  1. #1
    Untangler
    Join Date
    Sep 2018
    Posts
    51

    Default thoughts on Untangle as VLAN router?

    The basic situation is roughly 100 Wintel workstations and perhaps 20 Wintel servers (mix of physical and virtual) currently all on one subnet. Mostly your standard SMB services -- file sharing, printing, SQL, Exchange, etc. The plan is to put the servers and workstations on separate VLANs. Typically, a L3 switch would be used to route traffic between the VLANs, and this is an option in this case. We're contemplating instead using the Untangle appliance to do the VLAN routing for the reporting and security options. A lot of those 100 workstations are high risk from a security standpoint, and protecting the servers is a high priority.

    Has anyone actually done this in an environment of any size? What was the traffic level and what impact did it have on Untangle and what HW was Untangle on? For the security/protection reasons, we'd rather not do wholesale bypass rules. It looks like traffic to/from the servers currently averages 20-30mbps during working hours.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,712

    Default

    VLAN is just another interface. The only limit is 254 interfaces on Untangle. 120 devices does not sound like a large environment as long as your hardware is matched to your usage.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,948

    Default

    Quote Originally Posted by ntguru View Post
    A lot of those 100 workstations are high risk from a security standpoint.
    In this situation, I'd add a third VLAN to segment out those less trusted workstations. Maybe also a fourth for the inevitable wifi incursion.

    Untangle is certainly capable of routing traffic between those VLANs, but I'd be very careful about how I provisioned the server, to ensure enough bandwidth on the internal interfaces. For example, if you have 100Mbps internet service, then a 1Gbps internal interface is plenty in normal situations. But when you add inter-VLAN traffic into the mix, suddenly a file transfer from a fast SSD server to a workstation (or several similar but slower transfers) can saturate the 1Gbps link, and that will cut off internet traffic, too. You also need to be sure you have enough CPU and RAM resources to keep things moving.
    Last edited by jcoehoorn; 12-11-2018 at 10:01 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

  4. #4
    Master Untangler bluechris's Avatar
    Join Date
    May 2016
    Location
    Athens, Greece
    Posts
    181

    Default

    I had the same question some months ago here in the forum and I did some tests.
    What I saw is that file transfers between different VLANs that normally were at 90-100mb/s went at half speed. Maybe the culprit was that the company is full VMware and Untangle also is virtual.
    My original plan was to not only make VLANs to segment the servers from users but also to segment every company department, ending up with 20 VLANs including the basic one. My switches were smart layer 3 (HPE 1950) and had the ability to route 8 VLANs only.
    So since I wanted to upgrade the connections between the servers to 10gb, mainly for faster backups and vMotion, we bought from eBay an HP 5820 (JG219A), which is sold for $600 and is a full layer 3 router with 24 SFP+ ports, and that was the best decision I made lately, since now the routing is at line speed and I can also have ACLs to control everything.

  5. #5
    Untangler
    Join Date
    Sep 2018
    Posts
    51

    Default

    Quote Originally Posted by jcoehoorn View Post
    In this situation, I'd add a third VLAN to segment out those less trusted workstations. Maybe also a fourth for the inevitable wifi incursion.

    Untangle is certainly capable of routing traffic between those VLANs, but I'd be very careful about how I provisioned the server, to ensure enough bandwidth on the internal interfaces. For example, if you have 100Mbps internet service, then a 1Gbps internal interface is plenty in normal situations. But when you add inter-VLAN traffic into the mix, suddenly a file transfer from a fast SSD server to a workstation (or several similar but slower transfers) can saturate the 1Gbps link, and that will cut off internet traffic, too. You also need to be sure you have enough CPU and RAM resources to keep things moving.
    We will eventually add more VLANs as they upgrade their network HW. Regarding saturating a gig port -- wouldn't that be an issue even in a "flat" network, and isn't that where QoS etc. comes in? Haven't thought it all the way through, so maybe I'm missing something?

  6. #6
    Untangler
    Join Date
    Sep 2018
    Posts
    51

    Default

    Thanks for the info, bluechris. I had read your thread prior to posting but missed the half-normal transfer speed part. FWIW, with both VMware and Hyper-V, I've seen similar throughput issues, especially if the interface/virtual interface is handling dot1q-tagged traffic.

    In this particular case, having app-layer visibility into inter-VLAN traffic is desirable -- otherwise we would do the default option and use existing L3-capable switching to route between VLANs.

    At this point, I think we'll try first with Untangle handling VLAN routing and can fall back to L3-switch-based VLAN routing if Untangle doesn't work.

    Quote Originally Posted by bluechris View Post
    I had the same question some months ago here in the forum and I did some tests.
    What I saw is that file transfers between different VLANs that normally were at 90-100mb/s went at half speed. Maybe the culprit was that the company is full VMware and Untangle also is virtual.
    My original plan was to not only make VLANs to segment the servers from users but also to segment every company department, ending up with 20 VLANs including the basic one. My switches were smart layer 3 (HPE 1950) and had the ability to route 8 VLANs only.
    So since I wanted to upgrade the connections between the servers to 10gb, mainly for faster backups and vMotion, we bought from eBay an HP 5820 (JG219A), which is sold for $600 and is a full layer 3 router with 24 SFP+ ports, and that was the best decision I made lately, since now the routing is at line speed and I can also have ACLs to control everything.

  7. #7
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,948

    Default

    Quote Originally Posted by ntguru View Post
    Regarding saturating a gig port -- wouldn't that be an issue even in a "flat" network, and isn't that where QoS etc. comes in?
    In a flat network, where everything is on the same VLAN, your switch will move packets directly between devices according to its ARP table, and Untangle won't see the internal traffic at all. On a multi-VLAN (routed) network, traffic between different VLANs has to move through the router (Untangle) to get placed onto the proper VLAN.

    This is why my own network has a separate layer-3 switch (which, being layer-3, is really a router) handling inter-vlan routing for internal traffic.
    Last edited by jcoehoorn; 12-12-2018 at 01:17 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514

    Default

    Quote Originally Posted by jcoehoorn View Post
    In a flat network, where everything is on the same VLAN, your switch will move packets directly between devices on the same VLAN, and Untangle won't see the traffic at all. On a multi-VLAN (routed) network, traffic between different VLANs has to move through the router (Untangle) to get placed onto the proper VLAN.
    Exactly this, and to expand on it a bit more: if you have segmentation and you need to transit those segments, all of a sudden you've got Internet-like constraints, as that single gbit port floods.

    So if the OP wants to segment via Untangle that's fine, but he needs to be certain that the various segments don't need to talk to each other much, otherwise bad things will happen. Or at the very least the net admin needs to be aware of those limits so he can move VLAN interfaces to different physical NICs to spread out the load. And it's not just the load: modules such as the new IDS module do not care where the traffic flows; it's all subject to control. So you can have some very unexpected issues crop up if you aren't careful.

    Or you deploy a proper switching system, which is honestly easier and often less expensive.

    Untangle is designed to be on the edge of your network aimed at the Internet, it can operate your core too, but you must be careful while doing so.
    Last edited by sky-knight; 12-12-2018 at 11:36 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
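The bandwidth argument in posts #3, #7 and #8, and the QoS question raised in #5, as an added toy model (not Untangle code or anything posted in the thread): Internet flows and a fast server-to-workstation copy compete for Untangle's single gigabit internal NIC only when Untangle is the inter-VLAN router; link speeds and flow demands are constructed values.

```python
"""Toy model of who shares Untangle's 1 Gbps internal NIC under the two
topologies discussed above.  Constructed example, not Untangle code."""
from typing import Callable, Dict

LAN_NIC_MBPS = 1000.0  # one gigabit trunk port carrying every VLAN (router-on-a-stick)

# Offered load in Mbps; constructed values for the thread's scenario.
FLOWS: Dict[str, float] = {
    "internet_downloads": 100.0,               # a 100 Mbps WAN link, fully used
    "ssd_server_to_workstation_copy": 3000.0,  # what a fast SSD server can push
}

def fifo_share(capacity: float, demands: Dict[str, float]) -> Dict[str, float]:
    """No QoS: a full FIFO queue hands each flow bandwidth roughly in
    proportion to how hard it pushes, so the big copy crowds out the rest."""
    total = sum(demands.values())
    if total <= capacity:
        return dict(demands)
    return {name: capacity * d / total for name, d in demands.items()}

def maxmin_share(capacity: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Per-flow fair queueing (what a QoS policy buys you): progressive
    filling, so small flows are satisfied first and only greedy ones are cut."""
    alloc: Dict[str, float] = {}
    pending = dict(demands)
    remaining = capacity
    while pending:
        fair = remaining / len(pending)
        done = {n: d for n, d in pending.items() if d <= fair}
        if not done:  # everyone left wants more than the fair share
            alloc.update({n: fair for n in pending})
            break
        for n, d in done.items():
            alloc[n] = d
            remaining -= d
            del pending[n]
    return alloc

def internet_throughput(untangle_routes_vlans: bool, qos: bool) -> float:
    """Mbps left for Internet traffic on the LAN NIC.  When an L3 switch
    routes between VLANs, the server copy never touches Untangle's NIC."""
    demands = dict(FLOWS)
    if not untangle_routes_vlans:
        demands.pop("ssd_server_to_workstation_copy")
    policy: Callable[..., Dict[str, float]] = maxmin_share if qos else fifo_share
    return policy(LAN_NIC_MBPS, demands)["internet_downloads"]

if __name__ == "__main__":
    for routed, q in ((True, False), (True, True), (False, False)):
        print(f"untangle routes vlans={routed!s:5} qos={q!s:5} -> "
              f"internet gets {internet_throughput(routed, q):.0f} Mbps")
```

With no QoS the Internet flows drop to roughly 32 Mbps once the copy starts; fair queueing or moving inter-VLAN routing to an L3 switch keeps them at the full 100 Mbps.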
