Untangle Worth it for Home Network?

Zarathustra[H];1038257768 said:
Or about one steam PC refreshing server lists...
This doesn't make sense. Why would it _keep open_ tens of thousands of connections? And even if it did, see http://www.openbsd.org/faq/pf/perf.html:

"Huge amounts of RAM are not needed -- 32MB should be plenty for close to 30,000 states, which is a lot of states for a small office or home application. Most users will find a "recycled" computer more than enough for a PF system -- a 300MHz system will move a large number of packets rapidly, at least if backed up with good NICs and a good ruleset. "

If you overkill your router boxes, you're doing it wrong. A web cache doesn't belong on a router anyway.

Edit: state tables actually speed up packet processing because a state entry is actually a shortcut, bypassing ruleset evaluation for that packet.
 
Zarathustra[H];1038257768 said:
Or about one steam PC refreshing server lists...

Exactly. Throw torrenting those Linux distros in and it gets even worse, especially when I hold bi-monthly LAN parties. Including VMs, I have 13 PCs here in the house, and I'm just an above-average interwebs user myself.

As I sit here typing this at 7:30am home alone, doing nothing extraordinary, my state table is over 1100.

Tomorrow when the LAN is going full tilt my state table will never be below 90k. I have my state table set to a million. I do it for the lulz. I understand it's overkill. But it's fun.
 
This doesn't make sense. Why would it _keep open_ tens of thousands of connections? And even if it did, see http://www.openbsd.org/faq/pf/perf.html:

"Huge amounts of RAM are not needed -- 32MB should be plenty for close to 30,000 states, which is a lot of states for a small office or home application. Most users will find a "recycled" computer more than enough for a PF system -- a 300MHz system will move a large number of packets rapidly, at least if backed up with good NICs and a good ruleset. "

If you overkill your router boxes, you're doing it wrong. A web cache doesn't belong on a router anyway.

Edit: state tables actually speed up packet processing because a state entry is actually a shortcut, bypassing ruleset evaluation for that packet.

http://i.imgur.com/l7tzy.png

My state table when opening the Steam server browser. 5000 servers found creates 30,000 states. I've seen total servers reach 15k, but you get the point. Like I said, I have mine set to 1,000,000. I think at this LAN tomorrow I am going to try to get it as close to 1,000,000 as I possibly can. I'm going to get everyone to open the browser and their torrenting programs at once.

At a smaller LAN we were able to crash a Pentium 3 512MB pfSense box doing this. It became completely unresponsive.

This one is a little beefier. As you can see it's a C2D with 2GB of RAM. I don't think we'll crash this one, but we will try!

Either way... the state table is directly related to your internet performance. Once one person opens the Steam browser or starts their torrent program, most routers come to a crawl. It's not because of bandwidth. It's because of the state table. Browsing the internet is like watching a slide show, as the router can no longer make new connections.

I understand this was never Untangle's purpose, but this is why I cannot use it.

Also, nobody answered my question: if Untangle is behind pfSense in bridge mode, will the state table become irrelevant?
 
http://i.imgur.com/l7tzy.png

My state table when opening the Steam server browser. 5000 servers found creates 30,000 states. I've seen total servers reach 15k, but you get the point. Like I said, I have mine set to 1,000,000. I think at this LAN tomorrow I am going to try to get it as close to 1,000,000 as I possibly can. I'm going to get everyone to open the browser and their torrenting programs at once.

At a smaller LAN we were able to crash a Pentium 3 512MB pfSense box doing this. It became completely unresponsive.

This one is a little beefier. As you can see it's a C2D with 2GB of RAM. I don't think we'll crash this one, but we will try!

Either way... the state table is directly related to your internet performance. Once one person opens the Steam browser or starts their torrent program, most routers come to a crawl. It's not because of bandwidth. It's because of the state table. Browsing the internet is like watching a slide show, as the router can no longer make new connections.

I understand this was never Untangle's purpose, but this is why I cannot use it.

Also, nobody answered my question: if Untangle is behind pfSense in bridge mode, will the state table become irrelevant?

Took a while to click but I totally understand, I say crash the thing! I'm running a PIII pfSense box with 768MB but I'm not hosting any LAN parties.
 
http://i.imgur.com/l7tzy.png

My state table when opening the steam server browser. 5000 servers found creates 30,000 states.
What do those states look like? I'd really like to know what Steam is using at least 5 connections per server for.

Edit: To say it again, states scale exponentially with processing power. Doubling the amount of states only requires one additional comparison. So a large number of states - even if there's no traffic flowing concurrently - is unlikely to impact performance much. Finding a state among even hundreds of thousands is _nothing_ even for old CPUs.

Your WAN traffic is at 120Kbps/55Kbps in/out respectively, so those states are not even actively carrying traffic.

If you want to verify this, try the following: ping a host beyond the pfSense box, and as close to it as possible, when the state count is low. Then browse your Steam server list multiple times to generate hundreds of thousands of states. Then ping the same host as before again. Post the resulting latencies.
 
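As an added example, not code from the thread or from the pfSense project, here is a small Python script for the before/after latency check proposed above: it reads the state count from `pfctl -si`, pulls the round-trip times out of `ping` output, and puts the two runs side by side. The `pfctl` and `ping` text embedded below is constructed sample output in the usual format (the state-table field names are what pf prints; the numbers are made up), 192.0.2.1 is a placeholder target, and the `collect()` helper assumes it is run on the pfSense box itself by a user allowed to execute `pfctl`.

```python
import re
import statistics
import subprocess

# Constructed sample of `pfctl -si` output (state-table section only).
SAMPLE_PFCTL_SI = """Status: Enabled for 3 days 02:11:45          Debug: Urgent

State Table                          Total             Rate
  current entries                     1103
  searches                       185923432         690.1/s
  inserts                         18122131          67.3/s
  removals                        18121028          67.3/s
"""

# Constructed ping output for the "state table nearly empty" run ...
SAMPLE_PING_BEFORE = """PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=63 time=1.100 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=63 time=1.300 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=63 time=1.200 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=63 time=1.400 ms
"""
# ... and for the run after refreshing the server browser several times.
SAMPLE_PING_AFTER = """PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=63 time=1.200 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=63 time=1.500 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=63 time=1.300 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=63 time=1.600 ms
"""

STATE_RE = re.compile(r"^\s*current entries\s+(\d+)", re.MULTILINE)
RTT_RE = re.compile(r"time=([\d.]+) ms")


def parse_state_count(pfctl_si_output):
    """Return the 'current entries' figure from `pfctl -si` output."""
    m = STATE_RE.search(pfctl_si_output)
    if m is None:
        raise ValueError("no 'current entries' line in pfctl output")
    return int(m.group(1))


def parse_ping_rtts(ping_output):
    """Return the per-reply round-trip times in ms from ping output."""
    return [float(x) for x in RTT_RE.findall(ping_output)]


def summarize(rtts):
    """Min/median/max of a list of RTTs, rounded to 3 decimals."""
    return {
        "count": len(rtts),
        "min_ms": round(min(rtts), 3),
        "median_ms": round(statistics.median(rtts), 3),
        "max_ms": round(max(rtts), 3),
    }


def compare_runs(states_before, ping_before, states_after, ping_after):
    """Put both measurements side by side so any effect of the state
    count on latency is visible at a glance."""
    before = summarize(parse_ping_rtts(ping_before))
    after = summarize(parse_ping_rtts(ping_after))
    return {
        "states_before": states_before,
        "states_after": states_after,
        "median_before_ms": before["median_ms"],
        "median_after_ms": after["median_ms"],
        "median_delta_ms": round(after["median_ms"] - before["median_ms"], 3),
        "max_delta_ms": round(after["max_ms"] - before["max_ms"], 3),
    }


def collect(target, count=20):
    """Run the real commands (assumption: executed on the pfSense box as a
    user permitted to run pfctl). Returns (state_count, raw ping output)."""
    si = subprocess.run(["pfctl", "-si"], capture_output=True, text=True,
                        check=True).stdout
    ping = subprocess.run(["ping", "-c", str(count), target],
                          capture_output=True, text=True).stdout
    return parse_state_count(si), ping


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. On the firewall, call
    # collect() once at a low state count and once after the refreshes instead.
    n = parse_state_count(SAMPLE_PFCTL_SI)
    print(compare_runs(n, SAMPLE_PING_BEFORE, 30000, SAMPLE_PING_AFTER))
```

Run it twice on the box (low state count, then after the refreshes) and feed both results to `compare_runs`; a median delta near zero with a large jump in `states_after` supports the "lookup cost is negligible" argument, while a large delta points at something other than bandwidth.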
You doing all those with just Steam? Or using a benchmark session-creating tool like Matrix behind the scenes to exaggerate a point you're trying to make?

Only Steam, no benchmarking. This isn't just limited to Steam. This happens to any game with a server browser. If you refresh the list it will create a lot of states. It gets worse when the game is popular. How on earth there are still 10000 Counter-Strike servers out there is beyond me!
 
What do those states look like? I'd really like to know what Steam is using at least 5 connections per server for.

Edit: To say it again, states scale exponentially with processing power. Doubling the amount of states only requires one additional comparison. So a large number of states - even if there's no traffic flowing concurrently - is unlikely to impact performance much. Finding a state among even hundreds of thousands is _nothing_ even for old CPUs.

Your WAN traffic is at 120Kbps/55Kbps in/out respectively, so those states are not even actively carrying traffic.

If you want to verify this, try the following: ping a host beyond the pfSense box, and as close to it as possible, when the state count is low. Then browse your Steam server list multiple times to generate hundreds of thousands of states. Then ping the same host as before again. Post the resulting latencies.

Actually, the state table in pfSense is directly related to memory rather than CPU processing power. Each state takes 1K of RAM. If I were to set the state table down really low, to 5k, and attempt to ping or browse the web with the Steam servers refreshing, the ping would be very high. Bandwidth is irrelevant. Once the state table fills, the router can no longer make new connections, even if that new connection is extremely easy on bandwidth. This is why you see all the threads where people get worked up that their internet slows to a crawl when they torrent. The same thing is happening.
 
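The two claims traded in this exchange (a state entry is a shortcut that bypasses ruleset evaluation, and a full state table refuses new connections even when bandwidth is idle) can both be seen in a small model. This is an added example, not code from the thread or from pf/pfSense, and it simplifies heavily: states are keyed on one direction of the 5-tuple only, the ruleset, port 27015 as a game-server query port, and the 10.0.0.x, 203.0.113.x and 198.51.100.x addresses are all constructed, and the 1K-per-state memory cost is not modelled.

```python
from dataclasses import dataclass, field

# Constructed ruleset, evaluated only for packets that match no state.
# Entries are (action, protocol, destination port); None matches any port.
RULES = [
    ("pass", "tcp", 80),
    ("pass", "tcp", 443),
    ("pass", "udp", 27015),   # assumption: a game-server query port
    ("block", "any", None),   # default deny
]


@dataclass
class StateTable:
    """Minimal model of a stateful packet filter's state table."""
    max_entries: int
    timeout: int = 30                              # idle seconds before a state is dropped
    entries: dict = field(default_factory=dict)    # flow key -> last-seen time
    ruleset_evaluations: int = 0
    state_hits: int = 0
    dropped_table_full: int = 0

    def _evaluate_ruleset(self, proto, dport):
        self.ruleset_evaluations += 1
        for action, rule_proto, rule_port in RULES:
            if rule_proto in ("any", proto) and rule_port in (None, dport):
                return action
        return "block"

    def expire(self, now):
        """Remove states idle longer than the timeout; return how many went."""
        stale = [k for k, seen in self.entries.items() if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def handle_packet(self, now, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        if key in self.entries:
            # Fast path: a matching state short-circuits rule evaluation.
            self.entries[key] = now
            self.state_hits += 1
            return "pass"
        # Slow path: consult the ruleset, then try to create a state.
        if self._evaluate_ruleset(proto, dport) != "pass":
            return "block"
        if len(self.entries) >= self.max_entries:
            # Table full: policy allows the packet, but it cannot be tracked,
            # so the new connection fails although bandwidth is not the issue.
            self.dropped_table_full += 1
            return "drop:table-full"
        self.entries[key] = now
        return "pass"


def demo(max_states, servers=5000):
    """Constructed scenario: one LAN host queries `servers` game servers,
    then another host tries to open one ordinary HTTPS connection."""
    table = StateTable(max_entries=max_states)
    for i in range(servers):
        table.handle_packet(now=0, proto="udp", src="10.0.0.5", sport=40000 + i,
                            dst=f"203.0.113.{i % 250 + 1}", dport=27015)
    states_after_refresh = len(table.entries)
    dropped_during_refresh = table.dropped_table_full
    # A retransmit on an existing flow is handled from the state, not the rules.
    table.handle_packet(now=0, proto="udp", src="10.0.0.5", sport=40000,
                        dst="203.0.113.1", dport=27015)
    web_first = table.handle_packet(now=1, proto="tcp", src="10.0.0.6", sport=50000,
                                    dst="198.51.100.10", dport=443)
    # Once the idle query states time out, the same connection attempt succeeds.
    expired = table.expire(now=1 + table.timeout + 1)
    web_after_expiry = table.handle_packet(now=table.timeout + 3, proto="tcp",
                                           src="10.0.0.6", sport=50000,
                                           dst="198.51.100.10", dport=443)
    return {
        "states_after_refresh": states_after_refresh,
        "dropped_during_refresh": dropped_during_refresh,
        "state_hits": table.state_hits,
        "web_first": web_first,
        "expired": expired,
        "web_after_expiry": web_after_expiry,
        "ruleset_evaluations": table.ruleset_evaluations,
    }


if __name__ == "__main__":
    print("small table :", demo(max_states=1000))
    print("large table :", demo(max_states=1_000_000))
```

With a 1000-entry table the server-browser refresh fills it and the unrelated HTTPS connection is dropped with `table-full`, then succeeds once the idle states expire; with a million entries everything passes. Note that the number of ruleset evaluations is the same in both cases: the cost the small table imposes is refused connections, not slower lookups.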
What do those states look like? I'd really like to know what Steam is using at least 5 connections per server for.

My guess is that it probably does one state per server, but the filters are applied AFTER the refresh, so for every displayed server, you may be filtering out 4 others due to not being from the right game, or being a different game mode, etc.

There is no doubt that Steam is poorly coded in this area, and there could be ways to minimize these issues (grab one server list from Steam's servers, apply filters, then only ping those servers that pass the filter, for instance), but regardless of this, it doesn't change the fact that when I'm streaming a Netflix film with my wife, and the boys decide they are both going to play a game together and initiate a Steam server refresh at about the same time on both their machines, my router goes offline for a few minutes, ruining my film.

or better yet, I get kicked out of my favorite RO2 server that is always full, and I can't get back in for the rest of the evening...

I'd like to avoid this. The pfSense documentation says that the system itself uses 128MB of RAM and that each state takes about 1k of RAM on top of that, so if I put 4GB of RAM in my planned pfSense box, I should be able to up the state table to 4 million entries. This should be sufficient overkill to never have to worry about it again...
 
I love my Untangle server. I refuse to go back to my Linksys E1000. My gaming PC and PS3 function just fine behind it. I love the features it comes with. It is not overkill for him if you yourself are a power user.
 
That's the definition of overkill: it's never a problem again.

Yeah,

Considering a decent branded DDR3-1333 2GB stick of RAM is down to $9 new now, there really is no reason not to put 4GB in the box and crank up the states.
 
Isn't that the project run by a somewhat belligerent British man?

Some have had issues with the hierarchy over there, but I have not had such issues, and I have had quite a few people over there hold my hand through a lot of configuring and even had a few write up some stuff for me for things I was trying to do with my Smoothwall boxes.
 
I run a pfSense + Untangle one-two combo. The Untangle box is in transparent mode behind my pfSense firewall. pfSense also terminates my VPNs since it's free (Untangle can suck me).

That being said, I do like Untangle. I only pay for Policy Manager which is like $50/year. I have kids that need to have their surfing habits tamed and Untangle does a better job than pfSense. Between the firewall, phish blocker & web filter lite modules, I manage to keep them out of anything I want. With Policy manager, I let them hit Facebook and chatting one hour a day.

As much as I like the other modules too, like spyware, intrusion and antivirus, I probably wouldn't run an Untangle box in parallel with pfSense if it weren't for my specific....uh..."kid filter" needs. :D
(Those free modules are rudimentary at best, but every little bit helps.)
 
I run a pfSense + Untangle one-two combo. The Untangle box is in transparent mode behind my pfSense firewall. pfSense also terminates my VPNs since it's free (Untangle can suck me).

That being said, I do like Untangle. I only pay for Policy Manager which is like $50/year. I have kids that need to have their surfing habits tamed and Untangle does a better job than pfSense. Between the firewall, phish blocker & web filter lite modules, I manage to keep them out of anything I want. With Policy manager, I let them hit Facebook and chatting one hour a day.

As much as I like the other modules too, like spyware, intrusion and antivirus, I probably wouldn't run an Untangle box in parallel with pfSense if it weren't for my specific....uh..."kid filter" needs. :D
(Those free modules are rudimentary at best, but every little bit helps.)

Untangle's VPN is free too? However, it doesn't support VLANs, so to build more subnets / networks you need multiple network cards in a box, or a nice expensive layer 3 switch.
 
Untangle's VPN is free too? However, it doesn't support VLANs, so to build more subnets / networks you need multiple network cards in a box, or a nice expensive layer 3 switch.

IPSEC starts at $270/year. Not quite free unless you're Bill Gates.
 
IPSEC starts at $270/year. Not quite free unless you're Bill Gates.

You're forgetting that ANY UT subscription comes with support. I've called them twice since I started using it, and I had my problem solved nearly instantly. From dialing to hanging up, one call was 3 minutes long, the other was around 4 minutes. That's truly epic. They even spoke good English.

The paid options don't really make sense for a home user, but if you're running a larger business, it can be well worth it, especially with that caliber of support.
 
You're forgetting that ANY UT subscription comes with support. I've called them twice since I started using it, and I had my problem solved nearly instantly. From dialing to hanging up, one call was 3 minutes long, the other was around 4 minutes. That's truly epic. They even spoke good English.

The paid options don't really make sense for a home user, but if you're running a larger business, it can be well worth it, especially with that caliber of support.

Fully agree.
 
You're forgetting that ANY UT subscription comes with support. I've called them twice since I started using it, and I had my problem solved nearly instantly. From dialing to hanging up, one call was 3 minutes long, the other was around 4 minutes. That's truly epic. They even spoke good English.

The paid options don't really make sense for a home user, but if you're running a larger business, it can be well worth it, especially with that caliber of support.

Untangle is about 1000 times simpler than a real firewall, like Checkpoint or a Cisco ASA. I can't imagine needing much support unless there truly was a bug. (That is both an attack and praise: it's simple, but it usually just works.)
 
What would be the best way to get Untangle and pfSense to run on the same box?

I'm thinking pfSense as a firewall and router, and Untangle in line as a pass through.

Can this be done?


pfSense installed on a machine with a virtual machine, with BSD as the host and pfSense as the guest?
 
I think jails are just segregated BSD userlands. Try VMware vSphere Hypervisor.
 
Zarathustra[H];1038265398 said:
What would be the best way to get Untangle and pfSense to run on the same box?

I'm thinking pfSense as a firewall and router, and Untangle in line as a pass through.

Can this be done?


pfSense installed on a machine with a virtual machine, with BSD as the host and pfSense as the guest?

ESXi would be where I'd look first.

Untangle is about 1000 times simpler than a real firewall, like Checkpoint or a Cisco ASA. I can't imagine needing much support unless there truly was a bug. (That is both an attack and praise: it's simple, but it usually just works.)

One was related to a licensing issue, and don't worry about the other.
 
ESXi would be where I'd look first.

Be warned that I had a terrible time getting both to work without jitter. Yes, they technically worked with ESX, but my VoIP quality was erratic and suffered due to the time slicing. Untangle was the bigger culprit. I now use two physical boxes. YMMV.
 
Be warned that I had a terrible time getting both to work without jitter. Yes, they technically worked with ESX, but my VoIP quality was erratic and suffered due to the time slicing. Untangle was the bigger culprit. I now use two physical boxes. YMMV.

I had this issue as well :(

It sucks that in the age of virtualization I have to run three separate boxes for routing/filtering/VoIP.
 
You should be able to virtualize them fine...just not as dense with other VMs. I run VoIP through Untangle on ESXi and it's fine, but my CPU use is usually very low. Check CPU %READY on your ESXi hosts to get an idea if VMs are having to wait to be scheduled on a core.
 
You should be able to virtualize them fine...just not as dense with other VMs. I run VoIP through Untangle on ESXi and it's fine, but my CPU use is usually very low. Check CPU %READY on your ESXi hosts to get an idea if VMs are having to wait to be scheduled on a core.

Yup, it does OK virtualized, as long as you have a pretty potent box and the other guests aren't big hogs. For an average business it does just fine, but if you have latency-sensitive stuff like VoIP, use a bit of noodle: you want a device that has direct access to physical NICs and its own dedicated CPU.
 
You're forgetting that ANY UT subscription comes with support. I've called them twice since I started using it, and I had my problem solved nearly instantly. From dialing to hanging up, one call was 3 minutes long, the other was around 4 minutes. That's truly epic. They even spoke good English.

The paid options don't really make sense for a home user, but if you're running a larger business, it can be well worth it, especially with that caliber of support.

Yup, their support rocks. Call up and you get Richie or Tony; they rock! They usually pick up the phone within a couple of rings, a live body right away, no transfers, rarely put in a hold queue.

For firewall support...out of all the vendors I've used, Untangle is the easiest I've ever had to deal with, always a pleasure. 2nd place goes to Juniper..but they're not this fast.
 
Untangle is about 1000 times simpler than a real firewall, like Checkpoint or a Cisco ASA. I can't imagine needing much support unless there truly was a bug. (That is both an attack and praise: it's simple, but it usually just works.)

Implying Untangle is a "fake firewall"? :rolleyes:

There are many reasons to call support that don't mean the end user (tech) is a moron like you're implying. Sometimes an upgrade tanks or goes bad, and it's wise to proceed with caution so that you don't tank the whole install and have to pave the box and start from scratch (especially if it's in a production environment and still passing packets). Sometimes there's a problem with a module, or sometimes there is a legit question about some configuration that you're dealing with. Since it's aimed at small to medium businesses, we can come up with some pretty unusual setups that go beyond what the average user might think they know all the answers to; nothing to do with just the simplicity of getting it up and running in a home network.
 
Be warned that I had a terrible time getting both to work without jitter. Yes, they technically worked with ESX, but my VoIP quality was erratic and suffered due to the time slicing. Untangle was the bigger culprit. I now use two physical boxes. YMMV.

This stinks.


Pardon my asking, because while I have played with desktop virtualization, where I just have a bridged ethernet connection to my guest OS in VMWare player, I have never played with the server side stuff.

1.) Would the configuration look something like this?

6702746397_cbf37e80e7_o.jpg


2.) Would this require IOMMU support?

3.) Can't seem to find out if the E-350 supports IOMMU. I know it has AMD-V though. Anyone know?

Thanks again,
Matt
 
Implying Untangle is a "fake firewall"? :rolleyes:
Please, don't even. The feature list between Untangle's firewall and something like a Cisco ASA is a mile wide.

Zarathustra[H];1038266845 said:
1.) Would the configuration look something like this?
Yes, that is what I did. My server wasn't too powerful, but was well within the specs to run ESXi 4.0u1 at the time. I even dedicated a CPU to Untangle. It ONLY ran pfSense and Untangle, and my latency and jitter was noticeably erratic. But like I said, YMMV.
 
I glanced over both pages and didn't really see anyone mention Astaro for a router. It's got a very steep learning curve, but once you get the hang of it, it is a breeze to maintain and keep running, and it's very stable.

I have mine running on a Core2Duo 2GHz with 4GB of RAM and never have an issue with it, even have a VLAN setup with my 8 port HP switch and a VPN connection as well. All free for everything since it is a home license.
 
Yes, that is what I did. My server wasn't too powerful, but was well within the specs to run ESXi 4.0u1 at the time. I even dedicated a CPU to Untangle. It ONLY ran pfSense and Untangle, and my latency and jitter was noticeably erratic. But like I said, YMMV.

If you don't mind me asking, what were those specs?
 
Zarathustra[H];1038267626 said:
If you don't mind me asking, what were those specs?

I was going after a low power usage setup. The motherboard is the Gigabyte GA-6KIEH-RH with a T9300 CPU and Intel NICs in a 1U server case. It is now my dedicated Untangle server for home and plenty powerful.

BTW, jitter and latency WILL happen with VMware. It's whether your server is powerful enough to minimize it to the point where it's not humanly noticeable.
 
I glanced over both pages and didn't really see anyone mention Astaro for a router. It's got a very steep learning curve, but once you get the hang of it, it is a breeze to maintain and keep running, and it's very stable.

I have mine running on a Core2Duo 2GHz with 4GB of RAM and never have an issue with it, even have a VLAN setup with my 8 port HP switch and a VPN connection as well. All free for everything since it is a home license.

Max 50 IPs though :(
 
Please, don't even. The feature list between Untangle's firewall and something like a Cisco ASA is a mile wide.

I'm not trying to compare it to other brands...I'm trying to stop myself from laughing at you as to why you're calling it a fake firewall.
 