Untangle with SME 7.x

[atmlogic]

I have a client with SME Server 7.x running as router/firewall, dhcp, mail, ftp, and www services for about 40 users. They are mostly looking for the content filtering (e.g. blocking social networking sites) however I am sure everything else the basic UT server provides will be great as well.

Here is my question... how, and where do I put the UT server? The SME is pluged directly into the DSL modem (static IP)

I am guessing the UT box should go in its place, setting the static IP, but then what IP do I give the LAN side of UT, (I am 'guessing' something outside of the scope for the LAN side of the SME box, then just redo the SME's static IP to whatever the LAN side of the is...?

e.g.

Ext IP-64.123.123.123
UT
LAN-IP 10.0.0.2

Ext-IP 10.0.0.10
SME
LAN-IP 10.0.0.100-200


DNS and gateway for the SME would be 10.0.0.2 right?
UT box would have to forward ports 21,25,80,445 to 10.0.0.10 right?

After that, just turn in on and watch the magic?

Thanks, hope I explained that close enough.

[hlarsen]

well do you want to replace the SME box or keep it doing DHCP and all that?
you can always just put Untangle in bridge mode behind it and not have to change anything on the SME box.

[mrunkel]

If you want to protect both the users and use the anti-spam and want reporting, you'll need to do some reconfiguration.

If you don't care about reporting, then you can just place the Untangle into bridge mode and assign it another external IP. Everything stays the same except you plug the Untangle's external interface into the DSL mode and plug the cable you unplugged from the DSL modem into the internal interface of the Untangle. And you're done.

If you don't have another IP or want reporting on users activity, Untangle will need to perform NAT and be the default gateway for your network.

Assign your public IP to the external interface of the Untangle. Assign 10.0.0.1 to the untangle's internal interface. Have it start providing DHCP and DNS for your network. Assign the SME box a new internal IP and plug it into the network, turn DHCP and DNS off.

Forward the ports you've listed except for ftp you'll need to forward other ports as well (there is a big thread in the forums about how to get FTP working). Also, It's pretty poor form to expose 445 to the Internet.

[atmlogic]

Ok... so, I don't have a 2nd IP, however I don't care about reporting.

SME MUST stay since that's what is doing all the mail, webhosting, ftp, etc at the moment. (As well as DHCP, file shares, etc)

I want content filter, spam filter etc (all the free stuff ) from untangle. Don't care about reporting (however I can still see the spam right? e.g. see what its stopping, and letting go?)

Don't care if it shows who tried to get to what website as long as its blocking it, and the #1 reason they want this unit is to block social networking sites.

If I put it in bridge mode, plug the dsl into the UT, and the UT into the SME and the SME into the Switch... are we all good to go with the above?

Some other (non UT users) told me I would be double NAT'd with that config? Is this correct?

Will I have to forward ports to the SME box in this case, or just simply throw it in the stream and watch it do its majic ;-)

[sky-knight]

If you put UT outside of SME, you will need a second public address to configure the bridge with. Your only other alternative is to put Untangle in router mode, give it your current public IP address, and have it do NAT to the outside of the SME server. From there that server will NAT to internal. And the port forwards you'll require are rather intense.

There is no magic here, your solution is too integrated and there is very little room to maneuver. The only "easy" way to meet this objective is with two public addresses.

Also, please read up on what a bridge is vs what a router is. Bridges don't route, and don't do NAT. So double NAT with a bridge is rather impossible.

[atmlogic]

OK, so, short version is... I leave it in Bridge mode, I put it between the SME and Switch, and it will do content filtering, but no spam filtering right?
The SME is the router as it sits now, from what I am seeing here the only other (reasonable) fix would be to get a SOHO router, put the port forwarding in place, turn on DHCP, (turn off on the SME), and put the UT between the SOHO router and the SME. Then I would have spam and content filtering correct?

[atmlogic]

On thing I really don't understand is how two public IP address will solve anything? I have only installed UT's as a Bridge, and between the 'Router' (e.g. Cisco ASA) and the switch... After that, I just turned them on...and they worked as expected, (And... Sorry Rob, but I do feel it was a little bit like magic do to the simplicity of it)
In this case however the SME is the Router (and FTP, eMail, Web, etc server) I feel the UT box HAS to be ahead of it in bridge mode, or somehow I have to convert the SME from Server-Gateway to Standalone... Another trick I have never done.

[johnsonx42]

I'd suggest you really should just put UT in as your router, and reconfigure SME. Yes, that means you need to do a little fiddling with SME, but once it's done you won't have any further hassle with it and your setup will work as it should. Every other option is will have inconvenient consequences.

The idea of putting in a SOHO router in ahead of both UT and SME accomplishes nothing; UT can route better than a SOHO router, so why add yet another device?