Skip to Content

Untangled Internet connection

I've been meaning to update my firewall to the Untangle Multi-functional Firewall Software system. I finally got around to it tonight. In the process I've noticed a few quirks and felt they should be documented.

Installation
First, visit the Download page and grab the ISO.

I tried to set up the ISO onto a bootable USB stick, but this failed. In the end I had to dust off the old spool of blank CD media, and fire up the CD burner for the first time in more than a year.

Next, I shut down my existing firewall (an IPFire installation) that had been running for 146 days straight. I pulled the hard drive out of the box and replaced it with another drive that was tagged for this task. Then I fired up the computer and booted from the burned CD.

If you've installed Linux before, the initial part of the installation is very familiar. Tell it the language you want to install in, select your keyboard, and indicate that yes you really do want to erase the drive. The installation takes 10 to 20 minutes.

Once the computer has been rebooted, it'll fire up into the Untangle system. The setup wizard is pretty straight forward, assuming you know a little about networking - but you wouldn't be installing a firewall like this if you weren't. Follow through the wizard and you'll be up and running with a basic firewall.

Configuration Gotchas

I ran into a few quirks. Most of them were simply getting used to the interface though some were not so obvious.

  • Time Zone - When the setup wizard asks about your time zone, it is prepopulated with what appears to be the right value. Mine said "Mountain". It turns out that you need to set this value regardless of what it says. If you don't do this, the system assumes an UTC Time, and changing it later doesn't seem to work.
  • Package Installation - When asked what packages to install, just close the window via the X in the upper right. Selecting the Premium or Standard package here results in trial packages being installed. If you are intending on purchasing these packages anyways, then this is not an issue. But you can purchase the packages you need later. It seems that you do not need any packages at all to do basic routing, but... After closing the window, you'll see the packages listed down the left. You can pick and choose which ones you want. But I recommend the Lite package - this installs the free packages that will get you started.
  • Interface Familiarity - The first thing you should do while the packages are downloading is to review your configuration settings. To do this, click the Config tab on the left above the package lists. You'll see a list of areas down the left, each of which may show sub areas as links in the content area (the menu bar like list of links across the top). As you enter and edit each of these sub-areas, you have to watch the Apply and OK buttons in the bottom right - if they are not faded out, you MUST click one of these buttons to for your changes to be saved - even if you had to hit a save button to set the new settings already. Port Forwarding is a good example of this.

    You cannot enter another section on the left until you close the current section. You can do that by click the OK or Cancel buttons in the bottom right, or the X button in the upper right.

    Review each of the sections and set the values to meet your needs.

  • DMZ access from the internal network - The biggest problem I had was that even after setting up my port forwarding rules, I could not access my web server from inside my network. From the Untangle box itself or from outside the network everything worked properly. This took me a bit to sort out, and I even reinstalled once to try to sort it out.

    My web server does NOT have it's own public IP address - the IP gets access to the firewall, and it decides how to direct the traffic to internal resouces. So, the recommendation on the Untangle site to bridge the DMZ to the external interface does not apply. I set up a static IP for the DMZ interface.

    Next, the port forwarding rules needed to be created. I wanted all incoming traffic on port 80 to be directed to the web server in the DMZ. So after setting up the basic port forwarding rule, things still didn't work. After much beating of my head on the wall, I got it worked out. The conditions needed to be "Destined Local", "Protocol: TCP", and "Destination Port: 80". The "Source Interface" condition which was automatically added on my first attempt was not needed at all. (So my internal network goes "out" then back in, and at that point is treated just like any other external request.)

After getting these quirks out of the way, I configured each of the packages for my needs. The packages are listed in a "rack" down the center of the main content area. Click the Settings button to configure them. Most of the default values are just fine.

For OpenVPN, I set up as a VPN Server, then created a Client connection for my laptop. The only real thing I changed was to add another address pool. I don't like using the 192.168.x.x range of addresses because there is too much chance for collisions with other "default" networks. I didn't want to remove the existing "default" pool so that I could use it as a sample. So I added a new pool. After that I created a new client, and while doing that I selected the new address pool. After saving that you have to hit the Apply button in the lower right of the screen. Now, the Distribute button is displayed. Clicking that allows you to get access to the OVPN config file and required certificates. Setting up OpenVPN on the laptop was a simple matter of dropping these files into the /etc/openvpn directory on the laptop then restarting the service. Voila! Secure external access to the internal network.

So far, I'm liking Untangle much better than IPFire, and IPCop even. The setup was straight forward, and everything I need to be working more or less just works. IPCop/IPFire did most of that, but each introduced problems - specifically I couldn't VPN into the internal network easily. And Untangle has a commercial side to it, so it is likely to be around longer than IPCop was, and receive more updates than IPFire did.