104 replies to this topic

[geek-accountant]

This post is a reply to pcdoc in another thread (didn't want to hyjack that thread with this unrelated topic).


pcdoc, one of the things I love about having my router (pfSense) and UTM (Untangle) on a VM, is how easy it is to stop one setup and start another. I did that a lot when I was first setting things up. Now I have pfSense as the router and Untangle after that as the UTM and pretty much leave it alone. Combined they work great. The only thing I pay for is the extra virus protection on Untangle. It comes with a light weight virus scanner, but I pay for the Kaspersky Virus Blocker to get better scanning at the router level. With two teenage boys (well almost 15 and 11), having virus protection at the router level makes me feel a little better.

I have both pfSense and Untangle running on a Xenserver and only use it for this purpose. I have considered beefing up the hardware and running some other VM's, but I like having these two guys all alone. They are both backed up to another server and before making any changes to them I always take a snapshot. Therefore, even when the harddrive in the system failed on me a couple of months ago, I was back up and running withing the hour (had a spare drive already) with the exact same setup.

Here is a screen shot I just took of my Untangle "rack" as they call it.




I hear Untangle is a good router, but I have not tried it that way and only use the filtering functions (virus, spam, phish, spyware, web, etc). For a router, I prefer pfSense. It has pretty good QOS settings, UPNP works great, reporting is pretty good and there are a number of add on packages to add more functionality. I use a Dashboard plugin, Country Block plugin (block all of Asia, Russia and several other locations) and a few others.

Here are a few screen shots of pfSense:


This is the initial screen you see when you log into pfSense. I am using the Dashboard package which makes the screen more useful.





Here is the traffic graph with the Rate package added so I can see which computer is using what bandwidth at the moment (no historical reporting however)




Here is the RRD graphs. Only two graphs are shown in this screen capture (the 4 and 16 hour graphs), but further down on that same page are the 2day, 1 month, 6 months and 1 year graphs. Also, that was just the quality graph, there is also a traffic graph and several others.





And while I have double virus scanners running on the Untangle box, I also use a pfSense package called Country Block, as shown below.




When I first set all this up I was a little worried about how much lag it would introduce, and I didn't want anything screwing up my Xbox360 Call of Duty games. Well, even with the wife on her computer, one of my sons on the other Xbox and the other one streaming video from the internet, the Call of Duty games are unaffected by any noticeable amount. Before I built my own router, under these same conditions, every router I tried had trouble (just a couple Netgear and Linksys routers). So I am very pleased with the setup.

Also, I have Untagle e-mail me a pdf report every day of what happened the day before. I was shocked when I was reading one of them and found it had blocked 14 virus from being downloaded. Me and my 15 year old had a good talk about him visiting hacking websites!!

Edited by geek-accountant, 05 February 2011 - 06:51 PM.

[pcdoc]

Wow, this is a great post. I have never seen pfSense before but I did run untangle as router about 6 months ago. About 2 months before they released there brand new version. I had it running on an atom box and it worked great except one thing. Everytime I would launch a blu-ray and TMT would start to fire up it would freeze. The issue was media center would try and access a IMDB site eveytime a blu-ray would play and untangle would block it. I am sure there is a way to fix it but at the time I did not have the time as we where just starting the podcast so I let it go. I am now ready to try out their new version and see if I can things to work. Now that I have a local expert, I let you know how this works out or if I have any questions. Thanks for taking the time to post the screen shots and the detail information. Keep you posted on my progess and thanks again for the effort. Very cool setup you have there.

[HSS-Dave]

Wow! This is a nice setup. I might try untangle as a router and filter. I may have to seriously consider something like this when my boys get older.

I notice that the Kaspersky addon is not cheap. $108 for a year so it takes some commitment to this platform if you want to run the extra stuff. Do you mind sharing your xenserver setup? How many NIC's you run, etc?

[pcdoc]

THe debate of using local protection in lieu of router based is always there. I prefer to use nortons internet security on the PC and then use Untangle or equiv as the firewall. You need a min of 2 NICs. One for the modem, one for internal network, and a third if you want a DMZ or Wireless access point. I have just ordered all the component build this and will be joining the ranks with geek-accountant in the next couple of weeks. They have a brand new version out and I want to give it another shot. I do like his approach of using a VM but I will just build up an atom board and use it a dedicated router. There is a good video of it on Hak5 as well as other sites. Never tried pfSense yet but may give that a shot before final deployment.

[geek-accountant]

All of the addon's are not cheap from Untangle, but the additional virus protection is their cheapest. I found their free virus scanner to be somewhat weak and I wanted the added protection of the stronger scanner (wait until you kids get bigger ). I still have antivirus protection at the PC level, but like having it at the router level also.

The setup is a AMD dual core cpu with 4gig of ram. For a long time, I ran pfSense and Untangle in separate boxes with weaker hardware (just some old stuff I had lying around). Then when I heard about virtulization, I decided this would be the perfect project. First tried esxi and it wouldn't install on the new hardware I just bought, so I turned to Xenserver which installed fine.

The system has 4 nic cards, including the onboard card. The onboard card is used for Xenserver management, one card goes to the cable modem, another to my switch and the last one is for when I want to hook up a unsecured wireless connection (I have a wireless access point at another location in the network). The unsecured wireless is only turned on when we expect guest and is separated from the main network. In addition to the physical nic's, there is a virtual switch/nic that goes between pfSense and Untangle.

In this setup, Untangle is used in transparent mode and the firewall is turned off. Therefore, I am using Untangle just for the UTM functions. The setup sounds a bit complicated, but it really is not that bad.

The benefits of having all this in a virtual environment is the ability to have multiple setups and switch between them fairly easy. Also, backing up the VM's is a great way to protect your router setups in case something goes wrong. While I was testing, I had the following VM's setup and switched between them often:

• pfSense to Untangle
• pfSense standalone - no packages
• pfSense - few packages
• pfSense - many packages
• pfSense - DHCP services only
• Smoothwall
• Untangle

There where some more but those are all I can remember right now.

I should also note, that I have resisted the temptation to run other VM's on this server. While it should be fine, I really want to keep these VM's on their own server with no other VM fighting for resources or worse causing stability issues or security problems.

Given how often I mess around with stuff, this server has been rock solid. It once ran for about 100 days without a reboot and then only had to reboot because we had a long power outage.

[geek-accountant]

As for pfSense vs Untangle, they both have their strengths and weaknesses. pfSense has better QOS, better real time reporting, better UPNP and lighter weight. Untangle has better/easier filter, the web filter has worked great with my two boys.

Here is a pretty good article discussing the two:

http://linux.sys-con.com/node/1343164

[cskenney]

I hate these kind of posts....they just get me thinking about something else that I can do, should do or want to do.

I guess I am a little fuzzy on your setup Geek-accountant. You have:

Internet <-> cable company modem <-> pfSense Router <-> Untangle <-> home network

Is that correct? Does all traffic come through pfSense and then Untangle to get to your home computers? How is everything routed through Untangle? or am I missing something. This is all new stuff to me so I am just trying to figure out how it works.

And I only have a 6 year old girl that uses the internet right now but she is too smart for her own good. I need to be thinking one step ahead of her at all times....

[geek-accountant]

Yes, you have it correct. In this setup, Untangle is in what they call "transparent mode". All it is doing is filtering the traffic that comes through it. pfSens is handling all the DHCP and firewall duties. You may want to try them individually first (both are free, Untangle has some paid addons, but works fine without them), before setting them up together. I ran pfSense alone for a good while before adding Untangle. I like Untangles filter better than that in pfSense.

For pfSense, almost any old hardware will work. The hardware requirements are really low. Untangle needs a bit more horsepower and of course if you are going to run them on a virtual server together, then even more horsepower is needed.


Mike

[jmwills]

Two questions for Geek-Accountant:

How does the Untangle product compare to either ISA Server or Astaro and secondly how many NIC cards are in the Hyper V box? (I presume you are running all the VM's from the same box as your WHS, etc)

[geek-accountant]

Not sure Untangle compares to ISA or Astaro. I have downloaded Astaro and installed in on my Xenserver, but haven't done anything past that. I have never used ISA, sorry.

These router OSs are not running in my Hyper-V server. They are running in my Xenserver. Heck, I don't even know if you could get these to run in Hyper-V since it can't run as diverse an OS list as Xenserver.

The Xenserver has 4 nic's. The onboard nic is used for Xenserver management, one nic is goes to cable modem, another to my switch. The last one is only used for an unsecured wireless access point that I run when we have guest that need it.

[pcdoc]

Which version of Untangle are you using? Also in terms of the average install, have you tried just using one solution? Your setup obviously works great and does a great job, but does it do more that a single package? As it stans Untangle has 5 times the security of a store bought router with built in packet inspection and more options of handlling traffic.

[ImTheTypeOfGuy]

I hate these kind of posts....they just get me thinking about something else that I can do, should do or want to do.

I guess I am a little fuzzy on your setup Geek-accountant. You have:

Internet <-> cable company modem <-> pfSense Router <-> Untangle <-> home network

Is that correct? Does all traffic come through pfSense and then Untangle to get to your home computers? How is everything routed through Untangle? or am I missing something. This is all new stuff to me so I am just trying to figure out how it works.

And I only have a 6 year old girl that uses the internet right now but she is too smart for her own good. I need to be thinking one step ahead of her at all times....

I agree completely. Luckily, I feel this is overkill so it isn't high on my list. HOwever, the nerd in me wants to get started now.

[geek-accountant]

Which version of Untangle are you using? Also in terms of the average install, have you tried just using one solution? Your setup obviously works great and does a great job, but does it do more that a single package? As it stans Untangle has 5 times the security of a store bought router with built in packet inspection and more options of handlling traffic.

I am running version 8, which I guess was automaticlly updated. You kept mentioning a new version (Version 8) and I was wondering what you where talking about. Then I checked an noticed that I am no longer on version 7, but am now running version 8. Can't say I notice any difference. Version 8 comes with Bandwidth Control, but that is a fee addon. The only addon I am paying for is the additional antivirus.

As for using one solution, yes I ran pfSense alone for about a year. It works great and is an incredible firewall. I also tried Smoothwall, but I prefer pfSense. I have never tried Untangle as an alone in one standalone solution. But heck since these are on my virtual server, I can just create another version and run it for a while. Untangle just doesn't have the nice reporting of pfSense or all the options, like UPNP which Untangle doesn't have.

My problem with pfSense and why I even introduced Untangle was web filtering. pfSense has a web filter (Squidguard), but it was giving me problems, plus Snort (NDIS & NDPS) was giving me some issues also. I sure I could have worked with these and made them better, but I was reading a lot of good things about using pfSense AND Untangle to create a Super Router, so I gave it a shot and have been very pleased.

I agree with you about either Untangle or pfSense kicking the a$$ of anything you can buy at Best Buy. Heck, they will kick the a$$ of a lot of Cisco routers. Using a PC to power this software gives it a LOT more juice than most routers even if you use some old equipment. In my case, I am using a dual core AMD Athlon with 4gig of ram. I gave both cores to both VM's (pfSense & Untangle), gave 1gig of ram to pfSense and 1.5gig to Untangle. It is probably overkill, but I never have issues with online games (that is related to the router) regardless of what is going on with other computers on the network. AS a test, I once had iTunes download a bunch of podcast which maxed out my connection, before I upgraded to 60meg, then started a Call of Duty game on he Xbox and then had my wife make a phone call on our VOIP phone. Game was smooth with no issues, VOIP call was perfect with no issues.

Before this setup, I was using a dual wan Netgear router (version prior to this one http://www.newegg.co...N82E16833122380) which was a good router, but I could bring it to it's knees with the above test all the time. IMO, this is a decent mid-level consumer router, but still it only has a 300mHz processor and 64meg of ram.

Give this thread a read (http://forum.pfsense...ic,7668.45.html), guy claims to be running Fox News behind a pfSense router. It's an old post, but still an interesting read.

[HSS-Dave]

Do you think it would run on an Artigo a200? This box only has one ethernet but it has a bootable CF slot. USB ethernet adapter maybe?

http://www.via.com.t...a2000/index.jsp

[geek-accountant]

For Untangle or pfSense? The processor and ram look fine for pfSense and should be OK for Untangle, which has a little higher minimum requirements. I would be more concerned with the 1 ethernet port. Although I have never tried it, pfSense is said to support "some" USB ethernet adapters, not sure about Untangle.

What I would recommend is before fighting the install and setup of either pfSense or Untangle in a box like this, do an install on an old PC with two or more nic's just to get a feel for the install process and setup. Then move on to something more challenging like this box. Of course that would be my advice for a more average user, many of the people on here are well past that level.

[maxstacks]

Following the BYOB podcast about PFsense I have setup a PFsense router. I can see where it will be much more flexible than my old Netgear router. It works quite well. On WHS verson 1 I turned on remote access and everything configured correctly. Problem is I only get a 404 page not found when I click on my homeserver.com domain link.

- Yes I can access remote login via 192.168.1.??? but not via the assigned domain name
- Yes I have released the domain name and re configured - same result
- Yes I have enabled UPnP and WHS assigned the correct ports into PFsense

This is a WHS version 1 system.
For clarity the domain name I am talking about is given to each WHS user who runs a WHS (under WHS setting| remote access)

Any advice most welcome. I'm stuck.

[cskenney]

Following the BYOB podcast about PFsense I have setup a PFsense router. I can see where it will be much more flexible than my old Netgear router. It works quite well. On WHS verson 1 I turned on remote access and everything configured correctly. Problem is I only get a 404 page not found when I click on my homeserver.com domain link.

- Yes I can access remote login via 192.168.1.??? but not via the assigned domain name
- Yes I have released the domain name and re configured - same result
- Yes I have enabled UPnP and WHS assigned the correct ports into PFsense

This is a WHS version 1 system.
For clarity the domain name I am talking about is given to each WHS user who runs a WHS (under WHS setting| remote access)

Any advice most welcome. I'm stuck.

Do you know your public IP address? Is it a dynamic or fixed IP address. If you enter that IP address does your remote access logon page come up? It may be a problem with Windows Live ID (the service that connects your issued domain name to your public IP address.

[maxstacks]

Do you know your public IP address? Is it a dynamic or fixed IP address. If you enter that IP address does your remote access logon page come up? It may be a problem with Windows Live ID (the service that connects your issued domain name to your public IP address.

Yes. I suppose what you mean by my public ip is the one shown on the PFsense dashboard next to WAN.
No, remote access doesn't come up when I enter that Ip, PFsense login comes up.

How does it work on your pfsense and WHS? If you tell me your PFsense settings I could try them.

[cskenney]

Yes. I suppose what you mean by my public ip is the one shown on the PFsense dashboard next to WAN.
No, remote access doesn't come up when I enter that Ip, PFsense login comes up.

How does it work on your pfsense and WHS? If you tell me your PFsense settings I could try them.

I am not running pfsense at this time. If you go to this web site, it will tell you your public IP address http://whatismyipaddress.com/.

Since I am an admin for the forums I can see the IP address you are using to post on the forums. If I enter that address in the following format "https://your_public_ip/remote" then I get your WHSv1 Remote Access page.

If this is the same address your are entering and the pfsense page comes up then you have something configured wrong (or you are entering the pfsense remote access)

edit - reading up, pfsense uses PORT 80 by default for remote access. Turn off the pfsense remote access and then try your WHS setup again. I but it will work.

Edited by cskenney, 20 March 2011 - 02:34 PM.
added info

[geek-accountant]

First, awesome to hear your have pfSense up and running and you like it.

Are you trying to get to the WHS page from outside the network (ie, from another location)? I have not had any problems getting to my WHS page from outside the network (I also have UPNP turned on), but I have not tried from inside the network. I just tried from inside the network and can not connect. Was this something you could do with your old router?

In my case, I have a dynamic address from my ISP, but these doesn't seem to matter since I never have issues connecting.