Netgate Discussion Forum

    Switching From Untangle

    Problems Installing or Upgrading pfSense Software
    6 Posts 4 Posters 5.6k Views
    AndrewBorem

      Good day to all of you.

      I will try and keep this brief, but this will be a bit lengthy.  I am the network administrator for a middle to large-sized construction company in the United States Southeast.  When I got here a year ago things were in utter disarray, and I have slowly been restructuring and replacing outdated or ineffective hardware.  Well, it has come time to replace our RVL series Linksys router.  (!!!)  I initially tried to use Untangle, because of its ease of use in establishing STS VPN connections.  But I ran into some pretty severe brick walls with Untangle that I have been unable to fix.  This has reached a point that I am hoping I will be able to switch to pfSense.

      First, I will start off with an explanation of my network.  We are running out of a single main office, and we have 5 branch offices.  Three of those branch offices are connected with a WAN T1 provided by our ISP.  These WAN connections look like LAN connections to us.  I have an advanced static route that sends any traffic bound for the specific sites to an Adtran router provided by my ISP.  I also have a site that is out of state, that I would like to set up on a STS VPN because of the interconnectivity needed.  Also, I have two different subnets aside from my main office subnet, that are run inside the building.  They are separated by cheap Linksys routers, and do exactly what we need them to.  (namely, isolate production plant communications from the rest of the network.)

      So, we are talking about 1 main subnet, with 6 subnets in addition to that one.  So let me sort of explain what our network looks like:

      Public T1 line from ISP
      |
      |
      |
      Default Gateway (currently Linksys box, having replaced Untangle.)
      WAN = 70.70.70.70
      LAN = 192.168.2.1 / 24

      And then below that I have the following subnets, currently:

      192.168.3.0 / 24
      192.168.4.0 / 24
      192.168.5.0 / 24
      192.168.41.0 / 24
      192.168.42.0 / 24

      The sixth subnet will be the STS VPN for my out of state location.

      I run a webserver and an apps server (for Java-based phone apps) behind the firewall.  These are simple port forwarding rules, so I am not worried about these.

      Now, these are the problems I had with Untangle.  Until the 5.1 final release I could not NAT the secondary subnets.  I could only NAT the .2.0/24 network.  Everything else was unable to get through the router.  This was finally resolved in the final release, so I put the router in production.  Another issue popped up.  I cannot authenticate any secondary subnet computer to the domain.  Authentication traffic is eaten by Untangle.  I also am having some phone system problems.  (Samsung OfficeServ 7100.)

      So, these problems are unacceptable.  Money is tight right now, so I can't just go drop 10 grand on routing equipment.

      Will pfSense do what I need it to?

      If you need more information, please let me know.  Thanks a lot for reading all of this and helping me out!

      Andrew Borem

      Cry Havok

        In theory yes it will.

        NAT shouldn't be a problem.  Passing domain authentication is just down to writing the firewall rules to achieve what you want.  For the phones, without knowing what the problem is there's no way to say what the solution is ;)  pfSense supports multiple VPN types, including IPsec.

        What hardware you will need will depend on your network (bandwidth used, numbers of packets per second, average size of the packets etc - it's more intensive to route 10 Mb/s of small packets than 10 Mb/s of large packets).  You'll find more than a couple of threads on that subject.

        AndrewBorem

          All right, cool.  Thanks for the response.

          I know that hardware is not going to be an issue.  I am a little bit overpowered.

          So if I leave the firewall completely open I shouldn't have issues, right?  I want to get this in as proof of concept, and then actually configure it.

          AndrewBorem

            All right!  Came in after hours and put it in.  Did a lot of reading before and during the whole process, so it took a few hours.  But everything is working marvelously now.

            I was a bit lazy and NATted "any" subnet to my WAN iface.  Created a firewall rule to allow any subnet on the LAN iface to access the WAN iface.  Used the NAT port forward tab to set up my two dozen or so forwards.  Everything is working perfectly now.

            I appreciate all of the help you guys have given.  In the past, that is.  Searching this forum gave me the answers I needed.

            hoba
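            The configuration the poster describes (outbound NAT for every internal subnet, a broad LAN-to-WAN pass rule, and a set of port forwards) can be written out as a pf ruleset, which is what pfSense generates under the hood. The block below is an added illustration, not pfSense's generated rules and not the poster's actual configuration; it follows the subnet layout from the opening post but the interface names, the Adtran router's address, the server addresses and the apps server's port are assumptions, and the plant-isolation rules and default-deny policy are additions a practitioner would want before calling the proof of concept done.

```pf
# Constructed example ruleset. Interface names, the Adtran address, server IPs and
# the apps port are assumed; the subnets come from the thread's network description.
wan_if    = "em0"
lan_if    = "em1"
wan_ip    = "70.70.70.70"
lan_net   = "192.168.2.0/24"
adtran_gw = "192.168.2.254"      # assumed LAN-side address of the ISP's Adtran router

# Branch subnets reached through the Adtran. The "advanced static route" from the
# thread lives outside pf, e.g. on FreeBSD: route add -net 192.168.3.0/24 192.168.2.254
table <branch_nets> { 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24 }
# Production plant subnets behind the in-building Linksys routers
table <plant_nets>  { 192.168.41.0/24, 192.168.42.0/24 }

web_srv  = "192.168.2.10"        # assumed
apps_srv = "192.168.2.11"        # assumed
apps_port = "8443"               # assumed port for the Java phone apps

set skip on lo0
scrub in all

# --- Translation (pf evaluates nat/rdr before the filter rules) ---
# Outbound NAT for every internal source, not only 192.168.2.0/24: the poster's
# "NAT any subnet to WAN", written out explicitly so the branch and plant networks
# arriving on the LAN interface are translated too.
nat on $wan_if from { $lan_net, <branch_nets>, <plant_nets> } to any -> $wan_ip

# Port forwards for the two published servers
rdr on $wan_if proto tcp from any to $wan_ip port { 80, 443 } -> $web_srv
rdr on $wan_if proto tcp from any to $wan_ip port $apps_port  -> $apps_srv

# --- Filter ---
# Default deny and log; "leaving the firewall completely open" is fine for a
# first boot but should not survive into production.
block log all
antispoof quick for { $wan_if, $lan_if }

# WAN: rdr has already rewritten the destination, so the pass rule matches the
# internal address. Only the forwarded services are reachable from outside.
pass in quick on $wan_if proto tcp from any to $web_srv  port { 80, 443 } \
     flags S/SA keep state
pass in quick on $wan_if proto tcp from any to $apps_srv port $apps_port \
     flags S/SA keep state

# Plant isolation, stated with quick so it wins regardless of pf's
# last-matching-rule semantics. Loosen per application if the plant
# needs a specific office server.
block in quick on $lan_if from <plant_nets> to { $lan_net, <branch_nets> }
block in quick on $lan_if from { $lan_net, <branch_nets> } to <plant_nets>

# The poster's "allow any subnet on the LAN interface to the WAN interface"
# rule. Stateful, so replies are admitted without a matching inbound rule.
pass in on $lan_if from { $lan_net, <branch_nets>, <plant_nets> } to any keep state
pass out on $wan_if keep state
```

            Two things to check after loading a ruleset like this: that the plant subnets can still reach the Internet (they are NATed and pass on the LAN interface but blocked from the office networks), and that Windows domain authentication from the secondary subnets reaches the domain controller, which in the layout above is plain routed LAN traffic and does not cross pf at all unless the controller sits on a different interface.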

              @AndrewBorem:

              I appreciate all of the help you guys have given.  In the past, that is.  Searching this forum gave me the answers I needed.

              Great, finally a forum member with the ability to search  :D
              Nice that you got everything working. Spread the word  :)

              cmb

                @AndrewBorem:

                I appreciate all of the help you guys have given.  In the past, that is.  Searching this forum gave me the answers I needed.

                ;D  Glad to hear it!  There is a wealth of information here, just a matter of looking for it.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.