Home User with Bypass Rules

[sclawrenc]

I was on Sophos XG before I moved to Untangle. It was a Sophos UTM, so was paying £200ish a year for fewer features than I get with Untangle at $50/year.

The interface looks nice and some of the groupings of hosts, services, ports etc they allow you to do make creating policies pretty flexible and I like the way that if you're running their endpoint products on your devices (and you're prepared to pay for it) that there can be some intelligence between them, but you're not gonna get that at $50 or even $150.

Oh... and let's not even mention the own-goal in the form SQL injection vulns that their product suffered from - game over.

Thanks again Armshouse. What about the most recent Sophos XG which doesn't have the device limit? I do think it has limits on amount of CPU and RAM you can use though. I haven't used it yet, but the SQL injection vulnerabilities are crazy.

This is what I have done. For IOT it makes a lot of sense. Don't need all the features of Untangle fro them. Have enough features to protect the router serving them. .

Thanks fatman13 for your comments. In a way, I feel like the IoT devices are the ones that I would actually want to monitor, and to be honest, the idea of putting my IoT devices and kids on a separate VLAN is what lead me down this deep rabbit hole.

[mikeyscott]

Thanks again Armshouse. What about the most recent Sophos XG which doesn't have the device limit? I do think it has limits on amount of CPU and RAM you can use though. I haven't used it yet, but the SQL injection vulnerabilities are crazy.




Thanks fatman13 for your comments. In a way, I feel like the IoT devices are the ones that I would actually want to monitor, and to be honest, the idea of putting my IoT devices and kids on a separate VLAN is what lead me down this deep rabbit hole.

The physical limits are 4 Cores and 6GB or RAM for Sophos XG Home v18 MR4. Got Untangle, pfsense and Sophos XG.

For me, unless it absolutely breaks the device, I want it to pass through the NGFW (whatever the vendor).

Re Sophos, any organisation bought by Thomas Bravo is a bad thing in the long run.

[sky-knight]

Sophos to me went out the window when this happened: https://support.sophos.com/support/s...language=en_US

A SQL injection vuln, in the LOGIN PAGE for a security product in 2020 is utterly unacceptable. Untangle has some questionable dev practices, but a least they try. Sophos on that day showed the world they flat don't care about security, or their users. They are coding crap like it's 1990 and they just don't care. In this case they got caught... who knows what else is left in there.

[fatman13]

Thanks again Armshouse. What about the most recent Sophos XG which doesn't have the device limit? I do think it has limits on amount of CPU and RAM you can use though. I haven't used it yet, but the SQL injection vulnerabilities are crazy.




Thanks fatman13 for your comments. In a way, I feel like the IoT devices are the ones that I would actually want to monitor, and to be honest, the idea of putting my IoT devices and kids on a separate VLAN is what lead me down this deep rabbit hole.

IOT and Kids on seperate VLANs is exactly where this started with me too. And frustrated the hell out of me. And quite frankly made me quite short, terse and on the verge of greater adjetives when I contacted sales right after my purchase as I had then noticed the device limit.

I agree with you I don't want my IOT bypassed, but of course behind a NAT'd router is kinda similar, kinda not. It's up to you on that front. I'm happy with it right now behind router.

[sclawrenc]

IOT and Kids on seperate VLANs is exactly where this started with me too. And frustrated the hell out of me. And quite frankly made me quite short, terse and on the verge of greater adjetives when I contacted sales right after my purchase as I had then noticed the device limit.

I agree with you I don't want my IOT bypassed, but of course behind a NAT'd router is kinda similar, kinda not. It's up to you on that front. I'm happy with it right now behind router.

I agree fatman13. I don't want my IoT devices bypassed either which I think is the only solution if I want to stay with Untangle (currently at end of 14 day trial). I'm honestly considering just saying I'm done with the different firewalls, and going with the Xfinity XB7 (unlimited data) in router mode (in bridge mode currently) which comes with xFi Advanced Security and decent parental controls since I can create many profiles with different limits. I know it's not what I set out to do, but it does somewhat accomplish what I wanted which was security around my IoT and my kids, and it doesn't cost me $150 per year. It actually sounds like the xFi Security is decent although there is no way to configure or adjust anything. It's just on of off and mostly the same with the kids profiles.

https://forums.xfinity.com/t5/Intern...s/ta-p/3180099

I don't know... I'm just not a fan of paying for something that gets me 90% there, you know?

[sclawrenc]

Just to give an update, I am not using Untangle. I've been using the included Xfinity Advanced Security offering , although I would have preferred using Untangle, just not for $150. The ONLY reason I decided not to purchase Untangle was due to the license limit. I really wish they could go back to the old license structure or something comparable that allowed more than 50 devices for the $50 cost. I think I speak for many home users when I say that $150 is too much and bypassing the IoT devices (least secure I think) is not the best option.

Again, I appreciate everyone's input and help.

[sclawrenc]

To give another update, I decided to try Untangle for a year and paid the $50. Primarily because I wanted to use my HP t730 and I wanted to give Untangle a fair try for a full year.

Based on all I've read, it seems that I don't need to use VLANS to segment my IoT or Kid devices since I can simply apply a username or tag to the device in Untangle, and then put those devices in their respective policies with their own configured apps. I'm trying to decide if I even need the managed switches I have or if I should just go with the speedier 2.5 Gbps unmanaged switch and 10 Gbps dual X550 card that I just purchased.

So my question is, am I understanding correctly that I don't really need VLANS if I tag my devices so that they are segmented by policy instead of VLAN? I could then block all new connections to my network so that no mac spoofing or other devices can connect without my tagging them first as approved or something simliar.

[sky-knight]

There are many ways to do it... Untangle supports more than most as a platform.

So if it works, then yeah do it that way.

And you very much can use your default policy to block all access, and then use other policies to allow access based on tags, IP address, or any other criteria Policy Manager allows. The only catch is, if you run out of licenses the next device is stuck in the default policy because it's not licensed to be processed by Policy Manager.

[BlackBone]

Hello all,

I am considering purchasing the 50 device limited Untangle home version, but I have right around the 50 device mark. I emailed support, and they advised me to setup bypass rules for my IoT devices, but I'm not certain of the security risks this might present. Would bypassing IoT devices such as Alexa, Ring, Nest, Hue, etc. cause any security concerns? I'm trying to wrap my head around this whole bypass thing and how it might affect my setup. I will also have some computers, iOS devices, and gaming consoles on my network. I'm planning on putting my IoT devices on a separate VLAN too. I have some kids on my network so I will be planning on using the Webfliter along with any other suggested apps to keep the kids off unsafe or adult sites.

Thanks in advance.
Sean

New to Untangle... still getting a grasp on settings. I am trying to plan my QoS and bypass rules. I am thinking I should have my Ooma traffic, my Crashplan backup traffic, and my thermostat traffic in here for starters. I am confused though if you bypass the traffic does this still get put in the reports at all? Or being a home user just skip bypass rules and run everything through Bandwidth control?

[sky-knight]

New to Untangle... still getting a grasp on settings. I am trying to plan my QoS and bypass rules. I am thinking I should have my Ooma traffic, my Crashplan backup traffic, and my thermostat traffic in here for starters. I am confused though if you bypass the traffic does this still get put in the reports at all? Or being a home user just skip bypass rules and run everything through Bandwidth control?

Bypassed traffic is never seen by any rack application. Which also means no reports of any kind! Except, the obvious report in the network section. So you can see the session happened, when, and where, but little else.

Bypassed traffic will not be processed by policy manager, or bandwidth control. However, Bandwidth Control configures the QoS tab under config -> networking -> advanced, which bypassed sessions ARE subject to. So you can still QoS bypassed stuff there.

I wouldn't mess with it too much unless you're trying to squeeze into a smaller license bucket. And Untangle's dashboard will tell you what your license count is. So if you've got the 50 device home sub, and you see that number getting up into the 40s... you might want to start bypassing stuff.