NG Firewall Installation
Hello and thanks for your interest in Untangle NG Firewall!
This guide will be a quick primer on getting your Untangle NG Firewall installed, up and running. Hopefully it will also answer some common configuration questions without causing too much confusion. If you already have Untangle in your network you can skip to any relevant section and read from there. If you're new to Untangle, we recommend reading this section in its entirety to help familiarize yourself with the software and how it works - it will probably save you a headache or two later on.
- 1 What is Untangle NG Firewall?
- 2 Installing Untangle NG Firewall on a Server
- 3 Setup Wizard
- 3.1 Language selection
- 3.2 Setup Wizard - Welcome
- 3.3 Setup Wizard - Step 1 - Configure the Server
- 3.4 Setup Wizard - Step 2 - Identify Network Cards
- 3.5 Setup Wizard - Step 3 - Configure The Internet Connection
- 3.6 Setup Wizard - Step 4 - Internal Network Interface
- 3.7 Setup Wizard - Step 5 - Configure Automatic Upgrade Settings
- 3.8 Setup Wizard - Finished
- 4 Common Post-Setup-Wizard Configuration
- 5 Installing Untangle on the Network
- 6 Using Untangle
What is Untangle NG Firewall?
Untangle is NGFW/UTM software, bringing together everything your network needs to stay healthy on one box: web content and spam filtering, virus scanning, VPN connectivity, multi-WAN failover capability and much more. We strive to make deployment and administration easy, with a friendly web-based GUI to help you monitor and filter traffic on your network. Untangle provides a suite of applications free of charge with the option of subscribing to additional applications as best suits your organization - our website has a full list of features. If you have additional questions the wiki and forums are always open, plus support is just a ticket away. Current pricing for paid applications, packages and appliances can be found in the store.
Installing Untangle NG Firewall on a Server
If you have ordered an appliance with Untangle pre-installed, refer to the Hardware Setup Guides.
Untangle installs to the hard drive of a PC, erasing all data on that drive in the process. Please be aware of this before starting the installation. Also note that Untangle requires at least two NICs to be installed before you start the installation.
You have a few methods to install Untangle NG Firewall on a new server:
- ISO: Download the ISO from Untangle, burn it to a disc and boot - the Installation Wizard will guide you through the install and network configuration process.
- USB: Write an image to a bootable USB stick - instructions are available here.
- OVA: Download the OVA from Untangle. This can be deployed in VMware and other virtualization software. When deploying in a virtual environment, be sure to read through the Cardinal Rules.
Most users install Untangle on the server before the server is placed in-line on their network. To do this plug one interface of your Untangle into your network as you would any other computer, then start the installer. This ensures that Untangle will have access to the internet during installation.
Power down the server, insert the ISO or USB installer, and power on the server. Make sure the boot options are set to boot from the inserted CD or USB media. Once the Untangle installation has started, follow the directions on the screen to complete the installation process.
As of release 16.0, NG Firewall can be installed via BIOS or UEFI. When the booting via CD or USB, the installer automatically detects whether it was booted via BIOS or UEFI and tweaks the install process accordingly. To tell whether the installer was booted via BIOS or UEFI, check the installer's menu title. When booted via BIOS, the installer menu title will be "Untangle installer boot menu". When booted via UEFI, the installer menu title will be "Untangle UEFI Installer".
After the installation is complete the server will reboot and the Setup Wizard will appear to walk you through the next phase of installation.
If you encounter issues while installing Untangle onto your server, read the Troubleshooting Server Installation.
The Setup Wizard will open automatically when Untangle first boots. If you do not have a keyboard/mouse/video connected to the Untangle server, the Setup Wizard can be reached by plugging into a DHCP-configured laptop into the internal interface opening a browser to http://192.168.2.1/.
Once installed, the setup wizard can be repeated at any time and can be found in the NG Firewall GUI at Config > System > Support > Setup Wizard.
Before you begin the setup wizard, select your preferred language.
Setup Wizard - Welcome
The next screen simply welcomes you to the Setup Wizard. Click next to continue.
Setup Wizard - Step 1 - Configure the Server
The first step has you set a password for the administrator account and select a timezone. You can also set the admin email to receive alerts and reports. Select the installation type, which closest matches your deployment.
Setup Wizard - Step 2 - Identify Network Cards
The second step shows you the network cards. If this is an appliance from Untangle you can simply continue to the next step. If this is a custom server, verify that the physical network cards are mapped to the correct (desired) interface. You can verify connectivity by disconnecting or connecting the cable to the physical interface. The status icon changes immediately between grey or green to show the link state.
Setup Wizard - Step 3 - Configure The Internet Connection
The third step configures your External (WAN) interface.
The default selection is Auto (DHCP). The automatically assigned address is displayed if an address was successfully acquired. Otherwise, click Renew DHCP to acquire an IP address. Click Test Connectivity to verify Internet access.
If your Internet connection requires a static IP address or uses PPPoE, select the appropriate option and enter the parameters assigned by your Internet Service Provider.
Setup Wizard - Step 4 - Internal Network Interface
The fourth step will configure your "Internal" interface (and DHCP server and NAT configuration.) There are two choices.
You can configure the internal interface with private static IP address (ie 192.168.2.1) and enable DHCP serving and NAT (Network Address Translation) so all internal machines will have private addresses and share one public IP. This is commonly referred to as Router mode.
You can also configure the internal interface to be bridged to the external. In this mode the internal interface does not have its own address and is simply shares the External's address. This is commonly referred to as Transparent Bridge mode.
In Router mode, Untangle will be the edge device on your network and serve as a router and firewall. In this case you'll need to set up your External and Internal interfaces correctly for traffic to flow, which should have been done while installing.
In Transparent Bridge mode, Untangle is installed behind an existing firewall and sits between your existing firewall and main switch. When in Bridge mode Untangle is transparent, meaning you won't need to change the default gateway of the computers on your network or the routes on your firewall - just put the Untangle between your firewall and main switch and that's it. You do not change the configuration of existing clients or the existing firewall!
Setup Wizard - Step 5 - Configure Automatic Upgrade Settings
In the fifth step Automatic Upgrades are configured. If Automatic Upgrades is enabled, NG Firewall automatically checks for new versions and performs the upgrade between 1am and 2am every morning. You can adjust the upgrade schedule after the setup is complete from the Upgrade Settings.
This step also includes an option to manage the appliance from Command Center.
Setup Wizard - Finished
The next steps include registration and installing the desired apps and possibly tuning the configuration of your Untangle NG Firewall.
Note that the setup wizard can be repeated at any time in Config > System > Support, click Setup Wizard.
Common Post-Setup-Wizard Configuration
At this point Untangle has the basic configuration that will work for most networks. However, some networks require more configuration.
Untangle will prompt you to sign in or register a new account with untangle.com. Registration is required to install any applications and takes only a second.
Registration has the following benefits:
- Install free or paid applications on your Untangle NGFW.
- Manage your licenses, renewals, servers and contact info all from one dashboard.
- Easily transfer licenses between servers.
If you signed in with an existing account, the system will check for any unused subscriptions in your account and ask if you would like to apply them to this system.
Once you have completed the process, continue with the steps below. Your account can always be accessed by visiting http://untangle.com or clicking My Account in the lower left hand corner of the UI.
Installing applications is covered in the User Guide. It is recommended to finish reading this section and get everything working before configuring/tuning the application settings.
Configure Other Subnets
Untangle will route all traffic according to its routing table, even in when installed as a Transparent Bridge. This means Untangle must have the proper routing table for all subnets on your network.
If you have other subnets on the network aside from those configured in the Setup Wizard you will need to configure Untangle to know about these networks. For example, if you are running as a bridge with Untangle having an address 192.168.1.2 with a netmask 255.255.255.0 but you also have a 192.168.20.* network and also a 10.0.*.* network you will need to tell Untangle where to reach these hosts.
There are several ways to do this:
- Add a route in Config > Network > Routes telling Untangle how to reach those subnets. If 10.0.*.* is local on Internal then you simple need to create a 10.0.0.0/16 route to "Local on Internal." If 10.0.*.* lives behind another router on your network like 192.168.1.100 then you will need to add a route to send all 10.0.0.0/16 traffic to 192.168.1.100.
- Add an alias on the appropriate interface. In Config > Network > Interface click edit on the appropriate interface and add an alias IP. This effectively tells Untangle that this IP range is local and can be reached locally on that interface. It also provides Untangle a local address on those subnets should any of those clients need to reach Untangle using a local IP.
Each subnet on your network will need to be configured so Untangle knows how to reach them. The "Ping Test" in Config > Network > Troubleshooting can be used to verify that Untangle can reach the configured subnets.
More in depth information about how Untangle network is configured is found in Network Configuration.
Configure Other Interfaces
In the setup wizard you configured both the Internal and External interfaces. If you have more than 2 interfaces, the 3rd and beyond are Disabled by default.
If you plan to use them, they must be configured and it is suggested to choose a name reflecting its use.
Common uses include:
- Additional WAN interfaces (if you have multiple internet connections) for failover/balancing
- To do this just configure it as a WAN interface with the ISP's provided values. Read more about WAN Failover and WAN Balancer for more information about failover/balancing.
- Other internal networks
- To do this just configure it as a non-WAN interface with a static internal IP. For example if you used 192.168.1.1/24 on your internal, you could use 192.168.2.1/24 on your 3rd interface. This is useful on larger networks, for guest networks, for wireless networks etc.
- Public segment for public servers (DMZ)
- If you have servers with public address you can stick them on the additional interface(s) and bridge those interfaces to your WAN. Then configure them with IPs on the same subnet as the WAN interface.
- Additional NICs for existing networks
- If you want additional NICs for you Internal (for example) you can bridge the 3rd interface to your Internal and plug in additional internal machines to that NIC. This behaves similar to a switch, but traffic going through the untangle to reach other internal hosts is scanned by the apps.
More in depth information about how Untangle network is configured is found in Network Configuration.
Some Untangle applications and functions rely on sending email like reports and spam quarantine digests. Email sending is configured in Config > Email. By default email will be sent directly using DNS MX records like a mail server. However, some ISPs and networks block port 25 to prevent spam and in this case you must configure a SMTP relay (and the appropriate authorization credentials if required).
Port Forward Rules
If Untangle is installed as a router and have internal servers with services that need to be publicly accessible you need to configure port forward rules to forward that traffic to the appropriate server. You can configure port forward rules in Config > Network > Port Forward Rules.
Unlike many next-generation firewalls, Untangle scans All TCP and UDP traffic on all ports at the application layer by default, except for VoIP traffic. This is ideal for most deployments but if you are running a very large (1000s of users) network it probably makes sense to bypass traffic that you are not interested in scanning. Traffic can be bypassed in Config > Network > Bypass Rules. More is described in the Network documentation.
If you use OpenVPN or quarantine or other publicly accessible services on Untangle, you may wish to configure the "public address" of Untangle so that it sends the appropriate URL to remote users. Public Address can be configured in Config > Administration > Public Address.
If you'd like to be able to administer Untangle via HTTPS remotely you will need to enable HTTPS access on WAN interfaces in the Filter Rules#Input Filter Rules.
Installing Untangle on the Network
At this point Untangle should be ready to drop into the network if it is not already in place.
If Untangle is configured in bridge mode an easy way to test Untangle is to install it with only one or a few computers behind it - plug the External interface into your network then plug a switch with a few computers into the Internal interface so they must go through Untangle. Only those computers will be filtered, allowing you to test without disturbing there rest of your network.
If you are running as a Transparent Bridge verify that Untangle is not plugged in backwards by unplugging the network cables one at a time and looking at the green lights in Config > Network > Interfaces. If Untangle is configured as a bridge and plugged in backwards it will pass traffic but some functionality will not work correctly. Untangle also provides Administrative Alerts which will bring this to your attention so you can fix it.
- Untangle is designed to drop in to your network with minimum disruption. When testing we recommend putting the system in place, keeping most defaults unless you're having problems. This way you can get a feel for how Untangle works before making possibly major changes that may affect system operation.
The next step is installing the applications and configuring Untangle to meet your needs. The User Guide provides in depth documentation of the various functions of Untangle and the applications.
Welcome to Untangle! ʘ‿ʘ