Bridged Untangle outside pfSense firewall

jbraband (n00b) - Joined Apr 13, 2011 - Messages: 55
the thread here http://hardforum.com/showthread.php?t=1613226 brought up a side-topic that I'd like to explore further and not muck up the thread's OP.

note: this is home use, nothing critical.

I have a pfSense 2.0 box acting as a firewall. It has two physical interfaces, one WAN, one trunked to a managed switch. The non-WAN interface in pfSense is defined to multiple vlans and those vlans are set up as LAN, OPT1, OPT2.

I originally wanted untangle for my own reasons (not intending to start another pfSense versus untangle) but ran into the hole of vlan tagging, which is not possible on untangle but is really slick in pfSense. I think that anyone would agree that there's value in each and even more value in pfSense and a dedicated UTM appliance.

so, with multiple internal networks (vlan), the concept of a UTM appliance becomes infeasible behind the firewall. I'd have to have one UTM appliance per vlan.

in the above referenced thread, someone suggested to place the UTM outside the firewall, still in transparent bridge mode making the network look like

Comcast-----Modem-----Untangle-----pfsense-----managed switch ----clients on multiple vlans

I haven't pulled out hardware to test this yet (giving it some time in the think-meat before spending time), but I think there's a usability issue here. Right now, pfSense is of course set up to NAT all the vlans to the public IP provided by comcast. As far as untangle is concerned, all internal traffic headed out is coming from a single IP address, correct? I would lose the granularity in reporting. Untangle wouldn't be able to distinguish two windows 7 boxes on vlan100 from each other because of the NAT happening at the pfSense box. Is this accurate?

I don't have enough working knowledge to know if i can disable NAT on pfsense, somehow have the WAN interface of pfSense pass packets through without the NATing, then Untangle would see the individual client's IP in the packet header. this seems then that untangle goes into router mode and I have effectively split router and firewall duties into separate appliances.

I know that this whole setup is extremely complicated and by no means necessary. but what better way to learn the ins and outs than by experimenting with non-standard usage!

So, am I crazy or is there a solution somewhere in there?
 
Untangle needs an IP even in transparent bridged mode. It uses an internal IP..and "tricks" the network into using it as a gateway...even though it's not the gateway IP. It won't do that from outside of your network.

Does your switch support port based VLANs? That way you can run whatever you want for your router and not worry about VLAN taggin'.
 
thanks for the reply!

so even if I didn't care about the NATing screwing up the reporting, it wouldn't work anyways? Is a transparent bridge untangle applying its WAN's gateway IP to its internal NIC and then managing the routing transparently? If that's the case then I don't see why it wouldn't just pick up the gateway of the ISP and spoof that for the firewall to use. Of course, it could be doing something completely different!

I know you install untangle boxes for clients, but have you worked in an environment where the client had vlans and was stubborn about not using their firewall appliance (pfsense or otherwise) but also wanted to utilize untangle's UTM features? [wow, that's a very specific kind of client]

My switch does do port based vlans so that is also an option, although I was excited at the prospect of needing fewer NICs (making a 1U supermicro box easier/cheaper to source, no riser card and extra NIC needed) and fewer occupied switch ports with the vlans trunked to the firewall.
 
I'm sure the ISP would squash anything trying to spoof their gateway and shut you down in a heartbeat...I wouldn't recommend messing with public IP's outside of your single WAN connection.

Yes I have done Untangle with port based VLANs done on the switch. No additional NICs needed, very simple, no trunking or complications. Uplink firewalls LAN NIC to switch port 1 (or pick whatever port you want...doesn't matter). Now make your port based VLANs based on <whatever you want to do> for the rest of the network....VLAN 2, VLAN 3, etc etc. Make port 1 a member of each VLAN (or whatever port you picked for the uplink).
 
Uplink firewalls LAN NIC to switch port 1 (or pick whatever port you want...doesn't matter). Now make your port based VLANs based on <whatever you want to do> for the rest of the network....VLAN 2, VLAN 3, etc etc. Make port 1 a member of each VLAN (or whatever port you picked for the uplink).

ah, so this is my bad.....I thought that this was trunking. Doesn't port 1 need egress packets tagged with which vlan they are from?

With the setup you describe in the quote above, can untangle distinguish one vlan from another (I believe the answer is no)? If not, then how does this logically separate the subnets?

here's a sample switch setup based on your last reply:

port 1: member of vlans 1 through 4
port 2: member of vlan 1
port 3: member of vlan 2
port 4: member of vlan 3
port 5: member of vlan 4

Port 1 is wired to the internal NIC of untangle (router install). Is untangle able to assign IPs from different IP ranges based on the vlan? Maybe in your setup, the switch or some other server on each vlan is doing DHCP duties, then untangle would be able to set up the routing between the subnets.

Am I getting close?

I really appreciate the help!
 
With the port based VLANs I've done, I've had the same subnet for the whole network (like 192.168.10.xxx/32) Untangle doesn't have to differentiate or logically separate the subnets...it doesn't care, nor should it. So you can let Untangle do DHCP for the same IP range. The barrier for the networks is done in the switch, when you create the VLANs..it's like a wall between each port. That wall does the separating, so you don't have to worry about different IP ranges.

And if you need more than 1 computer on a VLAN..say, like...6 computers..just make 6 ports the member of that same VLAN. Or..if you need much larger numbers..uplink a switch to 1 port that is 1 VLAN.

I'm not saying that having different subnets is wrong...I'm just saying there's more than 1 way to skin a cat...and I've done fine with basic port based VLANs using this approach.
 
here's the mental roadblock for me: why doesn't traffic from vlan1 find a route to a machine in vlan2 through the gateway (i.e. untangle's internal NIC)?

I'm thinking of untangle's internal gateway as acting like another switch to which each vlan is uplinked, thereby giving a route (since everything is the same subnet). How is it different?

This may be a good point to fire up some hardware and test to see this in action. I'm not denying anything you are saying; on the contrary, I'm challenging it to help me understand.
 
here's the mental roadblock for me: why doesn't traffic from vlan1 find a route to a machine in vlan2 through the gateway (i.e. untangle's internal NIC)?

Because of routing. In this example..done by Windows before it even leaves your NIC. Traffic destined to the LAN (say...Computer A with 192.168.1.101 tries to talk to Computer B at 192.168.1.155)...that traffic is local, because of the subnet mask. So it will never try to go out the gateway...so it will never try to hit port 1. The gateway is used only when traffic wants to leave the local network..and get to another network....such as the internet!
 
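As an added illustration (constructed for this write-up, not code from the thread or from Untangle/pfSense), the model below encodes the two decisions discussed above: the host's on-link-versus-gateway choice based on its subnet mask, and the port-based VLAN "wall" in the sample switch layout (port 1 uplink in every VLAN, ports 2-5 in one VLAN each). It also shows the other design: when VLANs use different subnets, cross-VLAN traffic is sent to the gateway port, so a router can apply pass rules between them.

```python
import ipaddress

# Constructed switch table matching the sample layout in the thread:
# port 1 is the uplink to the gateway NIC and sits in every VLAN,
# each client port is a member of exactly one VLAN.
SWITCH_VLANS = {
    1: {1, 2, 3, 4},  # uplink port (Untangle/pfSense internal NIC)
    2: {1},
    3: {2},
    4: {3},
    5: {4},
}
UPLINK_PORT = 1


def next_hop(local_cidr, gateway, dst_ip):
    """Host routing decision made before the frame leaves the NIC.

    If dst_ip falls inside the host's own subnet the host ARPs for it
    directly ('on-link'); otherwise it hands the packet to the gateway.
    """
    iface = ipaddress.ip_interface(local_cidr)
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "on-link"
    return gateway


def switch_forwards(src_port, dst_port):
    """Port-based VLAN wall: frames only cross ports sharing a VLAN."""
    return bool(SWITCH_VLANS[src_port] & SWITCH_VLANS[dst_port])


def egress_port(src_port, dst_port, local_cidr, gateway, dst_ip):
    """Port the switch actually forwards the frame to, or None if dropped.

    On-link traffic is sent toward the destination host's port; anything
    non-local is sent toward the gateway behind the uplink port.
    """
    if next_hop(local_cidr, gateway, dst_ip) == "on-link":
        target = dst_port
    else:
        target = UPLINK_PORT
    return target if switch_forwards(src_port, target) else None


if __name__ == "__main__":
    # Same subnet, different VLANs: host ARPs locally, switch drops it.
    print(egress_port(2, 3, "192.168.1.101/24", "192.168.1.1", "192.168.1.155"))
    # Internet-bound: goes to the gateway via the uplink port.
    print(egress_port(2, 3, "192.168.1.101/24", "192.168.1.1", "8.8.8.8"))
```

With one subnet per VLAN instead (e.g. a host on 192.168.1.0/24 talking to 192.168.2.50), `egress_port` returns the uplink port, which is why the pfSense-style design can filter between VLANs while the single-subnet design cannot.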
Makes perfect sense! Thanks so much for the patience.

Do you have any pros/cons of this setup over the OP describing the multiple vlan-ed interfaces in pfsense?

Here are what I can manage for pros/cons:
pro: makes vlans doable with untangle
con: no logical (subnetting) segregation of clients, no firewall "pass rules" between vlans (traffic can never jump between vlans)
 
No I can't think of any..other than if you get really large networks (above class C). Since I do SMB networks for a living, I really just focus on class C size networks...so I have little interest in multiple subnets in the same network. (unless I'm doing a WAN).

However, you could get an appliance to run Untangle on..that has many NICs on it..and create multiple "racks" in Untangle. That's one way of getting Untangle to manage multiple/separate networks on the inside. But..it goes against you wanting to keep things simple..hardware wise.
 
Agreed....I knew going into this exercise that more NICs on untangle would get around its tagging limitations. The pfSense vlan --> interface feature is quite awesome.

You've given me plenty of options to play around with next weekend. My wife "thanks" you :)
 
you've given me plenty of options to play around with next weekend. my wife "thanks" you :)

LOL...
I take it she wants you out of her hair!
Summer is easy for me to stay out of my wife's hair...if it ain't rainin'...hop on the Harley and go! ('course 1/2 the time she hops on the back too)
 
The quotes were for sarcasm. We have the house to paint and 200 feet of fence to stain (both sides!).

"breaking the internet" does not fit into those weekend plans :)
 
Has anyone tried putting Untangle between two pfSense installs? Would this setup allow use of vlans with multiple subnets:

Internet <=> PFSense (with firewall) <=> Untangle (bridge mode) <=> PFSense (without firewall - with vlans) <=> Layer 2 switch (with vlans) <=> multiple subnets

My theory is that the 2nd PFSense install + layer 2 switch serves as a "poor man's layer 3 switch". My concern is if there is a way to avoid being double NAT'd and double firewalled. I really don't want to have to configure port forwards on two firewalls :mad:

While three installs is not ideal they would all be on a single ESXi host so one piece of hardware. Primary goal is to add robust filtering (untangle) and separate my network into three or four distinct traffic types (private, public, mythtv, and possibly VOIP). I know I can accomplish everything I want with port based vlans but I really want separate subnets for each type of traffic.

Thoughts?
 