pfSense Routes While Untangle Protects

I’ve been using Untangle as my router since June and don’t have any complaints. It’s worked well as a router and unified threat manager (UTM). I also took the plunge and subscribed to Kaspersky AV for enhanced anti-virus scanning. pfSense had been my first choice as a router, but since it didn’t work with my DSL I stuck with Untangle. Now that the DSL is gone and there’s a new version of pfSense, it was time to try again. This time the plan is to run pfSense and Untangle each on their own HP MicroServer.

Hardware

Untangle Server – This will be the same hardware, minus the dual port NIC, that has been running Untangle. There’s 2 GB of RAM, which has proven to be more than enough even when working as a router and UTM. While Untangle is a bit more resource intensive than other solutions, I could probably get by with 1 GB. I have the additional 1 GB stick and no other use for it, so I might as well use it. The only hard drive is the 160 GB drive that came with the MicroServer. In addition to the onboard NIC I’ve installed a second, run-of-the-mill Intel NIC.

pfSense Server – This will be the same hardware as the Untangle server, 2 GB of RAM and the standard 160 GB hard drive. Even though I initially only need 2 NICs I have a dual port NIC I’ll add to this server and I’ll disable the onboard NIC. This will allow me to add another network segment down the road without having to open the server up again. The 2 GB of memory is even more overkill here. The minimum requirements are just 128 MB of RAM, with 512 MB recommended if some of the larger add-on packages are installed. Again, since I already have the second stick, I decide to use it. The network card is the StarTech Dual Port Gigabit NIC.

The Plan

Since I’ll be moving routers, and therefore DHCP servers (the routers did double duty), I’ll first need to document the current scopes and address reservations. After that the plan is simple.

  1. Shut down the Untangle server and remove the dual port NIC, but leave the software untouched for now.
  2. Install the dual port NIC in the second MicroServer and install pfSense.
  3. Once pfSense is running as a router, reset Untangle to run in bridge mode.

The end result will look like this:

Diagram of the Home Network Plan

pfSense – Initial Problems – Eventual Success

I had some problems right out of the gate.

I decided to try configuring RAID 0, mainly because I already had a matching drive. But this didn’t work. With RAID 0 configured, the pfSense CD went into a never-ending reboot cycle: as soon as it started loading it would reboot. I didn’t spend much time working on this since RAID wasn’t a priority for me on this box, especially RAID via BIOS, which I’ve never really trusted.

I rebooted again after turning off RAID in the BIOS. This time I got as far as the menu to select what I wanted to do – continue the live CD boot or install to the hard drive. I let the live CD boot continue, but then the startup simply stopped with an error. I booted again, but this time during the boot I didn’t accept the default boot option and instead picked the “Boot From USB Device” option, since it was a USB CD drive. This did the trick.

Now I was able to boot the live CD and get it running as a router, getting me back on the internet. But my problems weren’t over yet. When I selected the option to install to the hard drive I received an error code 11 during the file copy. Setting the drive controller to IDE mode and trying a second hard drive resulted in the same error at the same point. Google and pfSense forum searches for the error didn’t provide any help. I skipped through the error and ended up with a working router, but the web interface didn’t work properly. Long story short, while researching the possibility of a bad CD I stumbled upon a pfSense 1.3 CD and accidentally booted from it. So I decided to keep going, and sure enough, after getting it working as a router it installed to the hard drive just fine.

After having pfSense 1.3 running from the hard drive I was able to upgrade to pfSense 2 through the pfSense console. The upgrade went without a hitch and I had the pfSense router working from the hard drive. So it was on to Untangle.

Untangle – Easy Enough

Once pfSense was working I was comfortable tackling Untangle, since I no longer needed it as a router. I needed to change it to bridge mode so it would no longer function as a router or DHCP server. I could do it either by disabling the unneeded services or by resetting to the factory defaults and running the setup wizard again. I chose the factory reset option as the safest route. Since I had removed the network card that had the LAN connection, I attached a monitor and keyboard to the Untangle server and booted it up. I selected the factory reset option from the console.

After the factory reset I just had to run the setup wizard and select bridge mode.

Installation Notes

  • The factory reset preserved my Untangle license for Kaspersky so I didn’t have to go through any re-registration process.
  • The setup wizard was a little confusing. The first screen required me to assign the NIC ports as external and internal and implies an internet connection. I assigned the external as the port connecting to pfSense and the internal as the one going to the switch.
  • The next screen asked me to configure the WAN (internal port). I selected a static IP address and entered 192.168.1.2 (the pfSense LAN port to Untangle is 192.168.1.1). I used the pfSense IP address as the router address. It wasn’t until the next screen that I was asked to select Bridge or Router mode. Once bridge was selected there wasn’t any option to configure the second port (since they both have the same IP address).
  • Most current NICs automatically sense the connection type, so I could use a regular Ethernet cable to link the pfSense server to the Untangle server without needing a crossover cable or a switch.
  • Selecting the appropriate pfSense CD to install was the hardest part. There are multiple selections with little guidance; I used pfSense-2.0-RELEASE-i386.iso.gz.
  • Since the HP MicroServer has a dual core CPU I selected the SMP kernel when asked during the pfSense installation.
  • [Added Oct 10] – I needed to re-select the network type on all my Windows 7 computers as well as a Windows 2008 R2 server I was running.

A diagram showing the setup is below:

Home Network

I haven’t installed any added pfSense packages and the rest of the settings are still using the defaults. I look forward to playing around with pfSense and its optional packages, but out of the box it seems to be working fine.

Wrapping Up & Additional Information

pfSense Website

Untangle Website

The HomeServerShow.com website and forums have a bunch of information, mainly around installing both pfSense and Untangle on the same hardware via virtual machines. Start with the Super Router article or search for “Super Router”, pfSense, or Untangle. Earlier in the year, when I started looking at a software router, I was able to install both pfSense and Untangle as virtual machines running on Citrix XenServer. But I decided to go with two dedicated computers as a less complicated, slightly more secure solution. More secure in the sense that with two boxes there is no VM host sitting on the internet side of the firewall where it could be exposed (although admittedly that exposure is unlikely to be exploited).

Neither pfSense nor Untangle is targeted at home users. This is more noticeable in pfSense in the lack of tutorials for the basics. Right from the beginning it’s noticeable, as there are a couple dozen files available to download with no real indication of which to use and when. But with that said, and despite my specific speed bumps, the pfSense install itself is straightforward and results in an out-of-the-box install that exceeds the capabilities of any store-bought router and “just works”. There’s also an active forum.

Untangle provides a GUI interface so it has a friendlier face. The GUI does add overhead, though, and makes the settings that aren’t front and center harder to find.

Admittedly this is overkill for a home network. But after running up against my bandwidth cap a couple of months ago I want more control and visibility into the bandwidth. Untangle was a start, but pfSense has more features and charts than I’ll ever need, so if nothing else it will be more to play with. While a VM solution makes it easy to swap test machines in and out, the swappable drives of the HP MicroServers give me the same flexibility. The swappable drives are another reason I haven’t looked for smaller form-factor PCs to run pfSense and Untangle.

Anyone else using software routers or custom firmware?

Set a Static IP Address In Untangle

Typically home routers are set to provide DHCP by default and most home PCs use DHCP out of the box. This makes things work with minimal effort. But there may be times where you want a hardcoded IP address. I was recently installing a new home server, which is one case where a static IP address makes sense: having a server potentially change IP addresses is asking for problems. I also configure a static IP address so that I can access my web server using an alias rather than having to type the IP address or fully qualified domain name. Another case where a static IP may be wanted is for media center PCs or any PC you may want to connect to from another PC or device.

This shows the steps for setting a static IP address in Untangle. Other routers will be done differently.

Logon to the Untangle Console & Select Networking on the Config Tab


Select DNS Server on the Networking Page

Existing DNS entries may be listed or the list will be blank.

Select “Add” under the Static DNS Entries section

This will create a new entry with some sample entries

Enter in the information for the computer

Because this computer will only be accessed within my home I don’t enter a full domain name. I can access the computer by using the name only. The name does not need to match the computer’s configured name, but to avoid confusion and potential problems it should.

You’re Done – Click OK

Be sure to set the IP address as a static address on the computer itself (or give it a DHCP reservation). The DNS entry only maps the name to an address; it does nothing to keep that address on the machine.

Now any time you try to connect to the new name it will go to the IP address listed.

Micro Router Project: From Clear to Untangle

I recently wrote about installing ClearOS as my firewall/UTM, and it included the ability to run as a typical router. Well, its life was short and it was replaced by Untangle just a few days later. ClearOS’s feature checklist seemed to meet my needs while providing even more features. The initial install also went well and things seemed fine at first. But then I started having problems with the software and there were a few things I didn’t like. I probably should have given it more of a chance, but since I had so little invested, I bailed quickly.

I had problems browsing the web along with inconsistent performance. Some of these seemed to be performance related, as tweaking the settings and turning off certain features helped performance although the problem never really went away. I say it seemed to be performance related because actually watching CPU and memory usage didn’t highlight any problems. Yet cycling the software off and on resolved the immediate problem (usually just cycling the web proxy was enough).

But the biggest con for me was that everything seemed to tie into the web proxy. So if I wanted to scan for viruses it was done through the web proxy, and it’s the proxy configuration that gave me the most headaches trying to get a working configuration. Hardware-wise the HP MicroServer seemed fine. Even when I had browsing problems there was plenty of free memory and the CPU usage was low. It’s not as if memory or CPU usage was significantly lower after cycling the proxy.

Untangle

In a bit of irony, one reason I passed on Untangle was that I read it was a resource hog. While it certainly needs more resources than something like pfSense it has run fine on the same hardware ClearOS was on. I haven’t had any performance problems running Untangle and haven’t rebooted or cycled the server except to move it to a UPS.

Untangle uses a rack metaphor where all the installed modules are shown in the rack and all traffic flows through the rack. My current rack is shown below (click for full size image):

Image of my Untangle Rack

All the modules shown, except the Kaspersky Anti Virus Blocker, are included in the free version of the software. I’ll probably subscribe to the Kaspersky virus blocker for some added protection, but other than that I’ll stick to the free modules. I tried some of the other modules, such as WAN balancing, but haven’t found anything I really want and would pay for. In addition to the modules shown, the free modules include Protocol Control (block unwanted protocols), Spam Blocker, Captive Portal (screen new network users), and OpenVPN.

Savings Tip: Towards the end of each trial I received an email with a coupon code for an additional 10% off an annual (or multi-year) subscription, so even if you know you want the module, go for the trial and get the coupon code.

As for the WAN balancing I was looking for – it doesn’t technically balance traffic. But I do have it hooked to both a DSL and a cable connection and it’s been splitting the traffic between the two without causing any problems. While I was originally looking for something to manage both my broadband connections, I’ve found just splitting the traffic works fine. I don’t have the ability to report how much traffic uses each connection without buying an add-in. While that’s something I’d like to have, I’d probably opt for adding pfSense before buying an add-in, as it’s not worth $10/month to me.

One Untangle Problem

I have had one problem with Untangle. After switching to Untangle I was no longer able to stream Netflix videos to any computer/device except my iPad. Since it was unlikely that all those computers and devices broke at once, I started turning off Untangle modules one at a time until I narrowed it down to the virus blockers. The only configurable item (that seemed remotely related) was “Disable HTTP Resume”, which was enabled/checked per the Untangle recommendation. Turning this option off in both the standard and Kaspersky virus blockers resolved the issue and Untangle stopped blocking Netflix.

Now, not disabling HTTP resume could let viruses through. HTTP resume (an HTTP Range request) lets a client ask for any byte range of a file, for example from where an interrupted download stopped, which is also how a streaming player seeks within a video. I can see why this feature would be useful for streaming. But if a download starts mid-way through the file, the scanner only sees that fragment rather than the whole file, so it could miss a virus whose signature straddles the cut, and a client that fetches a file in pieces and reassembles it locally never shows the scanner the complete file at all.
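The following Python is an added example written for this page, not Untangle’s scanner or the author’s code. It models the three parties described above: a client, an origin server that honours Range requests, and an inline gateway that scans response bodies for a signature and, when “Disable HTTP Resume” is on, strips the Range header so the origin always returns the whole object. The “file” on the origin and the request headers are constructed here; the signature is the EICAR anti-virus test string, which is harmless and detected by every AV product.

```python
"""Why an inline scanner needs HTTP resume disabled (illustrative model)."""
from __future__ import annotations

import re

# EICAR test string: a harmless, universally recognised AV test signature.
SIGNATURE = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "file" served by the origin: padding, the signature, padding.
ORIGIN_FILE = b"A" * 1024 + SIGNATURE + b"B" * 1024


def origin_server(request_headers: dict[str, str]) -> tuple[int, bytes]:
    """Serve ORIGIN_FILE, honouring a single-range header like 'bytes=1040-'.

    Returns (status, body): 200 for the whole object, 206 for a partial one,
    416 for a malformed or unsupported Range value.
    """
    rng = request_headers.get("Range")
    if rng is None:
        return 200, ORIGIN_FILE
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", rng)
    if not m or int(m.group(1)) >= len(ORIGIN_FILE):
        return 416, b""
    start = int(m.group(1))
    end = int(m.group(2)) + 1 if m.group(2) else len(ORIGIN_FILE)
    return 206, ORIGIN_FILE[start:end]


def scanner_sees_signature(body: bytes) -> bool:
    """A naive signature scanner: the complete signature must be present."""
    return SIGNATURE in body


def gateway(request_headers: dict[str, str],
            disable_http_resume: bool) -> tuple[int, bytes, bool]:
    """Forward a request through the scanning gateway.

    Returns (status, body_delivered_to_client, blocked). With
    disable_http_resume=True the Range header is removed before forwarding,
    so the origin sends the full object and the scanner sees all of it.
    """
    headers = dict(request_headers)
    if disable_http_resume:
        headers.pop("Range", None)
    status, body = origin_server(headers)
    blocked = scanner_sees_signature(body)
    return status, (b"" if blocked else body), blocked


def split_fetch_evades_scanner(cut: int) -> bool:
    """Fetch the file in two ranges split at byte `cut` with resume allowed.

    Returns True if neither fragment was blocked yet the client's reassembled
    file contains the signature, i.e. the scanner was bypassed.
    """
    _, first, blocked_first = gateway({"Range": f"bytes=0-{cut - 1}"}, False)
    _, second, blocked_second = gateway({"Range": f"bytes={cut}-"}, False)
    reassembled = first + second
    return (not blocked_first and not blocked_second
            and scanner_sees_signature(reassembled))


if __name__ == "__main__":
    mid = 1024 + len(SIGNATURE) // 2          # a cut in the middle of the signature
    status, _, blocked = gateway({"Range": f"bytes={mid}-"}, disable_http_resume=False)
    print(f"resume allowed : status={status} blocked={blocked}")
    print(f"split fetch evades scanner: {split_fetch_evades_scanner(mid)}")
    status, _, blocked = gateway({"Range": f"bytes={mid}-"}, disable_http_resume=True)
    print(f"resume disabled: status={status} blocked={blocked}")
```

With resume allowed, a request that starts inside the signature comes back as a 206 fragment that the scanner passes, and two ranges split at the same point are each passed and reassemble into the full signature on the client. With resume disabled, the gateway drops the Range header, the origin answers 200 with the whole object, and the scanner blocks it. The trade-off is exactly the one the text describes: a player that seeks by issuing Range requests gets 200 responses it did not ask for and stalls.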

I’m not too concerned about this, especially short term, since I have local virus protection on PCs and I don’t frequent bad internet neighborhoods. I may look at ways to route Netflix traffic around Untangle, or to a different Untangle server, since my Netflix devices are very low risk as they are video-only devices. (Although how long before we have a Roku/Blu-ray/TV virus?) It looks like I can simply fix the IP addresses for those Netflix devices and then set up a rule to bypass Untangle for traffic to those IP addresses. But that’s still on my to-do list. Since I don’t use Netflix on a computer I won’t have to bypass Untangle for those.

Conclusion

The best thing I can say about Untangle is that it’s been running much longer than I ran ClearOS and I’ve spent much less time fiddling with it. It just sits there and works. Well, except for that pesky Netflix streaming problem, which took a little while to track down. Untangle’s Unified Threat Manager features seem better than its abilities as a router, at least out of the box at the free software level.

I’d like to have pfSense in front of Untangle to handle the routing but I’m not sure the benefits are worth the effort. I’ll also look at bypassing Untangle for my media devices (Roku/Blu-Ray/TV) but that’s a low priority and it may be awhile before it bubbles to the top of my list. For now I’m happy with Untangle and the status-quo.