  1. #1
    Newbie
    Join Date
    Jan 2020
    Posts
    6

    Moving my Untangle box to the front line

    Hi all,

    First of all, Happy New Year to everyone. I'm new on this forum but have been using Untangle for Home for the last year or so in Transparent Bridge mode at home, and it's been pretty good. The reason that brings me to the forum is that I would like to modify my current setup in order to use the WAN-Balancer option provided by Untangle and use my 2 ISPs in conjunction, as currently Unifi is unable to support it and may not be able to fully support the 1Gig Fiber link coming in 6 months.

    Below is a diagram of my current setup:

    Capture décran 2020-01-05 à 21.32.55.png

    Below is a diagram of what I want to do:

    Capture décran 2020-01-05 à 22.08.47.png

    I would like to know the pros and cons of proceeding this way, and if I need to change anything specific in Untangle outside the standard stuff like the network interface IPs.

    I'm running Untangle on a Dell R210 II server with 8Gig of RAM (which can be upgraded) and a Xeon 3.1GHz processor. Currently I'm getting around 11Mb down and about 2Mb up from my main ISP, and around 7Mb down and around 900k up from my secondary, so I'm looking forward to getting Fiber in about 6 months when they start to provide it around here. In the meantime, if the WAN-Balancer can help me get a little more speed, I'm in.

    Currently on the Untangle box I have the 2 onboard NICs, which are being used, and a PCI SFP+ card with 2 ports, so a total of 4 ports available. My idea is to plug the 2 ISPs into the onboard NICs and use one of the SFP+ ports to link it to my 10G switch for Internet access, and eventually the remaining SFP+ port for management.

    So I turn to you guys to know if this will work. I know some people may not like the setup, as I want to keep my Unifi stuff in place, which will mean double NAT, but hey, I don't mind the double NAT.

    Would you suggest setting up a DMZ on the ISP modem and plug the Untangle box to the DMZ port of the ISP modems?

    I'm currently able to use one of the ISP modems in bridged mode in order to get my public IP assigned directly to my router but cannot do that with the 2nd ISP and can only do DMZ on that one at best.

    I also run my own DNS server on a Synology box and would like to continue to use it, also I'm currently testing Pi-hole for ad-blocking but as Untangle seems to have this feature included I might as well use it and remove Pi-hole.

    Sorry, I know I've been way too long, but I would really appreciate any piece of advice you guys could give me in order for me to move forward with this change.

    Thanks
    Last edited by aldiallo-Unt; 01-05-2020 at 02:12 PM.

  2. #2
    Master Untangler
    Join Date
    Oct 2017
    Posts
    138


    Won’t you have double NAT with the unifi pro in the mix as well? Why do you need it? I replaced my pro 4 with an untangle appliance.

  3. #3
    Newbie
    Join Date
    Jan 2020
    Posts
    6


    Hi Loudog2,

    I want to keep the internal routing on the Unifi, just a matter of preference to be honest, I know it's not best practice but I don't mind.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,181


    It's not a matter of best practice, it's a matter of it being a recipe to blow up in your face. If you want the routing on the Unifi, then Untangle should be a bridge behind it (as you have it now). But honestly even that isn't a good idea, because two security systems will argue with each other in new and inventive ways at random intervals. Either the current or the new proposed configuration is a recipe for baldness and gray hair.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Master Untangler CMcNaughton's Avatar
    Join Date
    Feb 2015
    Location
    Denver, CO
    Posts
    113


    You don't need 2 routers NAT'ing traffic on your network - it's not just "not a best practice", it will cause problems with the filtering. I understand that the routing is on the Unifi, but it's a standard practice to just replicate those routes on the Untangle when it's being moved to the front. It's a best practice to avoid double-NAT'ing traffic with a device like Untangle, so you can have an accurate picture of your network/IPs/etc., and that Unifi device no longer seems necessary to me. Double-NAT'ing traffic will just always cause issues.

  6. #6
    Newbie
    Join Date
    Jan 2020
    Posts
    6


    Hi all,

    Thanks for your feedback. I know I don't "need" 2 routers; the reason I want to keep the Unifi in the loop is the single management interface. So based on your responses, I'll be better off staying with the current setup if removing one of the 2 is not an option, right?

    Ok, now let's say I remove the Unifi router. Should I set the ISP modem ports connected to Untangle to DMZ?

    Should I leave the current bridge mode setup from my main ISP on so that Untangle gets the public IP? Unfortunately my 2nd ISP modem does not support bridged mode.

    Can I still run my internal DNS server for all DNS queries, and would the ad-blocking feature on Untangle be more accurate if placed on the front line?

    Thanks
    Last edited by aldiallo-Unt; 01-06-2020 at 03:49 PM.

  7. #7
    Master Untangler
    Join Date
    Oct 2013
    Posts
    140


    Definitely drop the USG. With Untangle in full router mode, the former would have a diminished role and will just be an admin overhead.

    As far as the modem goes, keep them in bridge mode. If this is not possible with the 2nd modem, then putting Untangle in a DMZ would probably be the next best thing. It will still be NATted but at least most, if not all, TCP/UDP ports will be open.

    I also have four UniFi APs and I use a Cisco 3560G switch to trunk and do Layer-3 inter-VLAN routing. DHCP and local DNS is provided by Windows Server. Untangle is on a routed port on that switch and in its own subnet.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,181


    ISP routers? DMZ?!? Are we talking TRIPLE NAT now?

    This is starting to get a bit disturbing honestly.

    OP, if you want Untangle and simple, you need Untangle to have the internet IP addresses on its interfaces, and have it be the only router connected to the internet. That is the simplest, stable, and easiest to manage solution. So do whatever it is you have to do to get those ISP routers passing real addresses.

    Any attempt to mix and match in other routers must be undertaken with great care, or else you make things ugly complicated. Ugly complicated leads to error, error is a security problem, and that defeats the purpose of using Untangle to begin with.

    The layer 3 switch and such can stay where it is, just now the VLANs terminate on Untangle (They probably are already). Untangle will need a static route for those remote internal networks. (It must already have it, or the bridge wouldn't work)
    Last edited by sky-knight; 01-06-2020 at 06:02 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
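    To make the point above checkable before cutting over, here is an added example (not from this thread and not Untangle's own code) that classifies the address on each WAN port to show whether a modem is really bridged or is still NAT'ing in front of the firewall, and lists internal subnets behind the layer-3 switch that have no static route. The interface names, addresses and the route-table format are constructed assumptions.

```python
"""Pre-flight check for moving a firewall to the front line with two ISPs.

Added example; addresses, interface names and route format are constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT pool


def wan_status(addr: str) -> str:
    """Infer from a WAN port's address what sits upstream of the firewall."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "double-nat"   # modem still routes (e.g. DMZ mode): NAT in front of us
    if ip in CGNAT:
        return "cgnat"        # ISP NATs us; bridging the modem cannot fix this
    if ip.is_global:
        return "public"       # modem is bridged: the firewall owns the real IP
    return "unusable"         # link-local, loopback, or documentation space


def nat_layers(wan_addrs: dict) -> dict:
    """Map each WAN interface name to its wan_status()."""
    return {name: wan_status(a) for name, a in wan_addrs.items()}


def missing_routes(lan_nets, routes):
    """Return subnets behind the L3 switch that no non-default route covers.

    lan_nets: subnets living on the switch (beyond the firewall's own LAN).
    routes:   (destination, next_hop) tuples from the firewall's route table.
    The default route is ignored: it would send internal traffic to the ISP.
    """
    known = [ipaddress.ip_network(dst) for dst, _ in routes]
    known = [k for k in known if k.prefixlen > 0]
    return [str(net) for net in map(ipaddress.ip_network, lan_nets)
            if not any(net.subnet_of(k) for k in known)]


if __name__ == "__main__":
    # Constructed sample: ISP1 modem bridged, ISP2 modem in DMZ mode.
    wans = {"eth0": "1.2.3.4", "eth1": "192.168.1.2"}
    print(nat_layers(wans))
    vlans = ["10.10.20.0/24", "10.10.30.0/24", "172.16.5.0/24"]
    routes = [("10.10.0.0/16", "10.10.1.1"), ("0.0.0.0/0", "1.2.3.1")]
    print(missing_routes(vlans, routes))
```

Any interface reporting "double-nat" is a modem still doing NAT, which is the situation the replies above warn against.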

  9. #9
    Master Untangler
    Join Date
    Jul 2010
    Posts
    278


    IMO, ditch the USG, they suck! Use Untangle as a full firewall.

  10. #10
    Newbie
    Join Date
    Jan 2020
    Posts
    6


    Quote Originally Posted by sky-knight:

        ISP routers? DMZ?!? Are we talking TRIPLE NAT now?

        This is starting to get a bit disturbing honestly.

        OP, if you want Untangle and simple, you need Untangle to have the internet IP addresses on its interfaces, and have it be the only router connected to the internet. That is the simplest, stable, and easiest to manage solution. So do whatever it is you have to do to get those ISP routers passing real addresses.

        Any attempt to mix and match in other routers must be undertaken with great care, or else you make things ugly complicated. Ugly complicated leads to error, error is a security problem, and that defeats the purpose of using Untangle to begin with.

        The layer 3 switch and such can stay where it is, just now the VLANs terminate on Untangle (They probably are already). Untangle will need a static route for those remote internal networks. (It must already have it, or the bridge wouldn't work)

    Hi all,

    @Sky-knight,

    Trust me, if I could get any router/firewall that is not one of the routers provided by my ISPs, I would. The issue is that the modems provided by the 2 ISPs work completely differently: one has the option to be set up in bridge mode but cannot be removed, otherwise no internet (so bridge mode it is, so the next machine gets the real public IP; no minor issues here if I can't take it down). The modem router from the secondary ISP cannot be set up in bridged mode, as this is not an option available on their hardware despite users asking for this option to be available, but the ISP has several times stated that it is not a "requirement", hence they won't do it, so the easiest thing to do is to set it as a DMZ.

    That being said, that 2nd router can be replaced with another modem if need be; the only thing is that you would need to use PPPoE in order to be able to connect to the internet, and I must admit that is an option that I haven't explored yet, but it would definitely be great if I could ditch both ISPs' modems from the equation.
    Last edited by aldiallo-Unt; 01-07-2020 at 08:21 AM.
