  1. #1 Newbie (Join Date May 2009, Posts 8)

    Untangle, multiple subnets, and brouting

    Hi there,

    I have a test environment with Untangle set up now that I hope to base a production environment off of. I've been very happy with Untangle until now, I just can't seem to get this to work.

    I have Untangle set up in bridge mode right now. A workstation connected to the internal interface is configured as follows:

    IP: 10.4.0.2
    Subnet: 255.255.255.0
    Router: 10.4.0.1

    The Untangle's WAN port is set up as follows:

    IP: 192.168.1.145
    Subnet: 255.255.255.0
    Router: 192.168.1.1

    I have added 10.4.0.1/24 to the list of IP Address Aliases for the WAN port.

    I cannot seem to get the workstation to see the outside world. I can ping the Untangle alias (10.4.0.1) and the Untangle primary IP (192.168.1.145) but I cannot see any devices upstream to the Untangle.

    The Wiki article on Networking FAQ's (specifically the 3rd entry there) says that I can do this, but after following all the instructions provided I just cannot get the Untangle to route packets correctly.

    From the Untangle, I am able to ping the workstation (10.4.0.2) and the gateway (192.168.1.1) successfully.

    What am I doing wrong?

    Much appreciated,
    Landon

  2. #2 Untangler (Join Date Feb 2009, Posts 98)

    I'm not really understanding your network settings but did you add a route?

    I think your WAN must change from 10.4.0.1/24 to 10.4.0.1/27 or /??
    Internal to your subnets? /21? http://krow.net/dict/subnet.html

    This is just a guess; I really do not understand your network configuration...

  3. #3 Untangle Ninja sky-knight (Join Date Apr 2008, Location Phoenix, AZ, Posts 26,485)

    Ping isn't handled by the UVM, that is moved around with the basic Linux bridge.

    So, your brouting configuration sounds correct. Can you ping all the way to something on the internet?

    Ahh and I see your problem on my second read through.

    Untangle bridges aren't routers, and you've assigned your UT bridge the same IP address that you have listed as a client for your network. You need to give Untangle an "unused" IP address on the other segment. IP addresses must be unique.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4 Untangle Junkie dmorris (Join Date Nov 2006, Location San Carlos, CA, Posts 17,486)

    who is 10.4.0.2's gateway?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5 Newbie (Join Date May 2009, Posts 8)

    Followup

    Thanks for the replies everyone!

    SMNS, it may be that you have something to your subnet mask question, although I do not completely follow the wording you used. I have the WAN port configured to use 192.168.1.145/24 as the "primary IP address". Because the LAN port is in bridged mode, I added 10.4.0.1/24 to the "additional IP addresses" area of the WAN port, hoping that the UT would somehow bridge them together. I now realize I am probably going about this all wrong and need to set it up in a routing mode and not a bridge mode, but it seems all the UT box can do when in routing mode is NAT, which I cannot make use of in my case.

    Sky-knight, I cannot ping to the internet. The highest I can ping is 192.168.1.145, which is the primary IP of the UT box (remember, the host I'm pinging from is at 10.4.0.2).

    Dmorris, 10.4.0.2's gateway is 10.4.0.1, which is the IP address I added to the list of additional addresses on the WAN port of the Untangle.

    I'm trying to get a hang of the concept of routing here, but unfortunately this test environment I am trying to use might just be too different than the actual live scenario I am trying to plan.
    Last edited by lbgaus; 06-29-2009 at 06:02 PM.

  6. #6 Untangle Ninja sky-knight (Join Date Apr 2008, Location Phoenix, AZ, Posts 26,485)

    Actually in advanced mode you can remove the NAT policy and move traffic around with static routes. The limitation here is that it's all basic destination based routing. You can't do any source based routes to make things easy.

    The UVM doesn't care... bridge, router, NAT or no... if the Linux kernel has a way to get a packet from one interface to another... it goes through the rack to get there.

  7. #7 Newbie (Join Date May 2009, Posts 8)

    Ok, well here's the real crux of the matter. I have servers at a datacenter that uplink to the net via a dedicated 100Mbit Cogent drop.

    As part of Cogent's routing policies, they give me a /29 block that serves as the "Cogent-routed IP block". The first IP in the block represents the network, the second is the gateway, I have 5 usable IPs, and then the broadcast.

    I recently asked them for another block of IP addresses so that I can expand a little bit, but the issue here is that they only route this new block to the first usable IP in the above-mentioned range (the one immediately following the gateway). So, I basically have to bring in my own router to do routing for this second block of addresses, which I have not done as of yet. I'm trying to put together a poor-man's router to get this working, and it would be excellent to be able to use the Untangle platform for this.

    The resources hosted on this line do not require high-reliability, per se, but I am sort of at a loss for how to get this going, as I have never done this before.

    Any suggestions are appreciated. Thanks again for all your assistance.

  8. #8 Untangle Ninja sky-knight (Join Date Apr 2008, Location Phoenix, AZ, Posts 26,485)

    That seems highly irregular... if they provide a second IP block, but don't provide you a gateway within that block they have provided you NOTHING. All they have done is give you a list of IP addresses that don't do jack and you get to do your own ISP provisioning? I think you either misunderstand their directives, or you're getting ripped off.

    However, bear in mind that I have a pretty good idea how to get Untangle to work as a non-NAT router in this funky situation you've described... but rather than outline my theory I'm going to urge you to pester tech support some more. Because this situation seems very fishy to me.

  9. #9 Newbie (Join Date May 2009, Posts 8)

    Thanks for your help with this, sky-knight.

    It isn't as bad as you think. The ISP allocates a /29 range to me that has a gateway with it. Any additional ranges I request are statically routed by the ISP to the first usable IP address in the original /29. So they make you use your own router if you need more than 8 IP addresses (5 of them being usable), but they leave the flexibility of your configuration up to you.

    The additional ranges they give are good for nothing only if you don't put in a router on your end. Even though it seems it would be easy for them to do routing for me, they won't do it for some reason. Perhaps it's because I am getting a steal on a high bandwidth, high availability uplink, maybe it's more cost efficient to force me to do my own routing.

    I've been testing this whole scenario out with a bunch of virtual machines and I finally think I have this routing down. I even threw in a second Untangle for good measure and got that to work, giving me routing across three different subnets within my VM setup.

    I am about 99% sure now that when I take this live it will work very nicely. It's just that I have never had to do this before, so having to figure it all out can be time consuming and frustrating.

    Thanks again for all your help.

  10. #10 Untangle Ninja sky-knight (Join Date Apr 2008, Location Phoenix, AZ, Posts 26,485)

    Yeah... the first time you butt heads with routing in general is a bit of an eye opener.

    Does Cogent give you an extra address for stealing one out of the first segment?

    Still, Untangle could work here... give UT's external the singular special IP address, give the internal an IP in the second block.

    Then, kick UT into advanced mode, edit internal and remove the NAT policy. Then under advanced mode go into routes and add a route with a destination of 0.0.0.0/0 and a gateway of the ISP provided gateway.

    At this point UT shouldn't be NAT'ing but has the ability to route traffic from behind it out and up the chain. It will also filter traffic traversing the device... but it won't do jack for the lead segment.

    I can't help but feel monowall would be a better choice here... you will end up needing the full features of a real "router". Untangle is a UTM and isn't really meant to live in this world.

    It can do the job... but you're going to need to keep an eye on it as the UT will run out of resources in a HURRY with a full rack or two.
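As an added illustration of the plan laid out in posts #9 and #10 (this is not code from the thread or from Untangle), here is a Python model of the two-block setup using constructed RFC 5737 documentation prefixes in place of the poster's real Cogent ranges: it carves the /29 the way the ISP describes it, builds the ISP's static route and the UT box's NAT-free table, and walks an inbound packet through both with a longest-prefix lookup; the address-uniqueness rule from post #3 is included as a check.

```python
import ipaddress

# Constructed sample prefixes (RFC 5737 documentation space), not the
# poster's real Cogent assignments.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/29")      # the "Cogent-routed" /29
SECOND_BLOCK = ipaddress.ip_network("198.51.100.0/29")  # the extra block
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def carve_block(net):
    """Split a /29 as the ISP describes it: network, gateway (first
    address after the network), usable hosts, broadcast."""
    hosts = list(net.hosts())
    return net.network_address, hosts[0], hosts[1:], net.broadcast_address

def router_tables():
    """Tables for post #10's plan: UT external = first usable IP after the
    gateway, UT internal = first host of the second block, default route via
    the ISP gateway, no NAT. Entries are (prefix, next_hop|None, interface)."""
    _, gw, usable, _ = carve_block(ISP_BLOCK)
    outside_ip, inside_ip = usable[0], list(SECOND_BLOCK.hosts())[0]
    ut_table = [(ISP_BLOCK, None, "external"),
                (SECOND_BLOCK, None, "internal"),
                (DEFAULT, gw, "external")]
    isp_table = [(ISP_BLOCK, None, "customer"),
                 (SECOND_BLOCK, outside_ip, "customer"),  # ISP's static route
                 (DEFAULT, None, "upstream")]
    return outside_ip, inside_ip, isp_table, ut_table

def lookup(table, dst):
    """Longest-prefix match: destination-based only, as the thread notes."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def inbound_path(dst):
    """Hops an inbound packet takes: ISP router first, then the UT box only
    if the ISP's static route hands the packet to it."""
    outside_ip, _, isp_table, ut_table = router_tables()
    prefix, via, iface = lookup(isp_table, dst)
    hops = [("isp", str(prefix), iface)]
    if via == outside_ip:
        prefix, via, iface = lookup(ut_table, dst)
        hops.append(("ut", str(prefix), iface))
    return hops

def addresses_unique(*addrs):
    """Post #3's rule: every interface and host address must be distinct."""
    return len({str(a) for a in addrs}) == len(addrs)
```

Hosts in the second block reach the UT box directly on its internal interface, and the UT box reaches the internet only through its default route to the ISP gateway, so any missing entry shows up as a one-hop path in `inbound_path`.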
