Just Install Untangle to use as our main firewall

[sky-knight]

Untangle will strip VLAN tags, so depending on your configuration this won't work.

And, I've already told you "how". You have to remove the switch loop! Stop plugging both of your UT interfaces into the same vSwitch. You need to make a new vSwitch, the Untangle protected vSwitch if you will. Attach that vSwitch to Untangle's Internal interface (the second adapter in the VM list). Then attach Untangle's external to a vswitch that has a physical interface on it that can get online.

Once that is done you're free to start moving VMs to the protected vSwitch or not. Even if you are in router mode you SHOULD be "wiring" it this way. You're using IP level divisions to separate what should be separated on a switch level

This design is no different than a physical network. Internet -> router -> stuff -> Untangle -> protected stuff.

And don't forget that one or both switches involved with Untangle need to have promiscuous mode enabled.

[bangsters]

Uhmm... They are already separated by vlans. untangles nics are actually in two different vswitches. The concern now is the LAN side is in one vswitch the same as my internal servers which should be ok. But I have client servers in other vlans/vswitches, how do I protect those servers using the same untangle server? I don't want to deploy multiple untangle boxes for each client if there's no need to...

oh and thanks for all your input you've been very helpful

[sky-knight]

If they were separated via VLAN, you wouldn't have a broadcast storm taking things out. :P

It's so very easy to miss a "wire" when working with that stuff. It's hard to help you via forum because you need to understand this stuff yourself, otherwise without that understanding, and an insane attention to detail, your virtual network infrastructure will never work quite right.

If you want to use a single Untangle server to protect multiple VLANs, you're more in the position of wanting to use UT as a router vs the bridge anyway. Bridge mode is limited to a single IP space, routers can be manipulated to work with as many IP spaces as you want.

You don't have to have NAT in the way either, that's an option too. Again, it's understanding what you're doing on layer 2 and layer 3 that opens the door to successful integration here.

[bangsters]

they were. what i didnt realize was i was setting up untangle in the same vlan as my router which was causing the loop.

now that i got that squared, is it better to have untangle handle the vlans of all our ip blocks instead of vyatta? since that is the only way i can put untangle in front of all our servers including client boxes.

or anyone have a better plan?

UPDATE: If Untangle doesn't support VLANs, how can I accomplish this?