  1. #1
    tjk
    Untanglit
    Join Date
    Apr 2021
    Posts
    28

    Question on license

    Hey All,

    My understanding on the license count is that anything that goes through the UVM is counted as an active license.

    I have 172.16.4.0/24 set as a bypass for outbound traffic, and anything on this subnet going outbound isn't showing up as active in the hosts screen, actually not showing up at all and marked false under the active column, so odd.

    The minute I do a port forward rule of public.IP.address to 172.16.4.x, it shows up as an active device. I thought rules under config -> network bypassed the UVM and wouldn't be counted as active hosts?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,859

    You need two bypass rules, one sourced from the IP block, and another destined to the IP block.

    Licensing is tracked based on devices subject to the UVM, source AND destination. If you fire up that port forward, the new session starts outside the network, transits the forward, isn't bypassed and connects to the destination and WHAM the target is in the device list because a session that it was involved in wasn't bypassed.

    Direction doesn't matter... and you have two to worry about!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    tjk
    Untanglit
    Join Date
    Apr 2021
    Posts
    28

    So, I put bypass rules in as follows:

    Source -> public/24 (1 rule)
    Dest -> public/24 (1 rule)

    Source -> private/24 (1 rule)
    Dest -> private/24 (1 rule)

    When I put traffic through the port fwd, they show up as active lic counts.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,859

    Pick a flag and stick with it...

    Your stuff is in the active list because the session isn't bypassed because you just defined two fairly narrow rules and threw a session at them that doesn't match.

    To be clear, I said two rules...

    One: source address range
    two: destination address range

    Both address ranges are identical in both rules. There are NO ADDITIONAL FLAGS in those rules. Because these rules are utterly concerned with everything going into that segment, regardless of source, and everything coming out of that segment regardless of destination.

    Also, it takes time for the license to fall off... so your testing will be frustrated by this. And no, we don't know what that "time" is... That's black magic known only to Untangle.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    tjk
    Untanglit
    Join Date
    Apr 2021
    Posts
    28

    Rob, first thank you very much for helping out, you put a lot of time into the forums from what I see, and as a new UT admin I really appreciate your time and replies for sure!!

    I'm a little confused on the rules you are saying I need to try, can you expand on that?

    Assume my public block is 1.2.3.0/24 and my private block is 172.16.4.0/24 - I'm not sure what the rules should look like based on your feedback.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,859

    Bypass Rule 1:
    Source Address: 172.16.4.0/24

    Bypass Rule 2:
    Destination Address: 172.16.4.0/24

    It doesn't matter what comes to 172.16.4.0/24 or leaves from there, it's bypassed. That entire block will now never consume a license... ever.

    You're adding more complexity, and leaving potential for licenses to be consumed, and via port forward generating sessions that are from beyond the scope of what you think the source actually is. If that wasn't the case, the rules would be working and the host list would remain clean.
    tjk likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
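
The rule logic described in post #6, as an added example that is not part of the thread and is not Untangle's code. It assumes that conditions inside one rule are ANDed, that any matching rule bypasses the session, and that a port-forwarded session is evaluated with the internal host as its destination; all addresses other than 172.16.4.0/24 and 1.2.3.0/24 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class BypassRule:
    # A condition left as None is not set; every set condition must match (AND).
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.src and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return True


def counted_hosts(rules, sessions, local_net):
    """Local hosts that took part in at least one session no rule bypassed."""
    net = ip_network(local_net)
    counted = set()
    for src, dst in sessions:
        if any(rule.matches(src, dst) for rule in rules):
            continue  # bypassed: neither endpoint is tracked
        counted.update(ip for ip in (src, dst) if ip_address(ip) in net)
    return counted


LOCAL = "172.16.4.0/24"

# Constructed sessions: one outbound, one arriving through a port forward.
SESSIONS = [
    ("172.16.4.10", "203.0.113.5"),   # internal host going out
    ("198.51.100.7", "172.16.4.20"),  # outside client -> forwarded internal host
]

# Post #1: only an outbound (source) bypass exists.
SOURCE_ONLY = [BypassRule(src=LOCAL)]
# One reading of a rule with an extra flag: source must also be the public block.
NARROW = [BypassRule(src=LOCAL), BypassRule(src="1.2.3.0/24", dst=LOCAL)]
# Post #6: one condition per rule, same range in both.
TWO_RULES = [BypassRule(src=LOCAL), BypassRule(dst=LOCAL)]

if __name__ == "__main__":
    for name, rules in [("source only", SOURCE_ONLY), ("narrow", NARROW),
                        ("two rules", TWO_RULES)]:
        print(name, sorted(counted_hosts(rules, SESSIONS, LOCAL)))
```

Only the two single-condition rules leave the host list empty; the forwarded host is still counted in the other two rule sets because the inbound session's source is outside every source condition.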

  7. #7
    tjk
    Untanglit
    Join Date
    Apr 2021
    Posts
    28

    Originally posted by sky-knight:
    Bypass Rule 1:
    Source Address: 172.16.4.0/24

    Bypass Rule 2:
    Destination Address: 172.16.4.0/24

    It doesn't matter what comes to 172.16.4.0/24 or leaves from there, it's bypassed. That entire block will now never consume a license... ever.

    You're adding more complexity, and leaving potential for licenses to be consumed, and via port forward generating sessions that are from beyond the scope of what you think the source actually is. If that wasn't the case, the rules would be working and the host list would remain clean.
    Worked perfectly, thank you!
