Month: April 2016

Way to go Time Warner!

Semi-pleasant surprise today. We had a modem connected up for a client and strange things started happening. Applications were failing, a few users were complaining, and the internet was downright wonky.

So I remote in to one of the client’s computers and start poking around. Everything is normal till I run an ipconfig. Are those IPv6 addresses on the Ethernet interface? It’s not a MAC address… It’s not fe80 link-local…

Okay, open Google and check the public address:

Your IPv6 Address Is: redacted
Your IP Details:
ISP: Time Warner Cable
Services: None Detected
City: redacted
Region: redacted
Country: United States

Holy frickin crap the modem pulled IPv6

The PCs pulled IPv6


Well sort of. We still have services to migrate to v6. The client isn’t v6 ready, which caused all the wonkiness in the network. So unfortunately we had to request switching to IPv4 only service at this site, but I’m still ridiculously excited.
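Two things are going on in the story above: telling a global address apart from the fe80 link-local one every interface has, and understanding why hosts that suddenly hold a global IPv6 address start misbehaving against services that are not v6-ready. The script below is an added example, not code from the original post: it parses a constructed ipconfig dump (the 2001:db8::/32 addresses are the RFC 3849 documentation range standing in for the real, redacted prefix), classifies each address by scope, and then applies a deliberately simplified version of RFC 6724 destination selection (an assumption of this example, not a full implementation) to show that a host with a global IPv6 source will try a dual-stack destination's IPv6 address first.

```python
"""Added example (not from the original post): classify what an ipconfig
dump actually shows and why a host that has just pulled a global IPv6
address starts trying IPv6 first.  The ipconfig text is constructed for
this example; the 2001:db8::/32 addresses are the RFC 3849 documentation
range standing in for the real (redacted) prefix, and prefers_ipv6() is a
deliberate simplification of RFC 6724, not a full implementation."""
import ipaddress

# Constructed ipconfig-style output (not a real capture).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5600:a1b2:c3d4:e5f6:1
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5600:3c9f:8b2e:7d1a:42
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:1%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""

# IPv6 scopes by prefix (RFC 4291, RFC 4193), checked in order.
SCOPES = [
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("fc00::/7"), "unique-local (RFC 4193, not routable)"),
    (ipaddress.ip_network("ff00::/8"), "multicast"),
    (ipaddress.ip_network("2000::/3"), "global unicast"),
]


def ipv6_scope(addr):
    for net, name in SCOPES:
        if addr in net:
            return name
    return "other/reserved"


def classify(addr):
    """Human-readable scope for an IPv4 or IPv6 address object."""
    if addr.version == 6:
        return ipv6_scope(addr)
    if addr.is_link_local:
        return "link-local (APIPA)"
    return "private (RFC 1918)" if addr.is_private else "public"


def parse_ipconfig(text):
    """Return (label, address) pairs for every address in an ipconfig dump.
    Continuation lines (a second default gateway) inherit the last label;
    subnet masks are not addresses and are skipped."""
    entries, label = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ": " in line:
            label, value = line.rsplit(": ", 1)
            label = label.rstrip(" .")
        else:
            value = line
        if "mask" in label.lower():
            continue
        value = value.split("%", 1)[0]          # drop the Windows zone index (%12)
        try:
            entries.append((label, ipaddress.ip_address(value)))
        except ValueError:
            continue                            # adapter names and other text
    return entries


def global_ipv6_sources(entries):
    """Global-unicast IPv6 addresses the host can use as a source."""
    return [a for _, a in entries
            if a.version == 6 and ipv6_scope(a) == "global unicast"]


def prefers_ipv6(entries, dest_v6):
    """Simplified RFC 6724 destination selection (an assumption of this
    example): with the default policy table a native global IPv6
    destination outranks IPv4 whenever the host has a usable global IPv6
    source.  Once the ISP hands out global addresses, every dual-stack
    name gets its AAAA answer tried first; an application without Happy
    Eyeballs (RFC 6555) waits for that attempt to fail before falling back
    to IPv4, which is the kind of wonkiness a v6-unready site sees."""
    if dest_v6 is None or not global_ipv6_sources(entries):
        return False
    return ipaddress.ip_address(dest_v6) in ipaddress.ip_network("2000::/3")


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    for label, addr in found:
        print(f"{label:24} {str(addr):42} {classify(addr)}")
    print("tries IPv6 first for a dual-stack destination:",
          prefers_ipv6(found, "2001:db8:ffff::10"))
```

Run it and the two 2001:db8 addresses come back as global unicast while fe80::1 and the interface's own fe80 address are link-local; feed the same entries to `prefers_ipv6()` with a global IPv6 destination and it returns True, which is the state the client's PCs were in once the modem handed out v6. Remove the global addresses (or request IPv4-only service, as the post did) and it returns False.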

I may be overdoing it a bit, but I don’t get to see this often. I primarily deal with Charter-Spectrum and Comcast. Both companies do their job well; however, I have yet to see a native IPv6 pull from either one. Both claim to have a large v6 footprint. I’ve talked to both companies too many times in reference to public-facing modem IPs when helping people set up web servers or remote services, and it’s always public v4 or a private 10-dot address behind ISP carrier-grade NAT. So, all three companies say they have rolled out v6, but, in my experience, I’ve only seen v6 from Time Warner.

We need this. We’re out, straight up out, of IPv4 under ARIN. Business is not propelling the v6 migration, but we know why. Everyone has said it and I’m going to say it again: there’s no return on investment for IPv6. Developers don’t want v6; it’s extra work. Standards aren’t doing it; instead, the IETF has spent all its time trying to fix old problems instead of pushing innovation. Someone has to drive this.

I want the ISPs to be the bigger people and force it.

I’m not saying do it overnight. I want to see ISPs quietly phase in dual-stack and then set reasonable end-of-service dates for IPv4. I know that puts a financial burden on the ISP, but it’s the ISPs who seem set to profit the most from the resale of reclaimed IPv4 blocks anyway. I don’t see ISPs doing that at the moment, but tripping over a native public v6 address today has restored my hope.

Time Warner, thank you for giving me an awesome Friday and inspiring me to continue to be an IPv6 Evangelist.

Untangle NG Firewall

Jeez, I’ve been teasing this post for a long time.

I think this is the coolest solution since sliced bread, but that’s only because it’s true. Per Untangle: “Untangle’s NG Firewall enables you to quickly and easily create the network policies that deliver the perfect balance between security and productivity.”

We have all heard it before for super-object-x-v127.6, right? Hey, it may be true, but the price tag is in the millions, or you’re going to have to hire an overpaid consultant to run the thing, or at best it’s terribly unstable.

Well, this isn’t the case for the Untangle Firewall.

That’s because it’s not just a firewall. Untangle is a beautifully written software suite that takes a whole mess of security functions and puts them in one place. Seriously, this thing is a *deep breath* Firewall, IPS, Phish Blocker, Virus Blocker, Ad Blocker, Application Controller, Web Filter, SSL Inspector, Bandwidth Controller, Load Balancer, Fail-over Controller, Web Cache, Captive Portal Controller, and IPsec and OpenVPN endpoint. <== Do you see that? It’s ridiculous. Best of all, I turned every single feature on in an economy hardware build, and the tower just yawns at the challenge. That’s right, Untangle Firewall can do all that stuff without breaking a sweat.

And it even looks nice! All the applications are lined up in a graphical rack. Yep, a rack, a server rack. You move apps in and out of the rack based on the features you want. A power button turns each feature on and off, and each app has a myriad of different settings and tweaks.

But does it work?

The firewall was easiest to test. Now, keep in mind, if you are NATing at the Untangle device, the firewall shouldn’t need a whole lot of tuning: a stateful NAT only forwards inbound packets that belong to a connection a LAN host opened, so most sad attempts to hop through onto your LAN die there anyway. (NAT is not a substitute for a firewall, though; it does nothing for outbound policy or for anything you port-forward.) So I put mine in bridge mode, retuned my network, and gave the firewall real rules. It did its job fine. Now, this isn’t a hard job. My 20-year-old PIX can do that part. My PIX was also thousands of dollars when Cisco pushed it onto the market. Untangle is FREE. Well, FREEMIUM.

Web Filter is solid. Pick the categories you want to include in the block list, whitelist or blacklist any exceptions, and go have a beer. You deserve it. What’s really nice is the low rate of false positives. I’ve fixed two false positives. Both times it thought it had found porn, and both times I imagine interesting cookies were involved. I don’t blame Untangle in either case.

Virus Blocker is awesome. I don’t have any viruses lying around, but I pulled a few defanged baddies through, compiled them, and tried to push them around. It caught all the (old) viruses, but it did let through the anti-virus test files I’ve collected. I don’t know if that’s cause for alarm on the AV vendors’ part or on Untangle’s. Probably the AV vendors’, as I believe Symantec and McAfee are 99% unicorn tears anyway. I can tell you that the UT boxes I monitor in major deployments have a steadily ticking viruses-blocked counter, occasionally corroborated by users who complain they can’t get into their poker tournament site.

Email security is harder to test. I’m a huge proponent of keeping email on the web and in a browser, so I really don’t have a good way to test these.

IPS is pretty standard. I haven’t set it up yet, and likely won’t until I finish building my packet capture box (I smell a future post). There are a crap ton of rules in there. The default comes with your standard “stuff people shouldn’t be doing” rules turned on, but there are an awesome number of nerd-knobs to tweak in this app.

OpenVPN and IPsec VPN just work. IPsec takes a bit more config, but OpenVPN takes literally about five clicks to stand up a tunnel. Best of all, I’ve never seen one drop since they revised their VPN app in version 9.


This is an incredibly versatile box. I work with eight different Untangle Firewalls ranging from version 9 to (finally) 12. Each deployment has a different use case. Some are WAN links, others provide server security to a range of different servers, and yet others are doing basic routing tasks, but every single one of them is also carrying the Firewall, IPS, Spam/Phish, and Web Filter apps.

This device fits excellently on a school network or in a small- to medium-sized business that needs a reliable and cheap WAN solution. I’ve played with both the IPsec VPN and the OpenVPN. With over six years of collective run time, I haven’t seen a single VPN link drop or a stream fail to decrypt. And if you need a public face for management or whatever tickles your fancy, Dynamic DNS has its own configuration page in the admin console.

I even have this thing doing security in my own home. I’m quite comfortable with it. In bridge mode, it’s super easy to use. I even have it doing ad hoc parental controls.

But Untangle Firewall has its limits.

This device isn’t a router. If you spend $100 on a half-decent Wi-Fi router there’s a very good chance you will get support for RIP, but not here; this isn’t a router. While the Untangle device can do basic static routing, that feature is designed to help the firewall fit into a network, not to replace a router. The firewall also seems quite vulnerable to DoS attacks. If you turn on all those features, you start to see an extra millisecond or two of latency past 150 Mbps on an interface. All my builds are gigabit, so I imagine this is where we pay the price for doing in software what the big brands do in ASICs. I don’t have the hardware to DDoS it myself, but I imagine VoIP quality will begin to suffer around 500 Mbps.

Oh wait, I forgot about the QoS. The QoS engine in this thing is rock solid too. I remember training for tech support: “VoIP is the least tolerant of loss and jitter.” But if you tell Untangle to do VoIP QoS, you will notice internet issues way before phone problems. It’s a good box.

Now, it is a single point of failure; we’re used to that, though. Security has been the aggregation of all streams for quite some time. While there are solutions to this vulnerability, you’re going to drop serious dough on them. I’m okay with a single point on the Untangle. I put the hardware together, I configured it, I ran the backup. I know this thing inside and out. If it dies, I’ll unplug the Ethernet from one Untangle and plug it into an identically prepared twin. Worst case, I slide a gigabit NIC into a PC collecting dust and slap together the install in an hour. Load in the backup, and voila! Even the VPN tunnels stand back up on their own.

The other issue I have with Untangle is the lack of a sync function. I manage quite a few of these bad boys; it would be awesome if they synced app changes between themselves. Untangle told me they are not ruling it out, but it’s not in the works right now. Dear Untangle: add this feature and prepare to rake in the dough!

Let’s talk Dollars

Nine-tenths of the features I listed earlier are free or have a very strong lite version. Untangle doesn’t play games with their lite apps: I have just as much trouble cracking through the lite versions as I do the full versions. The full versions, however, have way more tuning knobs to get things just right.

Even with the cost of the full-featured apps, Untangle is really cheap to run. The starting full package is $50 a month for up to 25 hosts, $300 for 250, $750 for 1,000, $1,200 for unlimited, and there are plenty of packages in between. You also have the option of purchasing only the features you want. But you don’t have to spend a cent! You can cobble together a PC with two GigE ports for about $200 and install the Untangle Firewall. All the best features and updates come free! I dare you to go to Cisco and try to get a firewall for $200. Even if they sold you a dying ASA, which they won’t, you would need a specialist administrator to run it.

Untangle also sells a variety of hardware solutions for those who don’t want to chance having issues with a build-your-own scenario. Details, here!


Untangle 12 OS

That was the easiest version upgrade ever. Clicked upgrade, and a while later I had a new, but familiar, interface. On previous releases it was an entire OS rewrite: Untangle released a new version, you burned the image to a disk, popped it in the tray, and walked through a familiar Debian-style install. Further, there were some OpenVPN changes that slightly raised the difficulty of migrating from UT v9 to UT v10. Upgrading from v11 to v12 was nothing like the others. We pre-prepped a twin UT box by exporting a backup from the production box and restoring the twin from that file. Next we pressed the upgrade button on the twin to initiate the upgrade to v12. An hour later, it was ready. It took about another hour to make sure no settings were lost, and then we swapped it out. Didn’t use change management, didn’t give advance notice, just “Hey, we’re going to take down the network at 6; looks like about half an hour.” Bull. We were down for 3 minutes. Three frickin’ minutes. Users told me it was the shortest maintenance we’ve ever had. Okay, on to the big new v12 feature.

Holy awesome, Batman, this dashboard is sweet! I would include lots of pretty images, but I don’t feel like scrubbing all my IPs off the pictures, so you can find them here. This is so intuitive. I can now choose which reports I want graphed and over what period, and it just compiles them into beautiful graphs. It’s not quite the depth of information you get from SNMP or NetFlow, but that’s not the niche I tend to find UT boxes in. It is, however, highly configurable. Go into the Reports tab, which they have conveniently moved from the rack to the sidebar, and build a report for whatever info you want to crunch. Want to watch in real time as Facebook traffic goes up? Build a report for it, collect your data, and take that info to management. What just happened? You, champ, just found return on investment in a firewall!
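What a “Facebook traffic over time” report boils down to is a group-by over session records: bytes per application per hour, plus the clients responsible. The script below is an added example, not code from the original post and not Untangle’s own report engine or export format; the session lines are constructed, and their layout (timestamp, client IP, application, bytes) is an assumption made for this example.

```python
"""Added example (not from the original post, and not Untangle's own
report engine or log format): turning firewall session records into the
per-application, per-hour series a dashboard report graphs.  The session
lines are constructed for this example and their layout (timestamp,
client IP, application, bytes) is an assumption."""
from collections import defaultdict
from datetime import datetime

# Constructed session log (not a real Untangle export).
SAMPLE_SESSIONS = """\
2016-04-15T09:05:12 10.0.5.21 Facebook 184320
2016-04-15T09:12:40 10.0.5.33 Office365 921600
2016-04-15T09:40:03 10.0.5.21 Facebook 409600
2016-04-15T10:02:55 10.0.5.40 Facebook 1048576
2016-04-15T10:15:19 10.0.5.33 Office365 512000
2016-04-15T10:48:27 10.0.5.21 Facebook 2097152
2016-04-15T11:03:44 10.0.5.51 YouTube 5242880
2016-04-15T11:30:01 10.0.5.40 Facebook 3145728
"""


def parse_sessions(text):
    """One (timestamp, client, app, bytes) tuple per log line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, app, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, app, int(nbytes)))
    return records


def bytes_per_hour(records):
    """{app: {'YYYY-MM-DD HH:00': bytes}}, the data behind a
    traffic-over-time graph."""
    series = defaultdict(lambda: defaultdict(int))
    for ts, _, app, nbytes in records:
        series[app][ts.strftime("%Y-%m-%d %H:00")] += nbytes
    return {app: dict(hours) for app, hours in series.items()}


def app_trend(series, app):
    """Chronological (hour, bytes) points for one application."""
    return sorted(series.get(app, {}).items())


def top_talkers(records, app, n=3):
    """Clients moving the most bytes for one application, largest first:
    the list you take to management next to the graph."""
    totals = defaultdict(int)
    for _, client, a, nbytes in records:
        if a == app:
            totals[client] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_SESSIONS)
    for hour, total in app_trend(bytes_per_hour(recs), "Facebook"):
        print(f"{hour}  {total / 1_000_000:7.2f} MB")
    print(top_talkers(recs, "Facebook"))
```

On the constructed sample, Facebook climbs from about 0.6 MB in the 09:00 hour to about 3.1 MB in each of the next two, and `top_talkers()` names the two clients behind it. Swap in a real session export with the same four fields and the functions give you the per-hour series and the per-client totals a dashboard widget would plot.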

I hate to end on a cliffhanger, but I have no way to end this post without doing Untangle an injustice. Go, go now! Get one! Or fifteen!

Download NG Firewall