  1. #1
    Untanglit
    Join Date
    Jul 2020
    Posts
    28

    SD-WAN and NG Firewall Together?

    Hello there!

    Sorry in advance for the long post, but this has all been building up for a few weeks! After a few weeks of research on pfSense, OPNsense, flexiWAN, Sophos, VyOS, etc., I've decided to build my own appliance and use Untangle. At the end of the day, I want something that works well, is low stress and has a great community behind it.

    I was originally going to install a firewall with load balancing, but what I really need is SD-WAN like application path selection or whatever the different vendors call it. It appears that Untangle SD-WAN can be installed free for personal use using esxi. After that, it gets fuzzy.

    1. Can only version 1.2 be used this way, i.e. free?

    2. Can the path quality selection/application based routing be used in a single site configuration for general internet bound traffic?

    3. Can it be service chained with NG Home Pro also running as a VM, or is there another way? I've seen mentions of adding the SD-WAN router to NG, but that appears to be the Enterprise version. If worse came to worst, I could use the SD firewall for basic rules and put my home IoT devices behind a Bitdefender box, but I'd rather not.

    I am working from home but am a power user of connection quality sensitive applications and also contend with 3 teenagers on digital learning (zoom, videos, etc.) and of course, everything else they're doing at the same time. It's even worse when there is a study group or gaming party. I have a 1g/1g connection but quality is all over the place even when I bypass the gateway. My employer is going to pay for a second 1g from a different ISP, but wants me to dedicate it to me as a solution and switch networks as needed. Problem with that is that both are broadband and quality will vary. So, I'd like to be able to leverage technology to my benefit. I do have experience with networking, security and SD-WAN, but only with closed source vendors and for Enterprise deployments. As all of you probably know, SD-WAN can mean a lot of things and is deployed many different ways. Some platforms have single site benefits and some do not for various reasons.

    Just in case, my hardware is i7-4790, 8GB ram, 500G HDD, two authentic Intel i350-4 nics(1 fujitsu, 1 Cisco). Overkill, but I got it super cheap.

    Even if some of it is at a charge, I am good with that. Just didn't want to fork out 800 bucks a year for a full on license. I know all this seems like overkill, but I am in a position to leverage it via some employer funding and I really need a hobby. Its been a while since I got to play with the gear.

    Thanks in advance!

    Marcus

  2. #2
    Untangler
    Join Date
    May 2018
    Posts
    58


    Quote Originally Posted by Clectech:
    Hello there!

    1. Can only version 1.2 be used this way, i.e. free?
    Untangle SD-WAN Router is available
    - as an Untangle appliance with our SD-WAN Router e3 and e6 appliances, with an SD-WAN Router software license.
    - deployed on VMware with an SD-WAN Router software license.

    For your home lab environments, we have beta quality builds for Linksys devices including Linksys WRT1900ACS, 3200ACM, and 32x, and for Oracle Virtualbox. These don't require a license.

    No change between 1.2 and 1.3 there.

    Quote Originally Posted by Clectech:
    2. Can the path quality selection/application based routing be used in a single site configuration for general internet bound traffic?
    Application based routing can be used in a single site environment. For example, if you have 2 WAN's, you can configure specific applications to use the best performing WAN.

    Quote Originally Posted by Clectech:
    3. Can it be service chained with NG Home Pro also running as a VM, or is there another way? I've seen mentions of adding the SD-WAN router to NG, but that appears to be the Enterprise version. If worse came to worst, I could use the SD firewall for basic rules and put my home IoT devices behind a Bitdefender box, but I'd rather not.
    You can set up Home Pro as a VM and get SD-WAN Router to route traffic to it. The use case here is for a small business where NG Firewall is used in the Headquarters office, or NG Firewall is deployed in the cloud, and SD-WAN Routers are at branch office locations. You can connect a Home Pro NG Firewall to an SD-WAN Router using OpenVPN.

    Not sure we're hitting your specific use case there, but hopefully that helps describe what you can do.
    Heather P
    Untangle Product Team
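    As an added illustration (not Untangle's code, and not how SD-WAN Router is implemented), the following Python models the per-application "use the best performing WAN" behaviour described above over two WANs: each application has hypothetical latency/jitter/loss thresholds, the selector prefers a link that meets them, and a small hysteresis margin (an assumption) keeps the choice from flapping between two noisy broadband links. The probe samples and thresholds are constructed for the example.

    ```python
    from dataclasses import dataclass
    from typing import Dict, List, Optional

    @dataclass
    class LinkSample:
        """One probe result for a WAN link (constructed values in this example)."""
        latency_ms: float
        jitter_ms: float
        loss_pct: float

    # Hypothetical per-application quality thresholds; not Untangle's policy format.
    APP_POLICY = {
        "zoom":    {"max_latency": 100, "max_jitter": 30,  "max_loss": 1.0},
        "gaming":  {"max_latency": 60,  "max_jitter": 15,  "max_loss": 0.5},
        "default": {"max_latency": 300, "max_jitter": 100, "max_loss": 5.0},
    }

    def score(s: LinkSample) -> float:
        """Lower is better; loss is weighted heavily because it hurts real-time apps most."""
        return s.latency_ms + 2 * s.jitter_ms + 50 * s.loss_pct

    def meets_sla(s: LinkSample, app: str) -> bool:
        p = APP_POLICY.get(app, APP_POLICY["default"])
        return (s.latency_ms <= p["max_latency"] and s.jitter_ms <= p["max_jitter"]
                and s.loss_pct <= p["max_loss"])

    def choose_wan(app: str, samples: Dict[str, LinkSample],
                   current: Optional[str] = None, hysteresis: float = 0.15) -> str:
        """Pick the WAN for `app`: prefer links meeting the app's thresholds, else the
        best-scoring link. Keep `current` unless another link beats it by more than
        `hysteresis` (assumed 15%) so small probe noise does not cause flapping."""
        candidates = {w: s for w, s in samples.items() if meets_sla(s, app)} or samples
        best = min(candidates, key=lambda w: score(candidates[w]))
        if current in candidates and current != best:
            if score(candidates[best]) >= score(candidates[current]) * (1 - hysteresis):
                return current
        return best

    def simulate(app: str, timeline: List[Dict[str, LinkSample]]) -> List[str]:
        """Run the selector over successive probe rounds, carrying the current choice."""
        chosen, current = [], None
        for samples in timeline:
            current = choose_wan(app, samples, current)
            chosen.append(current)
        return chosen

    CONSTRUCTED_TIMELINE = [  # constructed probe rounds for two WANs
        {"wan1": LinkSample(20, 5, 0.0),    "wan2": LinkSample(35, 10, 0.0)},  # wan1 best
        {"wan1": LinkSample(22, 6, 0.0),    "wan2": LinkSample(30, 8, 0.0)},   # still wan1
        {"wan1": LinkSample(120, 40, 2.0),  "wan2": LinkSample(30, 8, 0.0)},   # wan1 fails zoom SLA
        {"wan1": LinkSample(27, 8, 0.0),    "wan2": LinkSample(30, 8, 0.0)},   # wan1 slightly better: hold
        {"wan1": LinkSample(20, 5, 0.0),    "wan2": LinkSample(30, 8, 0.0)},   # clearly better: switch back
    ]
    ```

    Running `simulate("zoom", CONSTRUCTED_TIMELINE)` shows the link moving to wan2 when wan1 exceeds the Zoom thresholds and returning only once wan1 is clearly better again, which is the behaviour you want with two broadband links of varying quality.
    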

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,436

    Welcome

    ...to Untangle, and the forums!

    Quote Originally Posted by Clectech:
    3. Can it be service chained with NG Home Pro also running as a vm or is there another way? I've seen mentions of adding the SD-WAN router to NG but that appears to be the Enterprise version. If worse came to worst, I could use the sd firewall for basic rules and put my home iot devices behind a bitdefender box, but I'd rather not.
    You'll have to post a few more times, but it might help if we had a sketch. A hand-drawn snapshot will do fine.

    What I am picking up here with the service chained / enterprise bit doesn't really describe Untangle products.
    So service chained, no. But you can certainly put them in-line. You'll have to decide which one is going to do DHCP/DNS and somehow avoid double NAT.
    Also, NGFW can be run with no subscription, but you just won't have access to the best Apps. So it won't be crippled in any way, just not full-featured. And it can run in the VM.
    Last edited by Jim.Alles; 07-30-2020 at 04:29 PM.

  4. #4
    Untanglit
    Join Date
    Jul 2020
    Posts
    28


    Thanks so much for the replies, Jim and Heather. My questions were answered, but a couple of other things came to mind. I'll do a sketch and copy/pasta it here soon. The rest of my hardware should be here by Monday and I plan to attempt to be up and running by the end of the following weekend. Thanks again!

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,436


    Quote Originally Posted by Clectech:
    Thanks so much for the replies, Jim and Heather. My questions were answered, but a couple of other things came to mind. I'll do a sketch and copy/pasta it here soon. The rest of my hardware should be here by Monday and I plan to attempt to be up and running by the end of the following weekend. Thanks again!
    For my part, you are welcome. I am just here so you can respond by wishing me a good weekend. You do the same when you get there!

  6. #6
    Untanglit
    Join Date
    Jul 2020
    Posts
    28


    Haha. Have a great weekend! I ran into a potential snag. The secondary ISP only provides private IPs. So, I have one public and one private. I know I can probably make it work, but am going to explore alternatives like a lower-bandwidth business-class connection from my current ISP or lower-bandwidth business broadband from the alternate.

    I work for a non-residential ISP and know there is a difference in quality between residential and business. As I'm thinking through what I'm trying to accomplish and writing it down, it might actually make more sense to have a 50 or 100M business DIA instead of another residential gig.

    More to come!

  7. #7
    Untanglit
    Join Date
    Jul 2020
    Posts
    28


    Getting back to it. I did a little more research and am finalizing my homelab design. Sketch is attached.

    Reading the posts above, along with what I've read since, it sounds like SD-WAN Router has to be run in VirtualBox and NG Home Pro has to be in ESXi for free use of both. Is that accurate?

    I'd like to at least test both on the same physical machine, with dedicated processor and memory resources for each before getting another physical one for each. I could also dedicate a 4 port NIC to each and make physical connections. Assuming this can work, any tweak recommendations are welcome.

    I know OVA files can be run in VirtualBox, but it sounds like there are restrictions for free use, as ESXi was mentioned above. Please let me know your thoughts, and thanks!
    [Attachment: homelab.jpg]

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,436


    Some food for thought, not a thorough analysis:

    You don't mention doing VLANs.
    • NGFW doesn't do link aggregation (bonding).
    • It can do VLAN trunking, but not Cisco LACP.

    You may get some benefit by locating DHCP/DNS servers on NGFW. That would help with identifying devices & hosts in reports.
    However, I am not at all certain how this can be done in 'bridge mode'. I am fairly certain dnsmasq can handle it. I intend to try this in my lab, but I am on the road tomorrow.

    Wi-Fi: what do you have for an access point? If you go with something like a UniFi AC Lite, and connect it to a dedicated interface on NGFW, you can map SSIDs to VLAN tags, this is pretty neat.

    Oh, and I don't know about the VM environments, sorry.

    In the meantime,
    "Baba O' Riley" for your entertainment: https://www.youtube.com/watch?v=GqeYrNYGzJc
    Last edited by Jim.Alles; 08-03-2020 at 08:27 PM.

  9. #9
    Untanglit
    Join Date
    Jul 2020
    Posts
    28


    The network portion was not fully detailed. I do plan on using VLANs, at least for each line. Maybe more. Haven't gotten there quite yet.

    Currently using an Orbi RBR50 mesh with 3 satellites. I plan to connect it to a dedicated port.

    Regarding LACP, I know some VM environments allow you to aggregate ports in the VM config, but not sure about VirtualBox yet. More to come on that. Worse comes to worst, I'll get a 10G NIC. Didn't want to go there, spend-wise.

    Thanks for the vid!

  10. #10
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,436


    Thanks for the sketch!

    Some more thinking out loud (not necessarily suggestions).

    If one of your WANs is going to be moderate-bandwidth business class (a Service Level Agreement, SLA, would be nice) you might consider not needing SD-WAN. Just do routing between WANs and subnets (via VLANs?) and use the business ISP as failover for the personal use. I think you could set up a rack for that condition, and throttle streaming services in that case.

    You could then eliminate the VM environment, put NGFW on bare metal and be done with it.

    I don't want to discourage you from working with the VM if you want; I would like to learn more about it myself.
