I recently wrote about installing ClearOS as my firewall/UTM and it included the ability to run as a typical. Well, its life was short and it was replaced by Untangle just a few days later. ClearOS’s feature checklist seemed to meet my needs while providing even more features. The initial install also went well and things seemed fine at first. But then I started having problems with the software and there were a few things I didn’t like. I probably should have given it more of a chance, but since I had so little invested, I bailed quickly.
I had problems browsing the web along with inconsistent performance. Some of these seemed to be performance related, as tweaking the settings and turning off certain features helped performance although the problem never really went away. I say it seemed to be performance related because actually watching CPU and memory usage didn’t highlight any problems. Yet cycling the software off and on resolved the immediate problem (usually just cycling the web proxy was enough).
But the biggest con for me was that everything seemed to tie into the web proxy. So if I wanted to scan for viruses it was done through the web proxy. It’s the proxy configuration that gave me the most headaches trying to get a working configuration. Hardware-wise the HP MicroServer seemed fine. Even when I had browsing problems there was plenty of free memory and the CPU usage was low. It’s not like memory or CPU usage was significantly lower after cycling the proxy.
In a bit of irony, one reason I passed on Untangle was that I read it was a resource hog. While it certainly needs more resources than something like pfSense it has run fine on the same hardware ClearOS was on. I haven’t had any performance problems running Untangle and haven’t rebooted or cycled the server except to move it to a UPS.
Untangle uses a rack metaphor where all the installed modules are shown in the rack and all traffic flows through the rack. My current rack is shown below:
All the modules shown, except the Kaspersky Anti Virus Blocker, are included in the free version of the software. I’ll probably subscribe to the Kaspersky virus blocker for some added protection but other than that I’ll stick to the free modules. I tried some of the other modules, such as WAN balancing but haven’t found anything I really want and would pay for. In addition to the modules shown the free modules include: Protocol Control (block unwanted protocols), Spam Blocker, Captive Portal (screen new network users), and OpenVPN.
Savings Tip: Towards the end of each trial I received an email with a coupon code for an additional 10% off an annual (or multi-year) subscription so even if you know you want the module go for the trial and get the coupon code.
As for the WAN balancing I was looking for – it doesn’t technically balance traffic. But I do have it hooked to both a DSL and Cable connection and it’s been splitting the traffic between the two without causing any problems. While I was originally looking for something to manage both my broadband connections I’ve found just splitting the traffic works fine. I don’t have the ability to report how much traffic uses each connection without buying an add-in. While something I’d like to have, I’d probably opt for adding pfSense before buying an add-in as it’s not worth $10/mth to me.
One Untangle Problem
I have had one problem with Untangle. After switching to Untangle I was no longer able to stream Netflix videos to any computer/device except my iPad. Since it was unlikely that all those computers and devices broke at once I started turning off Untangle modules one at a time until I narrowed it down to the virus blockers. The only configurable item (that seemed remotely related) for it was “Disable HTTP Resume” which was enabled/checked per the Untangle recommendation. Turning this option off in both the standard and Kaspersky virus blockers resolved the issue and Untangle stopped blocking Netflix.
Now, not disabling HTTP resume could let viruses through. HTTP resume allows a browser to start downloading a file from anywhere in the file. For example, from where a download was interrupted. I can see why this feature would be useful for streaming. But if a file download starts mid-way in the file then Untangle won’t be scanning the entire file so it could miss a virus.
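The trade-off described above, modelled as an added example (not from the original post and not Untangle's code) with a toy origin server and a toy scanning proxy. The marker string, the file layout and the idea that the setting works by dropping the `Range` request header are assumptions made for illustration.

```python
import re

# Constructed stand-in for a virus signature (a harmless marker string).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
# Constructed 300-byte "file" on a toy origin server; the marker sits at offset 100.
FILE = b"A" * 100 + SIGNATURE + b"B" * (200 - len(SIGNATURE))


def origin(headers):
    """Toy origin server honouring a single 'bytes=start-end' Range request."""
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", headers.get("Range", ""))
    if not m:
        return 200, FILE                      # whole file
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else len(FILE) - 1
    return 206, FILE[start:end + 1]           # Partial Content


def gateway(headers, disable_resume):
    """Toy scanning proxy: it can only judge the bytes that pass through it.

    disable_resume=True is modelled as dropping the Range header so the
    origin always returns the whole file (assumed mechanism).
    Returns (status, bytes_scanned, verdict).
    """
    if disable_resume:
        headers = {k: v for k, v in headers.items() if k.lower() != "range"}
    status, body = origin(headers)
    verdict = "blocked" if SIGNATURE in body else "clean"
    return status, len(body), verdict


def resume_from(offset, disable_resume):
    """A client resuming the download at `offset`, as after an interrupted transfer."""
    return gateway({"Range": f"bytes={offset}-"}, disable_resume)


if __name__ == "__main__":
    # Resume allowed: the proxy sees only the tail of the file and passes it.
    print(resume_from(150, disable_resume=False))
    # Resume disabled: the proxy sees the whole file, but the client that
    # asked for a range gets a full 200 response instead of a 206.
    print(resume_from(150, disable_resume=True))
```

The second call also shows the side effect: a client that relies on range requests receives the entire file rather than the slice it asked for.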
I’m not too concerned about this, especially short term, since I have local virus protection on PCs and I don’t frequent bad internet neighborhoods. I may look at ways to route Netflix traffic around Untangle or to a different Untangle server since my Netflix devices are very low risk since they are video only devices. (Although how long before we have a Roku/Blu-ray/TV virus?) It looks like I can simply fix the IP addresses for those Netflix devices and then set up a rule to bypass Untangle for traffic to those IP addresses. But that’s still on my to do list. Since I don’t use Netflix on a computer I won’t have to bypass Untangle for these.
The best thing I can say about Untangle is that it’s been running much longer than I ran ClearOS and I’ve spent much less time fiddling with it. It just sits there and works. Well, except for that pesky Netflix streaming problem which took a little while to track down. Untangle’s Unified Threat Manager features seem better than its abilities as a router, at least out of the box at the free software level.
I’d like to have pfSense in front of Untangle to handle the routing but I’m not sure the benefits are worth the effort. I’ll also look at bypassing Untangle for my media devices (Roku/Blu-Ray/TV) but that’s a low priority and it may be a while before it bubbles to the top of my list. For now I’m happy with Untangle and the status quo.