Page 1 of 2, Results 1 to 10 of 16
#1 Newbie (Join Date: Apr 2011, Posts: 8)

Please Help: Untangle 8.1 OVF and ESX 4.1 in Transparent Mode

I've read the Wiki page for installing OVF on ESX and failed once already because I bridged the vNICs on the same vSwitch without using VLAN, so eventually I crashed my network as looping started to occur.

So this is my second attempt; please refer to the picture I've attached. I hope you can give me some advice and suggestions.

1. So basically, I have ONE vSwitch with TWO physical NICs bound together to have load balancing and failover.

2. Within it, I have THREE Port Groups:
- External (no VLAN) connects to the Internet
- Untangle DMZ (VLAN 21) - useless as I will use Transparent Mode
- Untangle Internal (VLAN 22) - where I put the VMs that I want to protect behind Untangle.

Is the following concept correct?
1. When I use Untangle in Bridge or Transparent Mode, I will ONLY utilize two interfaces, External (no VLAN) and Untangle Internal (VLAN 22), so these are the two vNICs the Untangle VM will connect to. This leaves Untangle DMZ useless, so I can remove it from the VMX or VM configuration GUI?

2. I understand I need to enable Promiscuous Mode in order to have Untangle scan the network in transparent mode (i.e., a sniffer, that is). (Side topic: do I need to have Promiscuous Mode if I am using Route Mode?)

I understand I need to enable Promiscuous Mode at the Virtual Switch level (i.e., the top level), which I DON'T WANT to do for security reasons (i.e., a VM behind Untangle can sniff the whole network, right?). Can I enable Promiscuous Mode on an individual Port Group instead?

If yes, the ONLY Port Group that needs to have Promiscuous Mode enabled is Untangle Internal (VLAN 22), right? It is the Port Group all the VMs are going to connect to. I do not need to enable Promiscuous Mode on External (No VLAN), is this correct?

Or do I HAVE TO ENABLE IT at the vSwitch level? But why? I thought an individual Port Group would OVERWRITE the default setting, no?

But wait, no matter where I enable Promiscuous Mode (i.e., vSwitch level or Port Group level), the risk is still there: can I say I am allowing all the VMs to have the capability to sniff traffic on the network? If yes, this is absolutely NO GOOD for using Untangle, as enabling Promiscuous Mode will open a big security hole in L2 (i.e., enabling Promiscuous Mode will turn my switch into a hub).

3. FYI, the TWO PHYSICAL NICs (i.e., vmnic8 and vmnic0) are connected to the same physical L2 switch. VLAN 21 AND VLAN 22 have been configured on this physical switch as well, and VMware VST VLAN tagging is used on the Port Group. I wonder if my current configuration will STILL create a loop that will crash my network again? (I don't see how it can, but I really want to double-check and confirm with you guys.)

4. Where is the management interface for Untangle going to be in this case? Do I need to create a new port group, say Untangle - Management (VLAN 23), and also add a new vNIC (probably just use the one for DMZ) and then connect it to this Untangle - Management port group?

Many thanks in advance!
    Last edited by ctchang; 04-29-2011 at 01:16 AM.
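
The promiscuous-mode question in the post above, worked through as an added example that is not code from this thread, from Untangle or from VMware. On a standard vSwitch the security policy (Promiscuous Mode, MAC Address Changes, Forged Transmits) is set at the switch and inherited by every port group unless that port group overrides the setting, and a vNIC in promiscuous mode sees the frames of its own VLAN on that vSwitch (every VLAN when its port group is VLAN 4095). The script models that rule over two constructed configurations that mirror the post's layout (one vSwitch, three port groups) and reports which VMs end up able to sniff which traffic. The dataclasses, field names, VM names and the `restrict_promiscuous` helper are this script's own assumptions, not an ESXi or PowerCLI interface.

```python
"""Effective security-policy audit for a standard vSwitch (added example).

Rule modelled: each port group inherits the vSwitch security policy unless it
overrides a setting; a promiscuous vNIC observes frames of its own VLAN on the
vSwitch (all VLANs when the port group is VLAN 4095). Data below is constructed.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

POLICY_KEYS = ("promiscuous", "mac_changes", "forged_transmits")
TRUNK_VLAN = 4095  # VGT port group: passes every VLAN tag to the guest


@dataclass
class PortGroup:
    name: str
    vlan: int                                        # 0 = untagged
    vms: List[str] = field(default_factory=list)     # vNICs attached here
    overrides: Dict[str, bool] = field(default_factory=dict)


@dataclass
class VSwitch:
    name: str
    policy: Dict[str, bool]                          # switch-level defaults
    port_groups: List[PortGroup]


def effective_policy(vs: VSwitch, pg: PortGroup) -> Dict[str, bool]:
    """A port-group override wins; otherwise the vSwitch default applies."""
    return {k: pg.overrides.get(k, vs.policy[k]) for k in POLICY_KEYS}


def visible_port_groups(vs: VSwitch, pg: PortGroup) -> List[str]:
    """Port groups whose frames a promiscuous vNIC on `pg` can observe."""
    if pg.vlan == TRUNK_VLAN:
        return [other.name for other in vs.port_groups]
    return [other.name for other in vs.port_groups if other.vlan == pg.vlan]


def audit(vs: VSwitch) -> List[str]:
    """One finding per port group on which promiscuous mode is effective."""
    findings = []
    for pg in vs.port_groups:
        if not effective_policy(vs, pg)["promiscuous"]:
            continue
        source = ("port-group override" if "promiscuous" in pg.overrides
                  else f"inherited from {vs.name}")
        findings.append(
            f"{pg.name}: promiscuous ALLOWED ({source}); VMs {pg.vms} can "
            f"sniff VLAN {pg.vlan} traffic of {visible_port_groups(vs, pg)}")
    return findings


def restrict_promiscuous(vs: VSwitch, allowed: Iterable[str]) -> VSwitch:
    """Copy of `vs` with promiscuous rejected at the switch and explicitly
    accepted only on the named port groups (the bridge's own vNICs)."""
    allowed = set(allowed)
    hardened = deepcopy(vs)              # never mutate the input config
    hardened.policy["promiscuous"] = False
    for pg in hardened.port_groups:
        pg.overrides["promiscuous"] = pg.name in allowed
    return hardened


# Constructed: the post's layout with promiscuous opened at the switch level.
WEAK = VSwitch(
    name="vSwitch0",
    policy={"promiscuous": True, "mac_changes": False, "forged_transmits": False},
    port_groups=[
        PortGroup("External", vlan=0, vms=["untangle"]),
        PortGroup("Untangle DMZ", vlan=21, vms=["dmz-web"]),
        PortGroup("Untangle Internal", vlan=22,
                  vms=["untangle", "fileserver", "desktop01"]),
    ],
)

# Same layout, promiscuous confined to the two port groups the bridge uses.
HARDENED = restrict_promiscuous(WEAK, ["External", "Untangle Internal"])

if __name__ == "__main__":
    for label, vs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for line in audit(vs):
            print(" ", line)
```

With promiscuous mode opened at the switch, every VM on every port group can sniff its own VLAN. Confining it to the two port groups the bridge uses takes the DMZ out of scope, but any VM placed on Untangle Internal can still sniff VLAN 22; that residual exposure is what giving the bridge its own vSwitch with no other VMs on it removes. What a promiscuous vNIC can see beyond the host is bounded by whatever the physical switch floods or forwards to the host's uplinks.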

#2 Newbie (Join Date: Apr 2011, Posts: 8)

    Anyone please?

    Thanks!

#3 WebFooL, Untangle Ninja (Join Date: Jan 2009, Location: Sweden (Eskilstuna), Posts: 5,279)

I will try to answer a few.

Is the following concept correct?
1. When I use Untangle in Bridge or Transparent Mode, I will ONLY utilize two interfaces, External (no VLAN) and Untangle Internal (VLAN 22), so these are the two vNICs the Untangle VM will connect to. This leaves Untangle DMZ useless, so I can remove it from the VMX or VM configuration GUI?
Yes, you can remove the DMZ Interface.

2. I understand I need to enable Promiscuous Mode in order to have Untangle scan the network in transparent mode (i.e., a sniffer, that is). (Side topic: do I need to have Promiscuous Mode if I am using Route Mode?)
Promiscuous Mode is required if you are going to bridge.

I understand I need to enable Promiscuous Mode at the Virtual Switch level (i.e., the top level), which I DON'T WANT to do for security reasons (i.e., a VM behind Untangle can sniff the whole network, right?). Can I enable Promiscuous Mode on an individual Port Group instead?
To my knowledge you can only do it on the Switch Level.

But wait, no matter where I enable Promiscuous Mode (i.e., vSwitch level or Port Group level), the risk is still there: can I say I am allowing all the VMs to have the capability to sniff traffic on the network? If yes, this is absolutely NO GOOD for using Untangle, as enabling Promiscuous Mode will open a big security hole in L2 (i.e., enabling Promiscuous Mode will turn my switch into a hub).
Yes, Promiscuous mode has its flaws, and Untangle themselves promote bare-metal installations.

3. FYI, the TWO PHYSICAL NICs (i.e., vmnic8 and vmnic0) are connected to the same physical L2 switch. VLAN 21 AND VLAN 22 have been configured on this physical switch as well, and VMware VST VLAN tagging is used on the Port Group. I wonder if my current configuration will STILL create a loop that will crash my network again? (I don't see how it can, but I really want to double-check and confirm with you guys.)
Untangle does not support VLANs, so it will strip the VLAN tag.

I always run virtual Untangles with at least 2 vSwitches.

#4 Newbie (Join Date: Apr 2011, Posts: 8)

Quote Originally Posted by WebFooL:
    I will try to answer a few.

Yes, you can remove the DMZ Interface.

Promiscuous Mode is required if you are going to bridge.

To my knowledge you can only do it on the Switch Level.

Yes, Promiscuous mode has its flaws, and Untangle themselves promote bare-metal installations.

Untangle does not support VLANs, so it will strip the VLAN tag.

I always run virtual Untangles with at least 2 vSwitches.

Thanks for your reply.

1. I think I am going to run Untangle in Route Mode, as Transparent Mode is too dangerous for production.

2. According to the Wiki of Untangle on ESX:

You will need to add new virtual NICs and connect them to the appropriate vSwitches. Warning! Two Bridged Interfaces to the same vSwitch will crash your ESX server. Each Untangle NIC should be connected to its own vSwitch. Each vSwitch should be connected to its own Physical NIC, or at least be separated by VLAN tagging at the physical NIC level.

So ESX with VST VLAN tagging will work with Route Mode, right? If you're saying Untangle will strip out all VLAN tags, then it is not going to work?
So the Wiki is wrong?

But the picture shown in the Wiki also has VLAN, how come?

Thanks again.

#5 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,412)

    ESXi can tag packets on the way out, but Untangle will functionally strip off VLAN tags of packets processed by the UVM. That is, non-bypassed packets.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#6 Newbie (Join Date: Apr 2011, Posts: 8)

Now I understand, and I checked back again with the Wiki: VLAN on a Port Group or vSwitch indeed doesn't work. The document says clearly "Each vSwitch should be connected to its own Physical NIC, or at least be separated by VLAN tagging at the physical NIC level." (i.e., at the physical NIC level, and the picture attached above also confirms this), so it was my mistake, sorry.

Hello, so does this mean Promiscuous Mode can ONLY work at the Virtual Switch level, but not the Port Group level?

Um... it's quite disappointing, as I gradually found out Untangle on ESX has so many limitations (i.e., no VLAN tagging, must enable Promiscuous Mode for the vNIC connecting VMs, must have Promiscuous Mode on the vSwitch but not on the Port Group).

So I have decided to use Route Mode now to avoid the above limitations.

I don't have any more physical NICs to spare, so can I create an internal vSwitch (i.e., WITHOUT a NIC) for the Untangle VM?

i.e., External > Untangle External > Untangle Internal (which is on the internal vSwitch without a NIC), and all the VMs will be on this same internal vSwitch, which will all be protected by Untangle, that is.

This will work, right?

    Thanks.

#7 Newbie (Join Date: Apr 2011, Posts: 8)

    Anyone please?

#8 Newbie (Join Date: May 2011, Posts: 2)

Today I installed 8.1.1 on ESXi 4.1 with a single vSwitch in my lab. When I put an interface on the port group that matched the VLAN of the vKernel, I lost vSphere management. Using the BMC I moved the Console to another VLAN and was able to get back in.

So far my testing shows you can use a single vSwitch connected with a single NIC (I have dual, bonded for redundancy) via a trunk to the switch, using port groups with nothing else on them for Inside/Outside/DMZ. If the switch is layer 3, you are G2G by creating a route on the inside through an SVI to your internal VLANs and routing back to other port groups/devices.

I'm not 100% sure if the blackhole I saw was related to the vKernel/Console only or if it would have applied to other VMs in a shared port group (I'll need to test).
    Last edited by DiscoBayJoe; 05-10-2011 at 11:42 PM.

#9 Newbie (Join Date: Apr 2011, Posts: 8)

Update:

I've got Untangle 8.1 OVF working under ESX 4.1 in route mode; the solution is very simple:

1. Simply remove the last NIC in the VM configuration. This will get rid of the DMZ NIC, leaving only the External and Internal NICs. These two NICs are exactly what Route Mode requires.

2. Assign the External NIC to your external connectivity to the Internet, and Internal to a separate Port Group (in my case it's VLAN 20 - Untangle).

3. Reboot Untangle. Now, you won't be able to use the default admin/passwd to log in; it's ok, just reset it. After successfully logging in to the console, configure the static IPs for both External and Internal.

That's all you need, simple and neat! Hope this helps!
    Last edited by ctchang; 05-19-2011 at 07:22 AM.

#10 WebFooL, Untangle Ninja (Join Date: Jan 2009, Location: Sweden (Eskilstuna), Posts: 5,279)

I would say that 1. is only a fix if you are not going to use a DMZ.
Route Mode requires at least 2 NICs. With the new 9.0 that is coming you can have up to 250 NICs in Route Mode.

I don't see why no. 3 would be needed?
There is no default admin/password; you set it during the installation.
