Migrating from Kerio Control to Untangle

[boy412]

Hello fellow untanglers. I have been given the task of migrating a client's network stack from a Kerio Control appliance to a new Untangle u50x. The basic setup is complete and now I have the pleasure of recreating all of the traffic rules.



There are not many rules, but the verbiage is very different between these two firewalls. Basic port mapping seems straightforward, but I am struggling with the rules (all VoIP related) where the source is an IP address group, and there are multiple services involved. Some screen shots attached for reference.

Screen Shot 2018-08-12 at 9.19.53 AM.png

Screen Shot 2018-08-12 at 9.21.07 AM.png

Any input is appreciated!

[jbhur]

I run Kerio Control and Untangle together, both within their own Hyper-V VMs in a home environment. Kerio serves as the "front end" for all LAN and WLAN clients.
One reason I do this is Untangle's lack of ability to alias groups of IP addresses, alias groups of services and resolve FQDN within rules.
Other reasons I continue to use Kerio is familiarity (have used it for about 20 years since first published by M-T Software), excellent DNS forwarding service, simple bandwidth management, concise rule definitions (as shown in your screen grab), colour-highlighted logs and rules, and a pleasing interface. However, I stopped updating a few sub-versions ago because it's expensive, support is abysmal and it's now awkward to renew (since it was acquired by GFI). It's decline is further demonstrated by multiple patches needed for the last update and chronic problems users have updating AV and IPS databases.

I started using Untangle about a year ago because the TunnelVPN app was just what I needed (I was using Kerio + pfSense for that as Kerio does not support OpenVPN). I found Untangle's data collection and web filtering excellent ... far superior to Kerio's. I also like its Application filtering app which was an expensive add-on for Kerio.

Anyway, I think the only way you can duplicate your "Operator RTP" rule in Kerio is to explicitly list the IP addresses within the "nexvortex" IP address group in an Untangle rule. That's not a big deal as the addresses are static. Likewise, each service must be explictly defined within an Untangle rule (I think you can define multiple ports in a single Untangle rule).

[JasonJoel]

You can't easily group port #s into a group, but you can use tagging to group IP addresses for use in firewall rules.

[boy412]

I run Kerio Control and Untangle together, both within their own Hyper-V VMs in a home environment. Kerio serves as the "front end" for all LAN and WLAN clients.
One reason I do this is Untangle's lack of ability to alias groups of IP addresses, alias groups of services and resolve FQDN within rules.
Other reasons I continue to use Kerio is familiarity (have used it for about 20 years since first published by M-T Software), excellent DNS forwarding service, simple bandwidth management, concise rule definitions (as shown in your screen grab), colour-highlighted logs and rules, and a pleasing interface. However, I stopped updating a few sub-versions ago because it's expensive, support is abysmal and it's now awkward to renew (since it was acquired by GFI). It's decline is further demonstrated by multiple patches needed for the last update and chronic problems users have updating AV and IPS databases.

I started using Untangle about a year ago because the TunnelVPN app was just what I needed (I was using Kerio + pfSense for that as Kerio does not support OpenVPN). I found Untangle's data collection and web filtering excellent ... far superior to Kerio's. I also like its Application filtering app which was an expensive add-on for Kerio.

Anyway, I think the only way you can duplicate your "Operator RTP" rule in Kerio is to explicitly list the IP addresses within the "nexvortex" IP address group in an Untangle rule. That's not a big deal as the addresses are static. Likewise, each service must be explictly defined within an Untangle rule (I think you can define multiple ports in a single Untangle rule).

Thanks for the input! I have not been a Kerio user for as long as you have, but it has been the most friendly UI I've yet encountered. Its too bad GFI seems intent on driving Control into the ground.

:/

[boy412]

You can't easily group port #s into a group, but you can use tagging to group IP addresses for use in firewall rules.

Thanks Jason - Can you please describe this in a bit more detail? I have a rudimentary understanding of routing. If you can point me in the right direction I'd appreciate it.

[JasonJoel]

Tagging in Untangle is fairly straight forward. You can either:

1. Make a tag rule to do it automatically based on a criteria like Device Table or Host Table (may not be appropriate for your use though) - Config -> Events -> Triggers.

Or

2. You can just open the DEVICES or HOSTS list and manually add tags to individual hosts. That is the easiest way if you have a fairly fixed list to put into a tag group.

[bcarmichael]

It looks like you only need to reproduce your incoming rules for SIP / RTP. Untangle NG Firewall does not have service definitions however the input fields for the port and address have a syntax that enables you to define multiple values.
So if you switch to the advanced view, you can configure two conditions, one for the source address and one for the destination port. These wiki topics describe the syntax for those fields:
https://wiki.untangle.com/index.php/IP_Matcher
https://wiki.untangle.com/index.php/Int_Matcher
Note that in the section at the bottom "Forward to the following location:" you should leave the "New port" field empty.

[jbhur]

Are you, perchance, the same BCarmichael who provided yeoman service at Kerio (and maybe at Tiny supporting WinroutePro, before that)? If so, good moves by both Untangle and you.

[bcarmichael]

Indeed it's me. Yes I was with Kerio since it was Tiny Software and now I'm here at Untangle with a few other former Kerio folks.

[jbhur]

Well, ain't that a kick in the head.
For reasons perhaps best understood by my analyst, I still have email threads about Winroute you and I shared from 2001. (I used a different nom de clavier then).
Some other guy, too ... Jeff Ludlow, I think.