenient scapegoat.

    A bit unrelated but would part of the side effects of doing this break untangle certificates with the clients? I thought about doing this exact same thing but wondered how much of a hole I would dig myself into.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,799


    Untangle shouldn't ever be breaking certificates, if you're getting a certificate error that means block page. And, to be clear... that means working certificates.

    And if you've got TCP 80 / 443 forwarding to a web server, you'd best use policies to push that ingress traffic into a dedicated rack that only has the firewall module in it, and perhaps intrusion prevention. If Web Filter, either virus blocker, or Threat Prevention see that ingress web traffic they're going to scan it, and block it, and you're going to lose hair chasing intermittent reports of a busted website. Not to mention if said site is publicly indexed, you run the risk of knocking your own SEO.

    TLDR, Ingress public services all require special consideration. And never forget Untangle modules do not care about direction of traffic. The Spam Blockers are the only exception, and even they are configurable on this point.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,289


    Well, I would guess it would. I might need to pay attention to that eventually, for delivery of block pages.

    Since the local IP addresses are included in the certificate?

  7. #7
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39


    Originally posted by Jim.Alles:
        Well, I would guess it would. I might need to pay attention to that eventually, for delivery of block pages.

        Since the local IP addresses are included in the certificate?

    Not 100% sure. My concern is if you change the IP you get connection (cert) failures to the Untangle admin interface and have to fight with the browser. Also VPN clients. Did you already do your IP change and did any of this happen?

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,289


    I am fairly certain OpenVPN certificates are going to be stable through this process. Its certificate is dealing with a specific sub-net, and the rest is routed, anyway. I don't normally VPN into here though; haven't checked it.

    The ones I mucked with were VLANs. My main Internal Network didn't change, and I still have the lock icon on my browsers, no pain.

    I don't normally allow access to the admin GUI from Wi-Fi. You are making me work to test this.

    NGFW is not happy.

    [Attachment: SC verifi.png]

    Neither is Firefox, although it does have an old certificate. I needed to clean that mess up, anyway!

    Well Firefox is a lot more informative than I am used to.

    [Attachment: risk.png]
    Last edited by Jim.Alles; 05-25-2020 at 05:19 PM.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,799


    Originally posted by propellherhead333:
        Not 100% sure. My concern is if you change the IP you get connection (cert) failures to the Untangle admin interface and have to fight with the browser. Also VPN clients. Did you already do your IP change and did any of this happen?

    The OpenVPN module maintains its own certificate authority and chain, it has nothing to do with the admin UI's SSL cert.

    If you change any of the IP addresses on the Untangle server, you can in some cases wind up where the self signed certificate isn't valid for that IP address anymore. But, since it's self signed you just get the same error you had before. You can generate a new certificate to get one that has the new IPs of Untangle listed (it gets ALL of them), but again... same error because the cert can't be verified. If you use a real cert, it also won't work on IP address unless you stuff in those as names.

    So yeah... all of this applies... but yet it also doesn't.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
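
Added example (not part of any post in this thread, and not Untangle's own code): the name-matching rule described in post #9, used to list which interface addresses a certificate's subjectAltName still covers after renumbering. The hostname, addresses and SAN line are constructed for illustration; the check covers name matching only, not whether the certificate chains to a trusted CA.

```python
import ipaddress

# Constructed sample: a subjectAltName line in the form that
# `openssl x509 -noout -ext subjectAltName` prints, for a hypothetical
# appliance certificate generated before the interfaces were renumbered.
SAMPLE_SAN = ("DNS:fw.example.lan, IP Address:192.168.1.1, "
              "IP Address:192.168.20.1, IP Address:FD00:0:0:20:0:0:0:1")


def parse_san(san_text):
    """Split an OpenSSL-style SAN line into (dns_names, ip_addresses)."""
    dns_names, ips = set(), set()
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            # ip_address() normalises IPv6 spelling, so FD00:0:0:20:0:0:0:1
            # and fd00:0:0:20::1 compare equal.
            ips.add(ipaddress.ip_address(value))
    return dns_names, ips


def host_is_covered(host, san_text):
    """Name check as a TLS client does it: an IP literal is compared only
    with iPAddress entries, a hostname only with dNSName entries
    (exact match; wildcard names are not handled here)."""
    dns_names, ips = parse_san(san_text)
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return host.lower().rstrip(".") in dns_names


def audit_after_renumber(san_text, interface_ips):
    """Compare the certificate's IP entries with the addresses now configured."""
    _, cert_ips = parse_san(san_text)
    current = {ipaddress.ip_address(a) for a in interface_ips}
    return {
        "uncovered": sorted(str(a) for a in current - cert_ips),
        "stale": sorted(str(a) for a in cert_ips - current),
    }


if __name__ == "__main__":
    # Constructed scenario: one VLAN moved from 192.168.20.1 to 10.20.0.1.
    now = ["192.168.1.1", "10.20.0.1", "fd00:0:0:20::1"]
    print(audit_after_renumber(SAMPLE_SAN, now))
    print(host_is_covered("10.20.0.1", SAMPLE_SAN))
```

Addresses reported as "uncovered" are the ones where a browser pointed at the admin UI by IP would see a name mismatch until the certificate is regenerated.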

  10. #10
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,289


    Sure, I get the error on blocked sites, but at least the Admin GUI is at peace with me.
