Setup Question - Integrate With Wireless

[bk1]

I am working with a site that wants to accomplish the following:
1) Use Untangle to filter ALL internet traffic from guest wireless network

2) Use Untangle with the AD connector to authenticate people who connect to the secured wireless network. There will be two racks setup, one that will allow a few extra sites over what the other rack will allow

3) Allow users that authenticate to the secured wireless network to access network resources such as our internal file server, printers, etc.

They currently have just the open source version of Untangle. They will be upgrading soon to provide the AD connector etc.

We are planning on using Ubiquiti Unifi units that have the capability of each AP providing a Guest network and a secured wireless network and then VLAN tagging the traffic from both.

So, I could use some help figuring out the best way to make this all mesh together. Someone on another forum said I would need a router (like a Microtik) to do the necessary routing of the traffic from the Unifi APs. They said that I should then put the Untangle box in transparent mode but I don't know if that will still work with the AD connector aspect of it.

So, that's where I'm at. Let me know if you need more info. Otherwise, let me know how you would suggest setting this up.

[sky-knight]

Untangle doesn't do VLANs. But, if the APs can handle the DHCP work, you can simple use aliases on the appropriate adapters to allow Untangle to communicate with both networks.

The downside to this approach, is any traffic from either VLAN won't be subject to the firewall, you'll have to use the packet filter to control access between the IP ranges. And there aren't any logs in there.

[Springs]

Untangle doesn't do VLANs. But, if the APs can handle the DHCP work, you can simple use aliases on the appropriate adapters to allow Untangle to communicate with both networks.

The downside to this approach, is any traffic from either VLAN won't be subject to the firewall, you'll have to use the packet filter to control access between the IP ranges. And there aren't any logs in there.

When I read this... "Doesn't do VLANs"
Does that mean it would strip out a VLAN tags as they pass if the UT box is in bridge mode?

i.e.
Router has a VLAN set up on a physical interface. Now something downstream would need to tag the packets. The WAP is set to tag clients connecting to the guest network with a VID of 10. So without UT in place... Every device that joins the Guest SSID gets an IP address in the VLAN range from the router.
So main network is 192.168.10.0/24
VLAN / Guest Network is 192.168.20.0/24

The router is providing the DHCP Pools. I have a rule on the router that prevents VLAN / Guest from accessing any resource on the Main network. I used a simple rule that states... If VLAN / Guest traffic is ! sent to WAN Action = Drop.

Now could I place Untangle in bridge mode with that system and have Untangle protect both networks?

[jcoehoorn]

The trick here when we say that "untangle doesn't do vlans" is that it doesn't directly manage or participate in vlans. It can still handle traffic for multiple vlans.

To make this work you'll need a layer-3 device in your internal network to handle the real inter-vlan routing. Layer-3 normally implies router, but you can buy "switches" that will handle this. You'll also need a vlan-capable dhcp service to be handled by your internal network, and not by untangle. Either Linux and Windows DHCP servers are more than capable of this.

Now your individual vlans will point to your layer-3 switch as their default gateway, which will in turn have untangle set as it's default gateway. Untangle in router mode will have an IP Address alias + a static route set up on it's internal interface for each vlan. At this point, everything should be working just fine.

[Springs]

So in my example above

Router --- Untangle --- DUMB Switch --- WAP

The router is set to have both LANs
LAN1 = Main 192.168.10.1 address /24 network and Pool
VLAN = Guest 192.168.20.1 address /24 network and Pool

Untangle would usually be in bridge mode with an address like 192.168.10.160

That would let it handle every device in 192.168.10.0/24

Is there a trick to tell it to also handle the VLAN traffic that would appear to it as 192.168.20.0/24.

[jcoehoorn]

No. You must have a smarter switch or router capable of making layer 3 decisions.

[sky-knight]

When I read this... "Doesn't do VLANs"
Does that mean it would strip out a VLAN tags as they pass if the UT box is in bridge mode?

Packets processed by the UVM will have VLAN tags removed. Packets bypassing the UVM will pass intact.

[bk1]

So, do I HAVE to put untangle in bridge mode? If so, does the AD integration etc still work?

I'm wondering if I have to have a router still or if I can do this with my VLAN capable switch and Untangle doing the routing:

Unifi APs -> HP Switch (VLAN) ->Untangle (routing) -> Internet

[bk1]

Does anyone know if my HP 1800-24G can do the necessary routing for this? I know it is VLAN capable but it seems like I would still need something to do the routing.

I'm trying to figure out if I will need a Mikrotik router as part of the solution for this.

Then, in Untangle, would I create two separate racks, one for those that can authenticate with AD and one for those that can't?

How does Untangle know to look for that authentication or not?

[bhackbarth]

The HP 1800-24G is a layer 2 switch. So yes it is VLAN aware, but no it cannot handle IP routes between VLANs. Need a layer 3 managed switch for that. Such a switch has an actual IP routing table and a default route. The Cisco SF300 / SG300 series can be configured to layer 3 and they are priced very affordably.