Just Install Untangle to use as our main firewall

[bangsters]

Hi. New to Untangle so please bear with me as I ask a few noobish questions

Untangle is behind our router. We have an IP range 4.3.2.0/27. How do I pass these IPs to untangle? I cannot define the full block in untangle's WAN side since .1 is being used by the router. So I assume I have to put in the range 4.3.2.2 - 4.3.2.30. If I do this, does the WAN side have to be static or bridged?

Will it work as a bridge if untangle is not in a separate vlan?

[johnsonx42]

Assuming you want Untangle to route all traffic for your network, you just assign 4.3.2.2/27 to the External interface of the Untangle, and set the default gateway to 4.3.2.1. Any additional IP's you wish to use with Untangle you assign them as IP address aliases on the External interface. I always specify additional addresses in the same subnet as /32's, like 4.3.2.3/32, however I've seen one of the UT guys say it also works if you specify them with the same netmask as the primary network, like 4.3.2.3/27.

This setup of course means that all servers will have LAN addresses; port forwarding and NAT rules would be needed then to map any private IP's to specific public IP's.

If you have servers that have WAN addresses on your 4.3.2.0/27 network, but also want their traffic to pass through Untangle, you'd need to add a 3rd interface as a DMZ. The DMZ interface is bridged to the External (WAN) interface.

The diagrams on this page should be illustrative: http://wiki.untangle.com/index.php/I...er_as_a_Router

If I've misunderstood your configuration or you need more advice, you'll certainly need to draw up a simple network map and explain careful what you want Untangle to do.

edit: also, please be clear - where is the 4.3.2.0/27 network? is it on the WAN side of your existing router, or on the LAN side? my advice above assumes it's on the LAN side of the existing router.

[sky-knight]

The IP Alias configuration for Linux is an IP/Mask pair to be used in individual IP communications. So technically, the aliases should have the same mask as the primary IP. Because individually you need them to be in the same IP range as the gateway.

That said, /32 works because Untangle is smart enough to use the gateway it already has defined anyway.

[bangsters]

Thanks!!

Does this mean if I have a /24, I would need to put in all 254 useable IPs in the alias area? Is there a way I can do range like 4.2.3.2 - 4.3.2.254? Or even cidr 4.3.2.0/254?

I want all IPs of a certain block to go through the firewall as I nat those IPs to our webhosting servers and domains.

Any suggestions?

[sky-knight]

No, you have to put them all in... one... at.... a.... time...

I've got a customer with a /25 on their external, 126 usable IPs in the range, 1 reserved for ISP gateway... and 92 others that are configured on external. With appropriate NAT policies and port forwards...

I'm facing having to configure a new box by hand because the customer very understandably will not upgrade the production unit, and they are attempting to move to new hardware.

Before anyone asks UT support is on it, we're just having a very strange issue with backup/restore that I've never seen before. We'll get through it, it's just a matter of time.

In your case I suggest you forgo all this sillyness... bridge DMZ to external, and use the public addresses directly on the web servers. This gets rid of the pain of NAT, all the configuration headache that goes with it, yet still allows the full defenses of Untangle to be utilized.

[bangsters]

Thanks and Thanks!!!

Yea I might just get rid of NAT... and set WAN interface to bridge.

If I set the interface as bridge, do I still need to add the IPs one at a time? Since they're already configured in my router?

No, you have to put them all in... one... at.... a.... time...

I've got a customer with a /25 on their external, 126 usable IPs in the range, 1 reserved for ISP gateway... and 92 others that are configured on external. With appropriate NAT policies and port forwards...

I'm facing having to configure a new box by hand because the customer very understandably will not upgrade the production unit, and they are attempting to move to new hardware.

Before anyone asks UT support is on it, we're just having a very strange issue with backup/restore that I've never seen before. We'll get through it, it's just a matter of time.

In your case I suggest you forgo all this sillyness... bridge DMZ to external, and use the public addresses directly on the web servers. This gets rid of the pain of NAT, all the configuration headache that goes with it, yet still allows the full defenses of Untangle to be utilized.

[johnsonx42]

do your webhosting servers already have the public IP's assigned to them? if so, then yes, just bridge the DMZ to External and keep the same IP's. that's the easy way.

edit: no, in bridged mode you just set the IP you want Untangle's external interface to use. everything else just passes through the bridge.

[bangsters]

do your webhosting servers already have the public IP's assigned to them? if so, then yes, just bridge the DMZ to External and keep the same IP's. that's the easy way.

edit: no, in bridged mode you just set the IP you want Untangle's external interface to use. everything else just passes through the bridge.

Thanks!! If I set untangle as a bridge, say my router has .1 IP. Untangle has .2 IP. Everything else is passthrough. But how do I get all traffic to get filtered by untangle? On my other servers, do I set the gateway to .2 or retain them ast .1?

[sky-knight]

ISP -> Untangle -> Switch with stuff on it.

Doesn't matter if it's a router or a bridge, all that changes is how you configure the devices behind Untangle.

Traffic is passing through Untangle because it has no choice but to do so because Untangle is physically wired in the way.

Using bridge mode just means the ISP's IP space isn't being terminated at the Untangle, and passed through to the servers. The servers would be configured as if Untangle isn't there at all. They use the ISP gateway, they use Internet IP addresses.

[bangsters]

ISP -> Untangle -> Switch with stuff on it.

Doesn't matter if it's a router or a bridge, all that changes is how you configure the devices behind Untangle.

Traffic is passing through Untangle because it has no choice but to do so because Untangle is physically wired in the way.

Using bridge mode just means the ISP's IP space isn't being terminated at the Untangle, and passed through to the servers. The servers would be configured as if Untangle isn't there at all. They use the ISP gateway, they use Internet IP addresses.

Thanks.