Hi donhwyoOriginally Posted by donhwyo
Most of them are, but I have wired my master bedroom and den which have some TVs and Rokus attached to a managed switch. I do plan on setting up those devices on a separate VLAN just to be on the safe side. Advices to separate my IoT devices from my trusted network is what spurred my recent research into firewalls.
Correct.
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
I am using some Netgear managed switches along with 2 recently acquired TP-Link EAP225 access points so I don't think I will have that functionality. Even if I did, I'm concerned that might cause some issues trying to communicate with multicast, but I'm not sure about that. I plan on setting the IoT devices where they can't initiate any connections from their VLAN to my private VLAN, but the private VLAN can initiate connections to the IoT VLAN. I think this might require some multicast stuff to be opened up for everything to "just work", but again I'm not certain yet.
Thanks everyone for your help.
On another similar question to bypassing, I've seen the battle(non)sense video stating that you don't need the Firewall app since a byproduct of NAT is that it takes care of this by blocking all incoming connections by default. Does this make sense for a home network?
Yes... and no.
NAT isn't a firewall, but is often used as such, which is rather silly... but it's better than nothing.
For Untnagle, it's an understanding problem because Untangle will only translate stuff going to a WAN interface by default. So internal traffic passes with real local addresses, completely unimpeded. If you want to apply control to that with the firewall app you can do so, BUT you need to know like all Untangle Apps the Firewall App only processes TCP and UDP packets. So you slap in your block all, then go to test with a ping and find... wait the ping still works!
Now... ping is a TERRIBLE test of a firewall rule, because it's simply not the same type of traffic. But this event happens... and then people find their way to the forums. Untangle has a 2nd firewall, known as the filter that can handle more traffic types as it's a direct configuration of IP Tables. (The Firewall App is NOT IPTables by the way) BUT, again there are no logs.
So if you want ACLs between LANs on Untangle AND you want maximum visibility AND you want to control protocols other than TCP and UDP you need THREE rules. One rule to block all non-TCP and UDP traffic via the filter. Another FIREWALL APP ule to block all TCP and UDP traffic, and finally a last Firewall app rule to pass the specific TCP and UDP traffic you want to authorize.
Yes, this is more work. But YES you do get superior visibility out of the situation in trade. PFSense / OPNSense are great, but their logging is utterly atrocious. Anyone using these products in any reasonably complicated home setting are going to spend far more in time than the $150 / year Untangle wants for Home Protect Plus managing it. But even if you buy the subscription, if you don't understand the above you won't achieve the value and be grumpy anyway.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
@sclawrenc, you can achive what you want very nicely with Untangle. Nothing is bypassed and everything nicely separated. I'm using TP-LINK managed switches and same AP's as you which can do "magic". If you decide to go with Untangle setup I could provide some assistance but I don't have any idea how to do it with PfSence which I understand you've been using.
Thanks soldier. I am comfortable paying $50 per year, but I am not yet willing to part with $150 a year which I believe will be required to cover all of my ~50 devices. I think I can figure it out using pfSense by following some examples and performing some testing.
Thanks again.
I understand completely. I would do the same.
Thanks again. If I understand correctly, the 50 device limit is a fairly recent change, right? I wonder why they decided to do this since many, many home users might want to dabble in Untangle that have more than 50 devices, but don't want to invest $150 per year.
Because 50 filtered devices is A LOT, especially if you are creating VLANs to separate them. One VLAN for IoT devices that don't need Internet connectivity but need a LAN? Those are bypassed... don't count. Another VLAN for IoT devices that need to be online, but monitored, those count. Last VLAN for the actual PCs.
You're saying you're near 50 but don't think it's enough? I think you've got at least 15-20 devices that wouldn't benefit from Untangle's filtration at all, and once isolated can be bypassed and provide you substantial buffer with that 50 device limit.
There are 6 people in my house, including two teenagers. Each person has their own desktop, each person has their own mobile device, plus all the toys and junk and stuff, AND the load I impose running two small businesses out of this network. What's the Maximum Active on my dashboard? 24...
So to me it's the people that have well over 50 devices that I don't understand. If you have 50 devices running now, I'd seriously not be worried about it and just bypass a few. You don't need or want Untangle scanning VoIP phones for example... nor do you want it mucking with IP cameras. Those devices will require bypass to even work correctly, and therefore need some sort of segmentation too.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Thanks sky-knight. I just double checked, and I have 43 DHCP clients online right now, but that number goes up with family and company visiting. I have 8 Alexas, 10 Apple devices, 3 Nest thermostats, 6 wifi plugs, 4 Ring cameras, 4 PCs, 4 gaming consoles, 3 smart TVs, 3 Rokus, a NAS, a HUE bridge, garage door opener, a couple of Orbis (will be replaced with EAP 225s soon), and 4 managed switches. I do have family over frequently, but I could easily bypass them, right? So of the list I just provided, which ones would you feel comfortable bypassing?
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote