Networking FAQs

From Edge Threat Management Wiki - Arista
Revision as of 20:34, 26 February 2016 by Dmorris (talk | contribs)


If I am running NAT, how can I provide access to a web server connected to the internal network?

  1. If the web server is using DHCP, it should be assigned a static address. Go to Assigning Network Computers Static IP Addresses.
  2. Map the web server to that IP address as discussed in Mapping Computer Hostnames To IP Addresses.
  3. Create a port forward rule for all incoming traffic on port 80 to your web server as discussed in Port Forward Rules.


I have multiple subnets and after installing Untangle as a bridge only my main subnet can connect to the internet. Why?

Untangle needs to know about the other subnets in order to correctly route traffic to them. This can be done in several ways.

  1. Give Untangle an alias on each subnet. This can be done in config->networking. This tells Untangle that the subnet is local and should be routed accordingly.
  2. Alternatively, if your subnets are all similar (e.g. 192.168.1.x vs 192.168.2.x), make sure Untangle has a netmask that includes them all (255.255.0.0 vs 255.255.255.0).
  3. If your other subnets are behind another internal router, also add routes to tell Untangle how to route to these subnets in Config > Network > Routes.
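
To check option 2 before changing the netmask, the following added example (not part of the original wiki) reports which subnets a given interface address and netmask leave out, and computes the tightest single netmask that covers them all. The interface address 192.168.1.1 is an assumption; the two subnets are the ones used above.

```python
import ipaddress

def uncovered(interface, subnets):
    """Subnets that an interface address/netmask does NOT treat as local."""
    local = ipaddress.ip_interface(interface).network
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(local)]

def tightest_cover(subnets):
    """Smallest single IPv4 network containing every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    host_bits = (lo ^ hi).bit_length()   # bits that differ must be host bits
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))

# Constructed sample: the two /24s from the FAQ, Untangle assumed at 192.168.1.1.
SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "misses", uncovered("192.168.1.1/" + mask, SUBNETS))
    cover = tightest_cover(SUBNETS)
    print("tightest cover:", cover, "netmask", cover.netmask)
```

A wider netmask makes every address inside it count as local, so the tightest cover shows how much of 255.255.0.0 is actually needed.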


Is it possible to serve DHCP on multiple interfaces?

Yes, just configure the DHCP settings on the appropriate Interfaces.


Does Untangle support dual WAN or WAN failover?

Yes! Simply configure the appropriate interfaces as WANs, and install WAN Balancer for Load Balancing, and WAN Failover for failover.


My network is extremely slow and some pages won't load. Why?

Some internet connections have a sub-1500 MTU but don't support automatic MTU path discovery. It is worth a try to manually change MTU on the config->interfaces->edit page to something lower, 1492 or even 1450, to see if it has any effect. You must be in advanced mode to change this setting. This is more common with PPPoE connections. It is suggested that if this does not solve the issue you return MTU to the default setting.


Can I use OpenDNS with Untangle?

Sure. Simply change your external interface's settings to use OpenDNS's servers as a DNS server.

Can I specify multiple ports/IPs in one rule?

Absolutely. You can use comma-separated values or hyphen-separated ranges. In the case of IPs you can even use CIDR notation to cover a network space. Keep in mind that NGFW's Debian base limits rules to a maximum of 15 unique values per rule, and that hyphen-separated values count as two values.
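
The counting rule above can be checked before a rule is entered. This is an added example, not code from the wiki or from NGFW: the function names are hypothetical, and counting a CIDR block as one value is an assumption the FAQ does not state.

```python
import ipaddress

MAX_VALUES = 15  # per-rule limit stated in the FAQ

def split_items(spec):
    """Return (unique entries, values used). A hyphen range costs two values,
    any other entry one (counting a CIDR block as one is an assumption)."""
    items = list(dict.fromkeys(p.strip() for p in spec.split(",")))
    if "" in items:
        raise ValueError("empty entry in %r" % spec)
    used = sum(2 if "-" in item else 1 for item in items)
    if used > MAX_VALUES:
        raise ValueError("%d values used, limit is %d" % (used, MAX_VALUES))
    return items, used

def parse_ports(spec):
    """'80,443,8000-8100' -> [(80, 80), (443, 443), (8000, 8100)]"""
    ranges = []
    for item in split_items(spec)[0]:
        parts = item.split("-", 1)
        lo, hi = int(parts[0]), int(parts[-1])
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port entry %r" % item)
        ranges.append((lo, hi))
    return ranges

def parse_addresses(spec):
    """Single IPs, first-last ranges and CIDR blocks -> (first, last) integers."""
    ranges = []
    for item in split_items(spec)[0]:
        if "-" in item:
            lo, hi = (int(ipaddress.IPv4Address(p.strip()))
                      for p in item.split("-", 1))
        else:
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        if lo > hi:
            raise ValueError("bad address entry %r" % item)
        ranges.append((lo, hi))
    return ranges

def matches(ranges, value):
    """True if value (port number or integer address) falls in any range."""
    return any(lo <= value <= hi for lo, hi in ranges)

def ip(text):
    """Integer form of a dotted IPv4 address, for use with matches()."""
    return int(ipaddress.IPv4Address(text))
```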

My port forward isn't working. Why?

Follow the Port Forward Troubleshooting Guide to see if you can discover the issue.

I set up a port forward for HTTPS (port 443) and it is not working. Why?

Untangle and many of the applications use port 443. In order to forward port 443 you need to move Untangle off of port 443 to a different port. This can be done in Config > Network > Services.


I set up a port forward to my FTP server and it is working but transfers fail. Why?

FTP uses multiple connections. If you set up a port forward for the control session (port 21), then you must also set up a port forward for the transfer sessions. You can do this in multiple ways.

  1. Configure your server to use a range of passive ports for transfers (e.g. 10000-20000) and configure Untangle to forward all of these ports to the FTP server.
  2. Use 1:1 NAT

Can I port forward traffic destined to a specific hostname like 'mywebserver.com' to a specific server?

No. Packets are destined to IPs, not hostnames. When a new packet of a new session arrives from 1.2.3.4 port 1234 to 5.6.7.8 port 5678, the port forward rules must decide if and where to forward that session based on the information present in that packet. This decision can only be made using the information known at that time. If the session is forwarded and it's an HTTP or HTTPS session that later connects successfully, the client may request "mywebserver.com/index.html". At this point the hostname is, in theory, known; however, the port forwards must decide where to forward the session long before the hostname is known. Port forward rules cannot see into the future and know which hostname the client may request at the time the client is trying to initiate the session.

However, this can be accomplished for HTTP and HTTPS traffic using Apache as a reverse proxy. This mechanism accepts all HTTP requests, forwards/proxies them based on the information in the request, and proxies all responses from the final server.
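
The two decision points described above, side by side, as an added example that is not part of the original wiki and is not Apache's or Untangle's code. The backend addresses and the hostname intranet.example are constructed; only the Host-header routing of plain HTTP is shown.

```python
# Constructed sample data: the backend addresses and the second hostname are
# illustrative assumptions, not values from the FAQ.
PORT_FORWARDS = {("5.6.7.8", 80): ("192.168.1.10", 80)}
VHOSTS = {
    "mywebserver.com": ("192.168.1.10", 80),
    "intranet.example": ("192.168.1.11", 80),
}

def port_forward_target(dst_ip, dst_port):
    """Decision made on the first packet: only addresses and ports exist yet."""
    return PORT_FORWARDS.get((dst_ip, dst_port))

def host_header(request_head):
    """Return the lower-cased Host of an HTTP/1.x request head, or None when
    it is missing or repeated (an ambiguous request should not be routed)."""
    hosts = []
    for line in request_head.split(b"\r\n")[1:]:
        if not line:            # blank line ends the headers
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip().decode("ascii", "replace").lower())
    if len(hosts) != 1:
        return None
    host = hosts[0]
    # Drop an optional ":port" suffix; leave bracketed IPv6 literals alone.
    return host if host.startswith("[") else host.partition(":")[0]

def proxy_target(request_head):
    """Decision made after the request arrives: the hostname is now known.
    Unknown hosts get None so the proxy can refuse them."""
    return VHOSTS.get(host_header(request_head))

# Two constructed requests that arrive on the same address and port.
REQ_A = b"GET /index.html HTTP/1.1\r\nHost: mywebserver.com\r\n\r\n"
REQ_B = b"GET / HTTP/1.1\r\nHost: Intranet.Example:80\r\n\r\n"
```

Both requests reach 5.6.7.8 port 80, so a port forward sends them to the same server; only the proxy, which reads the request, can separate them.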

Does Untangle support 1:1 (One to One) NAT?

Yes. Read more about how to set up 1:1 NAT.


What is "Destined Local?"

Destined Local is a flag for port forward rules. It matches traffic destined to the local Untangle machine on any of its IPs. This flag is usually used when you want to redirect a port on the Untangle Server (and all of its IPs) to another server.