  1. #1
    Untanglit
    Join Date
    Aug 2009
    Posts
    28

    Migrating from Kerio Control to Untangle

    Hello fellow untanglers. I have been given the task of migrating a client's network stack from a Kerio Control appliance to a new Untangle u50x. The basic setup is complete and now I have the pleasure of recreating all of the traffic rules.



    There are not many rules, but the verbiage is very different between these two firewalls. Basic port mapping seems straightforward, but I am struggling with the rules (all VoIP related) where the source is an IP address group, and there are multiple services involved. Some screen shots attached for reference.

    Screen Shot 2018-08-12 at 9.19.53 AM.png

    Screen Shot 2018-08-12 at 9.21.07 AM.png

    Any input is appreciated!

  2. #2
    Untanglit
    Join Date
    Oct 2017
    Posts
    15

    I run Kerio Control and Untangle together, both within their own Hyper-V VMs in a home environment. Kerio serves as the "front end" for all LAN and WLAN clients.
    One reason I do this is Untangle's lack of ability to alias groups of IP addresses, alias groups of services and resolve FQDN within rules.
    Other reasons I continue to use Kerio are familiarity (have used it for about 20 years since first published by M-T Software), excellent DNS forwarding service, simple bandwidth management, concise rule definitions (as shown in your screen grab), colour-highlighted logs and rules, and a pleasing interface. However, I stopped updating a few sub-versions ago because it's expensive, support is abysmal and it's now awkward to renew (since it was acquired by GFI). Its decline is further demonstrated by multiple patches needed for the last update and chronic problems users have updating AV and IPS databases.

    I started using Untangle about a year ago because the TunnelVPN app was just what I needed (I was using Kerio + pfSense for that as Kerio does not support OpenVPN). I found Untangle's data collection and web filtering excellent ... far superior to Kerio's. I also like its Application filtering app which was an expensive add-on for Kerio.

    Anyway, I think the only way you can duplicate your "Operator RTP" rule in Kerio is to explicitly list the IP addresses within the "nexvortex" IP address group in an Untangle rule. That's not a big deal as the addresses are static. Likewise, each service must be explicitly defined within an Untangle rule (I think you can define multiple ports in a single Untangle rule).

  3. #3
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712

    You can't easily group port #s into a group, but you can use tagging to group IP addresses for use in firewall rules.

  4. #4
    Untanglit
    Join Date
    Aug 2009
    Posts
    28

    Originally posted by jbhur:
    I run Kerio Control and Untangle together, both within their own Hyper-V VMs in a home environment. Kerio serves as the "front end" for all LAN and WLAN clients.
    One reason I do this is Untangle's lack of ability to alias groups of IP addresses, alias groups of services and resolve FQDN within rules.
    Other reasons I continue to use Kerio are familiarity (have used it for about 20 years since first published by M-T Software), excellent DNS forwarding service, simple bandwidth management, concise rule definitions (as shown in your screen grab), colour-highlighted logs and rules, and a pleasing interface. However, I stopped updating a few sub-versions ago because it's expensive, support is abysmal and it's now awkward to renew (since it was acquired by GFI). Its decline is further demonstrated by multiple patches needed for the last update and chronic problems users have updating AV and IPS databases.

    I started using Untangle about a year ago because the TunnelVPN app was just what I needed (I was using Kerio + pfSense for that as Kerio does not support OpenVPN). I found Untangle's data collection and web filtering excellent ... far superior to Kerio's. I also like its Application filtering app which was an expensive add-on for Kerio.

    Anyway, I think the only way you can duplicate your "Operator RTP" rule in Kerio is to explicitly list the IP addresses within the "nexvortex" IP address group in an Untangle rule. That's not a big deal as the addresses are static. Likewise, each service must be explicitly defined within an Untangle rule (I think you can define multiple ports in a single Untangle rule).

    Thanks for the input! I have not been a Kerio user for as long as you have, but it has been the most friendly UI I've yet encountered. It's too bad GFI seems intent on driving Control into the ground.

    :/

  5. #5
    Untanglit
    Join Date
    Aug 2009
    Posts
    28

    Originally posted by JasonJoel:
    You can't easily group port #s into a group, but you can use tagging to group IP addresses for use in firewall rules.

    Thanks Jason - Can you please describe this in a bit more detail? I have a rudimentary understanding of routing. If you can point me in the right direction I'd appreciate it.

  6. #6
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712

    Tagging in Untangle is fairly straightforward. You can either:

    1. Make a tag rule to do it automatically based on a criterion like Device Table or Host Table (may not be appropriate for your use though) - Config -> Events -> Triggers.

    Or

    2. You can just open the DEVICES or HOSTS list and manually add tags to individual hosts. That is the easiest way if you have a fairly fixed list to put into a tag group.

  7. #7
    Untanglit
    Join Date
    Jun 2018
    Posts
    22

    It looks like you only need to reproduce your incoming rules for SIP / RTP. Untangle NG Firewall does not have service definitions; however, the input fields for the port and address have a syntax that enables you to define multiple values.
    So if you switch to the advanced view, you can configure two conditions, one for the source address and one for the destination port. These wiki topics describe the syntax for those fields:
    https://wiki.untangle.com/index.php/IP_Matcher
    https://wiki.untangle.com/index.php/Int_Matcher
    Note that in the section at the bottom "Forward to the following location:" you should leave the "New port" field empty.
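
A way to check a migrated rule before entering it, added here as an example and not part of the thread or Untangle's own code: it builds the two condition strings from an address group and a service list, then tests sample connections against them. It assumes the fields accept comma-separated lists, `first-last` ranges, CIDR blocks and `any` (confirm against the two wiki pages above); the addresses and ports are constructed documentation values, not the real "nexvortex" group.

```python
import ipaddress

def ip_matches(matcher, addr):
    """True if addr falls inside any comma-separated term (IP, CIDR, first-last, any)."""
    ip = ipaddress.ip_address(addr)
    for term in (t.strip() for t in matcher.split(",")):
        if term == "any":
            return True
        if "-" in term:  # inclusive address range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in term.split("-", 1))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(term, strict=False):  # single IP or CIDR
            return True
    return False

def port_matches(matcher, port):
    """True if port equals, or lies within, any comma-separated term."""
    for term in (t.strip() for t in matcher.split(",")):
        if term == "any":
            return True
        if "-" in term:  # inclusive port range
            lo, hi = (int(p) for p in term.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(term) == port:
            return True
    return False

def build_matcher(values):
    """Join group members into the single string typed into the rule field."""
    return ",".join(str(v).strip() for v in values)

# Constructed sample data standing in for the Kerio address group and services.
PROVIDER_GROUP = ["203.0.113.10", "203.0.113.32/28", "198.51.100.5-198.51.100.9"]
SERVICES = ["5060", "10000-20000"]  # assumed SIP signalling port and RTP range

SRC_MATCHER = build_matcher(PROVIDER_GROUP)
PORT_MATCHER = build_matcher(SERVICES)

def rule_allows(src, dport):
    """Both conditions must match, as with two conditions in one rule."""
    return ip_matches(SRC_MATCHER, src) and port_matches(PORT_MATCHER, dport)

if __name__ == "__main__":
    print("Source Address:  ", SRC_MATCHER)
    print("Destination Port:", PORT_MATCHER)
    for src, port in [("203.0.113.40", 5060), ("203.0.113.48", 5060), ("198.51.100.7", 20001)]:
        print(src, port, "->", "match" if rule_allows(src, port) else "no match")
```

Testing addresses just outside each range, as the last two samples do, is what catches a group entry that was widened by accident during the migration.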

  8. #8
    Untanglit
    Join Date
    Oct 2017
    Posts
    15

    Are you, perchance, the same BCarmichael who provided yeoman service at Kerio (and maybe at Tiny supporting WinroutePro, before that)? If so, good moves by both Untangle and you.

  9. #9
    Untanglit
    Join Date
    Jun 2018
    Posts
    22

    Indeed it's me. Yes I was with Kerio since it was Tiny Software and now I'm here at Untangle with a few other former Kerio folks.

  10. #10
    Untanglit
    Join Date
    Oct 2017
    Posts
    15

    Well, ain't that a kick in the head.
    For reasons perhaps best understood by my analyst, I still have email threads about Winroute you and I shared from 2001. (I used a different nom de clavier then).
    Some other guy, too ... Jeff Ludlow, I think.
