  1. #1
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Untangle disappointment no ipsec or HA.

    There are two major features missing from untangle which make it impossible for me to recommend it: those are ipsec support and clustering. These features are available on m0n0wall, pfsense, and other open source competitors.

    IPSEC: this is the de facto standard right now for site to site vpn connections. Currently I cannot connect an untangle firewall to a cisco asa/pix, a sonic wall, a watchguard, or a checkpoint. These constitute the vast majority of business installations. OPENSSL is great but it's not widely supported. Open source should be about interoperability and open standards. Currently I can't even install untangle for a remote user looking for a package with a site to site vpn to work. Years ago I had to build some linux firewalls because I had no budget, manipulating iptables and openswan isn't rocket science.


    HA. This is also supported by the majority of distributions and for good reason. Using commodity hardware has its drawbacks in terms of the reliability of equipment. We aren't talking about nonvolatile flash here, and highly engineered power supplies. We are talking about entry level motherboards (dual core atoms), mechanical hard drives, and power supplies. VRRP and CARP are well understood protocols. You already have a mechanism to backup configs, presumably this can be used to restore a config onto a second piece of equipment. A more elegant solution using drbd or similar should also be possible. I really don't care about the state table, I just don't want no internet for 10 hours, while I spin up another untangle box.

    Today I looked through the forum. Posts requesting these features go back years. They have been ignored, and I think it's totally embarrassing. Honestly I don't care how good the applications are. I don't care what nice new whistle you want to add. These features are absolutely critical. You can say that you are targeting small businesses, that's fine (but these are the features they are looking for). These are the features they have regularly asked for. They are not terribly difficult to implement, and they should be made a real priority.
    Sorry for the rant

  2. #2
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,362


    Thanks for the rant. I'm glad your very first contribution to this community is this. Thanks for that.

    Yes, we have been asking for these features for a while, and no, they have not been implemented as of yet, but good things are coming. Sooner than later. I echo your passion for IPSEC and HA, but the reality is that the devs have to keep the wide base of users happy, and HA especially, doesn't cater well to small business.

    I've tried openswan and strongswan integration. It's easy to install and get going, the problem is routing the tunnel through the UVM, which is a nightmare. Configuring a gui is also a nightmare. If it's so easy, take a crack at it and let us know if you have any success. I'm more than willing to help you test and troubleshoot along the way.

    As for HA, I have my own ideas that I am not going to share here, but if you'd like to talk about it my # is at the bottom of the post.
    www.nexgenappliances.com
    Toll Free: 866-794-8879
    UNTANGLE STAR PARTNER
    Follow us at spiceworks!

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482


    Thanks Jim, that needed said. And I simply want to add, you aren't standing alone.

    Untangle is the definitive UVM on the market. Not because of the product, but because of the people that are supporting it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Quote Originally Posted by dell4242 View Post
    They are not terribly difficult to implement
    Great! I look forward to merging your patch.

    In all honesty, if you're looking for HA and IPSec, there are likely better options than untangle for your organization anyway.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482


    HA can be achieved currently by placing Untangle within a VMWare cloud. There are also pass-through interface options that can be used as well.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,371


    I believe we need a sub forum:
    Why Untangle is not what I want.
    The world is divided into 10 kinds of people, who know binary and those not

  7. #7
    Master Untangler
    Join Date
    May 2008
    Location
    Bryan, TX
    Posts
    260


    Quote Originally Posted by dwasserman View Post
    I believe we need a sub forum:
    Why Untangle is not what I want.
    Or a Wiki entry like this.
    http://devwiki.pfsense.org/WhypfSenseSucks

  8. #8
    Untangle Ninja YeOldeStonecat's Avatar
    Join Date
    Aug 2007
    Posts
    1,565


    Quote Originally Posted by Coldfirex View Post
    This longtime complaint always cracked me up...
    "PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet. Fix in progress for 2.0. "

    First, it's been addressed for quite a while now.
    Second, I can't think of many...any for that matter..places where several people on the same LAN will do a PPTP out to the same destination server via PPTP DUN. If several people at location 1 need a connection to location 2 that much...do it right, set up a full time router to router tunnel.

    Back on topic..to the OP...for a first post, why not put this post in the correct forum..."Feedback", eh? Instead of in the "installation" forum..which quite frankly a lack of a feature or two has absolutely nothing to do with. I agree with wanting IPSec...over the past two years I've expressed the need for this so we can utilize Untangle at existing SMB clients of ours. High Avail I really don't see much of a need for, Untangle is aimed at SMB, not enterprise. Reliability and uptime is up to you and how you implement it, quality of the hardware that you use for it, and what you put in place for backup.
    Last edited by YeOldeStonecat; 08-05-2010 at 06:13 AM.

  9. #9
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Making friends on the internets

    Thanks for all the answers.
    Apparently I've made a lot of people happy.

    If you don't like where this is in your forum, please feel free to move the thread, or even remove it.

    To be honest I'd love to recommend your product. The features are great but not having ipsec support means I can't implement it anywhere. I think it's a cop out to say you are only going for small businesses. Small businesses need these features.

    If you had these features locked down, you would have a much broader base. In general it sounds like no one disagrees with this, in principle. No one has said ipsec is worthless, or not worth doing, rather that it's been difficult to pass this through the uvm. In fairness I have no experience with the uvm, just iptables. Out of curiosity, how did you pass openssl through the uvm for site to site connections? Could this be mirrored for open swan?

    It's true that you can put this on a vmware Cluster, but this assumes that you feel comfortable running a firewall on a virtualized environment, and have made a significant investment into a san, vmware with ha, and virtual center. This doesn't sound like a small business environment to me. No matter how hardened you think vmware is, I personally wouldn't run a firewall on vmware in a production environment. I don't want vmware interfaces on the public internet at all. I want a dedicated firewall.

    Currently the only way I would consider putting this into the environments I work with would be as a transparent bridge with a bypass card. It looks like that's the current way people are implementing it, with pfsense or similar on the front end. I don't think pfsense should be in the equation personally.

    As far as ha goes, there are a number of products aimed at smbs that have this, probably the majority. Even at the entry level the asa 5505 can do this with the security plus license. Do you know of any hardware that you can currently put your product on that's more reliable than an asa? They start at $350. I support hundreds of these and the failure rate is as close to zero as you can get (I can't remember a hardware failure). I don't have to shut them down to change a hard drive or a fan, they just run. Still customers buy ha (even smaller customers). Why do you think that is?

    If you are running untangle as a router/firewall it's your primary life line to the internet. It goes down so does email, remote sites, remote access. You're totally sol. How many customers do you have that would take this risk?

    Honestly I'm not trying to start a flame war here. I'm just stating my experience. IMO this is why people aren't recommending your products. This is why they can't implement untangle, or even consider it. If these two features were there, you would have a lot more potential customers. If you don't want companies with these requirements to consider your products, I apologize for trying to bring it to your attention.

    thanks

  10. #10
    Master Untangler SMR's Avatar
    Join Date
    Feb 2010
    Location
    Iowa, United States
    Posts
    201


    Quote Originally Posted by dell4242 View Post
    Thanks for all the answers.


    Honestly I'm not trying to start a flame war here. I'm just stating my experience. IMO this is why people aren't recommending your products. This is why they can't implement untangle, or even consider it. If these two features were there, you would have a lot more potential customers. If you don't want companies with these requirements to consider your products, I apologize for trying to bring it to your attention.

    thanks
    I recommend Untangle as often as I possibly can. For those that require HA, have a cold spare, (Every small business I know can survive without the internet for 10-15 minutes if necessary and... wait for it... Untangle is for SMB!). If you need IPSEC, put it on another machine behind the UTM. Untangle seems to exceed very well in the things that it does do. The things that it doesn't do, well... it may suck but it doesn't mean you can't get around it. Using programs to complement each other rather than putting them all in one basket is something that makes it far easier for me to sleep at night anyway.

    There are very easy ways around all this all while still using Untangle. If you aren't satisfied with that answer, maybe you'll be best suited in another camp and then, as development time permits, Untangle may be able to add even more functionality. Until then I would much rather have them keep focusing on what they deem is the next step in their program... and if they add anything, the one thing I would love is a central management server for multiple Untangle devices.... but that isn't here yet, so I'm not bitching. If I want it bad enough, I'd go and do it myself... beauty of open source! Until then I'm at the gracious mercy of Untangle devs... and I will gladly wait patiently.


    These threads are starting to get tiring to read....
    Sam Reeves
    Disclaimer: I know nothing.. There, that should satisfy any doubt you had!
    "on the outside, I was an honest man, straight as an arrow. I had to come to prison to be a crook." - Shawshank Redemption (1994 film - Andy Dufresne)
