  1. #1
    Untanglit
    Join Date
    Jan 2021
    Posts
    18

    Routing specific devices over tunnel.

    Hi all.

    Following the advice here https://forums.untangle.com/tunnel-v...t-mullvad.html it appears I have successfully set up a connection to a VPN in Tunnel VPN.

    What I am wanting to do now is route all traffic from only specific devices over this tunnel: 2 computers, 1 phone and 1 tablet.

    I realize that my comprehension of the methods used by Untangle and IT professionals is limited. With that, through my research I understand that somehow I will need to tag the device in EVENTS > TRIGGERS and then use this tag in Open VPN Rules. Am I understanding this correctly?

    If so, what I attempted was in EVENTS > TRIGGERS I added a trigger rule

    Class: DeviceTableEvent
    Condition: Device = [name of device]

    Perform the following actions.
    Action type: Tag Device
    target: device
    tag name: tunnel
    tag lifetime: 300

    IN TUNNEL VPN
    Condition: Client Tagged IS tunnel
    Destination tunnel -- my custom ovpn


    I have no idea if I am even on the correct path to making this work.

    Seeking advice.

    TY.

  2. #2
    Newbie
    Join Date
    May 2019
    Posts
    13


    If these devices have fixed IPs (either with DHCP reservations or static IPs) you can just create a rule where you use the source IP.
    If you prefer to work with tags you can just tag the devices in the devices screen, no need for a complicated rule.
    Personally I find fixed IPs easier and more reliable. Be careful with the tablet and phone though, as newer iOS and Android devices randomize their MAC address. You would need to turn this off on your network at least in order for either method to work reliably.

    If it is critical that no traffic uses your normal WAN interface, it might also be good to create a filter rule for these IPs or tags that blocks them from using your normal WAN interface. That way if the tunnel ever goes down the devices will not be able to use your WAN. Note, though, that that would leave them without internet if the tunnel goes down.

  3. #3
    Master Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    132


    Hi,

    The way I've done it is to manually tag the devices I want to go over the tunnel in the "Hosts" tab first (tagged them as "tunnel"). Then under Tunnel VPN > Rules, one of the example rules is "Example: Route all hosts tagged with "tunnel" over any Tunnel."

  4. #4
    Untanglit
    Join Date
    Jan 2021
    Posts
    18


    In the rules in Tunnel VPN this would be

    Source Address IS : xxx.xxx.x.xx

    Would that be correct?

    Or as you say, I see now that one can tag a device directly from the devices tab.
    I'm so far unable to test this as I seem to be unable to keep the tunnel up; the problem described at the start of the post I linked above is present for me too.

  5. #5
    Untanglit
    Join Date
    Jan 2021
    Posts
    18


    I take that back, I'm not sure how but my tunnel did successfully deploy and the tunnel rules (either IP address or tagged, I have both) are functioning.

    May I ask, under CONFIG > NETWORK > DHCP SERVER I see a list of all currently assigned IP addresses. There is a column ADD STATIC and a plus sign. Clicking this plus sign appears to assign this IP address to this device, presumably permanently.

    Is this the case?

  6. #6
    Newbie
    Join Date
    May 2019
    Posts
    13


    That's how you would create a reservation, yes, and yes, that MAC address would always get that same IP address.
    Best practice would be to give the device an IP address outside of the DHCP scope you defined for that subnet. That way you are sure this IP is never accidentally given to another device.
    I am not sure if Untangle prevents the DHCP server from handing out this IP to another device if the reserved device is inactive for a while, but not all DHCP servers do prevent it. Hence it being best practice to change the IP to one outside of the DHCP scope.
    Jay Bird likes this.
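
The points raised in posts #2 and #6 (reservations outside the DHCP scope, randomized MAC addresses) can be checked together before relying on source-IP tunnel rules. The following is an added example, not part of the thread and not Untangle code; the pool range, MAC addresses, IPs and finding codes are constructed for illustration.

```python
import ipaddress

def is_locally_administered(mac: str) -> bool:
    """True if the locally-administered bit (0x02 of the first octet) is set,
    which is what randomized/private MAC addresses on phones and tablets use."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)

def audit(pool_start, pool_end, reservations, tunnel_sources):
    """Check each source IP used in a tunnel rule against the DHCP setup.

    reservations maps MAC -> reserved IP. Returns a list of (ip, code):
      NO_RESERVATION  address is not pinned, so the rule may stop matching
      IN_POOL         reserved IP sits inside the dynamic range
      RANDOM_MAC      reservation is keyed on a MAC that is likely randomized
    """
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    by_ip = {ipaddress.ip_address(ip): mac for mac, ip in reservations.items()}
    findings = []
    for src in tunnel_sources:
        ip = ipaddress.ip_address(src)
        mac = by_ip.get(ip)
        if mac is None:
            findings.append((src, "NO_RESERVATION"))
            continue
        if lo <= ip <= hi:
            findings.append((src, "IN_POOL"))
        if is_locally_administered(mac):
            findings.append((src, "RANDOM_MAC"))
    return findings

# Constructed sample data (not taken from the thread)
POOL = ("192.168.1.100", "192.168.1.200")
RESERVATIONS = {
    "3c:22:fb:10:20:30": "192.168.1.10",   # outside pool, globally unique MAC
    "a4:83:e7:aa:bb:cc": "192.168.1.150",  # reserved inside the dynamic pool
    "da:a1:19:01:02:03": "192.168.1.11",   # 0xda has the 0x02 bit set
}
TUNNEL_SOURCES = ["192.168.1.10", "192.168.1.150", "192.168.1.11", "192.168.1.12"]

if __name__ == "__main__":
    for ip, code in audit(*POOL, RESERVATIONS, TUNNEL_SOURCES):
        print(f"{ip}: {code}")
```

Any address that produces a finding is one whose traffic could leave over the normal WAN unnoticed unless the blocking filter rule from post #2 is also in place.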

  7. #7
    Untanglit
    Join Date
    Jan 2021
    Posts
    18


    Quote Originally Posted by The_Istar View Post

    If it is critical that no traffic uses your normal WAN interface, it might also be good to create a filter rule for these IPs or tags that blocks them from using your normal WAN interface. That way if the tunnel ever goes down the devices will not be able to use your WAN. Note, though, that that would leave them without internet if the tunnel goes down.
    I created this rule under FIREWALL > RULES but in thinking about it, maybe this should be under NETWORK > FILTER RULES.

  8. #8
    Newbie
    Join Date
    May 2019
    Posts
    13


    Quote Originally Posted by Jay Bird View Post
    I created this rule under FIREWALL > RULES but in thinking about it, maybe this should be under NETWORK > FILTER RULES.
    Since the firewall only handles TCP traffic, the filter is indeed better as it blocks all traffic.
    As a rule of thumb I always use the filter unless the rule I create needs something the filter does not have available (like application). So basically any layer 7 info.
    Jay Bird likes this.
