mDNS (external)

[datstma]

To update you would need to monitor for updates and wget the newer versions and install them manually. Keep copies of your config files too. Then check after any upgrades. Not really that hard.

And unless you have a commercial subscription working on the command line is no longer a threat. You don't have support anyway.

I agree, however, lazy me uses ansible, so it's not that much to maintain. And there's no need to monitor for newer versions, only thing that could mess the "old"-ones up would be if Untangle's next version should have an upgrade, non-backward compatible libc -core-package. But, since Debian's distro's are basically always backward compatible linking-level (ldd), I can't remember when if I ever had that problem. But I appreciate your concern, thank you! :-)

[jcoffin]

Well, actually what I said was the the two packages downloaded from Debian's official Buster repo gets their dependencies satisfied with the packages that are in your Untangle repo. :-)

You literally said it was from our repo which is incorrect as Untangle repo is a subset of Debian.

It's just two packages using Untangles own "distro" dependencies

You do perhaps realize that this rather pointless discussion wouldn't have to exists if you guys at Untangle invested some quality working hours in adding the features that your paying customers has been asking for... for many years... just sayin ;-)

We prioritize features implemented based on the greatest need. Everyone thinks their need should be a priority.

[datstma]

You literally said it was from our repo which is incorrect as Untangle repo is a subset of Debian.

We prioritize features implemented based on the greatest need. Everyone thinks their need should be a priority.

I realize, that you are trying to "win an argument". Please don't condescend your other customers needs in public, it's bad PR. Next time, say something like "we value your opinion and will take into consideration". And once again, read what I actually wrote, again... I wrote (as you quoted btw) "...packages using Untangles own "distro" dependencies". The word "literally" actually means that you interpreted it word for word, which you for some strange reason then decided not to do. The packages, i.e. the two downloaded ones, has dependencies. These dependencies are managed by the package manager called APT. When installing the two packages (that you downloaded) the package manager (APT) checks which dependencies the two packages has, it then checks with its own repository cache (i.e. Untangle's repo) and finds out that the dependencies can be satisfied by packages available in the Untangle repo. Yes, I'm over-explaining ;-)

Now, the "clever" response from you next should be -"we value your opinion and will take into consideration" ;-)

Cheers!

[jcoffin]

Actually I'm not trying to "win", I'm just clarifying for other forum readers that this is a mod and it may have upgrade issues in the future. Have a great weekend.

[some dude]

We prioritize features implemented based on the greatest need. Everyone thinks their need should be a priority.

The request for a mDNS reflector is currently the 4th highest ranked item in the Untangle NG Firewall Feature Requests List.

As of today, it has 566 votes. Many of the comments (mine included) are requesting the Untangle product management team to provide the community with a better response on both IF as well as WHEN this feature will be implemented as a supported feature. Currently, the tag is simply "Under Consideration", this is a non-answer. The request has been up since August 2018, how much longer do you need to "consider"?

Please ask your product management team to provide the community (minimally) with a "Date for a Date", meaning "a date when we will have a more definitive answer about IF and if so WHEN this feature is planned for inclusion in Untangle Firewall NG". If that's not possible at this time, how about a "date for a date for a date", you can see where I'm going.

Based on my own research before purchasing a Home Protect Basic license, as well as the specific comments on this feature request, your main competitors in this space all include support for an mDNS reflector:
- pfSense / OpnSense
- Sophos UTM
- Ubiquiti UDM / EdgeRouter / USG

This is a feature that is absolutely necessary for the seamless function of modern networks in many small/medium business as well as home use cases. Every day that passes, more and more IOT devices are being installed in our networks, ease of use is one of the many reasons why this is the case. mDNS is a big part of why these devices achieve the ease of use that is resulting in their market success.

That same ease of use is the reason why many of us have chosen to put Untangle NG Firewall at the center of our network security.

The fact remains that these IOT devices should be isolated in separate VLANS (which Untangle supports quite easily) except without the mDNS reflector service many of the key use cases for these devices are flat broken.

For your users that are unwilling to forego either the IOT devices entirely, or the ease-of-use that mDNS affords when used with these devices, we have three choices:
1. Abandon Untangle NG Home Protect entirely and switch to a competing platform that has prioritized support for an mDNS reflector, based on their customer need (which many of us also have, just look at your own feature request list).
2. The solution described in this thread: manually add the mDNS reflector service at the Untangle OS shell, in a manner that you correctly state is not supported by Untangle. That said, many of your Home Protect Basic users don't have direct support from Untangle as that is a non-trivial additional expense.
3. Run the mDNS reflector externally from Untangle in a VM or on a lightweight appliance such as a rPI.

For option 1, you've lost a customer (you are already driving away potential customers to other solutions by not supporting this feature).
For options 2 and 3, your users end up taking on an additional setup and maintenance burden that we don't have with competing solutions.

So, how about it, can the Untangle Product Management team please give the community more feedback on this highly requested (and highly needed) feature other than "under consideration" and "we prioritize features on the greatest need".

I'm a relatively new customer (just a few months), this is my first forum post, I love Untangle, it has been rock solid and I've barely scratched the surface of what it can do. I'm in the process of implementing VLANS, which is the reason why I searched for this solution, so I can continue using my AppleTV, HomeKit, ChromeCast and other IOT devices seamlessly as well as securely.

[Armshouse]

@Some Dude: First of all, welcome to the forums! Before I reply, just want to make it known that I'm a home user too, I don't resell Untangle into businesses or anything like that. I'm not a network engineer either, so forgive or point out any errors!

The request for a mDNS reflector is currently the 4th highest ranked item in the Untangle NG Firewall Feature Requests List.

As of today, it has 566 votes. Many of the comments (mine included) are requesting the Untangle product management team to provide the community with a better response on both IF as well as WHEN this feature will be implemented as a supported feature. Currently, the tag is simply "Under Consideration", this is a non-answer. The request has been up since August 2018, how much longer do you need to "consider"?

I hear your frustration, but maybe the fact that request has been on the list since 2018 without being added is all the answer you need? That's not to say that Untangle shouldn't just say "It's never gonna happen" if that's the case, but the truth is that it might... someday - who knows.

What we need to remember is that Untangle's overwhelming customer base is enterprise and education. So their time is probably being spent working on things that those customers want to see in the product. I should imagine that customers like that (who are spending thousands on licences) have a direct line into the ear of an account manager or real person at Untangle. Perhaps the feature request list is not the only way that what gets done soonest is decided? Just because something is number one, two, three or four on the list, it doesn't mean that it's actually anywhere near being the top on the list of things to do. But yes... to anyone who is interested in those features, Untangle could do a better job of sharing their plans. Do they do a worse job of that than any other company who lets you submit feature requests? I don't know. I'm also not saying that home users don't matter; just that most companies will probably focus on what the majority of their users are asking for - and I don't think Untangle's home users are their majority. To be honest though, if I had to choose, I'd rather Untangle focused on features and improvements that made my network as secure as possible - the kind of features that enterprise customers want in their NGFW.

If you want to stick IoT devices into a separate VLAN (I've done that too...) then you're kinda saying that putting those devices in their own broadcast domain is a good way to go. If you then realise that now they don't work as intended and you look for a technology to essentially break the separation you put in place, then maybe a VLAN isn't the best answer for those devices? If you're worried about them being attacked and accessing the rest of the devices on that network, then a VLAN is not the only option you've got to stop that.

Based on my own research before purchasing a Home Protect Basic license, as well as the specific comments on this feature request, your main competitors in this space all include support for an mDNS reflector:
- pfSense / OpnSense
- Sophos UTM
- Ubiquiti UDM / EdgeRouter / USG

In my humble opinion, Untangle beats all of those on the factors that matter in an NGFW way more than mDNS support; so if that's the price I have to pay, so be it. Deep down, that's probably why you went with Untangle too, but sure... there's always room for improvement.

This is a feature that is absolutely necessary for the seamless function of modern networks in many small/medium business as well as home use cases. Every day that passes, more and more IOT devices are being installed in our networks, ease of use is one of the many reasons why this is the case. mDNS is a big part of why these devices achieve the ease of use that is resulting in their market success.

Indeed. And I too had the same grief trying to get certain IoT devices to play nice over VLANs. I wanted to see how the pros do it and I reached out to a few of my colleagues that install high-end home cinema/automation systems etc. The answer was basically if something needs to be controlled from within a VLAN, then they provide a means of doing that from within the VLAN. So that might be a dedicated control/touchpad, dedicated PCs or rPIs etc etc. mDNS works fine and is easy, convenient in a home setup, but it's considered a workaround.

...ease of use is the reason why many of us have chosen to put Untangle NG Firewall at the center of our network security.

The funny thing is, "ease of use", "plug and play", "user-friendly" etc, etc are typically the things that go hand-in-hand with something being less secure. As you've seen... Security tends to get in the way of things "just working".

The fact remains that these IOT devices should be isolated in separate VLANS (which Untangle supports quite easily) except without the mDNS reflector service many of the key use cases for these devices are flat broken.

Should they be in their own VLAN? Im not attacking you here... Like I said, I've done the same with my IoT devices. I only have one (ChromeCast) that is useless if not in with my trusted devices, but it's not hard to lock that down. Since you mention "the key use cases for these devices" I think it's fair to say that use case was probably never intended to be across VLANs and if it was, then many like Amazon, Philips, Ubiquity have figured out how to make their apps work by essentially going out and in again.

As I said earlier; Untangle could probably do a better job of keeping the wider community in the loop. And you're right, people can vote with their feet and their dollars too. But in all honesty, if you're looking for a grown-up security product that gives you everything Untangle does, in the way that it does it, (and crucially) at that price - you'd be hard-pressed to find somewhere better to spend those dollars - mDNS or not.

[sky-knight]

mDNS is actively removed from all of my networks, as it has zero place on any of them... it represents a HUGE security fault, and is actually designed to be abused. I have similar issues with uPnP. Since Untangle is a security product, implementing it must be done extremely carefully, lest Untangle be blamed for a poor configuration down the line.

How about demanding IoT devices that are actually maturely designed and don't need to rely on broken, easily exploited technology? Google is a huge offender here, ChromeCast specifically is HORRIFIC. You'd think a company that runs networks as large as Google's would know how to engineer things properly... sadly they very much don't.

Also, don't get me started on the products you listed as alternatives... We'll be here until doomsday.

Finally, Armshouse is correct. Untangle prioritizes features that get them paid, that means they focus on education, then corporate needs. Home users are an afterthought, a marginal customer base. Untangle does seem to be angling to support them more though, but Untangle also has historically had limited resources. So I guess we'll see how the next decade goes. But, and I'll be more blunt... it all boils down to how much Untangle can EARN while selling Home subscriptions. Even the mere potential of earning, will drive investment. Does it exist? I have no idea... I can tell you my own attempts to monetize that entire market have met with nothing but dismal failure.

[cholzer]

mDNS is actively removed from all of my networks, as it has zero place on any of them... it represents a HUGE security fault, and is actually designed to be abused. I have similar issues with uPnP. Since Untangle is a security product, implementing it must be done extremely carefully, lest Untangle be blamed for a poor configuration down the line.

In a corporate network, the IT department might be able to ban IoT devices (or manage them in a secure way that requires a lot of manual work so that they can still do their job) - but that does not work for home networks where a "mostly secure, home user friendly" solution is needed.

Maybe IT professionals simply don't care about those of us who use Untangle in a home network, but let's not forget that Untangle is actively licensed and advertised for home use - there are 2 different Home subscription plans now.

So since we cannot avoid IoT devices in at least one environment that is supported by Untangle, putting IoT devices on a separate VLAN + mDNS at least seems "more secure" than not doing that, right?

So unless you have a better idea I do think that Untangle should finally add that highly requested feature (among many others).

Also this is an honest question, if there is a better solution I want to know about it because I want to move the IoT devices in my home onto a separate VLAN while not breaking/degrading the user experience / their function.

[sky-knight]

Actually... it isn't "supported by Untangle".

It's SOLD by Untangle, but support specifically is booted to these forums. Where people like me help with volunteer time.

This is semantics, but it's very important to understand. I don't speak for Untangle, but I will reiterate... they're going to invest in changes that are likely to get them paid more. That means more attention to larger customers than smaller ones... UNLESS the home sub becomes so absurdly popular it cannot be ignored. It's a high volume, low margin product! If the volume gets high enough, you'll see investment made!

I just just once again reiterate, it's not easy to get that volume.

[donhwyo]

If the volume gets high enough, you'll see investment made!

I just just once again reiterate, it's not easy to get that volume.

As far as I can tell there is no marketing effort to home users. Without marketing it will never grow. Word of mouth is all I have ever seen for untangle, home or otherwise. Well other than their junk mail. lol