  1. #1
    Newbie
    Join Date
    Sep 2007
    Posts
    10

    Needs some features before it's really ready

    I have been on the forums, tinkered with the box, and talked to tech support and have the following problems. All in all it is a very nice product and hopefully addresses these issues but until then it just isn't really ready. It is just too inflexible.

    1. Administrative Control - I have seen this touched on in a few places and it seems like it may be addressed. It would be really nice to have more fine grained control over a number of aspects. Spam filtering, spam learning, dhcp settings, routing, filtering, etc.

    2. DNS/Split DNS - It would be nice if this ran a full fledged DNS service. Let the user choose if they want to host zones or only do forwarding. The really nice one would be if split DNS was enabled the same way Sidewinder does.

    3. SMTP - Same deal, as I understand the only way to use this is a transparent proxy. I would rather see this being able to be used as a full fledged SMTP server for small/home business and a true SMTP relay for larger environments.

    4. HTTP/HTTPS - Running the management tools on nonstandard ports would be better so it is possible to run a web server on the device itself. Again this would primarily be small/home business use.

    5. VPN - I don't even know where to begin on this. No IPSec so my only option is to tell every other site that I need to connect with to ditch their expensive enterprise gear from Cisco or Sidewinder and buy Untangle so we can build secure tunnels. That is a quick way to get yourself laughed right out of a business deal. I was also told there is no VPN passthrough so not only can I not put a normal IPSec device behind it, I can't use VPN clients to connect to other sites.

    The VPN structure alone pretty much excludes it from any real larger or enterprise functions and the lack of fine control is going to turn away places that have real IT administrators around. The lack of flexibility in consolidation of services moves it out of the home/small business where the lack of control isn't so much of an issue. So it really can only serve a very small subset of business needs. The product definitely seems like a good start, but it needs some work to be able to be very functional outside of a very small scope of networking needs.

  2. #2
    Untangle Ninja gotkimchi's Avatar
    Join Date
    Jan 2007
    Location
    Bay Area
    Posts
    2,106

    dragonbyte, thanks for taking the time to evaluate the Untangle. Sorry that we didn't meet or exceed all your expectations.

    1) Untangle does provide full shell access to your box. You can enable this feature by directly connecting a monitor, keyboard and mouse to your box and setting the root password. Then you will need to enable support via the config tab, and then support.

    2) Currently we offer DNS forwarding.

    3) Some users are integrating other apps with Untangle. As we go forward, email services might be an add-on service module, or people in the open source community might spin off and make their own. No limitations.

    4) You can change the admin port by going to the config tab, remote admin, then access.

    5) IPsec pass through is coming in 5.1. Also, the target market loves our VPN solution because it is easy to deploy. Many of our users tell us horror stories about setting up IPsec with major vendors that end in "o"
    to be understood, you must first understand. :)
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja hescominsoon's Avatar
    Join Date
    Sep 2007
    Posts
    1,704

    Quote: Originally posted by gotkimchi
    dragonbyte, thanks for taking the time to evaluate the Untangle. Sorry that we didn't meet or exceed all your expectations.

    1) Untangle does provide full shell access to your box. You can enable this feature by directly connecting a monitor, keyboard and mouse to your box and setting the root password. Then you will need to enable support via the config tab, and then support.

    2) Currently we offer DNS forwarding.

    3) Some users are integrating other apps with Untangle. As we go forward, email services might be an add-on service module, or people in the open source community might spin off and make their own. No limitations.

    4) You can change the admin port by going to the config tab, remote admin, then access.

    5) IPsec pass through is coming in 5.1. Also, the target market loves our VPN solution because it is easy to deploy. Many of our users tell us horror stories about setting up IPsec with major vendors that end in "o"
    IPSEC is a PITA no matter what. SSL VPNs are where it's at and are steadily taking over from IPSEC.

  4. #4
    Newbie
    Join Date
    Sep 2007
    Posts
    10

    1. I poked around here but it seemed like it wasn't using the standard configs. I specifically was looking at DHCP, DNS, and SpamAssassin. Is there a better place to do detailed administrative things for the Untangle portion rather than the standard /etc configs? Can you change the spam learning thresholds for example?

    2. I was told that DNS is too intensive of a service to run on the untangle box without it setting off attack detection. This makes me very nervous about using the attack detection at all if it is that sensitive. Sidewinders utilize strikeback as attack detection/response but are designed to run single or split DNS.

    3. It looks like it has exim4 running on the system so it can send emails, best as I can tell it shouldn't be too much of a nightmare to change the configs to act as a smtp host and then toss a pop3 daemon on there. I just couldn't get a solid answer on how the untangle portion would handle it. Single or Split smtp would be a great feature.

    4. This I may have missed but I tinkered with this and only saw a way to change the SSL port, and not get it to stop listening on 80 to move it out of the way for Apache or something. Did I just overlook a setting?

    5. I personally haven't had many problems getting IPSec tunnels to work, and have better luck with that 'o' vendor than most of the oddball vendors out there. I'm not going to say SSL is better or worse, just that not having the IPSec option makes it a REALLY tough sell given that everyone else is using IPSec and we can't just tell them all to go buy a new product. IPSec passthrough will certainly make it better for business use, but it would still be really nice to terminate IPSec tunnels on the untangle box.

    I think overall it is a really neat product, but the IPSec passthrough thing is the nail in the coffin for me. With the exception of the port 80 thing (unless I just missed a setting) the rest of it seems reasonably easy to fix just digging in and tinkering enough. The problem is I am trying to reduce the workload in deploying that type of setup.

  5. #5
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,752

    dragonbyte,

    I'll respond to a few items from your post. We do DNS forwarding currently, and the Untangle box is currently designed to operate on a dedicated machine. In the future, this could change. Anything that is legitimate traffic that is noted by the attack blocker can be defined as an exclusion, so that its functionality is not impacted by attack blocker. Sensitivity of the attack blocker is a relative term. All traffic is considered, and attack blocker will attempt to "tame" anything that stands out far above the average of all traffic.

    As far as remote admin, you can change the SSL port from 443 to anything you want that is reasonable, but you already know that. It is always enabled on the internal network and can be set up to be enabled externally. You can disallow standard HTTP remote admin (port 80) from inside your firewall so that port 80 can be used for internal web servers. Web servers that are accessible from the outside can still come in on port 80 and be redirected via the Untangle router.

    IPSec passthrough is coming.

  6. #6
    Newbie
    Join Date
    Sep 2007
    Posts
    10

    I guess the real killer for me is the VPN issue and the dedicated system part. If Untangle was a standalone piece it would make it a great deal more flexible. VPN passthrough fixes the biggest problem, but it would still be nice to terminate site to site IPSec on the Untangle system.

    It looks really nice and I would love to use it and deploy it for others, but those main things are what cause the biggest problems.

    What is the timeframe on VPN passthrough?

  7. #7
    Master Untangler richie's Avatar
    Join Date
    Apr 2007
    Posts
    391

    Heya dragonbyte,
    next release is slated for the end of the year / early next year.

  8. #8
    Untanglit
    Join Date
    Nov 2007
    Posts
    17

    I agree with dragonbyte

    I have deployed just about every vendor of firewall/router from the cheapo OTS boxes up to the "o" vendor.

    The VPN Passthrough issue/IPSEC endpoint is a biggie for me as well. Supporting about 15 remote offices in 7 different companies I use the point to point and client to point VPN all the time.

    Untangle has some great features... as a SPAM filter it has surpassed expectations. Would be nice to have some granular control over the rulesets. I also couldn't find a whitelist section for the spam filter, probably just me though.

    Untangle is very simple to set up and configure for the average user but geeks like to go the extra step.

    Any ideas on when we can expect the new version with pass through?
    kenderkin

  9. #9
    Untangle Ninja gotkimchi's Avatar
    Join Date
    Jan 2007
    Location
    Bay Area
    Posts
    2,106

    5.1 will have the pass through mode. As for whitelist, go to config tab, email, from safelist, and you have global and per user safelist.

  10. #10
    Newbie
    Join Date
    Jan 2008
    Posts
    1

    First of all, I would like to express my admiration for the job the developers of Untangle have done, but I have to agree with dragonbyte - without IPSec support your firewall is not Enterprise ready. Even SMBs need it. I would have used your firewall a year ago, if it had IPSec VPN. I'm using both OpenVPN and IPSec. I don't know who told you horror stories about IPSec, but I did not have any problems with it, it is *ROCK* solid in Linux. IPSec tunnels require extra effort during the initial setup, but after that I never touch them again. I have tunnels with CheckPoint, Cisco, Netgear, Sonicwall, SnapGear, Astaro, m0n0wall. I'm using OpenVPN for mobile users where it is possible, it is a great VPN, extremely reliable and easy to set up. I would use OpenVPN for network to network VPNs too, if it were my choice, but most of the sites already have infrastructure in place and I have no choice but to be compatible with it and use IPSec.
    Guys, you have a really good product, it is so close to being a real "killer", but without IPSec it cannot be used in most businesses. IPSec passthrough is a very lame solution. You just have to have IPSec support on the firewall! Please!! I'm sure that if IPCop can do it, then you guys can do it too.
