Accessing Expert Mode

[jon6]

Hi,
i am using Untangle in a proxmox VM. It works great. I would like to use source ports as part of some firewall rules though and saw that it requires expert mode. I emailed support as instructed to learn how to activate expert mode but since I do not have a subcription, I just received a canned message back offering me support options. I looked around and really could not find information how to convert an active install to expert mode (if such a thing is possible). I know that untangle has specifically requested instructions on converting to expert mode to not be made publicly available to prevent too many support issues. Would someone please PM instructions on how I can change my installation to expert mode?

Thanks!

[sky-knight]

Yeah, there are a few things that Support was ordered to keep tight to their chest like this that we're now in a dark place on.

Untangle is going to have to cough up those details and document them finally, because while I know about what you're asking, I also don't now how to unlock that feature.

I'm curious as to your use case however, because source port is almost universally not what you want. FTP is the only protocol I can think of that would match on it.

What are you trying to match?

[jon6]

Well I have an iot vlan and a main vlan. I am trying to set up rules so that I can do things like use my rokus to stream audio for private listening and chromecast. I found great instructions from the ubiquiti subreddit and some of the rules require matching source ports.

It’s just amazing that support asked people to keep this secret and it really seems like it doesn’t exist on the internet.

[LaurentR]

Note: Chromecast across VLANs is a bit of a lost battle on Untangle due to the lack of support for an mDNS repeater (unless you implement one separately e.g. running Avahi on a Linux box).

[sky-knight]

I'd need more details because my Plex server doesn't require any of that. It's just a single web port accessed on the server and everything else just works. I can stream off that to my Roku's, phones, everything.

And since the firewall isn't default block, the only way it's being blocked is if you made a rule to block it. So you make a rule that allows the streaming server to do whatever it wants on egress and poof... no more source port requirement.

But beyond that I'd like to read what you're referencing because again... there's only 1 case I know of where source port is appropriate, and that's active FTP, which no one uses.

[jon6]

Actually chrome cast may have been a bad example. I have a separate proxmox container set up with avahi and it seems to work fine although I don’t use it to stream too often. I have noticed that my speaker groups don’t appear as streaming options which seems like a common issue when on a separate subnet.

[jon6]

So I primarily want it for private streaming. I frequently use the roku app to control my TV. It works across subnets and seems to find the two roku boxes in my house. However, when I try to activate private streaming, it fails. If I change my phone to the IoT vlan it works fine of course.

Here is the reddit post I was referencing. I do not know for sure, but since his post seemed to specify setting up rules based on some source ports, I wanted to give it a shot and try it.

I have placed default rules to block my IoT vlan from accessing my home vlan in the filter.

Honestly, everything works great and I am really happy with it, I was just hoping to tune it up a little bit with this.

[sky-knight]

You're going to need to deploy an mDNS service, Untangle doesn't support one and no amount of firewall wizardry will get around not having it for that specific technology.

But to put it simply, that tech isn't designed to operate beyond a network barrier.

[jon6]

I have avahi running in a proxmox container inside my network. Before that, the app didn’t find my roku boxes. That’s why I wanted to see if adding those source port rules would allow for private listening.

Whoops and here’s the Reddit post:
https://www.reddit.com/r/Ubiquiti/co...tm_name=iossmf

[sky-knight]

Again, those rules are pointless if you don't have connectivity.

Untangle by default doesn't block anything between any VLANs, so unless you've created rules to do that... pass rules based on source port won't help. You can bypass the need for source port entirely by simply making a rule that says source address, destination interface any-non wan, pass. Limiting that rule further to a specific source port doesn't increase your security at all anyway.