The thread here http://hardforum.com/showthread.php?t=1613226 brought up a side topic that I'd like to explore further without mucking up the thread's OP.
Note: this is home use, nothing critical.
I have a pfSense 2.0 box acting as a firewall. It has two physical interfaces, one WAN, one trunked to a managed switch. The non-WAN interface in pfSense is defined with multiple VLANs, and those VLANs are set up as LAN, OPT1, OPT2.
I originally wanted Untangle for my own reasons (not intending to start another pfSense versus Untangle debate) but ran into the hole of VLAN tagging, which is not possible on Untangle but is really slick in pfSense. I think that anyone would agree that there's value in each, and even more value in pfSense plus a dedicated UTM appliance.
So, with multiple internal networks (VLANs), the concept of a UTM appliance becomes infeasible behind the firewall. I'd have to have one UTM appliance per VLAN.
In the above-referenced thread, someone suggested placing the UTM outside the firewall, still in transparent bridge mode, making the network look like
Comcast-----Modem-----Untangle-----pfsense-----managed switch ----clients on multiple vlans
I haven't pulled out hardware to test this yet (giving it some time in the think-meat before spending time), but I think there's a usability issue here. Right now, pfSense is of course set up to NAT all the VLANs to the public IP provided by Comcast. As far as Untangle is concerned, all internal traffic headed out is coming from a single IP address, correct? I would lose the granularity in reporting. Untangle wouldn't be able to distinguish two Windows 7 boxes on VLAN 100 from each other because of the NAT happening at the pfSense box. Is this accurate?
I don't have enough working knowledge to know if I can disable NAT on pfSense and somehow have the WAN interface of pfSense pass packets through without the NATing, so that Untangle would see the individual client's IP in the packet header. It seems then that Untangle goes into router mode and I have effectively split router and firewall duties into separate appliances.
I know that this whole setup is extremely complicated and by no means necessary. But what better way to learn the ins and outs than by experimenting with non-standard usage!
So, am I crazy or is there a solution somewhere in there?
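Added illustration, not from the original post or from a real pfSense box: pfSense 2.0 builds its pf ruleset from the GUI (the result is visible in /tmp/rules.debug on the box), and the fragment below is a hand-written pf.conf equivalent of the two situations the post contrasts, the current "NAT everything to the WAN address" behaviour and the routing-only variant being asked about. Interface names, VLAN tags and subnets are assumptions.

```pf
# Added example; hand-written pf.conf, not pfSense's generated ruleset.
# Interface names, VLAN tags and subnets below are assumptions.
wan   = "em0"
vl100 = "em1_vlan100"   # LAN  (pfSense names VLAN children <parent>_vlan<tag>)
vl200 = "em1_vlan200"   # OPT1
vl300 = "em1_vlan300"   # OPT2
table <internal> { 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 }

# --- What the post describes today: automatic outbound NAT -----------------
# Every internal source is rewritten to the WAN address as it leaves em0, with
# a fresh source port from the 1024-65535 pool. A bridge sitting in front of
# em0 sees one source IP for the whole house, so two hosts on VLAN 100 are
# indistinguishable upstream; only the state table on pfSense still knows
# which private host owns which translated port.
nat on $wan inet from <internal> to any -> ($wan) port 1024:65535

# --- The variant being asked about: no NAT at pfSense ----------------------
# Simply leave the nat rule out (pfSense 2.0 GUI: Firewall > NAT > Outbound,
# manual mode with no rules). pfSense then forwards each packet with the
# client's own source address intact, so an upstream bridge can tell
# 10.1.0.5 from 10.1.0.6.
# Caveat: RFC 1918 space is not routable on the Comcast side, so whatever
# sits upstream must now do the NAT itself and hold routes back to
# <internal>. That is the "Untangle in router mode" split described above.

block in on $wan all
pass in  quick on { $vl100, $vl200, $vl300 } inet from <internal> to any keep state
pass out quick on $wan inet keep state
```

A quick check of which world you are in: `pfctl -s state` on the pfSense box prints each entry as `em0 tcp <wan-ip>:<port> (<private-ip>:<port>) -> <dest>:<port>` when the nat rule is active, and without the parenthesised translation when it is not. The parenthesised original address is exactly the per-client detail that a bridge upstream of em0 never gets to see in the NAT case.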