Untangle NG Firewall

Jeez, I’ve been teasing this post for a long time.

I think this is the coolest solution since sliced bread, but that’s only because it’s true. Per untangle.com “Untangle’s NG Firewall enables you to quickly and easily create the network policies that deliver the perfect balance between security and productivity.”

We have all heard it before for super-object-x-v127.6, right? Hey, it may be true, but the price-tag is in the millions or you’re going to have to hire an overpaid consultant to run the thing or at best it’s terribly unstable.

Well, this isn’t the case for the Untangle Firewall.

That’s because it’s not just a Firewall. Untangle is a beautifully written software suite which capitalizes on taking a whole mess of security functions and putting them in one place. Seriously, this thing is a *deep breath* Firewall, IPS, Phish Blocker, Virus Blocker, Ad Blocker, Application Controller, Web Filter, SSL Inspector, Bandwidth Controller, Load Balancer, Fail-over Controller, Web Cache, Captive Portal Controller, and IPsec and OpenVPN node. <== Do you see that? It’s ridiculous. Best of all, I turned every single feature on in an economy hardware build, and the tower just yawns at the challenge. That’s right, Untangle Firewall can do all that stuff without breaking a sweat.

And it even looks nice! All the applications are lined up in a graphical rack. Yep, a rack, a server rack. You move apps in and out of the rack based on the features you want. A power button turns the feature on and off and each app has a myriad of different settings and tweaks.

But does it work?

The firewall was easiest to test. Now, keep in mind, if you are NATing at the Untangle device, the firewall shouldn’t need a whole lot of tuning; NAT should stop most sad attempts to hop through onto your LAN. So I put mine in bridge mode, retuned my network, and gave the firewall real rules. It did its job fine. Now, this isn’t a hard job. My 20 year old PIX can do that part. My PIX was also thousands of dollars when Cisco pushed it onto the market. Untangle is FREE. Well, FREEMIUM.

Web Filter is solid. Pick the categories you want to include, white list or black list any exceptions and go have a beer. You deserve it. What’s really nice is the low rate of false positives. I’ve fixed 2 false positives. Both times it thought it found porn and both times I imagine interesting cookies were involved. I don’t blame the Untangle in either case.
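The category-plus-exceptions model described above is easy to get wrong in practice, so here is an added illustration of how that decision logic fits together. This is example code, not Untangle’s implementation: the category table, the exception lists, the constructed false positive, and the precedence order (allow list first, then block list, then category verdict) are all assumptions made for the example.

```python
"""Web-filter decision logic: category blocking with allow/block exception
lists taking precedence.  Added example, not Untangle's own code.  The
category feed, policy and hosts below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample category feed (host -> category).  A real feed has
# millions of entries; this stands in for it.
CATEGORY_DB: Dict[str, str] = {
    "news.example.com": "news",
    "poker.example.net": "gambling",
    "adult.example.com": "pornography",
    # Constructed false positive: a family photo site mis-categorized.
    "photos.example.com": "pornography",
}


def _normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def _suffix_match(host: str, entries: Set[str]) -> Optional[str]:
    """Return the most specific entry that equals host or is a parent domain of it."""
    host = _normalize(host)
    best = None
    for entry in entries:
        entry = _normalize(entry)
        if host == entry or host.endswith("." + entry):
            if best is None or len(entry) > len(best):
                best = entry
    return best


def lookup_category(host: str) -> str:
    """Walk from the full host up through its parent domains so that
    www.poker.example.net inherits the category of poker.example.net."""
    labels = _normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


@dataclass
class WebFilterPolicy:
    blocked_categories: Set[str]
    allow_list: Set[str] = field(default_factory=set)  # exceptions that pass
    block_list: Set[str] = field(default_factory=set)  # exceptions that block

    def decide(self, host: str) -> Tuple[str, str]:
        """Return (action, reason).  Assumed precedence: allow list first, so an
        operator can clear a false positive without touching the category feed;
        then block list; then the category verdict."""
        hit = _suffix_match(host, self.allow_list)
        if hit:
            return ("allow", f"allow-list:{hit}")
        hit = _suffix_match(host, self.block_list)
        if hit:
            return ("block", f"block-list:{hit}")
        category = lookup_category(host)
        action = "block" if category in self.blocked_categories else "allow"
        return (action, f"category:{category}")


# Constructed policy: block gambling and porn, pass the mis-categorized site,
# and block one extra domain the categories would otherwise let through.
HOME_POLICY = WebFilterPolicy(
    blocked_categories={"gambling", "pornography"},
    allow_list={"photos.example.com"},
    block_list={"timewaster.example.org"},
)


def evaluate(policy: WebFilterPolicy, hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of requested hosts, returning (host, action, reason)."""
    return [(h, *policy.decide(h)) for h in hosts]


if __name__ == "__main__":
    sample = ["news.example.com", "www.poker.example.net", "photos.example.com",
              "cdn.timewaster.example.org", "unknown.test"]
    for host, action, reason in evaluate(HOME_POLICY, sample):
        print(f"{action:5} {host:28} {reason}")
```

The reason string is the part worth keeping in a log: when a user reports a block, “category:pornography” versus “block-list:…” tells you immediately whether to fix the exception list or open a ticket with the category vendor.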

Virus Filter is awesome. I don’t have any viruses laying around, but I pulled a few defanged baddies through, compiled them, and tried to push them around. It caught all the (old) viruses, but it did let through the anti-virus test files I’ve collected. I don’t know if that’s cause for alarm on the AV vendors’ part or for the Untangle box. Probably the AV vendors…as I believe Symantec and McAfee are 99% unicorn tears anyways. I can tell you that the UT boxes I monitor in major deployments have a steadily ticking viruses-blocked counter, occasionally corroborated by the users who complain they can’t get into their poker tournament site.

Email security is harder to test. I’m a huge proponent of keeping email on the web and in a browser, so I really don’t have a good way to test these.

IPS is pretty standard. I haven’t set it up yet, and likely won’t until I finish building my packet capture box (I smell a future post). There are a crap ton of rules in there. The default comes with your standard “stuff people shouldn’t be doing” turned on, but there are an awesome number of nerd-knobs to tweak in this app.

OpenVPN and IPsec VPN just work. IPsec takes a bit more config, but it takes literally like 5 clicks to stand up a VPN tunnel. Best of all, I’ve never seen one drop since they revised their VPN app in version 9.


This is an incredibly versatile box. I work with 8 different Untangle Firewalls ranging from version 9 to (finally) 12. Each deployment has a different use case. Some are WAN links, others provide server security to a range of different servers, yet others are doing basic routing tasks and every single one of them is also carrying the Firewall, IPS, Spam/Phish, and Web Filter.

This device fits excellently on a school network or in a small-to-medium sized business with a need for a reliable and cheap WAN solution. I’ve played with both the IPsec VPN and the OpenVPN. With over 6 years collective run time, I haven’t seen a single VPN link drop or decrypt the streams. And if you need a public face for management or whatever tickles your fancy, the Dynamic DNS has its own configuration page in the admin console.

I even have this thing doing sec in my own home. I’m quite comfortable with it. In bridge mode, it’s super easy to use. I even have it doing ad hoc parental controls.

But, Untangle Firewall has its limits.

This device isn’t a router. If you spend $100 on a half decent Wi-Fi router there’s a very good chance you will get support for RIP, but not here; this isn’t a router. While the Untangle device can do basic static routing, that feature is designed to help the firewall better fit into a network. The firewall also seems quite vulnerable to DoS attacks. If you turn on all those features, you start to see a few extra milliseconds of latency past 150Mbps on an interface. All my builds are gigabit, so I imagine this is where we pay the price for doing in software what is done on ASICs in the big brands. I don’t have the hardware to DDoS it myself, but I imagine VoIP quality will begin to suffer around 500Mbps.

Oh wait, I forgot about the QoS. The QoS engine in this thing is rock solid too. I remember training for tech support: “VoIP is the least tolerant of loss and jitter.” But if you tell Untangle to do VoIP QoS, you will notice internet issues way before your phone problems. It’s a good box.

Now, it is a single point of failure; we’re used to that, though. Security has been the aggregation of all streams for quite some time. While there are solutions to this vulnerability, you’re going to drop serious dough on them. I’m okay with a single point on the Untangle. I put the hardware together, I configured it, I ran the backup. I know this thing in and out. If it dies, I’ll unplug the ethernet from one Untangle and plug it into an identically prepared twin. Worst case, I slide a Gbit NIC into a PC collecting dust and slap together the install in an hour. Load in the backup, and voilà! Even the VPN tunnels stand back up on their own.

The other issue I have with Untangle is the lack of a sync function. I manage quite a few of these bad boys; it would be awesome if they sync’d app changes between themselves. Untangle told me they are not ruling it out, but it’s not in the works right now. Dear Untangle, add this feature and prepare to rake in the dough!
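Until a sync feature exists, the practical risk of the “identically prepared twin” approach above is silent drift: someone flips a setting on the primary and the spare quietly falls behind. The following is an added example of a drift check an operator could run between two settings exports; it is not Untangle’s tooling. It assumes each box’s settings can be exported as a JSON document (the two documents here are constructed samples with an invented layout), walks both trees, and reports every differing key path, flagging a security app that is switched off on one side as the drift that matters most.

```python
"""Config-drift check between two firewall settings exports.  Added example,
not Untangle's own tooling: the JSON layout and both documents below are
constructed samples standing in for a primary box and its hand-built twin."""
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed export from the primary box.
PRIMARY_EXPORT = json.dumps({
    "hostname": "ut-primary",
    "version": "12.0",
    "apps": {
        "web-filter": {"enabled": True,
                       "blockedCategories": ["gambling", "pornography"],
                       "passSites": ["photos.example.com"]},
        "ips": {"enabled": True, "ruleSets": ["default", "policy"]},
        "openvpn": {"enabled": True, "remoteClients": ["laptop-1", "laptop-2"]},
    },
})

# Constructed export from the twin, prepared a while ago and never resynced.
TWIN_EXPORT = json.dumps({
    "hostname": "ut-twin",
    "version": "12.0",
    "apps": {
        "web-filter": {"enabled": True,
                       "blockedCategories": ["gambling"],
                       "passSites": ["photos.example.com"]},
        "ips": {"enabled": False, "ruleSets": ["default", "policy"]},
        "openvpn": {"enabled": True, "remoteClients": ["laptop-1"]},
    },
})

# Key paths that legitimately differ between twins and should not be flagged.
IGNORED_PATHS: Set[str] = {"hostname"}

Diff = Tuple[str, Any, Any]  # (dotted.path[index], primary value, twin value)


def diff_settings(a: Any, b: Any, path: str = "") -> List[Diff]:
    """Recursively compare two JSON-like trees; return one entry per differing
    leaf.  A key or list element present on only one side shows up as None."""
    diffs: List[Diff] = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            sub = f"{path}.{key}" if path else key
            diffs.extend(diff_settings(a.get(key), b.get(key), sub))
    elif isinstance(a, list) and isinstance(b, list):
        for i in range(max(len(a), len(b))):
            av = a[i] if i < len(a) else None
            bv = b[i] if i < len(b) else None
            diffs.extend(diff_settings(av, bv, f"{path}[{i}]"))
    elif a != b:
        diffs.append((path, a, b))
    return diffs


def _ignored(path: str, ignore: Set[str]) -> bool:
    return any(path == p or path.startswith(p + ".") or path.startswith(p + "[")
               for p in ignore)


def drift_report(primary_json: str, twin_json: str,
                 ignore: Set[str] = IGNORED_PATHS) -> List[Diff]:
    """Parse both exports and return the differences an operator must act on."""
    primary: Dict[str, Any] = json.loads(primary_json)
    twin: Dict[str, Any] = json.loads(twin_json)
    return [d for d in diff_settings(primary, twin) if not _ignored(d[0], ignore)]


def is_high_impact(path: str) -> bool:
    """A security app silently switched off on the spare is the worst drift:
    failing over would drop protection without anyone noticing."""
    return path.endswith(".enabled")


if __name__ == "__main__":
    for path, mine, theirs in drift_report(PRIMARY_EXPORT, TWIN_EXPORT):
        tag = "HIGH" if is_high_impact(path) else "info"
        print(f"[{tag}] {path}: primary={mine!r} twin={theirs!r}")
```

Run it from a cron job against fresh exports and alert on any HIGH line; an empty report is the only state in which the twin is actually a twin.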

Let’s talk Dollars

Nine-tenths of the features I listed earlier are free, or have a very strong lite version. Untangle doesn’t play with their lite apps. I have just as much trouble cracking through the lite versions as I do the full version. The full versions, however, have way more tuning knobs to get it just right.

Even with the cost of the full-featured apps, the Untangle is really cheap to run. The starting full package is $50 a month for up to 25 hosts, $300 for 250, $750 for 1000, $1,200 for Unlimited, and plenty of packages in between. You also have the option of purchasing only the features you want. But you don’t have to spend a cent! You can cobble together a PC with two GigE ports for about $200 and install the Untangle Firewall. All the best features and updates come free! I dare you to go to Cisco and try to get a firewall for $200. Even if they sold you a dying ASA, which they won’t, you would need a special administrator to run it.

Untangle also sells a variety of hardware solutions for those who don’t want to chance having issues with a build-your-own scenario. Details, here! http://www.untangle.com/untangle-ng-firewall/appliances/


Untangle 12 OS

That was the easiest version upgrade ever. Clicked upgrade and a while later I had a new, but familiar, interface. On previous releases it was an entire OS rewrite: Untangle released a new version, you burned the image to a disk, popped it in the tray and walked through a familiar Debian-style install. Further, there were some issues with OpenVPN changes which slightly raised the difficulty in migrating from UT v9 to UT v10. Upgrading from v11 to v12 was nothing like the others. We pre-prepped a twin of a backed-up UT box by exporting a backup and restoring the twin from the file. Next we pressed the upgrade button on the twin to initiate the upgrade to v12. An hour later, it was ready. Took about an hour to make sure no settings were lost and swapped it out. Didn’t use change management, didn’t give advance notice, just “Hey, we’re going to take down the network at 6, looks like about half an hour.” Bull. We were down for 3 minutes. Three frickin’ minutes. Users told me it was the shortest maintenance we’ve ever had. Okay, onto the big new v12 feature.

Holy Awesome Batman, this Dashboard is sweet! I would include lots of pretty images, but I don’t feel like scrubbing all my IPs off the pictures, so you can find them here. This is so intuitive. I can now choose which reports I want graphed data on and over what period and it just compiles it into beautiful graphs. It’s not quite the depth of information you get from SNMP or net-flow, but that’s not the niche I tend to find UT boxes in. It is, however, highly configurable. Go into the reports tab, which they have conveniently moved from the rack to the sidebar, and build a report for whatever info you want to crunch. Want to watch in real time as Facebook traffic goes up? Build a report for it, collect your data, and take that info to management. What just happened? You, champ, just found Return on Investment in a Firewall!

I hate to end on a cliff, but I have no way to end this post without doing Untangle an injustice. Go, Go now! Get one! Or Fifteen!


Download NG Firewall https://www.untangle.com/get-untangle/
