ESXi + PFSense + Untangle + PFSense + vlans?

Martian (n00b, joined Feb 21, 2012, 48 messages)
I have my ESXi box up and running smoothly now. I'm planning to replace my aging DLink router / firewall with PFSense. I would also like to run Untangle in bridge mode for its filtering capabilities. My house is quickly becoming the gathering place for my son and his friends and I'd like to put Untangle to work keeping the darker corners of the Internet at bay. Lastly I would like to set up a few VLANs to segregate my network and allow for a guest network. This is where my primary problem lies since Untangle doesn't support VLANs and strips VLAN tags.

My thought is to set up a PFSense firewall VM connected directly to my ISP on the WAN side and feeding into a bridged Untangle VM on the LAN side. Untangle would then feed into a second PFSense VM whose firewall would be disabled and would only be used for routing between VLANs.

Has anyone tried anything like this? Does anyone have any thoughts / opinions on if this would work? Would I be able to avoid being double NAT'd and having to set up port forwards twice? I know it seems silly to have three VMs for such a simple task but I can't think of a better way to accomplish everything I want to do (short of buying a layer 3 switch) and my ESXi box certainly has the power to do it.
 
My thought is to set up a PFSense firewall VM connected directly to my ISP on the WAN side and feeding into a bridged Untangle VM on the LAN side. Untangle would then feed into a second PFSense VM whose firewall would be disabled and would only be used for routing between VLANs.
Isn't that poking your eye through your chest?

ESXi handles VLANs and why would Untangle need to run bridged?
 
Right. Untangle doesn't need to do VLANs. That's what ESXi/vNICs/port-groups are for.
 
How do I control data between VLANs? Does ESXi have layer 3 routing capabilities? I want to separate private data from guest data and possibly separate my MythTV streaming using VLANs. It is my understanding that I need a "router on a stick" setup or a layer 3 switch to do this.
 
Untangle will route to/from guest network and public private. Why bother VLANing things inside your house like MythTV? That buys you nothing.
 
Please don't turn this into a PFSense vs. Untangle thread. Yes they overlap, but they are two different products with two different purposes. My problem is I want them both. Believe me I had tried to find ways to accomplish everything I want to do with one or the other but either way I have to give something up.

I either have to give up the robust filter of Untangle or the VLAN routing of PFSense. I really want to find a way to have it all. I know my proposed plan probably isn't a good idea; at this point, I just want to know if it would even work. I'm guessing my final layout will be some sort of compromise but I like to start out with everything and scale back if I have to.
 
If all you want is L3 routing then do a simple software router (we use Vyatta). Then use PFSense or Untangle for their purpose. I still don't see why you'd want to VLAN out a home network. It doesn't buy you anything.
 
If all you want is L3 routing then do a simple software router (we use Vyatta). Then use PFSense or Untangle for their purpose. I still don't see why you'd want to VLAN out a home network. It doesn't buy you anything.

He's trying to do this all on ESXi; I see this being a mess. Personally I'd take a dedicated box and run just Untangle on it.

ISP > cable/DSL modem > Untangle (NIC A to ESXi, then second NIC to home network).
 
He's trying to do this all on ESXi; I see this being a mess. Personally I'd take a dedicated box and run just Untangle on it.

ISP > cable/DSL modem > Untangle (NIC A to ESXi, then second NIC to home network).

Why? I run Untangle under vSphere with a guest network.
 
Please don't turn this into a PFSense vs. Untangle thread.
I'm not, but
I either have to give up the robust filter of Untangle or the vlan routing of PFSense.
You kind of are. I won't argue pfSense is as easy to configure and accomplish whatever filtering you want, but it can be done.

You are aware pfSense has packages you can install to extend functionality, right? Like, for instance, DansGuardian + Squid.

Just sayin', you're overcomplicating things.
 
Yep. I've used both. Stand by my statement. ;) I also had odd problems with PFSense under VMware that was confirmed as a bug. It was using a LOT of CPU under heavy load when it shouldn't. It's a problem with device polling on the NIC (e1000). You can fix it, but you have to manually do it every time you reboot it.
 
Thanks for all the suggestions and help guys. I kinda figured there wasn't a sane way to do everything I want but thought I'd let the collective [H]ardforum mind kick it around.

If all you want is L3 routing then do a simple software router (we use Vyatta). Then use PFSense or Untangle for their purpose. I still don't see why you'd want to VLAN out a home network. It doesn't buy you anything.
I will look into Vyatta - I've heard good things. Sadly the reasons I want VLANs are because I bought a layer 2 switch, I want to learn about them, and I like the idea of segregating my network. All bad reasons but it's what I got :rolleyes:

Personally I'd take a dedicated box and run just Untangle on it.
I would too if this were production but it's home and I can swap in my old DLink router in two minutes if needed. The goal of my ESXi box is less hardware (thus my all-in-one setup) and less power draw. My old server is going to be my wife's Diablo III box so this is all win!

I'm not, but
You kind of are. I won't argue pfSense is as easy to configure and accomplish whatever filtering you want, but it can be done.

You are aware pfSense has packages you can install to extend functionality, right? Like, for instance, DansGuardian + Squid.

Just sayin', you're overcomplicating things.

Ok - yes I am comparing their features, I just don't want to derail on that (and we haven't). I am aware that PFSense has packages that do a lot of what Untangle does and learning to use them is probably still easier than my "brilliant" scheme. Untangle's filtering is just so easy... Oh, and I over complicate everything - just ask my wife...

Yep. I've used both. Stand by my statement. ;) I also had odd problems with PFSense under VMware that was confirmed as a bug. It was using a LOT of CPU under heavy load when it shouldn't. It's a problem with device polling on the NIC (e1000). You can fix it, but you have to manually do it every time you reboot it.
Hmmm - that doesn't sound good. I've not run into any issues so far in my testing / playing however I'm not passing any NICs through at the moment so maybe that is the cause?
 
you can disable polling BTW. you're not going to notice much difference with polling on or off until you reach throughput levels that are MUCH higher than what you're ever likely to see in your environment.
 
you can disable polling BTW. you're not going to notice much difference with polling on or off until you reach throughput levels that are MUCH higher than what you're ever likely to see in your environment.

Yep. Then I'd reboot and it would turn itself back on. Was a bug, maybe fixed by now as that was probably 6 months ago, but I had a couple other people reproduce it as well.
 
compile it out of the kernel :D

Or do it the lazy way: create a script to do it at boot and drop it into the rc.d directory! :p
Or, even lazier (if it still works in FreeBSD), create an rc.local file, then append the command to disable it to it (rc.local). :p
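The rc.d approach from the post above, as an added example that is not from the thread and not pfSense's own code. It assumes pfSense 2.x on FreeBSD 8, where polling is a per-interface flag that `ifconfig <if> -polling` clears and that shows up as POLLING in the interface's options line; it is meant to be installed as /usr/local/etc/rc.d/disable_polling.sh (executable), a directory pfSense runs at boot with the argument "start". The interface names and ifconfig output in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): clear the FreeBSD device-polling flag
# on every interface that has it set, so a reboot cannot quietly re-enable it.
# Assumed install path: /usr/local/etc/rc.d/disable_polling.sh, run as
# "disable_polling.sh start" by pfSense at boot.

IFCONFIG=${IFCONFIG:-ifconfig}   # override for dry runs / tests

# Read full "ifconfig" output on stdin; print the name of every interface
# whose capabilities line (options=<...>) lists POLLING.
polling_ifaces() {
    awk '
        /^[a-z0-9.]+: flags=/ { sub(/:$/, "", $1); iface = $1; next }
        /^[ \t]+options=.*POLLING/ { print iface }
    '
}

# Turn polling off on each interface found above.
disable_polling() {
    for ifc in $("$IFCONFIG" | polling_ifaces); do
        "$IFCONFIG" "$ifc" -polling
    done
}

# Constructed sample of FreeBSD ifconfig output for offline testing:
# em0 and em2 have polling enabled, em1 and lo0 do not.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:0c:29:aa:bb:01
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:aa:bb:02
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:0c:29:aa:bb:03
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000'

# Only act when invoked as an rc script ("start"); sourcing the file does nothing.
case "${1:-}" in
    start) disable_polling ;;
esac
```

Detecting the flag from ifconfig output, rather than hard-coding em0, means the script keeps working when you add or renumber NICs; if you prefer the rc.local route, the same `disable_polling` call is the one line to append.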
 
Or I just use Untangle. ;)

It wasn't as simple as just unchecking it. You had to flip it a couple times (or something; it's been 6 months). Else it would use a ton of CPU under load when it shouldn't.
 
Or I just use Untangle. ;)

It wasn't as simple as just unchecking it. You had to flip it a couple times (or something; it's been 6 months). Else it would use a ton of CPU under load when it shouldn't.

Wonder why he wouldn't use Untangle with multiple NICs and create different subnets; wouldn't that be the same as what he is trying to do?
 
Or I just use Untangle. ;)

It wasn't as simple as just unchecking it. You had to flip it a couple times (or something; it's been 6 months). Else it would use a ton of CPU under load when it shouldn't.
Heh :D

In any case, NetJunkie already mentioned it - If you want to play with VLANs, you can still do it using port-groups.

I think you misunderstood his and others' point about using port-groups though. Instead of having an overcomplicated setup of trunking the VLANs to the router VM (pfSense) and then bridging it to another filtering platform VM (Untangle), you tag the VLANs at the port-group level and then let the single VM (Untangle) route between the port-groups as if they were separate physical networks.

Basically all you're doing is moving the VLAN tagging from the VM level to the port-group level. Once you do that, the VM doesn't need to be aware of or support VLANs. You just have the VM treat it as regular untagged network traffic.

Wonder why he wouldn't use Untangle with multiple NICs and create different subnets; wouldn't that be the same as what he is trying to do?

By using VLANs and tagging them at the port-group, absolutely, yes. :)

Otherwise not really, at least not without going back to an overly complicated setup (use dedicated uplinks, vSwitches, port-groups and separate switches for each subnet). In a single switch situation, the traffic still flows in the same (broadcast, etc.) "domain". In other words, while it would work, the traffic isn't actually segregated. By using VLANs, it will provide physical-like segregation. (VLANs aren't perfect, and if not carefully implemented can be bypassed using techniques such as VLAN hopping.)
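The port-group layout described in the post above, as an added example that is not from the thread or from VMware: it builds one standard vSwitch with one uplink and one port-group per VLAN from the ESXi 5.x shell, tagging at the port-group so the router VM's vNICs see untagged frames. The vSwitch name, uplink vmnic1, port-group names and VLAN IDs are assumptions; the esxcli subcommands are the standard ones for ESXi 5.x.

```shell
#!/bin/sh
# Added example (not from the thread): one vSwitch, one trunked uplink, one
# port-group per VLAN, VLAN tagged at the port-group level. Run in the ESXi
# shell or over SSH; set ESXCLI=echo to print the commands instead.

ESXCLI=${ESXCLI:-esxcli}

VSWITCH=vSwitch1          # assumed name
UPLINK=vmnic1             # assumed NIC; its physical switch port must trunk the VLANs below

# Constructed "name:vlan" pairs for the example. Note what is NOT here:
#  - VLAN 1 / the switch port's native VLAN: untagged frames on a trunk are
#    the classic VLAN-hopping path, so never put a tenant on it.
#  - VLAN 4095: that is VGT mode (tags passed into the VM), the opposite of
#    what this layout wants.
#  - The VLAN carrying the ESXi management vmkernel port: keep it off any
#    port-group a guest-facing VM can reach.
PORTGROUPS="LAN:10 Guest:20 MythTV:30"

# Usage: check_vlan_id <id>. Accepts only 2..4094 (rejects 0, 1, 4095 and junk).
check_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

build_vlan_portgroups() {
    "$ESXCLI" network vswitch standard add --vswitch-name="$VSWITCH"
    "$ESXCLI" network vswitch standard uplink add --vswitch-name="$VSWITCH" --uplink-name="$UPLINK"
    for pair in $PORTGROUPS; do
        name=${pair%%:*}
        vlan=${pair#*:}
        check_vlan_id "$vlan" || { echo "bad VLAN id for $name: $vlan" >&2; return 1; }
        "$ESXCLI" network vswitch standard portgroup add --vswitch-name="$VSWITCH" --portgroup-name="$name"
        "$ESXCLI" network vswitch standard portgroup set --portgroup-name="$name" --vlan-id="$vlan"
    done
}

# Uncomment to apply on the host:
# build_vlan_portgroups
```

After this, give the Untangle (or pfSense) VM one vNIC on each port-group; from inside the VM they look like three plain physical NICs, which is exactly why the VM no longer needs VLAN support. The one place VM-level tagging still makes sense is the vDS trunk case mentioned later in the thread, and that is what VLAN 4095 is for.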
 
Hi,
I run Untangle in an ESXi env with multiple VLANs.
I have one vSwitch for each VLAN and then an interface in Untangle for each VLAN.
As Untangle now has a 250-interface limit, it is an easy way to route between VLANs and filter traffic with Untangle.
 
Thanks for all the replies! Between being sick and working extra time (to catch up from being sick) I haven't had much "project" time until yesterday.

I set up an Untangle VM (no pfSense) as a test and was able to route between a couple different VLANs set up on a couple different vSwitches. I haven't tied it back to anything physical yet but it seems to be doing everything I need / want. The only downside is that I need a physical NIC and switch port for each VLAN but that is doable.

Tonight's goal is figuring out how to wall off the guest subnet and isolate it from the others. I'm pretty sure this is just simple firewall rules, I just haven't had time to play with it yet.

I do have a couple questions if anyone is game:

1) For the WAN side (going to my FIOS ONT) should I pass that NIC through to the Untangle VM or just create a separate vSwitch for WAN? I planned to pass through but when I tried it I lost my connection to vSphere until I unplugged the connection (I think I created a loop somewhere).

2) Is there any way to rename / delete / not use the DMZ interface? I don't plan to have a DMZ setup and would prefer to name that adapter something meaningful to what it really is.
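The "wall off the guest subnet" rules from the post above, as an added example that is not from the thread and not Untangle's or pfSense's own configuration. It is written as generic Linux iptables (Untangle sits on Debian/netfilter, but it manages its rules from its own GUI; this is the same policy spelled out rule by rule so the ordering is visible). Interface names, subnets and the router's guest-side address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): isolate a guest VLAN on a Linux router.
# Set IPT to a print function to dry-run; otherwise it loads real rules.

IPT=${IPT:-iptables}

WAN=eth0                        # assumed WAN interface
GUEST=eth2                      # assumed vNIC on the Guest port-group
GUEST_NET=192.168.20.0/24       # assumed guest subnet
ROUTER_GUEST_IP=192.168.20.1    # assumed router address on the guest VLAN

# Block every private range, not just the LAN subnet: that also covers the
# ESXi management network and any VLAN you add later without touching rules.
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

guest_isolation_rules() {
    # Anything not explicitly allowed below is dropped, including LAN->guest;
    # add a rule for that direction if you want it.
    "$IPT" -P FORWARD DROP

    # Forwarded traffic from the guest: replies first, then private-range
    # DROPs *before* the WAN accept, so a private address that happens to be
    # reachable via WAN (double NAT, modem admin page) is still blocked.
    "$IPT" -A FORWARD -i "$GUEST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in $RFC1918; do
        "$IPT" -A FORWARD -i "$GUEST" -d "$net" -j DROP
    done
    "$IPT" -A FORWARD -i "$GUEST" -o "$WAN" -s "$GUEST_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$GUEST" -j DROP
    # Return traffic for guest-initiated connections.
    "$IPT" -A FORWARD -o "$GUEST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Traffic to the router itself is the part people forget: the guest gets
    # DHCP and DNS from the router and nothing else, so the admin UI, SSH and
    # the hypervisor behind it are unreachable from the guest VLAN.
    "$IPT" -A INPUT -i "$GUEST" -p udp --dport 67 -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST" -d "$ROUTER_GUEST_IP" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST" -d "$ROUTER_GUEST_IP" -p tcp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST" -j DROP
}

# Uncomment to apply on the router:
# guest_isolation_rules
```

In Untangle's or pfSense's GUI the same policy is two rules per direction: an allow for guest to "not RFC1918" (pfSense's "invert match" on a private-networks alias) and a deny for everything else, plus a deny on the guest interface toward the firewall itself except DHCP/DNS. Whichever product you use, verify it from a guest host by trying to reach the ESXi management IP; if that answers, the guest can eventually own the firewall VM.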
 
Thanks for all the replies! Between being sick and working extra time (to catch up from being sick) I haven't had much "project" time until yesterday.

I set up an Untangle VM (no pfSense) as a test and was able to route between a couple different VLANs set up on a couple different vSwitches. I haven't tied it back to anything physical yet but it seems to be doing everything I need / want. The only downside is that I need a physical NIC and switch port for each VLAN but that is doable.
You don't need to give each VLAN a separate vSwitch, you can use one vSwitch and create multiple port-groups instead ;)
 
You don't need to give each VLAN a separate vSwitch, you can use one vSwitch and create multiple port-groups instead ;)

Interesting - I will look into this. Can I then assign physical NICs to the various port groups on the same vSwitch?
 
I got Untangle configured just about the way I wanted it in my test setup and was getting ready to migrate the VM over to "production" when I realized that Untangle does not have any bandwidth control features unless you buy the $170/year Bandwidth Control package.

So now I'm back to using pfSense, which honestly I think will be better in the long run. My primary reason for wanting Untangle was for the content filtering feature which I think I will be able to accomplish with OpenDNS and SquidGuard.

Let the testing continue...
 
Hi Martian,

I use pfSense and Untangle in a prod environment. You're right when you say that pfSense is a security suite and Untangle a UTM system.

I successfully use both, back to back, to provide me a solution like a SonicWall TZ-210 with CGSS enabled.

It's working well on ESXi with VoIP enabled.

Best regards

Martin
 
Why not use Astaro Security Gateway? Effectively combines both. I run it under ESXi 5.x with zero issues.
 
Or I just use Untangle. ;)

It wasn't as simple as just unchecking it. You had to flip it a couple times (or something; it's been 6 months). Else it would use a ton of CPU under load when it shouldn't.
Works fine now, untick box and voila.
 
I run both PFSense and Untangle at home on ESXi 5.0. Like others have suggested, the key is using VLAN-based NICs in vSphere, not trying to pass tagged traffic to a VM. I run many VLANs at home without any issue.
 
Not in this case but I have no problems passing a VLAN trunk from a vDS to pfSense and doing the tagging on the pfSense VM.
 