#1 Untanglit

Two Untangle Firewalls connected via LAN License Usage

I have a site that has two buildings, each with its own Internet access and Untangle firewall. Each building has its own class C IP subnet for local devices. Both firewalls are in router mode. The buildings are connected via a fiber optic (LAN) link and the Untangle firewall in building B has a second LAN connected to the fiber optic link to the LAN in building A via the fiber optic link. (This is to allow devices in building B to access a server in building A at LAN speed.) (The building A firewall has an internal (LAN) interface with subnet 192.168.103.1/24 with static IP address 192.168.103.1 and two internal interfaces for wireless. The building B firewall has an internal (LAN) interface with subnet 192.168.101/24 and static IP address 192.168.101.1, an (internal - LAN) link to building A interface with subnet 192.168.103.1/24 and a static IP address of 192.168.103.2 plus two internal interfaces for wireless.) See the attached network diagram.

Devices from building A (several 192.168.103.x devices) are showing up in the device list in the Untangle firewall in building B (causing it to exceed its license count). The default gateway (assigned by DHCP) to devices in building A is the IP address of the Untangle firewall in building A. (The default gateway assigned to the devices in building B is the IP address of the Untangle firewall in building B.) So, I expect the devices in building A to use only the Untangle firewall in building A to access the Internet.

I don't understand how/why the devices in building A are using the Untangle firewall in building B (and causing the firewall in building B to exceed the license count).

    Am I understanding the device list correctly in that, if a device shows up in that list, the device has used the firewall (actually a licensed app) within the last 24 hours, so this problem is happening right now and the list is not from a long time ago when I switched the default gateway in building A so that Internet access went through building B (but then put it back when the Internet access in building A was restored)?

    Other than the default gateway setting, what would cause a device in building A to use the firewall in building B to access the Internet?

#2 sky-knight (Untangle Ninja)

    If an IP address transits an Untangle, and the session isn't bypassed... you burn a seat. Again, an IP transiting Untangle... this has nothing to do with going to the Internet, just PASSING THROUGH is enough. So that IP didn't use the far side Untangle for Internet access, it simply accessed a LAN resource in the other building.

    So by connecting two Untangles this way, you've potentially quadrupled your license requirements, because you now need twice the devices per Untangle.

    I suggest you use the closer Untangle for UVM filtration, and then create bypass rules on the far Untangle for the remote IP segment. That way, the farther Untangle will bypass traffic that's already been checked by the closer Untangle. This preserves the visibility of the Untangle logs where you need them, but since bypassed sessions don't count against your licenses it clears up the licensing problem too.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Untanglit

    Thank you Rob for your suggestions.

My question is why the traffic is even transiting the far Untangle. Is there something in the close Untangle routing table that is sending the traffic out the inter-building fiber optic LAN, maybe because it sees it as a faster connection? (I don't see that in the route table.)

    I thought about bypassing the subnet for building A in the building B (far) Untangle, but the problem is that then traffic is not protected by the UVM. The real solution is the traffic should not be transitioning through the far Untangle to begin with.

Yes, I want to use the closer Untangle for filtration, but the question is how do I force it to do that. (I thought that by putting the default gateway on the devices to the IP address of the close Untangle it would do the filtering and then route the traffic out its WAN interface, not a LAN interface.) Maybe the traffic is being filtered by the close Untangle *and* being filtered by the far Untangle, that is, after the close Untangle filters it routes the traffic to the far Untangle, which again filters it. In that case, the bypass in the far Untangle will help, but it is putting extra traffic on the inter-building link and adding hops. So, again, the right way to solve the problem is to not send Internet traffic to the far Untangle to begin with.

The only significant added route that I see in the close (building A) Untangle is for the building B subnet (192.168.101.0/24) to route to the interface that is connected to the inter-building link (192.168.103.2). I think that should result in Internet destined traffic going to the far Untangle only if the device uses a default gateway on the far subnet. I spot checked a few devices that are showing up in the devices list in the far Untangle and their default gateway is as I expected; they are not routing to the far Untangle by the default gateway setting.

Here are the current routes on the close (building A) Untangle. Note that the 71.254.x.x, 74.32.x.x [not currently in use], and 192.168.254.x addresses are the ISPs. 192.168.101.0 is the far building subnet. 192.168.105.0 and 192.168.107.0 are local wireless subnets.

    = IPv4 Rules =
    0: from all lookup local
    100: from all fwmark 0xfe00/0xff00 lookup 1000
    32766: from all lookup main
    32767: from all lookup default
    50000: from 71.254.189.207 lookup uplink.1
    50001: from 47.139.44.169 lookup uplink.2
    50002: from 192.168.254.25 lookup uplink.2
    70001: from all fwmark 0x100/0xff00 lookup uplink.1
    1000000: from all lookup uplink.1

    = IPv4 Table main =
    68.238.64.12 dev eth1 scope link
    68.238.96.12 dev eth1 scope link
    71.254.189.0/24 dev eth0 proto kernel scope link src 71.254.189.207
    71.254.189.1 dev eth0 scope link
    74.32.0.0/12 dev eth1 scope link
    192.168.101.0/24 via 192.168.103.2 dev eth3
    192.168.103.0/24 dev eth3 proto kernel scope link src 192.168.103.1
    192.168.105.0/24 dev eth4 proto kernel scope link src 192.168.105.1
    192.168.107.0/24 dev eth2 proto kernel scope link src 192.168.107.1
    192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.25
    192.168.254.254 dev eth1 scope link
    199.201.128.0/24 dev eth0 scope link
    205.254.224.4 dev eth0 scope link

    = IPv4 Table balance =

    = IPv4 Table uplink.1 =
    default via 71.254.189.1 dev eth0

    = IPv4 Table uplink.2 =
    default via 192.168.254.254 dev eth1

    = IPv4 Route Rules =

    = IPv6 Rules =
    0: from all lookup local
    32766: from all lookup main

    = IPv6 Table main =
    fe80::/64 dev utun proto kernel metric 256

    = IPv6 Table uplink.1 =

    = IPv6 Table uplink.2 =

    If it makes any difference, the close Untangle (building A) is running WAN Failover (to select between the two ISPs). It is configured with interface names (not IP subnets). The two listed interfaces seem to be correct.

#4 Untangle Ninja

Assuming your diagram is correct, you have all traffic between Bldg A and Bldg B passing through Untangle B. So any Bldg A device which communicates with anything in Bldg B will show up in the Untangle B device list and consume a license.
    If you don't want that, either change the connection so that the inter-building link connects SwitchA<->SwitchB rather than SwitchA<->UntangleB<->SwitchB, or bypass all inter-building traffic (Config->Network->Bypass Rules).

#5 sky-knight (Untangle Ninja)

    Untangle routes packets, based on its routing table. Unless you've got the links between buildings improperly marked as WAN interfaces, Internet bound traffic will not touch them. The default routes are to the ISP routers after all.

If you did mark those interfaces as WAN interfaces, because you wanted to be able to fail over to the other building's WAN links in the event of a connection disruption, you just need to go tell WAN Balancer to use 0% of that link. If WAN Failover's tests for the real WAN links fail, Balancer will be forced to use the 0% link, but otherwise it won't.

#6 Untanglit

    johnsonx42 you made me rethink my understanding of how Untangle works as a simple router. Yes, all traffic between the buildings is going through Untangle in building B; the two buildings have separate subnets and traffic between them must be routed. That is what the Untangle router/firewall is doing, routing (and hopefully just routing, nothing else). Connecting just the switches in the two buildings will not work because traffic between the two buildings needs to be routed between the two subnets (it needs layer 3, not just layer 2). (Actually, I believe that the switch in building B is a "layer 3" switch and *can* do routing, but I prefer to let switches switch and routers route, especially when I have a router right there.)

    I assumed (and now I question my assumption) that only traffic destined for the WAN (Internet) goes through licensed applications (such as Web Filter) and the devices in building A are not accessing the Internet, so do not need a license. johnsonx42, your comments made me think that all the traffic between the buildings is going through the UVM even though it is routing from one LAN interface to another LAN interface. Is that the way Untangle works?

    Devices in building A do not access any resource in building B. However, a management device in building B performs tasks such as inventory and patch management on devices in both buildings and return traffic from those managed devices in building A is routed through the Untangle in building B. So, am I now correctly understanding that traffic from LAN to LAN goes through the UVM and will need a license even though the traffic is not going to the Internet? I don't see how an application like Web Filter would apply, but Directory Connector (a licensed application) might. If my understanding is correct, is there a way to "bypass" LAN to LAN traffic, but still allow any traffic from building A's subnet that is destined for the Internet to go through the UVM; that is, not completely bypass building A's subnet? Config > Networking > Bypass is configured with very flexible rules that can have many conditions. If I add bypass rules such as:

    "Bypass LAN traffic from A to B" Source Address is 192.168.103.0/24 and Destination Address is 192.168.101.0/24 Action: Bypass
    "Bypass LAN traffic from B to A" Source Address is 192.168.101.0/24 and Destination Address is 192.168.103.0/24 Action: Bypass

    Will that do what is needed, that is, bypass traffic that is strictly between the two buildings, but not bypass traffic to/from the Internet that happens to traverse the intra-building link (probably because a device in building A gets configured with the Untangle address in building B)? (Yes, if Internet traffic goes over the intra-building link, it will need a license to use licensed applications in the UVM.)

    sky-knight I checked and the interfaces to link the two buildings are not marked as WAN. Your comments seem to confirm my understanding that, if the default gateway is set correctly in the attached devices, traffic destined for the Internet will go out the WAN interface on the Untangle in the local building. So, it looks like Internet traffic is not what is causing the license use.

#7 sky-knight (Untangle Ninja)

    Yes, any traffic transiting an Untangle server is subject to full UVM filtration and that consumes a license.

So if you do not configure appropriate bypass rules, stations attempting to communicate with an internal network that's beyond an Untangle router will route through that router, thereby transit the server, and burn a license. Your configuration will require both Untangles to be transited, so any LAN to LAN communications on that level will burn two licenses.

Going to "the Internet" isn't where the license is counted; it's just an IP address that causes a communication to move from one interface on Untangle to another one. It doesn't matter if it routes through or bridges through, a license is consumed unless bypassed.
    Last edited by sky-knight; 09-06-2019 at 02:16 PM.

#8 Master Untangler

    I'd keep it clean and use the UT appliances exclusively for all internet-bound traffic and use the L-3 switch for inter-building traffic. That's what the L-3 switch is for and I don't think that operating it that way would cause it to lose performance doing L-2.

#9 sky-knight (Untangle Ninja)

Meh... Untangle scanning LAN traffic requires some configuration but it's saved my butt more than once. You're not wrong though, scanning that LAN traffic is a heavy task.

    Though if it were my network, I'd abandon the 2nd Untangle entirely, as it's only connected to 1 ISP, and that ISP is the same as one at the main building. Now that I'm not paying that second set of access fees to that ISP, I have a single MultiWAN Untangle to worry about with a VLAN for the 2nd building. Virtually the same logical map, 1 Untangle to manage, I take the 2nd Untangle server and use it as a VRRP slave and on with my day.

    Lower monthly operating cost.
    Less management time consumed.
    HA situation upgraded.

    Not sure why it's setup this way, but I assume the OP has his reasons.

#10 Untangle Ninja

Quote Originally Posted by DarrylJR:
    If I add bypass rules such as:

    "Bypass LAN traffic from A to B" Source Address is 192.168.103.0/24 and Destination Address is 192.168.101.0/24 Action: Bypass
    "Bypass LAN traffic from B to A" Source Address is 192.168.101.0/24 and Destination Address is 192.168.103.0/24 Action: Bypass

    Will that do what is needed, that is, bypass traffic that is strictly between the two buildings, but not bypass traffic to/from the Internet that happens to traverse the intra-building link (probably because a device in building A gets configured with the Untangle address in building B)?
    Looks good to me, if you add them to both Untangles. You're just telling them both to ignore inter-LAN traffic.
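As an added example, not part of the thread or of Untangle's own code: a small Python simulation that reproduces the route lookup on building A's Untangle from the table posted in #3 (the "main" table plus the uplink.1 default) and then applies the two bypass rules from #6 the way the far Untangle would, showing that Internet-bound flows never leave via eth3 while building-to-building flows do, and that only the bypassed ones avoid a seat on the far Untangle. The hosts 192.168.103.50, 192.168.101.20 and 198.51.100.10 are constructed sample addresses.

```python
import ipaddress

# Routes copied from the posted "IPv4 Table main"; the default route comes from
# table uplink.1, which the posted ip rules fall through to after main.
# Tuples are (prefix, next hop or None when directly connected, interface).
ROUTES = [
    ("71.254.189.0/24", None, "eth0"),
    ("192.168.101.0/24", "192.168.103.2", "eth3"),  # far building via link
    ("192.168.103.0/24", None, "eth3"),
    ("192.168.105.0/24", None, "eth4"),
    ("192.168.107.0/24", None, "eth2"),
    ("192.168.254.0/24", None, "eth1"),
    ("0.0.0.0/0", "71.254.189.1", "eth0"),            # default via uplink.1
]

# The two bypass rules proposed in #6, as (source subnet, destination subnet).
BYPASS_RULES = [
    ("192.168.103.0/24", "192.168.101.0/24"),  # LAN traffic A -> B
    ("192.168.101.0/24", "192.168.103.0/24"),  # LAN traffic B -> A
]

def lookup(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best[1], best[2]

def is_bypassed(src, dst):
    """True when a flow matches one of the source/destination bypass rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in BYPASS_RULES)

def classify(src, dst):
    """Where building A's Untangle sends a flow, whether it crosses the
    inter-building link, and whether the far Untangle would still scan it
    (a seat is burned only for flows that reach it unbypassed)."""
    via, dev = lookup(dst)
    crosses_link = dev == "eth3" and via == "192.168.103.2"
    return {"via": via, "dev": dev, "crosses_link": crosses_link,
            "counted_on_far": crosses_link and not is_bypassed(src, dst)}

if __name__ == "__main__":
    for src, dst in [("192.168.103.50", "198.51.100.10"),   # constructed Internet host
                     ("192.168.103.50", "192.168.101.20")]:  # constructed far-LAN host
        print(src, "->", dst, classify(src, dst))
```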
