Hello and thanks for your interest in Untangle! This will be a quick primer on getting your Untangle installed, up and running, and (hopefully) answer some common configuration questions without too much confusion. If you already have Untangle in your network, you can skip to any relevant section and read from there. If you're new to Untangle, we recommend reading this section in its entirety to help familiarize yourself with Untangle and how it works - it will probably save you a headache or two later on. Please Note: Most of the features discussed in this User Guide are available in the (free and Open Source) Lite Package of Untangle Server software; however, some features are only available if subscribing to paid applications or packages. For a current list of features and pricing, have a look at our Product Overview.
Contents
1 Setting up the Untangle software
2 Placing Untangle into your Network
    2.1 Router Mode
    2.2 Bridge Mode
    2.3 Notes
3 Working with Untangle
    3.1 The webGUI
    3.2 Applications
        3.2.1 Filter Applications
        3.2.2 Service Applications
    3.3 Config
4 Common Configuration Questions
    4.1 What are some of Untangle's idiosyncrasies I should be aware of?
    4.2 How secure is Untangle?
    4.3 How do I port forward traffic to internal machines?
    4.4 How do I add additional WAN IPs to my Untangle and/or set up 1:1 NAT?
    4.5 How do I add a guest or private WiFi network to my Untangle?
    4.6 How do I get DHCP working on other Interfaces?
    4.7 How do I prevent SSH access to my Untangle from the Internet?
    4.8 Does Untangle support failover?
Router Mode
In Router mode, Untangle will be the edge device on your network and serve as a router and firewall. In this case, you'll need to set up your External and Internal interfaces correctly for traffic to flow, which should have been done while installing.
Bridge Mode
In Bridge mode, Untangle is set between your existing firewall and main switch. When in Bridge mode Untangle is transparent, meaning you won't need to change the default gateway of the computers on your network or the routes on your firewall - just put the Untangle between your firewall and main switch and... that's it! You'll need to give Untangle's External interface an IP in the subnet of the firewall, set the Internal interface to bridge and bridge it to External.
Notes
If you're having connectivity issues, you may want to try a crossover cable between Untangle and the upstream device - this is usually not necessary with modern equipment, but it's something to try if the settings look good but it's just not working.
If you want to install Untangle in a VM, we recommend reading this guide.
If you're in Router mode and have a PPPoE WAN connection, contact your ISP and see if the modem can do the authentication and pass the IPs to Untangle so you can set the External interface to Static - this is a much better situation than having Untangle do the PPPoE login, since some features (such as Multi-WAN) will not work with interfaces set to PPPoE.
If you're in Bridge mode you most likely do not want to be double NATing, so make sure your Internal interface is set to Bridge and not Static or DHCP.
When setting up in Bridge mode, it's easy to have the Untangle plugged in backwards. The quickest way to check is to go to a website that should be blocked and take a look at the block page - if you see a simple page with a white background and black text, your interfaces are backwards. If you see a grey background with an Untangle logo, you're good to go. If it is backwards, you should be able to simply swap the External and Internal cables connected to the Untangle and verify you get the correct block page.
Local: Simply click Launch Client on the Untangle GUI and a web browser will load the webGUI.
On the LAN: In your browser, enter the LAN IP of the Untangle (for example http://10.0.0.1).
Remote: In your browser, enter the WAN IP of the Untangle (for example https://203.0.113.1).
You may get a warning about certificates; these can be dismissed, as you are safe connecting to your Untangle server. When prompted, provide your login credentials and you will be presented with Untangle's webGUI. By default, Remote Administration is disabled - it can be enabled from Config > Administration. After you reboot you will be presented with the Application Wizard - this will help you decide on what applications to download and use with Untangle. We provide a 14-day trial of all applications (except Branding Manager), so feel free to try different apps and see if they meet the needs of your organization.
The webGUI
Once the Untangle has downloaded the applications, you'll see the webGUI on the console:
Untangle's webGUI can be divided into two main parts, the Navigation Pane on the left and virtual Racks on the right. The Navigation Pane contains two tabs - Apps is used to install applications into your racks, while Config is used to configure various general settings within your Untangle. Applications are installed into racks and filter the traffic that flows through them. Each application has a faceplate with a Settings button to configure it, blingers to show you current status information, and a power button to toggle it on or off. Across the top of the webGUI there is a dropdown to switch racks or use the Session Viewer, network speed statistics, a count of open sessions, and CPU, memory and disk information.
Please note that our free Lite Package only includes the ability to use one rack; if you need the ability to create multiple racks you'll need the Policy Manager.
Applications
Filter Applications: All the Applications above the Services pane in the interface can have unique configurations, which you can apply to specific virtual racks. Virtual racks enable you to create different policies for different sets of users.
Service Applications: All the Applications below the Services pane are services and are "global." Each has a configuration that applies to all virtual racks. As such, if you remove any service from any rack, you will remove that service from all racks.
Spam Blocker
Phish Blocker
Spyware Blocker
Web Filter
Web Cache
Bandwidth Control
Virus Blocker
Intrusion Prevention
Protocol Control
Firewall
Ad Blocker
IPsec VPN
Captive Portal
Live Support
WAN Failover
WAN Balancer
Policy Manager
AD Connector
Attack Blocker
OpenVPN
Configuration Backup
Reports
Branding Manager
Config
The Config tab allows you to modify Untangle's major non-app settings, such as your WAN/LAN interfaces, Port Forwards, DHCP Server, and more. There are quite a few settings under the Config tab's umbrella, so we've broken it out to a different page you can find here.
By default, all Untangle interfaces can talk to each other - if you want to wall them off, you can use the Firewall application.
The Untangle webGUI has two modes: Basic and Advanced. You can switch between these modes at Config > Networking > Advanced, but be aware that while switching to Advanced mode will give you more options, switching from Advanced to Basic will both remove these extra options and require you to re-run the configuration wizard.
If you have three or more interfaces when you install, Untangle will name these External, Internal and DMZ by default. These names cannot be changed. DMZ is just an interface name; it is not handled differently than any other interface. Any additional interfaces will be named ethX, where X is the number of the interface.
Most ordered lists such as Port Forwards and Firewall rules are evaluated from the top down, so any traffic that matches a rule will cause it to fire. If you have some entries lower in a list that don't seem to work, take a look at the entries above them - they may be firing on that traffic before it ever gets down to the rule you're troubleshooting.
The Destined Local flag will match traffic on any IP Untangle holds, so if you have multiple external IPs your port forwards should use the Destination Address flag rather than Destined Local.
multiple IPs and you're having problems you'll want to use Destination Address rather than Destined Local in your rules.
How do I add additional WAN IPs to my Untangle and/or set up 1:1 NAT?
Any additional WAN IPs can be entered on the interface they will live on in the IP Address Aliases section. Please note that in most cases the netmask of the aliases should match the netmask of your primary IP, but if you're not sure you can contact your ISP for verification. If you'd like traffic from an internal machine to go out a particular WAN IP, you can add a NAT Policy under the Nat Policies section of the interface the machine lives on. You'll need to enter the internal IP of the machine under Address and Netmask, where the netmask will be /32 for just that machine, and enter the WAN IP under Source Address. Please make sure you have 0.0.0.0/0 and auto as the last entry; this will take care of the rest of your network.
options to dnsmasq. Please note that each extra interface needs its own entry separated by a carriage return.
External Interface: (whatever it needs to be)
Internal Interface: 192.168.1.1/24 (The DHCP server will take care of this by default)
DMZ Interface: 192.168.5.1/24
eth3 Interface: 192.168.10.1/24

dhcp-range=192.168.5.100,192.168.5.200,14400
dhcp-range=192.168.10.100,192.168.10.200,14400
You will also need to create some Packet Filter rules at Config > Networking > Advanced > Packet Filter. As noted earlier most rules are evaluated top down, so make sure the Pass rule is above the Drop rule or all DHCP traffic will hit the first rule and be dropped.
Under System Packet Filter Rules, uncheck "Block all DHCP Requests to the local DHCP Server", "Allow DHCP Requests from the DMZ interface", and "Allow DHCP Requests from the internal interface."
Create a rule to accept DHCP on any of the interfaces you want it served to:
    o Action: Pass; Protocol: UDP, Destination Port: 67, Source Interface: (check all interfaces you want DHCP available to)
Create a rule to Drop DHCP on all the interfaces:
    o Action: Drop; Protocol: UDP, Destination Port: 67, Source Interface: (check all interfaces)
After all this is completed, you'll have the following DHCP pools available on their respective interfaces: 192.168.1.x on Internal, 192.168.5.x on DMZ, and 192.168.10.x on eth3.
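An added example (not part of the Untangle guide): a simplified Python model that checks each dhcp-range pool above sits inside one interface's subnet and shows why the Pass rule has to sit above the Drop rule. The rule dictionaries, the first_match function and the choice of Internal, DMZ and eth3 as the interfaces served are assumptions for illustration, not Untangle's packet filter implementation.

```python
import ipaddress

# Interface addresses and dnsmasq lines copied from the guide above.
INTERFACES = {"Internal": "192.168.1.1/24", "DMZ": "192.168.5.1/24",
              "eth3": "192.168.10.1/24"}
DNSMASQ = """dhcp-range=192.168.5.100,192.168.5.200,14400
dhcp-range=192.168.10.100,192.168.10.200,14400"""

def parse_dhcp_ranges(text):
    """Return (start, end, lease_seconds) for each dhcp-range line."""
    ranges = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key != "dhcp-range":
            continue
        start, end, lease = value.split(",")
        ranges.append((ipaddress.ip_address(start),
                       ipaddress.ip_address(end), int(lease)))
    return ranges

def interface_for(start, end):
    """Interface whose subnet contains the whole pool, or None if none does."""
    for name, cidr in INTERFACES.items():
        net = ipaddress.ip_interface(cidr).network
        if start <= end and start in net and end in net:
            return name
    return None

def first_match(rules, packet):
    """Top-down evaluation: the first matching rule decides the verdict."""
    for rule in rules:
        if (rule["proto"] == packet["proto"] and rule["dport"] == packet["dport"]
                and packet["iface"] in rule["ifaces"]):
            return rule["action"]
    return "default"

# Assumed rule set: DHCP served on Internal, DMZ and eth3, dropped elsewhere.
ALL = {"External", "Internal", "DMZ", "eth3"}
PASS_DHCP = {"action": "pass", "proto": "udp", "dport": 67,
             "ifaces": {"Internal", "DMZ", "eth3"}}
DROP_DHCP = {"action": "drop", "proto": "udp", "dport": 67, "ifaces": ALL}

def dhcp_verdicts(rules):
    """Verdict for a DHCP request (UDP/67) arriving on each interface."""
    return {i: first_match(rules, {"proto": "udp", "dport": 67, "iface": i})
            for i in sorted(ALL)}

if __name__ == "__main__":
    for start, end, lease in parse_dhcp_ranges(DNSMASQ):
        print(interface_for(start, end), start, end, lease)
    print("Pass above Drop:", dhcp_verdicts([PASS_DHCP, DROP_DHCP]))
    print("Drop above Pass:", dhcp_verdicts([DROP_DHCP, PASS_DHCP]))
```

With Pass above Drop, only External is denied DHCP; with the order reversed every interface hits the Drop rule first.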
If you'd like to allow DNS resolution on the DMZ interface you'll need to enable the Accept DNS traffic to the local DNS Server from all interfaces Packet Filter rule. This will allow DNS requests from the External Interface as well, so you will probably want to add a Packet Filter rule to drop requests to port 53 from the External Interface:
The same rule with the port changed to 443 rather than 22 will block external access to Untangle's webGUI; many administrators prefer to use OpenVPN to securely access their network and then administer the Untangle.