Untangle NG Firewall and Vlan Routing

Let’s face it, networks are complex beasts. No sooner than an admin thinks he or she has it all straight, something comes along and blows everything up. Sometimes with all the chaos the basics get lost in the shuffle. One such basic that’s come to the foreground recently in our support calls, is the subtle yet profound difference between a VLAN, and an IP network.

VLAN

A VLAN is a layer 2 separation. It is a concept with associated technology that allows an administrator to carve up a single physical network switch, or multiple physical network switches, into logical switches. That’s it! You’re simply taking a big switch and making smaller ones for some purpose. It’s important to note that there is no IP addressing here, that’s layer 3. VLANs don’t care about layer 3!

IP Network

An IP Network is a layer 3 designation, completely virtual by nature and utterly dependent on someone else’s work. Unless you’ve had the privilege of setting up a network from scratch you’re usually using someone else’s numbering. And even if you do setup the network from scratch you’re usually relying on someone else’s defaults.

The Problem

To make matters more confusing, VLAN is easy to say. So, if you’ve carved your network into three IP networks, 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 and you’ve assigned these networks to operate on VLAN 1, VLAN 2, and VLAN 3 respectively, it’s very easy to refer to these networks as VLAN 1, 2, or 3. However, this easy to say reference can often impart confusion. Again, these two ideas work on different levels of the OSI model. When we say VLAN 1, we often mean the IP Network running on VLAN 1.

Continuing with the example above, if you want to have devices in the 192.168.1.0/24 network communicate with devices in the 192.168.2.0/24 network you need a router that has an interface in both networks to route the traffic between the two networks. The computers attached to each VLAN don’t care that they’re on a VLAN, they’re simply subject to the layer 2 separation defined by the VLAN. So when they need to communicate with a device on the other network, they’re going to reference their local routing table, and if no information is found, transmit the packets to the configured default gateway. It is possible via tagging to have a single physical interface on a switch, or device communicate with multiple VLANs. But, each tagged interface is a virtual interface, with a distinct IP address. Each network must be fully configured with an address, network mask, and gateway for packets to flow smoothly.

Untangle NG Firewall

Now, we bring in Untangle Firewall 10. This version of the software comes equipped with the ability to create virtual interfaces tagged for a specific VLAN. This feature is powerful, as it allows the Untangle server to have an interface on as many VLANs as required. However, use of it should come with caution! Going back to our example before, if Untangle NG Firewall has a single physical interface configured with three virtual interfaces for each VLAN, and those virtual interfaces in turn take the .1 address in each segment. Untangle NG Firewall has the ability to act as a router between segments, as well as provide Internet connectivity as it would operating as a router in an environment without a VLAN. However, all three networks are now physically limited to a single network interface, and the limitations imposed by it. It’s amazing how quickly you can run out of a gigabit of connectivity! Also, should something go wrong with this single physical interface all three networks lose connectivity. Conversely, Untangle NG Firewall can be configured without VLANs at all dedicating a single physical interface to each IP network. Untangle NG Firewall would then have three physical NICs each connected to a switch port configured to reside on each of the three VLANs. In this case, Untangle has no VLANs configured, yet it’s using the VLANs through the switch’s configuration. Now each interface has a gigabit of connectivity to work with, and if a single interface fails only connectivity to that specific network fails. It’s important to keep these conditions in mind when designing a network.

Solution

It’s important for any network administrator to know the difference between IP networking and VLAN’s. It’s difficult to communicate properly with upstream support when definitions get crossed. If an administrator contacts support reporting a connectivity loss on a given VLAN, it’s important that the administrator know what IP Network is operating on each VLAN, and how those VLANs are expected to communicate. If an Untangle NG Firewall is configured to route between two or more internal networks, and it has IP addresses on each network, this situation resolves itself by virtue of the router having a complete routing table naturally. However, if a layer 3 switch or another router is utilized to perform internal routing among networks, the Untangle NG Firewall now requires additional configuration in the form of static routes for each network beyond the second router. Without a proper default route path going from each device to the Untangle NG Firewall, and an appropriate return path within Untangle NG Firewall back to the device, packets won’t flow. These issues are very difficult to troubleshoot remotely. The difficulty can expand to near impossible if proper terminology isn’t maintained. Untangle NG Firewall is a wonderful product that’s bringing powerful UTM functionality in an easy to understand package. However, if the administrator isn’t careful it can also mire you in problems that you can’t express well enough to get help. Sometimes it pays to sit down with the book for a while. The alternative is lost sleep, grey hair, and a whole lot of frustration.

By Rob Sandling