  1. #1
    Newbie
    Join Date
    Nov 2011
    Posts
    7

    Installed [I think] but Webfilter is not doing anything

    Hello all.
    With the assistance of my Network Admin, I have Untangle set up, I'm hoping correctly.
    I can route web traffic through this server now, BUT Webfilter is not filtering. I see the TX/RX numbers increasing when I put web traffic through this, and it decreases when the web traffic stops.
    Here is how I have Untangle set up. I am hoping someone will step in and say something if Untangle is not meant to work in this way.

    I have a Cisco PIX Firewall and a Cisco Catalyst Switch. Prior to Untangle, the PIX was plugged directly into the switch. My Net admin suggested leaving the PIX plugged into our main Cisco Catalyst switch, and running the internal and external Untangle NICs through the Cisco Catalyst switch.

    Here are the setup details.
    The Cisco PIX Default Gateway IP is 192.168.1.2
    I set up the External Untangle NIC as IP 192.168.1.5, netmask of 255.255.255.0, the Default Gateway is aiming at the Default Gateway of the PIX [192.168.1.2], and the DNS is aiming toward our internal DNS servers [192.168.1.248 and 192.168.1.234].

    I set up the Internal Untangle NIC as IP address 192.168.1.6 with the netmask of 255.255.255.0.

    Now, as a test I put a laptop on the 192.168.1.x network, with a static IP address of 192.168.1.7, but instead of our usual internal default Gateway IP, I used the IP address of the Untangle Internal NIC [192.168.1.6].

    I am able to surf the internet on this laptop, and I see the TX/RX spooling at the top of the Untangle Dashboard, but webfiltering is doing absolutely nothing. I know it works because when I tested the Untangle box in bridged mode in between the PIX and the Cisco Switch, everything worked fine.

    Is this setup I mentioned above workable with the Untangle software?
    I have as a test set Web Filter Lite to block Sports and Adult. Both of which are accessible through this setup.
    Any advice would be appreciated.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482

    You cannot route the same subnet on two sides of a router. So yes, it's installed completely wrong. I suggest you disconnect the device from the network, use the physical console to reconfigure the Internal interface. You want to change it from static, to bridged to external. While you're at it, check the DNS and DHCP tabs and make sure that both of those services are disabled. Once that is complete, you're going to "splice" Untangle into the network cable that connects your PIX with your Catalyst.

    Pull the network cable from the PIX to the Switch out from the Switch, attach this line to Untangle's "external" interface. Please use the little green lights in config -> networking -> interfaces to make sure you've attached it properly! Backwards bridges don't work correctly. Once you've verified your PIX is attached to UT's External, attach another network cable to UT's internal and connect that to the Catalyst where the PIX used to be.

    If you cannot get the External interface to light up when connecting to the PIX, you may need a small switch between the two devices, or use a crossover network cable. PIX is a bit dated, and in the end you may find that replacing that PIX with UT configured as a router may be the easiest approach.

    And, please don't take this the wrong way. But a Network Admin that informs you to configure a router with the same IP subnet on both sides doesn't understand much about networks. Please make sure this was an error due to an unfamiliarity with Untangle, and not an unfamiliarity with networks. This sort of mistake raises many red flags in regards to competence.

    Good Luck!
    Last edited by sky-knight; 11-23-2011 at 07:35 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
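
    A check for the misconfiguration discussed in this thread, as an added example that is not part of any post: it flags routed interfaces that share a subnet and shows that the PIX treats the test laptop as directly reachable, so replies need not pass back through Untangle. The addresses are those quoted in post #1; the interface labels, the PIX's /24 mask, the absence of NAT on Untangle and the 10.0.0.0/24 contrast layout are assumptions made for the example.

```python
import ipaddress

# Addresses quoted in post #1; the dictionary keys are labels chosen here.
UNTANGLE = {
    "external": "192.168.1.5/255.255.255.0",
    "internal": "192.168.1.6/255.255.255.0",
}
PIX_INSIDE = "192.168.1.2/255.255.255.0"  # /24 mask is an assumption
LAPTOP = "192.168.1.7"


def overlapping_interfaces(interfaces):
    """Return name pairs of routed interfaces whose subnets overlap."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def next_hop(sender_iface, dest, gateway):
    """Next hop a sender picks: dest itself when on-link, else its gateway."""
    net = ipaddress.ip_interface(sender_iface).network
    return dest if ipaddress.ip_address(dest) in net else gateway


def reply_skips_filter(filter_ips, upstream_iface, client, route_via=None):
    """True when the upstream firewall delivers replies without using the filter.

    Assumes the filter does not NAT the client's address.
    """
    return next_hop(upstream_iface, client, route_via) not in filter_ips


if __name__ == "__main__":
    ut_ips = {"192.168.1.5", "192.168.1.6"}
    print("overlapping routed interfaces:", overlapping_interfaces(UNTANGLE))
    print("reply bypasses Untangle:",
          reply_skips_filter(ut_ips, PIX_INSIDE, LAPTOP))
    # Constructed contrast: clients on a separate subnet behind a routed
    # Untangle, with the PIX holding a static route to it via 192.168.1.5.
    print("reply bypasses Untangle (separate subnet):",
          reply_skips_filter(ut_ips, PIX_INSIDE, "10.0.0.7", "192.168.1.5"))
```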

  3. #3
    Newbie
    Join Date
    Nov 2011
    Posts
    7

    Thank you Sky Knight. I had it working as you described, prior to my above listed way of doing things; it is just that my network guy was saying that VPN would have no way of routing through the Untangle box with the ability to see destination servers on our various subnets.
    Do you think the Untangle server, set up in bridged mode, would adversely affect the ability for VPN to work properly?

    Many thanks
    Rich

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482

    VPNs terminated on the PIX will need to be bypassed, and if they use outside IP ranges will need static routes configured on Untangle.

    Untangle bridges need a full layer 3 configuration!

    VPN Tunnels terminated on Untangle require port forwards, and static routes configured in the PIX.
