  1. #1
    Newbie
    Join Date
    Jun 2011
    Posts
    2

    Transparent Bridge not so Transparent

    First of all, sorry for the length of the post, but I wanted to convey all of the information I felt was relevant. We implemented an Untangle device for a client of ours simply for the spam filtering. Their setup is as follows:

    Co-Lo at ISP. Router managed by ISP. Two LANs (192.168.x.x and 10.0.x.x). Computers are on 192.168.x.x and Phones/PBX are on 10.0.x.x. ISP Router has two "LAN" ports with one plugged into the PBX and the other plugged into a Switch for the servers. The port going from the router to the PBX is plugged into the WAN port of the PBX and the LAN port of the PBX is plugged into the switch that the servers are connected to. All routing is handled by the managed routers. Most remote sites are connected via MPLS each with a different subnet (ie. PCs = 192.168.0.x, 192.168.1.x, etc and PBX = 10.0.0.x, 10.0.1.x, etc). Some sites connect to resources like OWA or RPC-HTTPS and Terminal Server over the internet. The PC subnet is on the default VLAN and the PBX is on VLAN 200. Everything was working.

    With the exception of the Untangle device installation, the current setup has been used for the past 2-3 months with no issues. We installed an untangle device (Untangle Branded PC built by Untangle) with all available updates applied between the Router and the Switch to intercept SPAM. The only installed app was the basic spam filter. NICs were set to bridged mode with the External port plugged directly into the router and the Internal port plugged into port 1 of the switch. Everything appeared to be working but onsite Tech had other obligations so it is possible not everything was fully tested. It ran over the weekend and seemed to do an excellent job with the SPAM. The site where the untangle device was installed is on the 192.168.0.x subnet for the servers and 10.0.0.x for the PBX.

    This morning, they informed us that they had issues printing from the Terminal Server to their local and IP printers, accessing the call assistant website (10.0.0.3), and even accessing OWA. I attempted to get to the web interface of the Untangle device (192.168.0.10) from one of the servers but it would not display the page. I attempted to ping the Untangle device and it responded properly to pings. I attempted to ssh into the Untangle device and it gave an error stating "No buffer space available."

    I went onsite and physically checked the untangle device. The IP was set correctly. It was using about half the available memory with very low cpu usage (ie 0-5%). Locally on the Untangle device, the web interface worked fine. I rebooted the Untangle device and it came back up. There was, however, no change in the connectivity issues. I also noticed that one of the servers was having trouble getting to the internet. There were no problems pinging either IPs or Names but sites would not pull up in IE, even after an IE reset. Some sites would partially open with missing graphics/formatting.

    We finally removed the Untangle device altogether. Nothing changed. Ran a repair on the NIC. Once that was done, prints started coming out of the printers at the remote offices (connected via the MPLS). Email through Outlook/Exchange appeared to partially work with intermittent connectivity issues. A user on the MPLS could access OWA but external users connecting over the internet still could not, even after resetting IE. The server was also still having issues connecting to websites through IE.

    The server was using the Broadcom Control Suite to create a team adapter. I removed the unused NIC from the team with no change. I attempted to delete the Team but this never completed. Disabled the Team using windows and attempted to set the static LAN IP address in the second NIC that was removed from the team. The IP never took. Rebooted the server and removed the Broadcom Control Suite. I was then able to set the IP address on the second NIC and everything started working properly.

    Now for my questions. First of all, should the untangle device work in this situation or are there issues relating to VLANs, MPLS, Subnets, etc that may cause issues when using it in bridge mode? Are there any known issues with the Untangle device and the Broadcom Control Suite and/or Teamed NICs? I might attribute the problem to the Broadcom software if it hadn't run for so long without any issue and only had a problem once the Untangle device was installed. Finally, are there any known issues with the Bridge not being completely transparent or not passing through all traffic with only the spam app installed?

    Unfortunately we don't have easy access to the Co-Lo and we needed to get things going so we had to remove the device. To eliminate hardware from the equation, I will have one of my techs modify the IP info and put this device on our network for SPAM. If anyone has any ideas what happened or what went wrong, any input would be greatly appreciated.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    You are dead on, Untangle is NOT transparent. It's a b-router, which means it needs a complete layer 3 configuration to do its job.

    Understand, linux's bridge is transparent. However, when packets are passed into the UVM they are destroyed, processed, and then reconstituted. The reconstitution process is handled by the local bridge interface.

    What does this mean?

    VLAN tags aren't put back on the packets, so if you're using them, Untangle breaks your network.

    Untangle's gateway is the only gateway on the packets moved, if you pass multiple IP ranges through a UT bridge, it will rewrite packets with an inappropriate gateway for the segment.

    Also, Untangle will need static routes so its routing table knows where all internal segments are.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
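
    One way to verify the VLAN-stripping behaviour sky-knight describes, as an added example that is not code from this thread or from Untangle: parse a frame captured on each side of the inline bridge and compare the 802.1Q tags. The two frames below are constructed for the example; in practice you would feed the functions raw bytes from a packet capture taken on the router side and the switch side.

```python
"""Check whether 802.1Q VLAN tags survive a trip through an inline bridge."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # single 802.1Q tag
TPID_QINQ = 0x88A8    # outer service tag (QinQ); parsed the same way here


@dataclass
class FrameInfo:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame is untagged
    ethertype: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> FrameInfo:
    """Parse the Ethernet header and the first 802.1Q tag, if one is present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if etype in (TPID_8021Q, TPID_QINQ):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    return FrameInfo(_mac(dst), _mac(src), vlan_id, etype)


def tag_preserved(before: bytes, after: bytes) -> bool:
    """True if the bridge forwarded the frame with the same VLAN ID (or both untagged)."""
    return parse_frame(before).vlan_id == parse_frame(after).vlan_id


def build_frame(dst: str, src: str, vlan_id: Optional[int], etype: int, payload: bytes) -> bytes:
    """Build a test frame; PCP/DEI bits in the tag are left at zero."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample: a broadcast ARP frame on VLAN 200 (the PBX VLAN in the
# thread) as seen on the router side, and the same frame after a bridge that
# reconstituted it without the tag.
ROUTER_SIDE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 200, 0x0806, b"\x00" * 28)
SWITCH_SIDE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", None, 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    print(parse_frame(ROUTER_SIDE))
    print("tag preserved:", tag_preserved(ROUTER_SIDE, SWITCH_SIDE))
```

If the check reports the tag as lost on any frame, the inline device is not transparent for that VLAN and traffic on it will break exactly as the thread describes.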

  3. #3
    Newbie
    Join Date
    Jun 2011
    Posts
    2


    Thank you for clarifying. I think I am going to take a different approach. Since all we want out of this is spam filtering, I think I will just enable the second NIC on the server and redirect port 25 on the router to that IP address. Then I should be able to plug the untangle device between the switch and that NIC. Does this sound correct?

  4. #4
    Master Untangler Big D's Avatar
    Join Date
    Nov 2008
    Posts
    719


    Sounds like it will work fine. You will probably have to tell your mail server to listen for traffic on the second NIC unless it's listening for 25 on all NICs already. Another option could be to virtualize UT, but sometimes simpler is better.
    The beatings shall continue until morale improves!

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    As long as the UT bridge is on a network segment with a single IP space moving around, and the network sessions for the SMTP service are passing through Untangle, you will get the result you want.

    Furthermore, if you want to ensure the device is protocol specific, it is possible to create a general bypass rule to configure Untangle to ignore all traffic, then configure specific un-bypass rules to force Untangle to work with only SMTP, IMAP, and POP3.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
