Untangle Bypass Rules

About Untangle Virtual Machine

Figure, Untangle Server's Architecture

In most cases, you don't need to know that there is an Untangle Virtual Machine (UVM). However, there is no "getting around" this component in the context of bypass rules.

Bypass rules enable specific traffic to bypass the UVM. The UVM is an Untangle Server process (a Java virtual machine) that processes all traffic that reaches the Untangle Server. By default, whether your Untangle Server is a bridge or a gateway, traffic always passes through the UVM, then on to the racks.

Traffic can never reach the racks without first going through the UVM, so traffic that doesn't pass through the UVM never makes its way to the racks. Traffic that has a bypass rule (e.g. VoIP) enters an interface, goes directly to the Linux kernel, then exits another interface; in this case the Linux kernel, not the UVM, processes the traffic.

Creating User Bypass Rules

When you create a bypass rule, you're really creating a user bypass rule. There are two types of bypass rules:

  • User bypass rules. Bypass rules that do not exist by default, and that you can add yourself.
  • System bypass rules. Bypass rules that exist by default (e.g. VoIP), and that come preconfigured with the Untangle Server.

Untangle is curious about the rules that users add to the Untangle Server, so contact Untangle Technical Support to let us know when you add bypass rules. Untangle can then determine whether those rules need to be added to the default list, to make life easier for all users. Thank you!

Bypass rules enable you to use technology that wouldn't otherwise work in an Untangle Server environment because the traffic requires special handling: it either depends on a Windows protocol (for example, IPSEC/PPTP) or it is time-sensitive (for example, VoIP). To deal with such special handling, bypass rules instruct specific traffic to bypass the Untangle Virtual Machine (UVM). In the case of VoIP, the Untangle Server is preconfigured with a default bypass rule, so VoIP works "out of the box" without the typical VoIP performance and reliability problems.

A bypass rule is commonly used for high-priority protocols such as SIP, which is used for VoIP. The Untangle Server bypass rules support SIP and Asterisk sessions only. SIP is an application protocol that establishes VoIP sessions between caller and sender. SIP usually runs over the UDP or TCP transport protocol. There are many VoIP software applications that support SIP and Asterisk. The Untangle Server bypass rules don't support sessions such as RTP and H323, which Microsoft Netmeeting uses to make VoIP calls.

To create a bypass rule:

  1. From the Navigation pane, choose Config > Networking. The Network Configuration page launches.
  2. Highlight the Advanced button (on the far upper right) and from the drop-down menu, select Bypass Rules.
  3. Specify how you want the Untangle Server to identify the traffic, then click Save. Here are a few examples:
       • VoIP traffic. SIP uses either TCP or UDP, usually on port 5080, 5060, or 5061.
       • PPTP VPN connections. PPTP uses TCP, usually on port 1723.
       • IPSEC VPN connections.

The fields that identify the traffic:

  • Source Address. The IP address of the host that sent the traffic.
  • Destined Local. Any external interface or external IP address on the Untangle Server. You don't need to specify a value because "any" is the value by default.
  • Destination Address. The IP address of the host that will receive the traffic.
  • Source Port. The port on the Untangle Server that first receives the traffic.
  • Source Interface. The network interface on the Untangle Server that first receives the traffic.
  • Protocol. The transport or network protocol that the traffic uses.
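
The matching described above, as an added example (not Untangle's code or its configuration format): it models rules as hypothetical Python dicts using the fields listed here, decides whether constructed sample flows would skip the UVM and therefore the racks, and flags rules broader than the ports this page names. The dict keys, the single `port` field, the function names, and the sample addresses are assumptions.

```python
import ipaddress

# Ports this page names for traffic that commonly needs a bypass rule.
EXPECTED_PORTS = {"SIP": {5060, 5061, 5080}, "PPTP": {1723}}
KNOWN_PORTS = set().union(*EXPECTED_PORTS.values())

def _matches_addr(rule_value, addr):
    """'any' matches everything; otherwise the rule value is read as a CIDR network."""
    if rule_value == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_value, strict=False)

def bypasses_uvm(rule, flow):
    """True if the flow matches every field of the rule (assumed AND semantics)."""
    return (
        rule["protocol"] in ("any", flow["protocol"])
        and rule["source_interface"] in ("any", flow["interface"])
        and _matches_addr(rule["source_address"], flow["src"])
        and _matches_addr(rule["destination_address"], flow["dst"])
        and (rule["port"] == "any" or flow["port"] in rule["port"])
    )

def path(flow, rules):
    """Bypassed flows are handled by the Linux kernel and never reach the racks."""
    hit = any(bypasses_uvm(r, flow) for r in rules)
    return "kernel (bypassed)" if hit else "UVM and racks"

def audit(rule, allowed_ports=KNOWN_PORTS):
    """List the ways a rule lets more traffic skip the UVM than intended."""
    findings = []
    if rule["port"] == "any":
        findings.append("all ports bypass the UVM")
    elif set(rule["port"]) - allowed_ports:
        extra = sorted(set(rule["port"]) - allowed_ports)
        findings.append(f"ports outside the reviewed list: {extra}")
    if rule["protocol"] == "any":
        findings.append("all protocols bypass the UVM")
    if rule["source_address"] == "any" and rule["destination_address"] == "any":
        findings.append("no address restriction")
    return findings

# Constructed sample rules and flows (documentation address ranges).
RULES = [
    {"name": "sip-pbx", "protocol": "UDP", "source_interface": "any",
     "source_address": "192.0.2.10/32", "destination_address": "any", "port": [5060, 5061]},
    {"name": "too-broad", "protocol": "any", "source_interface": "any",
     "source_address": "any", "destination_address": "any", "port": "any"},
]
FLOWS = [
    {"protocol": "UDP", "interface": "external", "src": "192.0.2.10", "dst": "198.51.100.5", "port": 5060},
    {"protocol": "TCP", "interface": "external", "src": "203.0.113.7", "dst": "198.51.100.5", "port": 80},
]
```
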

Next Step: To improve QoS, enable Untangle QoS.

Bypass Rules vs. Protocol Control

You can use both bypass rules and Protocol Control because they serve two completely different functions:

  • Use Protocol Control to implement policies.
  • Use bypass rules to ensure that specific traffic bypasses the Untangle Virtual Machine (UVM).

From the Advanced drop-down menu (on the far upper right), choose Bypass Rules.