  1. #1
    Newbie
    Join Date
    May 2016
    Posts
    6

    Public IP behind Untangle

    I have multiple public IPs that will be used on devices behind Untangle and would like to use the FW capabilities on Untangle to control incoming and outgoing traffic for these servers.

    Has there been any changes in ver 14 that will allow me to accomplish this?
    I cannot use netting, as the software on the server sends out the IP of the local NIC to the clients.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,431

    Default

    Sure, that's fine.

    Nothing specific changed in v14 in this regard.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,568

    Default

    Yes, you can do this. There are three things you need to do to make it work:

    1. Give your servers a normal static address appropriate for your internal network.
    2. Assign the desired public IPs to Untangle's External interface.
    3. Use Port Forward rules in Untangle to forward traffic to a particular public IP to the desired internal server IP. Even better if these rules are limited to only the specific ports you care about.

    Yes, this will result in NATing ("netting") the traffic to your servers, which you claim you don't want, but it should produce the results you need.

    Aside from this, the "NAT traffic exiting this interface" checkbox must be enabled on Untangle's External interface if you want internet access to work generally in your environment. You may be able to put your servers onto a custom VLAN or a different network adapter in Untangle, and use custom NAT rules to tweak things. But really, it's highly unusual for real servers to do what you're talking about.
    Last edited by jcoehoorn; 07-11-2018 at 01:08 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.0 to protect 700Mbits for ~400 residential college students and associated staff and faculty

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,583

    Default

    There are buckets of ways for Untangle to have public addresses inside it; all of them depend on how your ISP delivers the traffic.

    If you have three interfaces you can use one for External, one for Internal, and bridge the last one to External. You connect that bridged port to a switch with all your publicly addressed servers on it and feed them ISP IP details and watch them work.

    If the ISP is routing you a range, you can make Untangle route it without NAT by unchecking the NAT box on external and using NAT policies to specifically select the traffic you need to NAT.

    There are all sorts of ways to pull this off, but how to actually do it requires details we don't have in this thread.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,292

    Default

    Quote Originally Posted by mdru2000:
    I have multiple public IPs that will be used on devices behind Untangle and would like to use the FW capabilities on Untangle to control incoming and outgoing traffic for these servers.

    Has there been any changes in ver 14 that will allow me to accomplish this?
    I cannot use netting as the software in the server send out the IP of the local Nic to the clients.
    This is my "multiple public IPs for dummies" using Untangle:
    1. Assign all public IP addresses on the external interface (netmask /32).
    2. Create 1:1 NAT rules matching each public IP with each server's private IP; leave one external IP free for all other traffic (PAT).
    3. Create port forward rules permitting only the needed ports.
    The world is divided into 10 kinds of people, who know binary and those not
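    The three-step layout in the post above (public /32s on External, 1:1 NAT per server, a spare external address for everyone else, port forwards limited to needed ports) can be written down as a small packet-translation model. This is an added example, not Untangle's own code or configuration; all addresses are constructed from documentation ranges (203.0.113.0/29 as the ISP block, 192.168.10.0/24 as the LAN), and the class, method and rule names are hypothetical. Only unsolicited inbound packets and first outbound packets are modelled; stateful return traffic for PAT sessions is out of scope.

    ```python
    """Model of the 1:1 NAT plus PAT layout from the post above (added example, not Untangle's own code).

    Constructed addresses: ISP block 203.0.113.0/29, with 203.0.113.2-.4 mapped 1:1 to three servers
    and 203.0.113.1 left free as the shared PAT address; private LAN 192.168.10.0/24.
    """
    from dataclasses import dataclass
    from typing import Dict, Optional, Set, Tuple


    @dataclass(frozen=True)
    class Packet:
        src: str
        dst: str
        proto: str
        sport: int
        dport: int


    class EdgeNat:
        def __init__(self, one_to_one: Dict[str, str], pat_address: str,
                     allowed_inbound: Dict[str, Set[Tuple[str, int]]]):
            if pat_address in one_to_one:
                raise ValueError("the PAT address must stay free of 1:1 mappings (step 2)")
            self.in_map = dict(one_to_one)                        # public -> private (step 2)
            self.out_map = {v: k for k, v in one_to_one.items()}  # private -> public
            self.pat_address = pat_address
            self.allowed_inbound = allowed_inbound                # private -> {(proto, port)} (step 3)
            self.pat_table: Dict[Tuple[str, int], int] = {}       # (private src, sport) -> translated sport
            self._next_port = 40000

        def inbound(self, pkt: Packet) -> Optional[Packet]:
            """Unsolicited packet arriving on External; None means it is dropped."""
            target = self.in_map.get(pkt.dst)
            if target is None:
                return None  # PAT address or unknown public IP: nothing to forward to
            if (pkt.proto, pkt.dport) not in self.allowed_inbound.get(target, set()):
                return None  # port forward rules permit only the needed ports
            return Packet(pkt.src, target, pkt.proto, pkt.sport, pkt.dport)

        def outbound(self, pkt: Packet) -> Packet:
            """Packet leaving through External; the source is rewritten so replies come back here."""
            public = self.out_map.get(pkt.src)
            if public is not None:
                return Packet(public, pkt.dst, pkt.proto, pkt.sport, pkt.dport)  # 1:1 keeps the port
            # Everyone else shares the free external address (PAT), so the source port is rewritten too.
            key = (pkt.src, pkt.sport)
            if key not in self.pat_table:
                self.pat_table[key] = self._next_port
                self._next_port += 1
            return Packet(self.pat_address, pkt.dst, pkt.proto, self.pat_table[key], pkt.dport)


    def example_edge() -> EdgeNat:
        """Constructed configuration: three servers, one of them with no inbound ports opened."""
        return EdgeNat(
            one_to_one={"203.0.113.2": "192.168.10.20",
                        "203.0.113.3": "192.168.10.21",
                        "203.0.113.4": "192.168.10.22"},
            pat_address="203.0.113.1",
            allowed_inbound={"192.168.10.20": {("tcp", 443)},
                             "192.168.10.21": {("tcp", 25), ("tcp", 587)},
                             "192.168.10.22": set()},
        )


    if __name__ == "__main__":
        nat = example_edge()
        print(nat.inbound(Packet("198.51.100.7", "203.0.113.2", "tcp", 51000, 443)))  # forwarded
        print(nat.inbound(Packet("198.51.100.7", "203.0.113.2", "tcp", 51000, 22)))   # None: port not opened
        print(nat.outbound(Packet("192.168.10.50", "198.51.100.7", "tcp", 50000, 80)))  # leaves via PAT address
    ```

    Note that in this layout the server itself still carries 192.168.10.x on its NIC, which is exactly the application-layer problem the original poster raised: any protocol that embeds the local address in its payload will advertise the private one.
    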

  6. #6
    Newbie
    Join Date
    May 2016
    Posts
    6

    Default

    I have 3 interfaces on the Untangle virtual appliance
    Internal interface is working as expected for port forwarding and internet access for any devices attached to the virtual switch (Internal)
    Internal Interface is assigned a static IP - /24
    External is connected to its own virtual switch (Ext.)
    External Interface is assigned a static IP - /23
    DMZ is bridged to the External Interface, attached to a virtual switch (DMZ)

    The "NAT traffic exiting this interface" checkbox is enabled on Untangle's External Interface
    I have a server with a /23 IP address connected to the DMZ switch
    I cannot access the internet from the server in the DMZ
    I've tried using the actual gateway IP and the IP of the External Interface as the gateway
    Neither allows internet access

    There are no filters, port forwarding or firewall rules setup for the DMZ network

    My understanding is that this should work based on my current config but this is not the case.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,583

    Default

    If you're bridging to External, there's no need to clear that NAT box, that should have broken the rest of your network unless you made a manual NAT policy... which oddly enough is probably why your DMZ didn't work.

    So clear that NAT policy, and turn that NAT box back on, then go back and give your server on the bridged interface a full IP configuration as if Untangle wasn't there. Feed it an ISP address, ISP gateway, and DNS online somewhere. If that STILL doesn't work, it's because you're on VMware and you forgot to tell the vSwitches to tolerate promiscuous mode.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Newbie
    Join Date
    May 2016
    Posts
    6

    Default

    Sky-Knight - You are absolutely right - forgot about promiscuous mode on my vSwitch. Server in DMZ network is now working. Can I use Port forwarding for connection to the server in the DMZ or would I have to use filter rules instead?

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,583

    Default

    If the server has a public address, there is no need to forward any ports. Anything going to that address will get to the server.

    What you'll probably want to do is put in a firewall rule that blocks everything destined to that public address sourced from the external interface. That way all inbound traffic is blocked, and you can put pass rules for the traffic you do want to pass above it.

    P.S. This is how things will be when we all move to v6. All devices all public... all the time... general block at the bottom with pinhole rules and no NAT anywhere... oh it'll be so nice.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
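    The policy described in the post above (a general block for the public address at the bottom, pinhole pass rules above it, first match wins) depends entirely on rule order, so a common mistake is a pinhole that lands below the block and never fires. The following is an added example, not Untangle's own code or rule format: a small first-match evaluator over a constructed rule set, plus a check that reports rules shadowed by an earlier rule. The server address 203.0.113.10, the interface name "External" and the default-pass behaviour when nothing matches are assumptions.

    ```python
    """First-match policy model for a publicly addressed DMZ host (added example, not Untangle code).

    Constructed values: server public address 203.0.113.10, inbound interface named "External".
    """
    import ipaddress
    from dataclasses import dataclass
    from typing import List, Optional, Tuple


    @dataclass(frozen=True)
    class Rule:
        action: str                      # "pass" or "block"
        src_iface: Optional[str] = None  # None = any interface
        dst: Optional[str] = None        # host or CIDR; None = any destination
        proto: Optional[str] = None      # "tcp"/"udp"; None = any protocol
        dport: Optional[int] = None      # None = any destination port
        comment: str = ""

        def matches(self, pkt: dict) -> bool:
            if self.src_iface is not None and pkt["iface"] != self.src_iface:
                return False
            if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in \
                    ipaddress.ip_network(self.dst, strict=False):
                return False
            if self.proto is not None and pkt["proto"] != self.proto:
                return False
            if self.dport is not None and pkt["dport"] != self.dport:
                return False
            return True


    def evaluate(rules: List[Rule], pkt: dict, default: str = "pass") -> Tuple[str, Optional[int]]:
        """First matching rule wins; returns (action, index of the winning rule or None)."""
        for i, rule in enumerate(rules):
            if rule.matches(pkt):
                return rule.action, i
        return default, None  # assumed default when no rule matches


    def _subsumes(earlier: Rule, later: Rule) -> bool:
        """True if every packet the later rule could match is already caught by the earlier one."""
        def field_ok(e, l):
            return e is None or e == l
        if earlier.dst is None:
            dst_ok = True
        elif later.dst is None:
            dst_ok = False
        else:
            dst_ok = ipaddress.ip_network(later.dst, strict=False).subnet_of(
                ipaddress.ip_network(earlier.dst, strict=False))
        return (field_ok(earlier.src_iface, later.src_iface) and dst_ok
                and field_ok(earlier.proto, later.proto) and field_ok(earlier.dport, later.dport))


    def shadowed_rules(rules: List[Rule]) -> List[int]:
        """Indices of rules that can never fire because an earlier rule subsumes them."""
        return [j for j in range(len(rules)) if any(_subsumes(rules[i], rules[j]) for i in range(j))]


    SERVER = "203.0.113.10"


    def example_policy() -> List[Rule]:
        """Constructed rule set: two pinholes, the general block, and one misplaced pinhole below it."""
        return [
            Rule("pass", "External", SERVER, "tcp", 443, "pinhole: HTTPS"),
            Rule("pass", "External", SERVER, "tcp", 22, "pinhole: SSH (constructed)"),
            Rule("block", "External", SERVER, None, None, "general block for the public address"),
            Rule("pass", "External", SERVER, "tcp", 80, "misplaced pinhole: below the block, never reached"),
        ]


    def packet(dst: str, proto: str, dport: int, iface: str = "External") -> dict:
        return {"iface": iface, "dst": dst, "proto": proto, "dport": dport}


    if __name__ == "__main__":
        rules = example_policy()
        for p in (packet(SERVER, "tcp", 443), packet(SERVER, "tcp", 80), packet(SERVER, "udp", 53)):
            print(p["proto"], p["dport"], "->", evaluate(rules, p))
        for j in shadowed_rules(rules):
            print("rule", j, "is unreachable:", rules[j].comment)
    ```

    Traffic arriving on other interfaces is deliberately untouched by these rules, matching the post's advice to scope the block to packets sourced from the external interface.
    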

  10. #10
    Untangler bluechris's Avatar
    Join Date
    May 2016
    Location
    Athens, Greece
    Posts
    94

    Default

    Quote Originally Posted by sky-knight:

    P.S. This is how things will be when we all to v6. All devices all public... all the time... general block at the bottom with pinhole rules and no NAT anywhere... oh it'll be so nice.
    Oh no no no... I hate even the thought of it. Imagine all the crappy IoT devices that never get updates, or anything old, etc. Imagine your kids' devices exposed to the internet, vulnerable to any kind of attack....
    I like to be hidden behind a NAT and I will try to keep it that way for as long as I live, for sure.
