Implementing untangle firewall behind a network with several subnets
  • Implementing untangle firewall behind a network with several subnets

    Hello,
    I am currently trying to replace two pfsense servers, primary and secondary, with an untangle firewall. The pfsense servers support several subnets behind them, which are entered in the routes table. This has been working perfectly. Now I want to replace the pfsense proxy servers with untangle, and I have entered all the routes that existed on the pfsense servers and I can successfully ping all networks behind my new untangle server. I also have an internet connection established on the new untangle server. But my PC behind the untangle server shows an internet connection on the network icon, but when I try to browse it fails and returns "cannot find server".

    When I try to traceroute from the PC, it then shows a reply from my subnet gateway and then from an IP address which was the primary IP address of the replaced proxy server. This server does not exist any more, but I don't know why my PC still points to this IP address. If I put back my pfsense server together with my new untangle server, then my PC points to the untangle server. But when I shut down the pfsense server I lose connection.

    I cannot find anywhere in the switch whether there is any configuration for the server IP address of the pfsense to be routed for internet access. Please help me out.

  • #2
    Don't know anything about the hardware names used, but it sounds like the routing statements that you duplicated include a reference to the pfsense server that you're trying to remove. Your traceroute follows the routing tables; that's how it progresses from one hop to the next. Remove that IP, correct the remaining statements for the active devices you're trying to set up, and try again.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Thank you for your contribution. I don't think it is trying to reference the pfsense server, as there is no reference statement. Untangle is a firewall application; it has a routing tool where you add all routes to the network. You add the network and the next hop. In my troubleshooting I decided to delete all the other routes and concentrate on only one subnet. But what I don't seem to understand is that the PC obtains its DNS address from a local Active Directory DNS server. These DNS addresses are not public internet DNS addresses; however, with these DNS addresses it shows internet access on the local area connection icon. I have also observed that when all the pfsense servers are off, the internet connection also goes off.

      For the pfsense, which is a proxy server, my PC has a proxy setting option configured for the proxy, which I think forces the internet traffic directly to the proxy server for internet access. But the new NG Firewall application does not have proxy functions, so I think this might be the problem, as the PC behind the router should at least have a public DNS address to have internet access. As I said, the PCs behind the network use local DNS addresses issued by a domain controller.

      Do you think that I should also add public DNS to be issued by the domain controllers?



      • #4
        Whichever device has an interface which holds the public IP you got from your ISP is your internet-facing gateway. If that device is not a router itself, then whichever device you use as the router for your internal network has to point to that gateway as its default route, which is what it uses when it doesn't know any other more-specific route to deliver a packet to. If the pfsense device that you're retiring was your proxy server but the new device doesn't proxy, then you have to change your client device configs. A basic firewall gives you at least a NAT function to translate private vs public addresses so your private clients can pass onto the I'net. A proxy does that, but it also does a lot more. If you're not using a proxy but you're still using a firewall that does NAT for you, then any client inside your network will have to have the proxy settings removed, else they won't be able to get to the web. Your routing statements should all point to the router which is closest to your gateway, and that router should push the traffic thru that gateway. But one of those 2 devices must also NAT your traffic, or it won't pass to the I'net.

        As for DNS: your internal DNS should answer all queries from your internal clients. Your clients should not have to go out to the I'net to get DNS resolution. Your internal DNS should have 'forwarders' and 'root hints' configured, so that it can look up addresses for pages it doesn't know about. An explanation: your clients request from your DNS. Your DNS either answers if it can, or itself requests from the forwarders or root hints for the answer, and then it gives that answer to your client. That's called recursion. Unless you are hosting a web server that has to be available on the open Internet itself, public DNS records are unnecessary.

        It sounds like you are in need of someone locally to help with your network, and to give you some instruction on how to lay one out. Had you thought about hiring someone for a day or 2 to review your system and give you some pointers?
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **



        • #5
          The device is a firewall and NAT is enabled. My internal LANs are on VLANs created on a layer 3 switch. Routing is enabled and all networks can reach my firewall application. So each VLAN interface is the gateway for each network. This is working properly. Also, about the DNS: the local DNS may be doing the forwarding, as it is working well with the pfsense. So there are no changes, as I am using the real IP addresses used by the pfsense so that the configs work the same.

          I have noticed that when I connect from my PC from any of the VLANs I can reach the firewall with a ping, and that shows that my routing is OK, but internet access fails. I decided to connect my PC directly to the LAN interface of the NG firewall and used the LAN IP as my gateway and the public DNS configured on the internet gateway, and this time everything is working. Does this mean that I am having a NAT issue?

          Yes, I will consider looking for a tech in the new year coming.



          • #6
            Since you said you can get to the i'net when you use public DNS, try using the same public DNS settings back on any/all vlans and see if your access still works. If so, then your internal DNS is the issue. But since that public DNS worked, what makes you ask about NAT? Have you verified your internal DNS settings as described previously? If you have internal DNS (and you must, because Active Directory won't work without it), then making sure it's working is the next step. Your DNS forwarders should point to your ISP, or public DNS if necessary. Your clients should never have to go to outside DNS on their own.

            From a PC that currently can't get to the i'net, you can see whether DNS is working or not by checking the DNS cache. From a cmd prompt, use 'ipconfig /displaydns'. When you enter that command, it'll return a listing of every URL-to-IP it knows about. So if you try a web page that doesn't work, but then the DNS cache shows an IP for that name, your DNS is working. The fault is either routing or NAT. On your new firewall, just turning NAT on may not be enough. Some devices require that you specify WHAT GETS NAT'd, as well. That way, you can have (as an example) 4 subnets inside your network, but only 3 of them are allowed to be NAT processed. Users on the 4th subnet would see just what you're seeing now. But, if you can access the i'net when a test PC is plugged directly into the new firewall, I'd say NAT isn't your problem. However, did that test PC have an internal, private IP on it? To prove that NAT is working in this case, hook that back up again, make sure you know what IP you have on the PC's NIC, and go to 'whatismyip.com'. If NAT is working, that page should show the public IP that you have on the outside interface of your untangle, not whatever is on the PC's NIC. And I'm betting it will, the way things sound at the moment.
            *RicklesP*
            MSCA (2003/XP), Security+, CCNA

            ** Remember: credit where credit is due, and reputation points as appropriate **
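The DNS-cache check from #6 can be scripted so that the "DNS works, so look at routing or NAT" decision is applied consistently across many names. The following is an added example, not code from the thread or from Untangle: it parses a constructed sample of `ipconfig /displaydns` output (laid out in the command's documented record format, with one negatively cached name) and classifies each name the way RicklesP describes. The sample names and addresses are made up for the example.

```python
import re

# Constructed sample of `ipconfig /displaydns` output (an assumption about the
# layout, not captured from the poster's machine): two positive answers and one
# negatively cached name.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.80


    intranet.corp.example
    ----------------------------------------
    Record Name . . . . . : intranet.corp.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.10.1.40


    missing.example
    ----------------------------------------
    Name does not exist.
"""

# One record line: "A (Host) Record . . . : 198.51.100.80" (also AAAA / CNAME).
RECORD_RE = re.compile(
    r"^\s*(A \(Host\) Record|AAAA Record|CNAME Record)[ .]*:\s*(\S+)", re.M)
# The dashed rule that separates each cached name from its records.
RULE_RE = re.compile(r"^\s*-{10,}\s*$", re.M)


def parse_displaydns(text):
    """Map each cached name (lower-cased) to its answers; [] for a negative entry."""
    cache = {}
    chunks = RULE_RE.split(text)
    # The name is the last non-empty line before a dashed rule; the records
    # (if any) are in the chunk after it, which also ends with the next name.
    for i in range(len(chunks) - 1):
        names = [ln.strip() for ln in chunks[i].splitlines() if ln.strip()]
        if not names:
            continue
        answers = [value for _, value in RECORD_RE.findall(chunks[i + 1])]
        cache[names[-1].lower()] = answers
    return cache


def diagnose(name, cache):
    """Apply the rule from #6: a cached address means resolution works and the
    fault is downstream (routing or NAT); no address means DNS itself failed."""
    if cache.get(name.lower()):
        return "dns-ok-check-routing-or-nat"
    return "dns-not-resolving"


if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_DISPLAYDNS)
    for host in ("www.example.com", "missing.example", "never-looked-up.example"):
        print(f"{host:28} {cache.get(host.lower(), [])} -> {diagnose(host, cache)}")
```

A name that was never queried is reported the same as a negatively cached one: in both cases the client has no address to send packets to, so the next thing to check is the internal DNS server's forwarders, not the firewall.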



            • #7
              Thanks, I salute you so much. It is working, as NAT was my problem. As you said, turning NAT on was not enough; I have actually specified what gets NAT'd. Thank you, it is resolved.
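The three things this thread turned on (a stale route copied from the retired device in #2, the default route and NAT in #4, and NAT enabled but not for every source subnet in #6 and #7) can all be reproduced in a small model of the firewall's forwarding decision. This is an added example written for this page, not Untangle's code or configuration: the topology (four VLANs behind a layer 3 switch, one firewall with a single public address) and every address in it are assumptions using RFC 1918 and documentation ranges. It goes slightly beyond the thread by showing what an untranslated private source looks like from the outside.

```python
import ipaddress

# Constructed topology (assumed, not taken from the thread).
PUBLIC_IP = "203.0.113.10"    # firewall's outside address (placeholder)
ISP_GATEWAY = "203.0.113.1"   # next hop of the default route
L3_SWITCH = "192.168.0.2"     # next hop for every VLAN behind the switch
OLD_PFSENSE = "192.168.0.9"   # retired device, used only by the stale-route check

# Firewall routing table as (destination prefix, next hop). 0.0.0.0/0 is the
# default route: used only when no more specific entry matches.
ROUTES = [
    ("0.0.0.0/0", ISP_GATEWAY),
    ("192.168.0.0/24", "connected"),
    ("10.10.1.0/24", L3_SWITCH),
    ("10.10.2.0/24", L3_SWITCH),
    ("10.10.3.0/24", L3_SWITCH),
    ("10.10.4.0/24", L3_SWITCH),
]

# Source networks the firewall has been told to NAT. VLAN 4 is deliberately
# missing, reproducing the "NAT on, but not for every subnet" failure from #6.
NAT_SOURCES = ["192.168.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match. Returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def stale_routes(routes, live_next_hops):
    """Entries whose next hop is no longer a live device: the copied-route
    problem RicklesP suspected in #2, visible as an odd hop in a traceroute."""
    return [(p, nh) for p, nh in routes if nh not in live_next_hops]


def classify(src, dst, routes=ROUTES, nat_sources=NAT_SOURCES):
    """Simulate one packet through the firewall.

    Returns (next_hop, source address the destination sees, reply_possible).
    """
    src_addr = ipaddress.ip_address(src)
    route = lookup_route(dst, routes)
    if route is None:
        return (None, None, False)
    _, next_hop = route
    if next_hop != ISP_GATEWAY:
        # Internal hop: no translation needed, private addresses route fine inside.
        return (next_hop, src, True)
    if any(src_addr in ipaddress.ip_network(n) for n in nat_sources):
        # Translated: the outside world sees the public IP and replies come back.
        return (next_hop, PUBLIC_IP, True)
    # Forwarded untranslated with an RFC 1918 source: the ISP cannot route the
    # reply back, so the client sees exactly the symptom from the thread
    # (ping to the firewall works, internet does not).
    return (next_hop, src, False)


def whatismyip(src):
    """What the 'whatismyip' test from #6 would report for a client at `src`."""
    return classify(src, "198.51.100.80")[1]


if __name__ == "__main__":
    for client in ("10.10.1.25", "10.10.4.25"):
        print(client, "->", classify(client, "198.51.100.80"))
    print("stale:", stale_routes(ROUTES + [("10.10.5.0/24", OLD_PFSENSE)],
                                 {ISP_GATEWAY, "connected", L3_SWITCH}))
```

Running it shows the VLAN 1 client reaching the ISP gateway as 203.0.113.10 while the VLAN 4 client is forwarded with its private address and no possible reply; adding "10.10.4.0/24" to NAT_SOURCES is the model equivalent of the fix reported in #7.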



              • #8
                Glad to hear it's working now.
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA

                ** Remember: credit where credit is due, and reputation points as appropriate **
