  1. #1
    Newbie
    Join Date
    Nov 2018
    Posts
    4

    Replacing Transparent ASA5505

    I have a large (/22) allocation of public IPs. Since I have so many, NAT'ing is unnecessary and only adds complexity. I have a VMWare server that hosts ~50 VMs from my public IP range. In order to get the IP space into my VM Server, I have two VLANs:

    50 - Outside
    60 - Inside

    I use a Cisco ASA in transparent mode between the two VLANs. This solution has worked great for a couple of years, but the ASAs are getting long in the tooth and I'd like to replace it with a software solution.

    Enter untangle, which I have installed in transparent bridge mode with the firewall app to accommodate my goal. However, I cannot seem to get untangle to function like the ASA does. I've googled and read numerous posts on transparent mode config and setups, and no combination of what I've read has really helped.

    The closest I've been able to get was this afternoon where I was able to ping a vm, but that was only after putting the vswitch in promiscuous mode (based upon a post I read). When doing that, it seemed as if I could access anything and everything, which is undesirable.

    My expectation is that I would put rules in the firewall module between the external and internal interfaces similar to what I have in my ASA.

    Any thoughts? Happy to provide more info as needed.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767


    You will never get the Untangle to function like the ASA, because it simply cannot. That isn't to say it can't be used as an effective replacement.

    You need Untangle to have an interface on the Outside VLAN, and the Inside vSwitch VLAN. Untangle needs an IP address on external that works on that Outside VLAN with full Internet connectivity. Untangle then bridges the inside VLAN to outside.

    Now, word of warning... there are a BUCKET of moving parts here.

    I suggest terminating the VLANs on VMWare and NOT passing tags to Untangle if you can help it, because that's just more complexity.
    You're going to need to ensure that promiscuous mode is allowed on both vSwitches. You also may need to enable forged transmits on both switches.

    If you get all that lined up, it'll work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Nov 2018
    Posts
    4


    Currently the External interface sits on VLAN50 and the internal sits on VLAN60. Since UT is a VM, both interfaces currently land in the same vswitch. As mentioned, I'm able to ping when the vswitch is in promiscuous mode, but from what I can tell, it seems like it's an ip any any situation. Even with no rules in the FW, I can ssh into a box sitting on VLAN60. I even put in a deny any rule between the two interfaces but no joy.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767


    Of course it does, because you plugged a switch into itself.

    You MUST use two vSwitches. As I said, terminate the VLANs on vSphere, that way Untangle is managing untagged packets. Otherwise, you've got untagged interfaces disabled under tagged interfaces, and if you screw up anything, and I mean ANYTHING in Untangle or VMWare's configuration BOOM goes your network.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Nov 2018
    Posts
    4


    I'm perceiving a little condescension in your response. I hope that I'm mistaken. I'm not new to networking, in fact I work as a Senior Network Engineer for a Global Pharma Company. What I'm hoping to find here is some constructive help toward understanding the untangle product and what's going on under the covers. Keeping in mind that with the ASA solution in place, the entire solution works great and has for 2+ years.

    The two VLANs are trunked into ESXI from a Cisco 3750 stack. So they do "terminate on VSphere," albeit on the same vswitch. I have no problem creating a new vswitch if that's the answer to my problem. However, this re-architecting was unneeded with the ASA in place. So it's the fundamental differences between the two solutions that I'm trying to figure out.

    Thank you for your input thus far. It is appreciated.

    I
    What switches are plugged into themselves?

  6. #6
    Master Untangler CMcNaughton's Avatar
    Join Date
    Feb 2015
    Location
    Denver, CO
    Posts
    108


    Sky-Knight is correct (as usual), and I don't think he was being condescending - just emphasizing some key points in his statements. In my experience (and something I tell all our customers/resellers who come from Cisco during on-boarding), the first thing you need to do coming from Cisco to Untangle is forget completely about trying to do an "apples to apples" switch from an ASA - this will be an "apples to bananas" scenario, tbph, because Untangle is an extremely different kind of device. 1) We're not a stateful firewall... 2) In transparent bridge mode, we will fail closed, 3) You're virtualizing a VLAN, in transparent bridge mode. This is just about our #1 least-recommended scenario for Untangle.

    You've got a pretty touchy setup there, so like Rob said, it can work (we have a lot of customers doing this) with the proper config, but any changes/failures will result in loss of network connectivity, as we're not a true "bridge".

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767


    If you take a peek at your logs on the Cisco you're likely to find Spanning Tree going absolutely nuts. That's due to the switch loop, because while logically this can work the way you've described, somewhere along the line it isn't. And where exactly is the fault? Is it in Untangle's configuration? The Cisco? VMWare? This is a hugely complex configuration, it's possible but it takes solid expertise on all three platforms to execute.

    That's why I suggested you simplify things. But, if VMWare is trunked into your core switches that might not be possible. But, I do still suggest that VMWare handle all the tagging, you shouldn't have a VLAN enabled NIC on Untangle at all. That's just more confusion, because you wind up with disabled NICs with child NICs that handle the tags.

    To make matters worse, as CMcNaughton points out Untangle isn't a true bridge. No Linux based bridge is, Linux broutes... So Untangle even as a bridge needs a complete routing table. And in certain circumstances will actually route packets too. Though, this would only be an issue if you were trying to get an IP range to transit the bridge, that wasn't present on the bridge to start with.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
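    The two-vSwitch layout Rob describes across his replies (VLANs terminated on vSphere, Untangle on untagged port groups, promiscuous mode and forged transmits allowed), as an added example that is not from the thread. It is an ESXi host-side esxcli script; the uplink names vmnic1/vmnic2 and the vSwitch and port-group names are constructed, and it only prints the commands unless DRY_RUN=0.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Builds one vSwitch per side so the two
    # Untangle NICs never share a switch, terminates VLAN 50/60 on the port groups
    # so Untangle sees untagged frames, and allows promiscuous mode and forged
    # transmits only on the port groups Untangle uses (the other VMs' port group
    # keeps the default Reject, so no other guest can sniff the VLAN).
    # Assumed/constructed: vmnic1 and vmnic2 uplinks, all switch and group names.
    DRY_RUN="${DRY_RUN:-1}"

    # Print the command in dry-run mode, execute it otherwise.
    run() {
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s\n' "$*"
        else
            "$@"
        fi
    }

    # add_vswitch <vswitch> <uplink>: new standard vSwitch with one physical uplink.
    add_vswitch() {
        run esxcli network vswitch standard add --vswitch-name="$1"
        run esxcli network vswitch standard uplink add --vswitch-name="$1" --uplink-name="$2"
    }

    # add_portgroup <vswitch> <portgroup> <vlan>: port group tagged on the host side.
    add_portgroup() {
        run esxcli network vswitch standard portgroup add --vswitch-name="$1" --portgroup-name="$2"
        run esxcli network vswitch standard portgroup set --portgroup-name="$2" --vlan-id="$3"
    }

    # allow_bridging <portgroup>: a bridging guest receives frames for other MACs
    # (promiscuous) and sends frames with other MACs (forged transmits/MAC change).
    allow_bridging() {
        run esxcli network vswitch standard portgroup policy security set --portgroup-name="$1" \
            --allow-promiscuous=true --allow-forged-transmits=true --allow-mac-change=true
    }

    build_bridge_layout() {
        add_vswitch vSwitch-Outside vmnic1
        add_portgroup vSwitch-Outside Outside-Untangle 50   # Untangle external NIC
        allow_bridging Outside-Untangle
        add_vswitch vSwitch-Inside vmnic2
        add_portgroup vSwitch-Inside Inside-Untangle 60     # Untangle internal NIC
        allow_bridging Inside-Untangle
        add_portgroup vSwitch-Inside Inside 60              # the ~50 hosted VMs
    }

    build_bridge_layout
    ```
    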

  8. #8
    Newbie
    Join Date
    Nov 2018
    Posts
    4


    First off thank you to the both of you.

    I do think there are some assumptions about my configuration that are not accurate, and if that's as a result of my miscommunication, then I apologize. I do not have interfaces tagged in Untangle. They are connected to the same vswitch where each port group is tagged going into the vswitch. The physical uplinks are trunked to my core switch.

    The ASA connects physically to the core switch as well with an interface on VLAN50 and VLAN60. However, those are access ports, not trunk ports, so no tagging is taking place on the ASA either.

    There are no spanning tree errors in the core switch log as I am not tagging in untangle.

    So thus far, you've given me a few good nuggets to help me along. However, some of the comments have also made me think about reconsidering UT as a solution in this case.

    That being said, any further advice is appreciated and as previously stated, I'm happy to share additional info regarding my config if that will help.

    Thank you.
