  #1 Newbie (Join Date: Feb 2019, Posts: 6)

    Untangle in bridge mode with VLANs, LAN to WAN works, WAN to LAN not

    Hi all,

    I've just installed an Untangle device in bridge mode between my router and core switch. I do make use of VLANs, so according to the guide found on the Untangle wiki, I created the VLAN interfaces in Untangle, bridged them, turned on the WAN load balancer and created the route rules. So far everything works: every VLAN is able to access the internet, and the VLANs can also communicate with each other.

    However, in one of the VLANs I do have a web server running, which is accessible from the internet (it's configured by port forwarding in my router). With Untangle between the router and core switch the web server isn't accessible from the internet anymore. I assume it has something to do with the routing tables. Within the load balancer you tell Untangle how to route the VLANs to the WAN, but I'm not sure if this also covers the traffic the other way around. Do I have to add rules in Untangle so traffic coming to the external (VLAN) interface gets routed to the correct internal (VLAN) interface? If yes, where do I need to add those rules and what should such a rule look like?

  #2 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 23,043)

    There is routing, and then there is source routing... the two are not the same.

    The former defines the routing table Untangle's IP stack will use to send everything. The latter is basically just a policy rule to control traffic to a specific gateway, you're sort of abusing it to get multiple bridges to operate. Because that's the reality here, you don't have an Untangle bridge, you have an Untangle series of bridges, one for each IP range.

    So, where is your web server? If it's on an IP range directly known by Untangle, that is, within an IP scope Untangle has a configured interface for, routing was set up for you. If it is not, if there is another router behind Untangle, you need to create a static route that will push traffic destined for that IP range to the appropriate gateway. (Config -> Network -> Routes)

    Again, this only applies if Untangle doesn't have an IP in the web server's IP range. If Untangle does have an address in that range, you've got issues on layer 2; check your VLAN configuration.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #3 Newbie (Join Date: Feb 2019, Posts: 6)

    My web server is sitting in VLAN 123; the same VLAN is also configured in Untangle as a VLAN Bridge Interface. Outgoing traffic from that same VLAN to the internet and other VLANs does work, so you would think my VLAN configuration is functioning correctly. Also, if I remove Untangle completely the web server becomes available again, another indication which makes you think the VLANs are working just fine.
    I could try to add a static route to see if that fixes the issue, but according to your answer that route should already be known to Untangle?
    Last edited by Mars79; 02-06-2019 at 11:06 AM.

  #4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 23,043)

    VLAN 123 is part of it, but nowhere near all of it. VLANs are layer 2 divisions; I'm talking about layer 3. They are not the same thing, and you need both to work. And while IP networks are often directly correlated to a VLAN, they aren't exclusively so.

    But yes, if the web server can access the Internet, the port forward on your NAT device should be all that's required to get things back to it.

    However, beware... Untangle's filters aren't directional; traffic transiting the bridge is subject to the filters as configured. Which is to say, you're providing content control against your own web server. In my experience, that's a great way to have Untangle buckle under the load of protecting every device on the planet.

    Can Untangle ping your web server? If so, it sounds like IP level connectivity is working. You could try some bypass rules, just two of them: destination address = IP of web server, and source address = IP of web server. Those two will exempt everything going to or from the web server from filtration. If you slap those in and things work, then you've got a firewall rule, application control policy, or something else in your Untangle configuration that's blocking the traffic.

  #5 Newbie (Join Date: Feb 2019, Posts: 6)

    Yes, Untangle can ping my web server. Untangle is also able to ping devices in other VLANs, so that indeed confirms (like you wrote) that IP level connectivity is working.

    Like you suggested, I added two bypass rules, and things started to work. I guess I will start with disabling all modules, removing those bypass rules and seeing if things keep working. Then, enabling the modules one by one, if logic serves me right, the module responsible for blocking the traffic should present itself.

    Any suggestions for further troubleshooting?

  #6 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 23,043)

    Nope, you've got the correct process down. If it works after bypass, then you've got something blocking.

    Once you power down the offending module, things will spring to life, and you'll know which report to dig into to figure out what's going on.

  #7 Newbie (Join Date: Feb 2019, Posts: 6)

    Things are getting stranger. I've disabled the modules, but no luck so far. All modules are disabled except for the WAN balancer and things still don't work. Then I tried playing with those bypass rules:

    I have two:
    Destination address --> IP of web server
    Source address --> IP of web server

    If I disable both: not working
    If I enable both: working
    If I disable the destination address rule: not working
    If I disable the source address rule: working

    Any idea what's going on here?

  #8 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 23,043)

    That is indeed strange. Bypassing the source address means the web server's access to the world; it has nothing to do with incoming sessions.

    What's the internal IP address of that web server, and its mask?
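    Added example (not Untangle's code and not posted in the thread): a small Python model of the point sky-knight makes above, that a source-address bypass rule covers sessions the web server opens while only a destination-address rule covers sessions arriving from the internet. It assumes, as the thread describes, that a bypass rule is evaluated against the first packet of a new session; the server address 192.168.123.30 is from the thread, and the external client address 203.0.113.10 is constructed.

```python
# Added example, not Untangle's code. Assumption: a bypass rule is evaluated
# against the FIRST packet of a session, so a "source address" rule sees only
# sessions the web server initiates and a "destination address" rule sees
# only sessions sent to it (the port-forwarded inbound case in the thread).
from dataclasses import dataclass
from ipaddress import ip_address

WEB_SERVER = "192.168.123.30"     # server address from the thread
EXTERNAL_CLIENT = "203.0.113.10"  # constructed internet client (doc range)

@dataclass(frozen=True)
class Session:
    src: str  # sender of the first packet (the initiator)
    dst: str  # receiver of the first packet

@dataclass(frozen=True)
class BypassRule:
    field: str  # "source" or "destination"
    address: str
    enabled: bool = True

def rule_matches(rule: BypassRule, session: Session) -> bool:
    """A disabled rule never matches; an enabled one compares its field of the first packet."""
    if not rule.enabled:
        return False
    seen = session.src if rule.field == "source" else session.dst
    return ip_address(seen) == ip_address(rule.address)

def is_bypassed(rules, session: Session) -> bool:
    return any(rule_matches(r, session) for r in rules)

def inbound_bypassed(rules) -> bool:
    """Internet client opens a session to the web server (port-forward traffic)."""
    return is_bypassed(rules, Session(EXTERNAL_CLIENT, WEB_SERVER))

def outbound_bypassed(rules) -> bool:
    """Web server opens a session to the internet."""
    return is_bypassed(rules, Session(WEB_SERVER, EXTERNAL_CLIENT))

def post7_matrix() -> dict:
    """Replay post #7's four combinations; key = (destination rule on, source rule on),
    value = whether an inbound session to the server is bypassed."""
    out = {}
    for dst_on in (True, False):
        for src_on in (True, False):
            rules = [BypassRule("destination", WEB_SERVER, dst_on),
                     BypassRule("source", WEB_SERVER, src_on)]
            out[(dst_on, src_on)] = inbound_bypassed(rules)
    return out
```

    Under this model the matrix reproduces exactly what post #7 observed: inbound access depends on the destination-address rule alone, and toggling the source-address rule changes nothing for sessions coming from the internet.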

  #9 Newbie (Join Date: Feb 2019, Posts: 6)

    IP of server: 192.168.123.30
    Netmask: 255.255.255.0

  #10 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 23,043)

    Ok, just ruling out a subnet issue; if you're on a /24 that's kinda hard.
