  1. #1
    Newbie
    Join Date
    Feb 2012
    Posts
    1

    Advanced Port Forwards - Source Interface after 9.2 auto update

    Hi,

    Our Untangle box seems to have done an auto update to 9.2 (svn20120216r31181) over the weekend.

    Today we've had a number of connectivity issues, like not being able to connect to our internal web server from inside the organisation but external users being able to connect without problems.

    We have multiple external IP addresses and advanced port forwarding turned on to divert traffic destined for these multiple addresses. A number of the rules have a Source Interface defined (as well as destination addresses set), to allow External OR Internal forwards. For example, our internal webserver has a port forward rule as follows:

    --------

    Source Interface: External or Internal
    and
    Destination Address: 203.59.<hidden>.<hidden>
    and
    Destined Local
    and
    Protocol: TCP
    and
    Destination Port: 80,443

    Forward to:
    New Destination: 192.168.1.10

    ---------------

    Set up like this, anyone trying to browse our webserver either inside or outside the organisation had success.

    Prior to this latest update, the Source Interface options of External, Internal, VPN etc were checkboxes, so multiple interfaces could be specified as per the 'before.png' attachment below.

    As of today's update, the options have changed to option buttons, so only one can be selected at a time, either external OR internal, not both, as per the 'after.png' attachment below.

    It seems that our selections have all defaulted to External only now, so all our internal forwards have now broken.

    With the Webserver example above, as a workaround I have now removed the Source Interface option completely so it forwards regardless of the source and this fixes the problem.

    Is this a bug that is going to be fixed, or is there a reason it now only allows one source interface?

  2. #2
    Newbie
    Join Date
    Jun 2010
    Posts
    11

    We are seeing the same issue after update. Rules that used to permit traffic from multiple interfaces are suddenly restricted to one, breaking existing services. This interrupted access to multiple servers at our site when the auto-update applied this morning.

  3. #3
    Master Untangler
    Join Date
    Feb 2009
    Posts
    145

    That is a feature :/

  4. #4
    Untangle Ninja dbunyard
    Join Date
    Nov 2008
    Location
    Westerville, Ohio, USA
    Posts
    1,059

    "Fix Source Interface matchers in Port Forwards, Bypass Rules, and Packet Filter Rules. (#9892)"

    Source
    Dan

    You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    Welcome to the forums!

    I see you missed the announcement thread Dirk made regarding this issue.

    I'll summarize: the source interface matcher hasn't worked correctly in quite a while. The logic behind what you're trying to do makes sense, but Untangle simply didn't work that way. If you ticked internal and external you've actually selected all odd and even interfaces, which is to say... everything.

    Given the nature of your situation I'm going to suggest you simply remove the source interface match entirely. If you have a DMZ or other interface you don't want the forward rule to work for, I suggest you make a firewall rule that prevents access.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Newbie
    Join Date
    Jun 2010
    Posts
    11

    Finally was able to reach support by phone (the update breaks the Live Support rack app too). They referred me to:
    http://forums.untangle.com/announcem...w-details.html

    Apparently the source interface matching has always been broken, although some of the examples given ex: "A matcher with External and Internal checked matches DMZ (but not External or Internal)" can't be correct as we had working rules that used Ext+Int and they functioned for those interfaces.

    The 'solution' to this was to remove multiple matches, no warning. Customers who rely on automatic Untangle updates to keep signatures, etc current should have known better.

    Sorry for the tone, but a slew of pages first thing in the morning from Untangle sabotaging my network does not a happy admin make.

  7. #7
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    Fair enough, but changes do happen. Automatic Updates refers only to a version upgrade, it does NOT refer to signatures and such. I have been on these forums for four years telling admins to TURN OFF automatic upgrade. Not so much because the changes per release break things, but because for the sake of uptime an Admin must manage the changes! You need an opportunity to take a look at the change log, make some decisions, push that button when you have support, and test things.

    That is not a process that can happen at 2am in random intervals.

    Now, if Untangle would just stop pushing out a version a month... that's what's wearing me thin. You must remain current!

  8. #8
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,201

    Quote: Originally Posted by BrianD
    "The 'solution' to this was to remove multiple matches, no warning. Customers who rely on automatic Untangle updates to keep signatures, etc current should have known better."

    Automatic Untangle updates are not required to be on for signature updates.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  9. #9
    Untangler plupien79
    Join Date
    Feb 2011
    Posts
    45

    It also seems to have broken Xbox Live

  10. #10
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,201

    Quote: Originally Posted by plupien79
    "It also seems to have broken Xbox Live"

    I suggest opening a new thread and describing what is "broken".
