Networking Basics
From UntangleWiki
About Untangle Server's Network Interfaces
To configure your interfaces, go to:
- Configuring Untangle Server's External IP Address (Standard Mode)
- Configuring Untangle Server's Interfaces (Advanced Mode)
The Untangle Server supports up to 7 physical interfaces, though a typical Untangle Server includes the following interfaces:
- Internal
- External
- DMZ (Optional)
Note: OpenVPN creates virtual interfaces.
These interfaces do not need separate IP addresses. In the default configuration, they are all bridged and share the same IP address. Traffic is transparently captured and forwarded to the correct interface.
When the Untangle Server operates as a router, the internal interface has its own address. This address serves as the default route (gateway) for internal machines. In this case, the external and DMZ interfaces are still bridged and share the same IP address. If multiple interfaces are bridged, you can specify aliases.
So why does one need more than the three typical interfaces? Good question. Additional interfaces can be configured as Internal or DMZ, and you do not strictly need them; however, because policies can be applied per interface, additional interfaces give you more flexibility. Here are two reasons, both involving scanning traffic:
- Scanning traffic differently depending on the DMZ. You might want two DMZs, one DMZ that manages an internal Web Server and another DMZ that manages an external Web Server, and you want to scan the traffic differently for each DMZ. Well, you can do this now that the Untangle Server supports multiple DMZs. You can also create different racks for each DMZ.
- Scanning traffic differently depending on business unit. Some companies use a different internal interface for each business unit so that an Administrator can treat traffic differently for each business unit. Using racks is a much easier way to achieve this goal, but some companies have internal policies that state that the traffic must be on different physical network interfaces.
Keep in mind that only one of these seven interfaces can be the default route: the External interface. The other interfaces cannot be used as redundant external interfaces for failover, nor for load balancing; if you are interested in these features, please let us know.
Less Trusted vs. More Trusted Interfaces
Policy Manager and specific Software Products (for example, Firewall) introduce the concept that client and server interfaces can be:
- Less Trusted. Unknown interfaces are the least trusted, followed by DMZ and External.
- More Trusted. Internal interface is the most trusted, followed by VPN.
Because a rule can match on a trust class instead of a single interface, one rule can cover traffic on several interfaces at once. A rule that matches on Less Trusted or More Trusted matches a session when the interface it tests (the client interface, where the request originated, or the server interface, where the request is answered) belongs to that class. Rules are evaluated in the order in which they are listed in the table, so the position of a broad trust-class rule relative to more specific rules determines which one applies to a given session.
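The following is an added example for this page, not Untangle's own code, showing how a trust-class rule covers several interfaces with one entry and why the order of the table matters. The interface names and their Less Trusted / More Trusted grouping follow the page; the Session and Rule shapes, the sample rule table and the sample sessions are assumptions.

```python
"""Trust-class rule matching, first match wins.

Added illustration for this page, not Untangle's own code. The interface
names and their grouping follow the page (Unknown, DMZ and External are Less
Trusted; VPN and Internal are More Trusted); the Session and Rule shapes,
the sample rules and the sample sessions are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MORE_TRUSTED = {"internal", "vpn"}
LESS_TRUSTED = {"external", "dmz", "unknown"}


def trust_class(interface: str) -> str:
    """Return 'more' or 'less'. Any name the policy does not know counts as
    Unknown, i.e. least trusted, which is the safe default for an unlabelled
    interface."""
    name = interface.strip().lower()
    return "more" if name in MORE_TRUSTED else "less"


@dataclass
class Session:
    client_iface: str   # interface the request arrived on
    server_iface: str   # interface the answering host sits behind
    proto: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                         # "block" or "pass"
    client_trust: Optional[str] = None  # "less", "more" or None for any
    server_trust: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, s: Session) -> bool:
        return (
            (self.client_trust is None or trust_class(s.client_iface) == self.client_trust)
            and (self.server_trust is None or trust_class(s.server_iface) == self.server_trust)
            and (self.proto is None or s.proto == self.proto)
            and (self.dst_port is None or s.dst_port == self.dst_port)
        )


def evaluate(rules: List[Rule], s: Session, default: str = "pass") -> Tuple[str, Optional[str]]:
    """Walk the table top to bottom and return (action, rule name) of the first
    rule that matches, or (default, None) when nothing matches."""
    for r in rules:
        if r.matches(s):
            return r.action, r.name
    return default, None


# Constructed sample table. The single trust-class rule covers External->Internal,
# DMZ->Internal, Unknown->Internal and Unknown->VPN without naming any interface.
RULES = [
    Rule("block-less-to-more", "block", client_trust="less", server_trust="more"),
    Rule("allow-https-anywhere", "pass", proto="tcp", dst_port=443),
]


def order_matters() -> Tuple[str, str]:
    """Same session, same two rules, swapped order: with the HTTPS pass rule
    above the trust-class block, External can reach an Internal server on 443."""
    s = Session("external", "internal", "tcp", 443)
    return evaluate(RULES, s)[0], evaluate(list(reversed(RULES)), s)[0]


if __name__ == "__main__":
    for s in (
        Session("External", "Internal", "tcp", 445),
        Session("DMZ", "Internal", "tcp", 3306),
        Session("Internal", "External", "tcp", 443),
        Session("eth6", "VPN", "udp", 53),   # unlabelled interface -> least trusted
    ):
        print(s.client_iface, "->", s.server_iface, s.proto, s.dst_port, evaluate(RULES, s))
    print("ordering (as listed, reversed):", order_matters())
```

The unlabelled interface case is the one to watch: an interface that the policy does not classify lands in the least trusted bucket, so a new card that is added but not assigned will be treated like the Internet side until it is labelled.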
If one of your interfaces doesn't appear in the list, go to Adding Network Cards or Testing Internet Connection.
About NAT
Network Address Translation (NAT) is a Router feature. This feature configures the Untangle Server to allow multiple machines on your internal (protected) network to share access to an external network (usually the Internet) through a single IP address.
When NAT is enabled, the administrator must provide the Internal IP Address and Internal Subnet. The Internal IP Address is the IP address of the Untangle Server as seen from the internal network and the Internal Subnet is the subnet mask of the Internal IP Address.
Note: When NAT is disabled, none of the fields on the NAT tab are modifiable.
After NAT has been configured, the administrator should configure the Dynamic Host Configuration Protocol (DHCP) feature on the Untangle Server. To configure DHCP, see the discussion in About DHCP.
- If you do not plan to use the Untangle Server to provide DHCP services for some or all of the machines within your internal network, you must manually configure each of those machines with an IP address in the Internal Subnet, the matching subnet mask, and the Untangle Server's Internal IP Address as its gateway.
- If you do not plan to use the Untangle Server to provide NAT services for your internal network, you must do one of the following:
- Ensure that a device outside the Untangle Server (on the external network) provides NAT.
- Define an IP address pool for the internal machines. The IP addresses in this pool must be routable on the external network. If the external network is the Internet, these must be public IP addresses, not private (RFC 1918) addresses.
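As an added example (not part of this page or of Untangle), the following checks encode the two requirements above so they can be verified before a machine is put on the network: a statically configured internal host must sit in the Untangle Server's Internal Subnet and use its Internal IP Address as gateway, and a pool that replaces NAT must contain only addresses routable on the external network. The addresses, the internal subnet and the pool values are constructed sample values; 203.0.113.0/24 is the documentation range used here as a stand-in for a public block.

```python
"""Sanity checks for static internal hosts and no-NAT address pools.

Added example for this page, not Untangle's own code. UNTANGLE_INTERNAL_IP
and UNTANGLE_INTERNAL_MASK stand for the Internal IP Address and Internal
Subnet from the NAT tab; all addresses below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List, Union

UNTANGLE_INTERNAL_IP = "192.168.1.1"       # constructed sample value
UNTANGLE_INTERNAL_MASK = "255.255.255.0"   # constructed sample value

# Ranges that are never routable on the public Internet: RFC 1918, loopback,
# link-local and the carrier-grade NAT block. An address in any of these cannot
# be used in a pool that replaces NAT in front of the Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def subnet_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network an address/mask pair belongs to (host bits are masked off)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_static_host(host_ip: str, host_mask: str, host_gateway: str,
                      gw_ip: str = UNTANGLE_INTERNAL_IP,
                      gw_mask: str = UNTANGLE_INTERNAL_MASK) -> List[str]:
    """Return the problems with a manually configured internal host; an empty
    list means the host will use the Untangle Server as its router."""
    problems = []
    internal = subnet_of(gw_ip, gw_mask)
    host = ipaddress.ip_address(host_ip)
    if subnet_of(host_ip, host_mask) != internal:
        problems.append(f"subnet mismatch: host is configured for {subnet_of(host_ip, host_mask)}, "
                        f"Untangle internal subnet is {internal}")
    if host == ipaddress.ip_address(gw_ip):
        problems.append(f"address collision: {host} is the Untangle Server's internal address")
    elif host not in internal or host in (internal.network_address, internal.broadcast_address):
        problems.append(f"unusable address: {host} is not a host address in {internal}")
    if ipaddress.ip_address(host_gateway) != ipaddress.ip_address(gw_ip):
        problems.append(f"wrong gateway: host uses {host_gateway}, the Untangle Server is {gw_ip}")
    return problems


def check_no_nat_pool(pool: Union[str, Iterable[str]]) -> List[str]:
    """Return the addresses of a pool (a CIDR string or an iterable of
    addresses) that fall in a non-routable range. Empty means the pool can be
    used on the external network without NAT."""
    if isinstance(pool, str):
        addrs = list(ipaddress.ip_network(pool, strict=False).hosts())
    else:
        addrs = [ipaddress.ip_address(a) for a in pool]
    return [str(a) for a in addrs if any(a in net for net in NON_ROUTABLE)]


if __name__ == "__main__":
    print(check_static_host("192.168.1.50", "255.255.255.0", "192.168.1.1"))   # []
    print(check_static_host("192.168.1.50", "255.255.0.0", "192.168.1.254"))   # two problems
    print(check_no_nat_pool("203.0.113.0/29"))                                 # []
    print(check_no_nat_pool(["203.0.113.9", "192.168.5.5"]))                   # ['192.168.5.5']
```

The mask check matters more than it looks: a host with the right address but a wider mask (255.255.0.0 in the sample) will try to reach neighbouring subnets directly instead of through the Untangle Server, so its traffic never gets scanned.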
About DMZ
DMZ is a Router feature and a special case of the Redirect feature. It redirects all traffic destined to the external address of the Untangle Server to a specific host inside the internal network, unless a redirect rule is active and the traffic matches that rule; matching redirect rules take precedence over the DMZ catch-all.
When the DMZ feature is enabled, the administrator must provide the Target IP Address, the address of the internal machine that receives the traffic redirected by the DMZ feature. When the DMZ Logging feature is enabled, the Untangle Server logs information about the redirected traffic.
The DMZ feature is a catch-all for inbound traffic from the external network. You can use it, for example, to make a web server that is hosted within the internal (protected) network reachable by users outside your network. Because every inbound port that no redirect rule claims is forwarded to the Target host, that host is effectively exposed to the external network on all ports: harden it as you would an Internet-facing machine, and where only a few services need to be reachable, prefer specific redirect rules to the DMZ catch-all.
Determining Untangle Server's Internal IP Address
- If the Untangle Server is a bridge, then the internal IP address is the same as the external IP address.
- If the Untangle Server is a router, the internal IP address can be found from the NAT settings.
To determine Untangle Server's internal IP address, if configured as a bridge:
This procedure assumes that your IP address is assigned dynamically.
- From a web browser on an internal machine, go to http://www.whatismyipaddress.com. The website returns the public IP address your traffic arrives from.
- Record that IP address; in bridge mode it is the Untangle Server's internal IP address (and its external one). Note that if another NAT device sits between the Untangle Server and the Internet, the website reports that device's public address instead, not the Untangle Server's.
To determine Untangle Server's internal IP address, if configured as a router:
- From the Navigation pane, choose Config > Networking. The Network Configuration page launches.
- Record the IP address that is listed in the Address text box of the Configuration for the Internal Interface pane as this is the Untangle Server's internal IP address.
Determining Untangle Server's External IP Address
This procedure assumes that your Untangle Server is a router, not a bridge, and that your Untangle Server receives a dynamic IP address from your ISP.
To determine Untangle Server's external IP address:
- From a web browser on an internal machine, go to http://www.whatismyipaddress.com. The website returns the public IP address your traffic arrives from.
- Record that IP address; this is the Untangle Server's external IP address, provided the Untangle Server is the device that holds the public address. If another NAT device sits between it and the Internet, the website reports that device's address instead.
About Limiting Network Congestion
You might encounter a situation in which a few users consume a large share of your network's total bandwidth. The Untangle Server does not address this with bandwidth throttling; instead, it offers a choice between two approaches:
- Protocol Control. Restricts a protocol (for example, BitTorrent) that is specifically intended to transfer large amounts of data. To restrict a protocol, go to Blocking or Logging Network Traffic by Protocols.
- Web Content Control. Restricts video and audio file types that are typically large (for example, .swf and .avi). To restrict video and audio file types, go to Blocking Web Filter by File Extension.