Windows Re-Router Forum

[chuckjuhl]

This issue is what brought me to the forums. The re-router technology sounds like a good fit to many networks I manage. These networks generally have one server for domain and exchange services and a second server providing file services, Sharepoint services and Searchserver services. These are relatively small networks (under 25 users) at research facilities (quite a few sites). The current servers are dual Xeon with 4gb ram, 32-bit OS. The second server (file server) generally has low CPU utilization and plenty of available resources. It would seem that the rerouter technology would be a good fit and would allow us to eliminate a bunch of old Sonicwall appliances with expiring subscriptions.

Supporting the re-router technology on Windows Server OS's would seem to me to be very practical - especially given the move toward quad-core and dual quad-core processors in servers and the move toward server consolidation through virtualization.

Any insight on this issue will be greatly appreciated

[sky-knight]

This is one issue where I hope the Untangle engineers can prove me wrong. Windows 2003 and 2008 have more secure network stacks than XP. Both OS's boast improvements to protocol security along with Vista. It is going to be difficult to custom craft arp packets in these environments because of those changes.

The following article on raw sockets within XP Sp2 and Vista outlines some of the early changes in this regard. Things are actually more strict now within the User mode driver framework.

http://msdn.microsoft.com/en-us/library/ms740548.aspx

When you add in the other difficulties applied by the VMWare player... it is a very tall order.

At this point the best option I have for these environments is to use ESXi server, and a standard install. It takes some creative cabling but you can get a working Untangle within a VM operating on the same server. Granted, this solution does nothing for existing installations.

Again, I pray someone can pull it off. I've tried on my 2003 and 2008 SMB servers as well as my 2008 standard server and I can't get the darn thing to even see a network connection.

[jonathan.penrose]

If you have a server with the horsepower, we've found that things work fine with VMWare server and 2 dedicated NICS, especially for smallish networks.

This is, per my understanding, officially supported by Untangle?

We have done some testing with Xen and HyperV and are hoping for official support on HyperV.

[chuckjuhl]

If you have a server with the horsepower, we've found that things work fine with VMWare server and 2 dedicated NICS, especially for smallish networks.

Hmmm. Not such a practical solution IMO.

1. With 100+ sites in the US and UK, visiting each site to install a additional nic's is not practical or cost efficient. The Win version of unTangle with re-router can be installed remotely with very little assistance need by the on-site staff.
2. This would also require the purchase of 100+ VMWare server licenses. Again, not really practical in this situation.
3. This requires quite a bit more server resources than the Win version requires. the idea is to leverage existing underutilized resources.

I'll look into the difference between the network stacks in XP and server 2003, but off the top of my head, I can't see why that would be an unsurmountable problem. We use virtual VPN solutions (like Hamachi, Leaf Networks), on Server2003 boxes without issue.

I would be interested in knowing if this is really an issue with the network stacks, or if it is a permissions issue or something else altogether.

I have got it to work on a Server2003 test machine, but only when running the VMWare player in the foreground. and it seemed slow as heck. It took significantly longer for the workstations to access the internet when it was running.

Have any of the developers commented on this subject?

[jonathan.penrose]

Well, you have to make the call whether it is worth it, but like the core Untangle iso, VMWare Server is available free.

Keep in mind that the re-router technology only works in Windows XP for now. By the way, it uses VMWare Player for deployment.

We are going to be using this technology to provide instant network protection for our clients, while we build a dedicated box for them.

The threat level of web based infection has increased so dramatically this year that we are telling our clients that a solution like this is no longer an option, but a necessity.

Seems to me, at least, that the protection Untangle provides is well worth the cost of visiting the sites. :-)

[AxiomPartners]

We are hoping to use rerouter version as a sales tool only. Our testing has not proven the rerouter version to be completely stable. Even as a sales tool, it may not be stable enough. We are encounering issues with Internet access on the network within 24 hours of implementation. It seems to work fine at first. We have tested on various machines.

Restarting the XP box solves the issue temporarily. It is like something times out (no screen saver or power setting time out).

If someone can help get this working consistently, it would be appreciated.

[bratsadtar]

This is one issue where I hope the Untangle engineers can prove me wrong. Windows 2003 and 2008 have more secure network stacks than XP. Both OS's boast improvements to protocol security along with Vista. It is going to be difficult to custom craft arp packets in these environments because of those changes.

Security is something that is proven -not claimed. 2000/XP boasted claims too,time has proven that was wrong. Remembering back, the rumour was Microsoft just copied/used somebody elses, when they were released.

[sky-knight]

Ok fine, adjustments made to the networking stack in Vista/2003/2008 under Microsoft's "Trustworthy Computing" initiative are causing issues with Re-Router support on those platforms. These adjustments are meant to secure the system.

[lucidtek]

Using rerouter on a laptop on a wifi hotspot right now can lock the whole network up. If they get it working with wireless, you could actually highjack wifi traffic. Maybe that's why the new network stacks mess with ReRouter technology.

If one was to plug into a University network, or some other quasi-public Ethernet capable network, right now, in theory, couldn't they hijack the whole subnet? Yeah, I know that you're not supposed to allow admin privileges, etc, but all you have to do is bring your laptop, unplug the client, and if the network isn't really tight with the permissions, I can see this being at least a nuisance.

Does anyone else see ReRouter as a potential misused tool?

[sky-knight]

Oh yes if you do a look there are several rants on the subject from myself. And, there are more from others as well.

Also, the product doesn't work on wireless adapters thanks to the wireless drivers not liking the bridging done by VMWare. Or, perhaps this is an intentional limitation in the VMWare player to prevent this sort of thing.

The entire system runs on a hack. And the fact that it is even possible is highlighting a fundamental security issue ethernetworks have had for years.