Untangle for more than 10000 hosts

[goredaimon]

Hello friends, how are you?

We are testing untangle as an option for our university. Currently we have about 10000 hosts and our internet is a 1 gbit connection with real ips and some fake ips using nat. We are using this server with these hardware specifications and untangle 1401:

1x - Intel(R) Xeon(R) CPU E5-2430 0 @ 2.20GHz (family: 0x6, model: 0x2d, stepping: 0x7)
96 GB RAM
1x - Ethernet controller: Intel Corporation 82572EI Gigabit Ethernet Controller (Fiber) (rev 06)
4x - Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
1x - Samsung SSD 850 EVO 500GB

We are using all the free apps with except vpns, intrusion detect and captive portal.

We notice a very slow performance and a lot of disk usage. The /var/log/messages and /var/log/syslog and growing so fast (more than 100gb by day) and the rsyslog service is using too much cpu.

So, after untag the firewall rules (pass, because the block ones I'm unable to untag), also changed bypass and other logs at the advanced option but the log is growing at the same way.

I found a problem with conntrack and I rise the limits for the:

net.netfilter.nf_conntrack_max = 524288
net.nf_conntrack_max = 524288

If somebody could help us to setup this correctly I'll be glad. We are very interest on the product.

Thanks

M.Sc. José Renato Castro Milanez
Analista de Tecnologia da Informação/TI Analist
Diretoria de Tecnologia da Informação/Information Technology Direction
Universidade Federal de Itajubá/Federal University of Itajubá
Itajubá - Minas Gerais - Brasil

[sky-knight]

Goodness, you need at least twice the CPU, and probably a RAID 10 made out of four of those SSDs to do this. Untagging firewall rules doesn't change anything, because that module logs everything anyway. rsyslog shouldn't be doing that unless you customized something... Which brings us back to the netfilter changes you made...

If you want to use Untangle you're going to have to get out of the terminal and stop customizing the OS. Those changes are unsupported because honestly, no one has any information on how the platform works with those modifications.

[dwasserman]

Maybe another option can be segment in 2 or 3 devices
1 for the edge whit routing, nat, vpn, firewall rules (or use your actual L3 firewall)
2 for antispam, pish, av for email, and all SMTP related (between your email server(s) and the edge in bridge mode)
3 for web filtering, web antivirus, SSL and app control (and here we put a full license, or call sales and negotiate)

A nice challenge ahead.

[goredaimon]

Tomorrow I'll upgrade to another hardware. It´s a big one and I´ll give some status.

Also, the error below I just solved with the sysctl tunning (net.netfilter.nf_conntrack_max = 524288 and net.nf_conntrack_max = 524288 at /etc/sysctl.conf). But after rebooting, the settings are not being applied.

[ 372.302981] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.303209] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.303367] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.303518] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.303530] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.305460] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.305886] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.306100] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.306155] nf_conntrack: nf_conntrack: table full, dropping packet
[ 372.306160] nf_conntrack: nf_conntrack: table full, dropping packet

[sky-knight]

That's what I like to call... a nonerror. It's in the logs, and it's frequent but does it actually mean anything?

There are some very large sites that do need to tune those values, and it is possible for them to be tuned. However, it's best to let Untangle support assist you while doing so, otherwise you risk breaking things. Untangle isn't Debian, and some of those settings don't quite do what they do on Debian.

[goredaimon]

The tunning is working like a charm! Without it, I got a lot of dropped packets!

If you are interest, it´s the same approach from pfsense/netgate firewall:

https://www.netgate.com/docs/pfsense...ork-cards.html