Initial Setup

Hello and thanks for your interest in Untangle! This will be a quick primer on getting your Untangle installed, up and running, and (hopefully) answer some common configuration questions without too much confusion. If you already have Untangle in your network, you can skip to any relevant section and read from there. If you're new to Untangle, we recommend reading this section in its entirety to help familiarize yourself with Untangle and how it works - it will probably save you a headache or two later on. Please Note: Most of the features discussed in this User Guide are available in the (free and Open Source) Lite Package of Untangle Server software; however, some features are only available if subscribing to paid applications or packages. For a current list of features and pricing, have a look at our Product Overview.

Contents
[hide]

1 Setting up the Untangle software 2 Placing Untangle into your Network o 2.1 Router Mode o 2.2 Bridge Mode o 2.3 Notes 3 Working with Untangle o 3.1 The webGUI o 3.2 Applications 3.2.1 Filter Applications 3.2.2 Service Applications o 3.3 Config 4 Common Configuration Questions o 4.1 What are some of Untangle's idiosyncrasies I should be aware of? o 4.2 How secure is Untangle? o 4.3 How do I port forward traffic to internal machines? o 4.4 How do I add additional WAN IPs to my Untangle and/or set up 1:1 NAT? o 4.5 How do I add a guest or private WiFi network to my Untangle? o 4.6 How do I get DHCP working on other Interfaces? o 4.7 How do I prevent SSH access to my Untangle from the Internet? o 4.8 Does Untangle support failover?

[edit]

Setting up the Untangle software

Untangle installs to the hard drive of a PC and will erase any data or operating system on that drive, so it's recommended to backup anything you need before installing. Simply download the ISO from Untangle or from our Sourceforge page, burn it to a disc and boot it from the computer - the Installation Wizard will start and guide you through the install and network configuration process. We also have a QuickStart Guide available. Please note that Untangle requires at least two NICs to be installed before you start the installation. [edit]

Placing Untangle into your Network

Untangle is an in-line device, meaning only traffic that flows through it will be filtered. There are two modes available with Untangle: Router mode and Bridge mode.

[edit]

Router Mode
In Router mode, Untangle will be the edge device on your network and serve as a router and firewall. In this case, you'll need to set up your External and Internal interfaces correctly for traffic to flow, which should have been done while installing.

Untangle in Router mode

[edit]

Bridge Mode
In Bridge mode, Untangle is set between your existing firewall and main switch. When in Bridge mode Untangle is transparent, meaning you won't need to change the default gateway of the computers on your network or the routes on your firewall - just put the Untangle between your firewall and main switch and... that's it! You'll need to give Untangle's External interface an IP in the subnet of the firewall, set the Internal interface to bridge and bridge it to External.

Untangle in Bridge mode

[edit]

Notes

If you're having connectivity issues, you may want to try a crossover cable between Untangle and the upstream device - this is usually not necessary with modern equipment, but it's something to try if the settings look good but it's just not working. If you want to install Untangle in a VM, we recommend reading this guide. If you're in Router mode and have a PPPoE WAN connection, contact your ISP and see if the modem can do the authentication and pass the IPs to Untangle so you can set the External interface to Static - this is a much better situation than having Untangle do the PPPoE login, since some features (such as Multi-WAN) will not work with interfaces set to PPPoE. If you're in Bridge mode you most likely do not want to be double NATing, so make sure your Internal interface is set to Bridge and not Static or DHCP. When setting up in Bridge mode, it's easy to have the Untangle plugged in backwards. The quickest way to check is to go to a website that should be blocked and take a look at the block page - if you see a simple page with a white background and black text, your interfaces are backwards. If you see a grey background with an Untangle logo, you're good to go. If it is backwards, you should be able to simply swap the External and Internal cables connected to the Untangle and verify you get the correct block page.

[edit]

Working with Untangle

You can administer Untangle in three ways:

Local: Simply click Launch Client on the Untangle GUI and a web browser will load the webGUI. On the LAN: In your browser, enter the LAN IP of the Untangle (for example http://10.0.0.1) Remote: In your browser, enter the WAN IP of the Untangle (for example https://203.0.113.1)

You may get a warning about certificates, these can be dismissed as you are safe connecting to your Untangle server. When prompted, provide your login credentials and you will be presented with Untangle's webGUI. By default, Remote Administration is disabled - it can be enabled from Config > Administration. After you reboot you will be presented with the Application Wizard - this will help you decide on what applications to download and use with Untangle. We provide a 14-day trial of all applications (except Branding Manager), so feel free to try different apps and see if they meet the needs of your organization.

[edit]

The webGUI
Once the Untangle has downloaded the applications, you'll see the webGUI on the console:

Untangle with trial apps installed

Untangle's webGUI can be divided into two main parts, the Navigation Pane on the left and virtual Racks on the right. The Navigation Pane contains two tabs - Apps is used to install applications into your racks, while Config is used to configure various general settings within your Untangle. Applications are installed into racks and filter the traffic that flows through them. Each application has a faceplate with a Settings button to configure it, blingers to show you current status information, and a power button to toggle it on or off. Across the top of the webGUI there is a dropdown to switch racks or use the Session Viewer, network speed statistics, a count of open sessions, and CPU, memory and disk information.

Please note that our free Lite Package only includes the ability to use one rack; if you need the ability to create multiple racks you'll need the Policy Manager.

[edit]

Applications

There are two types of Applications:

Filter Applications: All the Applications above the Services pane in the interface can have unique configurations, which you can apply to specific virtual racks. Virtual racks enable you to create different policies for different sets of users. Service Applications: All the Applications below the Services pane are services and are "global." Each has a configuration that applies to all virtual racks. As such, if you remove any service from any rack, you will remove that service from all racks.

[edit] Filter Applications

Spam Blocker

Phish Blocker

Spyware Blocker

Web Filter

Web Filter Lite

Web Cache

Bandwidth Control

Kaspersky Virus Blocker

Virus Blocker

Intrusion Prevention

Protocol Control

Firewall

Ad Blocker

[edit] Service Applications

Commtouch Spam Booster

IPsec VPN

Captive Portal

Live Support

WAN Failover

WAN Balancer

Policy Manager

AD Connector

Attack Blocker

OpenVPN

Configuration Backup

Reports

Branding Manager

[edit]

Config
The Config tab allows you to modify Untangle's major non-app settings, such as your WAN/LAN interfaces, Port Forwards, DHCP Server, and more. There are quite a few settings under the Config tab's umbrella, so we've broken it out to a different page you can find here.

[edit]

Common Configuration Questions

The following section deals with common questions related to Untangle's configuration after you have it set up and traffic is properly flowing to your network.

[edit]

What are some of Untangle's idiosyncrasies I should be aware of?

By default, all Untangle interfaces can talk to each other - if you want to wall them off, you can use the Firewall application.

The Untangle webGUI has two modes: Basic and Advanced. You can switch between these modes at Config > Networking > Advanced, but be aware that while switching to Advanced mode will give you more options, switching from Advanced to Basic will both remove these extra options and require you to re-run the configuration wizard. If you have three or more interfaces when you install, Untangle will name these External, Internal and DMZ by default. These names cannot be changed. DMZ is just an interface name, it is not handled differently than any other interface. Any additional interfaces will be named ethX, where X is the number of the interface. Most ordered lists such as Port Forwards and Firewall rules are evaluated from top down, so any traffic that matches a rule will cause it to fire. If you have some entries lower in a list that don't seem to work, take a look at the entries above it they may be firing on that traffic before it ever gets down to the rule you're troubleshooting. The Destined Local flag will match traffic on any IP Untangle holds, so if you have multiple external IPs your port forwards should use the Destination Address flag rather than Destined Local.

[edit]

How secure is Untangle?

Using a default Router mode install, Untangle will block any inbound traffic that isn't explicitly port forwarded using NAT. Port 443 will show up as open and give you a login page, but by default even if you have the correct credentials External Administration will be disabled - you can change this at Config > Administration. If any other ports are showing up as open from the outside, you've either set up a port forward for them or the Untangle is somehow misconfigured. The Firewall rack application is set to default pass, so if you want a default block you'll need to change that - please be aware that doing so can be a major administrative headache.

[edit]

How do I port forward traffic to internal machines?

Untangle's port forwarding section can be found at Config > Networking > Port Forwards. We provide a few common examples, such as forwarding incoming HTTP or SMTP traffic to an internal server which will work fine for simple installations; if you have

multiple IPs and you're having problems you'll want to use Destination Address rather than Destined Local in your rules.

[edit]

How do I add additional WAN IPs to my Untangle and/or set up 1:1 NAT?
Any additional WAN IPs can be entered on the interface they will live on in the IP Address Aliases section. Please note that in most cases the netmask of the aliases should match the netmask of your primary IP, but if you're not sure you can contact your ISP for verification. If you'd like traffic from an internal machine to go out a particular WAN IP, you can add a NAT Policy under the Nat Policies section of the interface the machine lives on. You'll need to enter the internal IP of the machine under Address and Netmask where netmask will be /32 for just that machine and enter the WAN IP under Source Address. Please make sure you have 0.0.0.0/0 and auto as the last entry, this will take care of the rest of your network.

[edit]

How do I add a guest or private WiFi network to my Untangle?

In both cases you will need to disable DHCP on the wireless AP, give it an IP in the subnet of the interface you're plugging it into, and use a LAN port rather than a WAN/Uplink port on the router/AP. If the AP also a router, you'll need to set it into Router rather than Gateway mode. To add WiFi to your existing network, just plug it in to a switch somewhere on the network. If you're looking for a guest WiFi network walled off from your private network, the easiest way is to plug the wireless AP into its own interface and configure the Untangle to hand out DHCP on that interface. You can then use the Firewall to wall off that interface from connecting to your private network.

[edit]

How do I get DHCP working on other Interfaces?

To get DHCP working on interfaces other than Internal and DMZ, you will first need to go to Config > Networking > Advanced > DHCP & DNS, enable it, and pass the proper

options to dnsmasq. Please note that each extra interface needs its own entry separated by a carriage return.

Example Scenario (from a default installation):

External Interface: (whatever it needs to be) Internal Interface: 192.168.1.1/24 (The DHCP server will take care of this by default) DMZ Interface: 192.168.5.1/24 eth3 Interface: 192.168.10.1/24

This is what you'd enter under DHCP & DNS:

dhcp-range=192.168.5.100,192.168.5.200,14400 dhcp-range=192.168.10.100,192.168.10.200,14400

You will also need to create some Packet Filter rules at Config > Networking > Advanced > Packet Filter. As noted earlier most rules are evaluated top down, so make sure the Pass rule is above the Drop rule or all DHCP traffic will hit the first rule and be dropped.

Under System Packet Filter Rules, uncheck "Block all DHCP Requests to the local DHCP Server", "Allow DHCP Requests from the DMZ interface", and "Allow DHCP Requests from the internal interface." Create a rule to accept DHCP on any of the interfaces you want it served to: o Action: Pass; Protocol: UDP, Destination Port: 67, Source Interface: (check all interfaces you want DHCP available to) Create a rule to Drop DHCP on all the interfaces: o Action: Drop; Protocol: UDP, Destination Port: 67, Source Interface: (check all interfaces)

After all this is completed, you'll have the following DHCP pools available on their respective interfaces: 192.168.1.x on Internal, 192.168.5.x on DMZ, and 192.168.10.x on eth3.

If you'd like to allow DNS resolution on the DMZ interface you'll need to enable the Accept DNS traffic to the local DNS Server from all interfaces Packet Filter rule. This will allow DNS requests from the External Interface as well, so you will probably want to add a Packet Filter rule to drop requests to port 53 from the External Interface:

Action: Drop; Destination Port: 53; Source Interface: External

[edit]

How do I prevent SSH access to my Untangle from the Internet?

SSH to your Untangle is disabled by default, but if you enable it and want to block access from the Internet you can create the following Packet Filter rule:

Action: Drop; Destination Port: 22, Source Interface: External

The same rule with the port changed to 443 rather than 22 will block external access to Untangle's webGUI; many administrators prefer to use OpenVPN to securely access their network and then administer the Untangle.

[edit]

Does Untangle support failover?

Yes and no. Untangle does support WAN failover with our WAN failover app. If you are referring to hardware to hardware failover, we do not support this feature at this time. If uptime is critical for your network, you can use these special bypass cards. This only works if the Untangle is in bridge mode. There is information about HA Bypass cards here.