  1. #1
    Newbie
    Join Date
    May 2015
    Posts
    3

    Default Configuration startup - unpingable server?

    My current setup:

    External router > Untangle Server > DC Server > Clients
    UT: (Ext: 192.168.1.14) DC: (Ext:192.168.2.2)
    UT: (Int: 192.168.2.1) DC: (Int:192.168.0.1) Clients: (Int: 192.168.0.0 /24)


    I have read up about the internal clients not being pingable, this is due to a route not being setup. I will be setting this up soon.

    The filter is being applied to the DC server, and through the server, it is filtering all the clients... (this is to be fixed soon)
    The Untangle also picks up the DC (192.168.2.2) as a source of traffic

    But before I set up the route, I have a slight issue with the fact that the Untangle server (192.168.2.1) cannot ping the external IP of the DC Server (192.168.2.2).

    The DC Server can ping the Untangle server.

    Is there any reason why the Untangle box cannot ping the DC server?


    Take it easy on me as I am a newbie at Untangle
    Last edited by reb3lz; 05-05-2015 at 07:21 AM.

  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,655

    Default

    DC has Windows firewall on which prevents ping response on external interface.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,935

    Default

    By "DC", you mean domain controller, meaning a Windows Server? If that's the case, the firewall in Windows servers now blocks pings by default, and has since Server 2008. You need to set the firewall to allow incoming ICMP Echo requests.


    While I'm here, this also looks like you're doing triple(!) NAT. In an ideal setup, you put the device upstream towards the internet from Untangle into bridge mode, so that Untangle's external interface gets a public-routable address. Depending on your ISP connections, you may even be able to entirely replace your external router with Untangle and have one less device to worry about.

    On the other side, there's no good reason to route the internal clients through the DC. I presume there is a switch somewhere for the clients. You should turn off DHCP on Untangle to avoid conflicting with the DC, and connect the switch directly to Untangle's internal interface. The DHCP server on the DC should be configured to hand out addresses in the same range as Untangle's internal IP and use that IP as the default gateway. Then the DC can be just one more device on the switch/client network. You're looking for a network map more like this:
    Code:
    ISP ---> UT External Interface (public routable IP address) 
    
    UT Internal Interface (192.168.2.1) ---> Switch
    
    Switch ---> DC (192.168.2.2)
           ---> Clients (192.168.2.0/24)
    If you are unable to put the External router into bridge mode, you should probably put Untangle in bridge mode instead. You'll still want to make most of the other changes, that now include disabling any DHCP service on the external router. You'll end up with a network map like this:
    Code:
    Router---> UT External Interface (192.168.1.14) 
    
    UT Internal Interface (bridged to 192.168.1.14) ---> Switch
    
    Switch ---> DC (192.168.1.15)
           ---> Clients (192.168.1.0/24)
    Last edited by jcoehoorn; 05-05-2015 at 08:07 AM.
    Jim.Alles likes this.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
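The DC-side steps for the layout described in the post above, as an added example that is not code from the thread or from Untangle: a Windows firewall rule that answers Echo Requests only from the Untangle internal address, and a DHCP scope on the DC that hands out Untangle's internal range with Untangle as the gateway. It assumes Server 2012 or later (NetSecurity and DhcpServer modules); the addresses are the thread's, the DHCP pool bounds and rule name are assumed.

```powershell
# Added example, not from the thread. Assumes Server 2012+ with the NetSecurity
# and DhcpServer modules; the thread's Server 2003 box has neither (see the end).
# Addresses are from the thread; pool bounds and the rule name are assumed.

$UntangleInternal = '192.168.2.1'   # Untangle internal interface = default gateway
$DcAddress        = '192.168.2.2'   # the DC itself, also the clients' DNS server
$ClientSubnet     = '192.168.2.0'
$RuleName         = 'Allow ICMPv4 Echo Request from Untangle'

# 1. Firewall: permit only Echo Request (ICMP type 8), and only from the
#    Untangle host rather than from 'Any'. Safe to re-run: creates the rule once.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        DisplayName   = $RuleName
        Direction     = 'Inbound'
        Protocol      = 'ICMPv4'
        IcmpType      = 8
        RemoteAddress = $UntangleInternal
        Profile       = 'Domain', 'Private'
        Action        = 'Allow'
    }
    New-NetFirewallRule @rule | Out-Null
}
# Confirm the rule is scoped to the gateway address and not to 'Any'.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 2. DHCP on the DC: one scope inside Untangle's internal subnet, gateway option
#    pointing at Untangle, DNS option pointing at the DC so domain joins work.
if (-not (Get-DhcpServerv4Scope -ScopeId $ClientSubnet -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Clients behind Untangle' `
        -StartRange '192.168.2.100' -EndRange '192.168.2.200' `
        -SubnetMask '255.255.255.0' -State Active
}
Set-DhcpServerv4OptionValue -ScopeId $ClientSubnet `
    -Router $UntangleInternal -DnsServer $DcAddress

# Server 2003 has no NetSecurity module; its legacy firewall context does the
# equivalent of step 1 with roughly:
#   netsh firewall set icmpsetting type=8 mode=enable
```

After applying it, `ping 192.168.2.2` from the Untangle box should now get replies, while Echo Requests from other addresses are still dropped by the rule's RemoteAddress scope.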

  4. #4
    Newbie
    Join Date
    May 2015
    Posts
    3

    Default

    Oh wow, I was expecting a quick short reply from the forums... jcoehoorn, you've given me a full lesson. Thank you very much for your patience.

    I will look to play around with this on the weekend when I'm off work. And make the recommended tweaks and fixes.

    FYI: I am using Server 2003, not that I expect it makes much difference, but I thought I'd just throw it out there.

    Again, thank you very much, I will let you know of any updates.

  5. #5
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,935

    Default

    You are aware that Server 2003 is End of Life in July, right? This is a big deal. It means no new security updates, even when critical vulnerabilities are found. The time to upgrade that machine is now. Wait, scratch that. The time to upgrade that machine was last year.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,491

    Default

    Yeah they said the same thing about XP but updates are still showing up. That being said, once 2003 is dead I expect that entire update engine to go away, which will finally actually kill XP.

    I've got some 2003 left in service, but they are all not online, and in noncritical roles. Use of a 2003 DC is incredibly inadvisable as it barely supports Windows 8 clients joining the domain. And if your domain functionality level isn't 2008 or better, you're missing 2/3rds of the group policy objects that actually matter.

    For crying out loud you can barely use IIS on 2003 anymore because of the new TLS protocols not being supported.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    May 2015
    Posts
    3

    Default

    Quote Originally Posted by jcoehoorn View Post
    You are aware that Server 2003 is End of Life in July, right? This is a big deal. It means no new security updates, even when critical vulnerabilities are found. The time to upgrade that machine is now. Wait, scratch that. The time to upgrade that machine was last year.
    It's quite an old basic setup, but I have used the information that you provided and corrected my random earlier configuration.

    This is now working and running fine as required, superb advice
