Untangle Virtual Appliance on VMware
From UntangleWiki
Untangle currently supports virtualization through a running on Player, Server, or Workstation (also seems to work with Fusion for the Mac). The Untangle virtual appliance can be configured in two main ways:
-
- as a demo virtual appliance, suitable for installation on a laptop or desktop in order to have a working instance of the platform running inside your Windows or Linux OS for testing or demonstration purposes. This is supported using VMware Player, Server, or Workstation and requires only one physical network interface. Use this mode if you have only one physical network interface in your VMware host machine.
- as a production virtual appliance, to be used as a network gateway. This mode requires at least two physical network interfaces (three if you want or need an external DMZ). We recommend you use either VMware Server or VMware Workstation running on either a Windows or Linux server. Use this mode if you have two or more physical network interfaces that you can connect to external, internal and (optionally) DMZ networks.
Using VMware Server or VMware Workstation will allow you more functionality such as snapshots, multiple machines and greater control over your VMware environment.
if (window.showTocToggle) { var tocShowText = “show”; var tocHideText = “hide”; showTocToggle(); }
Step 1: Get and Install VMware Player, Server or Workstation
The VMware Player and Server software are available free of charge from
-
- For more information on installing or using VMware Player, see
- For more information on installing or using VMware Server, see
- For more information on installing or using VMware Workstation, see
- For more information on installing or using VMware Fusion, see
Install your VMware Player, Server or Workstation before proceeding!
-
- Note: If you are using a security suite and/or firewall on your host PC or Server, you may receive warnings when new virtual network adapters are detected during the installation of VMware Player or Server. You should indicate that these new virtual adapters are TRUSTED, allowing all connections.
This section explains the various ways to configure network interfaces on Windows-based and Linux-based VMware hosts using VMware’s Virtual Network Editor (on Windows) and the vmware-config.pl script (on Linux).
The way that you will configure network interfaces for your Untangle virtual appliance will differ depending on whether you are setting up a demo virtual appliance or a production virtual appliance.
-
- We suggest you use the demo virtual appliance if you are running VMware on a host with only a single physical network interface card.
- We suggest you use the production virtual appliance if you are running VMware on a host with at least two (three if using with an external DMZ) physical network interface cards that you can connect to external, internal and DMZ networks.
In either case, you will use the same VMware tools (the Virtual Network Editor or vmware-config.pl script) to create the virtual network devices in VMware. The only difference between demo virtual appliance and production virtual appliance is that the demo virtual appliance uses virtual network cards for the internal and DMZ networks and the production virtual appliance uses physical networks for the internal and DMZ networks by bridging to the VMware host’s physical network cards. Both modes bridge to a physical network card for the external network.
[
The following diagram illustrates the network topology including the default configuration of the Untangle VMware virtual appliance. For proper installation and configuration, this basic diagram should be well understood prior to setting up Untangle.
Figure, Untangle Network Overview Diagram
]
Step 2.2: Configure the VMware Network on Windows Hosts
Windows hosts use a tool that is common to all Windows-based installations of VMware: Virtual Network Editor.
How to run VMware’s Virtual Network Editor
To run this tool properly, you must be logged in as an administrator on the host PC or Server, or you must run the tool with administrative privileges. In the case of Windows Vista, for example, you must select the Run as Administrator option when right-clicking on the tool’s executable file, vmnetcfg.exe, which is located in the same directory as your VMware. If you installed in the default locations, the Virtual Network Editor’s path is:
-
- ..\Program Files\VMware\VMware Player\vmnetcfg.exe for VMware Player
- ..\Program Files\VMware\VMware Workstation\vmnetcfg.exe for VMware Workstation
- ..\Program Files\VMware\VMware Server\vmnetcfg.exe for VMware Server (VMware Server and Workstation may also install the tool in the appropriate program group on your start menu (Manage Virtual Networks), depending on the installation options selected.)
When logged in as an administrator, use the Run command from your START menu to run the tool, unless your host is Windows Vista. In Vista, you should navigate to the tool using Explorer, right-click the executable, then Run as Administrator.
Figure, Run the Virtual Network Editor
Note: From the VMware Server Console, you can also run the Virtual Network Editor by choosing Host > Virtual Network Settings.
Once you run the Virtual Network Editor, you should see something like the following:
Figure, VMware’s Virtual Network Editor
[
Step 2.2.1: Configure Windows Host for Demo Virtual Appliance
If you have more than one physical network interface on your Windows host (e.g. wired and wireless NICs), you may want to use physical network cards in production mode. If you have multiple physical network cards and you want to configure for Demo mode, please be sure to change VMnet0 from Bridged to an automatically chosen adapter to whichever physical network interface that will be connecting the Untangle virtual appliance to the external network. Do this by selecting the desired adapter from the drop-down list mapped to VMnet0.
If you have only one network interface on your Windows host, you will need to configure VMware networking for the demo virtual appliance. If you have more than one network interface on your Windows host, you can and probably should configure VMware networking for the production virtual appliance (please see the next section for the production mode setup).
- Navigate to the Host Virtual Adapters tab. From there, add a virtual adapter by clicking the Add button.
Figure, Host Virtual Adapters
- Select VMnet2 if it is not already shown, then click OK.
Figure, Adding a Virtual Adapter, VMnet2
Once done, you should see a New Device enabled on VMnet2:
Note: If setting up the Untangle virtual appliance to use a DMZ, follow the same procedure to add VMnet3.
- Next, disable DHCP for the virtual adapter you just added by navigating to the DHCP tab, selecting the New Device on VMnet2, and clicking the Remove button.
Figure, Remove DHCP for VMnet2
Note: If setting up the Untangle virtual appliance to use a DMZ, follow the same procedure to disable DHCP on VMnet3.
- Navigate to the Host Virtual Network Mapping tab. You will notice that the Virtual Network Editor allows you to map up to ten virtual network adapters, which are named VMnet0 through VMnet9. Notice also that VMnet1 and VMnet8 are already mapped-- you should not change these. They are reserved for use by VMware. You should see your New Device on VMnet2.
Figure, Host Virtual Network Mapping
- The following screen shot shows what the Host Virtual Network Mapping looks like after applying the above changes for both VMnet2 and VMnet3.
Figure, Demo Mode Host Virtual Network Mapping
Step 2.2.2: Configure Windows Host for Production Virtual Appliance
- If you have more than one physical network interface on your Windows host (e.g. wired and wireless NICs), you can setup your network for the Untangle virtual appliance to be a Production Virtual Appliance by selecting the physical network interface you want to use for your Internal and DMZ networks. In the following example, we have mapped the Internal network to the wireless network interface on our Windows host while the forcing the External network to be mapped to our Broadcom network interface on our Windows host (DMZ is not mapped or configured here):
- Configure VMnet0 to be mapped to the physical network adapter connected to the external network, e.g. the Internet, by selecting the appropriate adapter from the adjacent drop-down list.
- Configure VMnet2 to be mapped to the physical network adapter linking to your internal network.
- Optionally, you may also map VMnet3 to a DMZ.
Figure, Mapping Your Server Network Interfaces
- Click the Apply button, then click the OK button.
- Note: It is worth noticing that the only real difference between the Demo Virtual Appliance and the Production Virtual Appliance is that the Demo Virtual Appliance requires only one physical network adapter on the VMware host whereas the Production Virtual Appliance requires at least two physical network adapters on the VMware host. If you have multiple network interfaces on your VMware host, we recommend you use the Production Virtual Appliance.
- Note: To change an existing Demo Virtual Appliance to a Production Virtual Appliance, you must remove the Virtual VMnet2 and VMnet3 devices from the “Host Virtual Adapters” tab of the Virtual Network Editor and apply the changes before you can map VMnet2 and VMnet3 to physical network interfaces.
Step 2.3: Configure the VMware Network on Linux Hosts
Sorry. There are no pretty GUI’s here. Setting up VMware networks on Linux hosts requires root access to the command line. You will have met the other requirements upon successful installation of VMware Player, Server or Workstation. The following assumes a default installation of any of the above VMware products on Linux.
In our examples, the initial configuration of VMware networking is the default (however, your actual IP addresses will probably be different). For reference, here is our post installation VMware network setup:
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Linux hosts use a tool that is common to all Linux-based installations of VMware:
vmware-config.pl
How to run VMware’s vmware-config.pl script
To run this tool properly, you must be logged in as root on the host PC or Server. The vmware-config.pl script should be in the root user’s path. If it isn’t, you probably did something wrong during the installation and you should review your steps. If all else fails, you can use
find / -name "vmware-config.pl"
to find it.
Note: When the VMware Server Console is run from a Linux client, the menu item for the Virtual Network Editor under Host > Virtual Network Settings does not exist, regardless of the platform on which the VMware Server is running.
The Untangle virtual appliance requires only one physical network interface on your host PC. If you have only one network interface on your Linux host, you will need to configure VMware networking for the demo virtual appliance as is done in the following example by setting vmnet2 and vmnet3 to hostonly. The IP addresses are irrelevant because they are determined by the Untangle virtual appliance configuration but we will need to disable the VMware DHCP servers as stated below.
- Configure VMnet0 to be bridged to the physical network adapter connected to the external network, e.g. eth0.
- Configure VMnet2 to be a hostonly network for your internal network.
- Configure VMnet3 to be a hostonly network for your DMZ network.
It is worth noticing that the only real difference between the Demo Virtual Appliance and the Production Virtual Appliance is that the Demo Virtual Appliance requires only one physical network adapter on the VMware host whereas the Production Virtual Appliance requires at least two physical network adapters on the VMware host. If you have multiple network interfaces on your VMware host, we recommend you use the Production Virtual Appliance.
- To run the script, open a bash prompt/terminal/console and run (as root) the command:
vmware-config.pl
Once you run the vmware-config.pl script, you should see something like the following:
Making sure services for VMware Player are stopped.
Stopping VMware services:
Virtual machine monitor done
Blocking file system: done
Bridged networking on /dev/vmnet0 done
Host network detection done
DHCP server on /dev/vmnet1 done
Host-only networking on /dev/vmnet1 done
DHCP server on /dev/vmnet8 done
NAT service on /dev/vmnet8 done
Host-only networking on /dev/vmnet8 done
Virtual ethernet done
Configuring fallback GTK+ 2.4 libraries.
In which directory do you want to install the theme icons?
[/usr/share/icons]
...
You can continue with the defaults until you get to the network section as shown below.
- In this example, we chose to setup networking using the editor to create vmnet2 and vmnet3:
You have already setup networking.
Would you like to skip networking setup and keep your old settings as they are?
(yes/no) [yes] no
Do you want networking for your virtual machines? (yes/no/help) [yes]
Would you prefer to modify your existing networking configuration using the
wizard or the editor? (wizard/editor/help) [wizard] editor
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Do you wish to make any changes to the current virtual networks settings?
(yes/no) [no] yes
Which virtual network do you wish to configure? (0-99) 2
What type of virtual network do you wish to set vmnet2?
(bridged,hostonly,nat,none) [none] hostonly
Configuring a host-only network for vmnet2.
Do you want this program to probe for an unused private subnet? (yes/no/help)
[yes] no
What will be the IP address of your host on the private
network? 192.168.1.1
What will be the netmask of your private network? 255.255.255.0
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet2 is a host-only network on private subnet 192.168.1.0.
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Do you wish to make additional changes to the current virtual networks
settings? (yes/no) [yes]
Which virtual network do you wish to configure? (0-99) 3
What type of virtual network do you wish to set vmnet3?
(bridged,hostonly,nat,none) [none] hostonly
Configuring a host-only network for vmnet3.
Do you want this program to probe for an unused private subnet? (yes/no/help)
[yes] no
What will be the IP address of your host on the private
network? 192.168.2.1
What will be the netmask of your private network? 255.255.255.0
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet2 is a host-only network on private subnet 192.168.1.0.
. vmnet3 is a host-only network on private subnet 192.168.2.0.
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Do you wish to make additional changes to the current virtual networks
settings? (yes/no) [yes] no
Extracting the sources of the vmnet module.
...
This script continues on using the default settings you set during installation.
- After it completes, you should see that all your VMware services started up without errors.
-
Disable VMware’s DHCP Server on Hostonly Networks
When using hostonly networking, VMware starts a DHCP server for each hostonly network. This will conflict with your Untangle virtual appliance so they must be disabled.
To do so, go to your /etc/vmware directory. There you should see directories for your hostonly networks (vmnet2 and vmnet3). Within each should be a dhcpd directory where you can edit the dhcpd.conf file to disable dhcpd for that network. For example, in /etc/vmware/vmnet2/dhcpd/dhcpd.conf we comment out everything here:
#
# Configuration file for ISC 2.0b6pl1 vmnet-dhcpd operating on vmnet2.
#
# This file was automatically generated by the VMware configuration program.
# If you modify it, it will be backed up the next time you run the
# configuration program.
#
# We set domain-name-servers to make some DHCP clients happy
# (dhclient as configued in SuSE, TurboLinux, etc.).
# We also supply a domain name to make pump (Red Hat 6.x) happy.
#
allow unknown-clients;
default-lease-time 1800; # 30 minutes
max-lease-time 7200; # 2 hours
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.128 192.168.1.254;
option broadcast-address 192.168.1.255;
option domain-name-servers 192.168.1.1;
option domain-name "localdomain";
}
So that it looks like this:
#
# Configuration file for ISC 2.0b6pl1 vmnet-dhcpd operating on vmnet2.
#
# This file was automatically generated by the VMware configuration program.
# If you modify it, it will be backed up the next time you run the
# configuration program.
#
# We set domain-name-servers to make some DHCP clients happy
# (dhclient as configued in SuSE, TurboLinux, etc.).
# We also supply a domain name to make pump (Red Hat 6.x) happy.
#
# allow unknown-clients;
# default-lease-time 1800; # 30 minutes
# max-lease-time 7200; # 2 hours
#
# subnet 192.168.1.0 netmask 255.255.255.0 {
# range 192.168.1.128 192.168.1.254;
# option broadcast-address 192.168.1.255;
# option domain-name-servers 192.168.1.1;
# option domain-name "localdomain";
# }
- We do the same for /etc/vmware/vmnet2/dhcpd/dhcpd.conf and /etc/vmware/vmnet3/dhcpd/dhcpd.conf and then restart VMware with:
/etc/init.d/vmware restart
To verify, you can run the following command and make sure there are no dhcpd process on vmnet2 and vmnet3.
ps ax|grep vmnet-dhcpd
If you see something like the following for vmnet2 and/or vmnet3, your Untangle virtual appliance will not function properly:
7959 ? Ss 0:00 /usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet2/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet2/dhcpd/dhcpd.leases -pf /var/run/vmnet-dhcpd-vmnet2.pid vmnet2
7974 ? Ss 0:00 /usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet3/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet3/dhcpd/dhcpd.leases -pf /var/run/vmnet-dhcpd-vmnet3.pid vmnet3
[
The Untangle virtual appliance requires only one physical network interface on your host PC; however, if you have more than one network interface on your Linux host, you will probably want to configure VMware networking for the production virtual appliance as is done in the following example by setting vmnet2 and vmnet3 to bridged.
It is worth noticing that the only real difference between the Demo Virtual Appliance and the Production Virtual Appliance is that the Demo Virtual Appliance requires only one physical network adapter on the VMware host whereas the Production Virtual Appliance requires at least two physical network adapters on the VMware host. If you have multiple network interfaces on your VMware host, we recommend you use the Production Virtual Appliance.
- Configure VMnet0 to be bridged to the physical network adapter connected to the external network, e.g. eth0.
- Configure VMnet2 to be bridged to the physical network adapter connected to your internal network, e.g. eth1.
- Configure VMnet3 to be bridged to the physical network adapter connected to your DMZ network, e.g. eth2.
- To run the script, open a bash prompt/terminal/console and run the command:
vmware-config.pl
Once you run the vmware-config.pl script, you should see something like the following:
Making sure services for VMware Player are stopped.
Stopping VMware services:
Virtual machine monitor done
Blocking file system: done
Bridged networking on /dev/vmnet0 done
Host network detection done
DHCP server on /dev/vmnet1 done
Host-only networking on /dev/vmnet1 done
DHCP server on /dev/vmnet8 done
NAT service on /dev/vmnet8 done
Host-only networking on /dev/vmnet8 done
Virtual ethernet done
Configuring fallback GTK+ 2.4 libraries.
In which directory do you want to install the theme icons?
[/usr/share/icons]
…
You can continue with the defaults until you get to the network section as shown below.
- In this example, we chose to setup networking using the editor to bridge vmnet2 to eth1 and vmnet3 to eth2:
You have already setup networking.
Would you like to skip networking setup and keep your old settings as they are?
(yes/no) [no]
Do you want networking for your virtual machines? (yes/no/help) [yes]
Would you prefer to modify your existing networking configuration using the
wizard or the editor? (wizard/editor/help) [editor]
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Do you wish to make any changes to the current virtual networks settings?
(yes/no) [no] yes
Which virtual network do you wish to configure? (0-99) 2
What type of virtual network do you wish to set vmnet2?
(bridged,hostonly,nat,none) [none] bridged
Configuring a bridged network for vmnet2.
Your computer has multiple ethernet network interfaces available: eth1, eth2,
vmnet1, vmnet2, vmnet3, vmnet8. Which one do you want to bridge to vmnet2?
[eth0] eth1
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet2 is bridged to eth1
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Do you wish to make additional changes to the current virtual networks
settings? (yes/no) [yes]
Which virtual network do you wish to configure? (0-99) 3
What type of virtual network do you wish to set vmnet3?
(bridged,hostonly,nat,none) [none] bridged
Configuring a bridged network for vmnet3.
Your computer has multiple ethernet network interfaces available: eth2, vmnet1,
vmnet2, vmnet3, vmnet8. Which one do you want to bridge to vmnet3? [eth0] eth2
The following virtual networks have been defined:
. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.59.0.
. vmnet2 is bridged to eth1
. vmnet3 is bridged to eth2
. vmnet8 is a NAT network on private subnet 172.16.146.0.
Do you wish to make additional changes to the current virtual networks
settings? (yes/no) [yes] no
Extracting the sources of the vmnet module.
...
This script continues on using the default settings you set during installation.
- After it completes, you should see that all your VMware services started up without errors.
-
Disabling DHCP on bridged connections is not required since VMware disables DHCP services on all bridged connections.
The Untangle virtual appliance is provided in a .ZIP file available This zip archive file contains the Untangle virtual machine directory and all the files necessary to get the default Untangle virtual appliance running in VMware Player, Server or Workstation.
You may unzip the Untangle virtual appliance as soon as you are finished downloading. It will create a directory containing the files needed by VMware.
We recommend that you configure your VMware host's network interfaces as described above before powering on the Untangle virtual machine.
This is the easiest part! Because the Untangle virtual appliance is already configured for you, all you need to do is open the .VMX file that you downloaded from Untangle.
- In your VMware Player or Server, choose the menu options File > Open.
- Browse to the directory where you unzipped your Untangle virtual appliance.
- Open the .VMX file
- Complete the Setup Wizard (We recommend setting it up as a Router as opposed to a Transparent Bridge)
- Install your desired applications
- Go to Step 5 to setup your host to route through the Untangle virtual appliance
For detailed information about using your new Untangle software, see our ]
Step 5: Setup VMware Host to Route Through Untangle Virtual Appliance
Now that you have your Untangle virtual appliance setup and running, you may want your VMware host to route through the Untangle VMware machine. You can do this by forcing your VMware host machine (either Windows or Linux) to route through your Untangle virtual appliance. This requires us to "break" the direct route to the Internet through what is probably the device your Untangle virtual appliance is bridged to as vmnet0. This is only necessary if you want the VMware host to be protected by the Untangle server, or you want to allow the IP address which the VMware host is using to be used instead by the Untangle external interface, thus requiring only one 'external' (probably public) IP address. Following are instructions for doing this on both Linux and Windows based hosts.
Step 5.1: Change Routing on Your Windows VMware Host
Routing is not always easy to understand or configure but the following sections should get you going. The easiest way to reconfigure your Windows host to route through the Untangle virtual appliance is to "break" the networking on the shared external network interface and configure your Windows VMware host to route through the desired connection to the Untangle server. In this example:
- The RealTek network device that is mapped to VMnet0
- VMnet2 is connected to the Internal network that may be filtered, etc. (This is a Virtual connection in Demo mode and a bridged connection in Production mode)
- VMnet3 is connected to the DMZ network that typically bypasses filtering, etc. (This is a Virtual connection in Demo mode and a bridged connection in Production mode)
Following are the steps to accomplish this which are summarized as follows.
- Disable TCP/IP on the VMware host's physical network connection to the external network
- Enable automatic IP address and DNS configuration on VMnet2 for internal networking -or- enable automatic IP address and DNS configuration on VMnet3 for DMZ networking
- Disable TCP/IP on whichever network connection you do not want to use (either VMnet3 for DMZ or VMnet2 for Internal)
The instructions are slightly different for Demo Virtual Appliances and Production Virtual Appliances so follow the appropriate section for your configuration.
Here's one way you can accomplish this:
- If you have more than one physical network adapter (e.g. wired and wireless NICs), you must "break" the link for the physical adapter you mapped to VMnet0.
WARNING! After completing this step, you will not be able to connect to any network resources until successfully completing Step 4 including the appropriate configuration of the Untangle server.
To proceed, open Network Connections from your Control Panel, select your primary physical network interface, right-click and choose Properties.
Figure, Properties for Primary Network Connection
- Scroll to Internet Protocol (TCP/IP), and remove the check mark from the select box next to it , and then click the OK button.
Figure, TCP/IP Properties
This disables TCP/IP on your physical connection and forces the use of alternative routes that will be made available by your Untangle server.
-
- Then click OK button
- Then click OK button again
Step 5.1.2: Enable Untangle Routing through Your Demo Virtual Appliance on a Windows VMware Host
Note: These steps are required to force routing through the Untangle server for hosts configured in Demo mode. You must do only step "a" or step "b" below in order to force routing through the "internal" or "DMZ" network respectively.
- If you want to have your Windows host route via the Internal Untangle network, open Network Connections from your Control Panel, right-click on your VMware Network Adapter VMnet2 and choose Properties.
Figure, Properties for VMnet2 Network Connection
- Scroll to Internet Protocol (TCP/IP), select it, and click the Properties button.
Figure, VMnet2 TCP/IP Properties
- Select the Obtain an IP address automatically radio button.
- Select the Obtain DNS server address automatically radio button.
Figure, Obtain IP and DNS Automatically for VMnet2
- Then click OK button
- Then click OK button again
- Disable TCP/IP on VMnet3 as shown elsewhere on this page.
Note: If for any reason you are not able to disable TCP/IP, go into the TCP/IP properties and set a static IP with no gateway. For example, set the IP address to 169.254.5.10, and the Subnet mask to 255.255.0.0. Do not specify a gateway or any other information, and click OK.
- If you want to have your Windows host route via the DMZ Untangle network, open Network Connections from your Control Panel, right-click on your VMware Network Adapter VMnet3 and choose Properties.
Figure, Properties for VMnet3 Network Connection
- Scroll to Internet Protocol (TCP/IP), select it, and click the Properties button.
Figure, VMnet3 TCP/IP Properties
- Select the Obtain an IP address automatically radio button.
- Select the Obtain DNS server address automatically radio button.
Figure, Obtain IP and DNS Automatically for VMnet3
- Then click OK button
- Then click OK button again
- Disable TCP/IP on VMnet2 as shown elsewhere on this page.
Note: If for any reason you are not able to disable TCP/IP, go into the TCP/IP properties and set a static IP with no gateway. For example, set the IP address to 169.254.5.10, and the Subnet mask to 255.255.0.0. Do not specify a gateway or any other information, and click OK.
Appliance on a Windows VMware Host
Note: Fewer steps are required to force routing through the Untangle server for hosts configured in Production mode.
Since VMnet2 and VMnet3 will not show up in your Windows network connections, you will need to know which network each of your Local Area Network Connections is connected to (i.e. External, Internal, and DMZ). If you have set up your Windows based VMware host in production mode, you must choose only one of the bridged network connections to be used for your Windows host.
Since you have disabled TCP/IP on the network interface connected to your external network, you must enable only one of the interfaces connected to either the internal network or the DMZ network. You must disable TCP/IP on the interface you do not wish to use on your Windows VMware host.
The process is the same as the demo mode process except now you are enabling and disabling automatic IP and DNS configuration of TCP/IP on your Windows VMware host. These will show up as various Local Area Connections such as:
- Local Area Connection 2
- Local Area Connection 3
- etc.
You will need to know which is which as this varies from system to system then simply enable TCP/IP on the one you want to use and disable it on the one you do not want to use. In this example, our Local Area Connection 4 is connected to our Internal network. To force routing via the physical connection of Local Area Connection 4 we use another example. In this example:
- The RealTek network device that is mapped to VMnet0
- Local Area Connection 4 is connected to the Internal network that may be filtered, etc. (This is a Virtual connection in Demo mode and a bridged connection in Production mode)
- Local Area Connection 3 is connected to the DMZ network that typically bypasses filtering, etc. (This is a Virtual connection in Demo mode and a bridged connection in Production mode)
Following are the steps to accomplish this which are summarized as follows.
- Disable TCP/IP on the VMware host's physical network connection to the external network as in Step 5.1.1
- Enable automatic IP address and DNS configuration on Local Area Connection 4 for internal networking -or- enable automatic IP address and DNS configuration on Local Area Connection 3 for DMZ networking
- Disable TCP/IP on whichever network connection you do not want to use (either Local Area Connection 3 for DMZ or Local Area Connection 4 for Internal)
TCP/IP should already be configured properly for all your physical network connections, but you may have to disable TCP/IP on the External and DMZ connections if you want to route via the Internal network connection.
- We want to check our Local Area Connection 4 TCP/IP properties. We do this by opening the Network Connections from the Control Panel, right-clicking Local Area Connection 4, and choosing Properties
Figure, Local Area Connection 4 Properties
- Scroll to Internet Protocol (TCP/IP), and remove the check mark from the select box next to it , and then click the OK button.
Figure, Local Area Connection 4 TCP/IP Properties
- Select the Obtain an IP address automatically radio button.
- Select the Obtain DNS server address automatically radio button.
Figure, Obtain IP and DNS Automatically for Local Area Connection 4
- Then click OK button
- Then click OK button again
- Disable TCP/IP on your DMZ connection as shown elsewhere on this page.
Note: If for any reason you are not able to disable TCP/IP, go into the TCP/IP properties and set a static IP with no gateway. For example, set the IP address to 169.254.5.10, and the Subnet mask to 255.255.0.0. Do not specify a gateway or any other information, and click OK.
Linux varies a bit from distribution to distribution. Until we have complete instructions available for the different distributions, we will use bash to accomplish the task.
Again, there are no pretty GUI's here, which is typical of Linux servers. Setting up networks on Linux hosts requires root access to the command line.
To run the following commands properly, you must be logged in as root on the host PC or Server and open a bash prompt/terminal/console and run the command. If you are comfortable using different shells in Linux, feel free to translate as necessary on-the-fly as the basic commands should be identical.
- First you want to gather the existing routing information on your Linux host by running the route command. It should look something like the following. Here is an example routing table as shown by the
route -n
command:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet3
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet2
172.16.231.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
172.16.157.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.1.0.1 0.0.0.0 UG 0 0 0 eth0
- Now we need to adjust the routing. To do this, you need to be aware of which routes you want to break and which routes you want to create. Per our examples, we want to break our default route that is on our eth0 and setup the default route to come from the Untangle virtual appliance's Internal or DMZ network. The last line above has the UG flag, which indicates the default gateway. In this example, we want to stop routing through eth0 and start routing through vmnet2. We cannot down eth0 because it needs to be up for the VMware machines that bridge to it. We can change the IP and remove the default route as follows:
ifconfig eth0 169.254.5.10
And verify by running the route command again:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet3
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet2
172.16.231.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
172.16.157.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
- Now that we have no default gateway and no effective route to the Internet, we can run our dhcp client on vmnet2 to get our IP and gateway from our Untangle virtual appliance's Internal network. The commands typically used for this in Linux are
dhclient
or
dhcpcd
. We are using Debian and therefore
dhclient
. We have configured our Untangle virtual appliance as a DHCP server for vmnet2 using the 192.168.200.0 subnet, so we should get a 192.168.200.? IP from it. If not, something went wrong.
Note: If you have configured the Production Virtual Server you can substitute vmnet2 with the appropriate physical network card that is connected to your Internal (or DMZ) network.
# dhclient vmnet2
Internet Software Consortium DHCP Client 2.0pl5
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.
Please contribute if you find this software useful.
For info, please visit http://www.isc.org/dhcp-contrib.html
sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/vmnet2/00:50:56:c0:00:02
Sending on LPF/vmnet2/00:50:56:c0:00:02
Sending on Socket/fallback/fallback-net
DHCPDISCOVER on vmnet2 to 255.255.255.255 port 67 interval 4
receive_packet failed on vmnet2: Network is down
DHCPOFFER from 192.168.200.1
DHCPREQUEST on vmnet2 to 255.255.255.255 port 67
DHCPNAK from 192.168.1.254
DHCPDISCOVER on vmnet2 to 255.255.255.255 port 67 interval 8
DHCPOFFER from 192.168.200.1
DHCPREQUEST on vmnet2 to 255.255.255.255 port 67
DHCPNAK from 192.168.1.254
DHCPNAK with no active lease.
DHCPACK from 192.168.200.1
bound to 192.168.200.171 -- renewal in 7200 seconds.
With this we can confirm that 192.168.200.1 is our Untangle server.
- Now we double-check our default gateway:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet3
172.16.231.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet2
172.16.157.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.200.1 0.0.0.0 UG 0 0 0 vmnet2
This all looks good and we are able to ping the network on the other side of the Untangle virtual appliance.
- If you have configured the DMZ network, you will need to "Break" the route on that network interface (either vmnet or physical) or your routing may get a bit confused.
- To make these changes permanent on your Linux host, you will need to use the appropriate tools or write yourself a script that takes care of things for you. If you performed this changes as we did here, rebooting your Linux host will revert all of the settings. Look us up in IRC if you need help with your specific situation.
(Applies to Windows and Linux Hosts)
Depending on your hardware and software configuration, you may experience potentially insane clock drift issues in your Untangle VM. This is a common situation shared with all Linux Virtual Machines when the guests differ enough from their host machines regardless of whether the host is running a Windows or Linux based operating system. This section is dedicated to identifying and resolving such issues. We recommend you make these changes on all Untangle VMware machines.
For more information on this topic you can check the additional resources section below (need anchor/link?):
This problem is easily identified once you check the date and time on your Untangle VM as the time will be incorrect after you have set it. You will want to make sure time is being kept properly within any Untangle VM as the Untangle VM uses many time based policies for filtering traffic. It is important that your host has and keeps good time as well. To verify if you have a clock synchronization issue, do the following:
- Verify the time is set and working properly on your VMware host machine.
- Boot your Untangle VM and check the time and date to see if it is set properly as well.
- If they don't match, we highly recommend you proceed and setup the synchronization as detailed here.
We recommend that you make sure the VMware time synchronization to host is enabled as a best practice. If you downloaded the Untangle VMware zip file, proceed immediately to Step 6.2. If you installed your own VMware image or need to upgrade the VMware Tools, you may want to perform Step 6.2.3 first.
Regardless of symptoms, we recommend that you use VMware tools to syncronize the time with the host OS. REMEMBER: It is important that your host has and keeps good time. Once you have verified that the host time is correct and good you can follow these steps to enable VMware tools clock syncronization. Untangle VMware downloads prior to and including 5.0.3 will need to have this fix applied. All Untangle VMware images newer than version 5.0.3 will be preconfigured but if you've created your own VMware image of Untangle, you will want to enable this functionality on your VM by installing VMware Tools as specified in Step 6.2.3.
(Host .vmx Edit Method)
If you downloaded your Untangle VM from Untangle or VMware all you need to do is change one line in your .vmx file as follows:
- On the VMware host, find and edit the untangle<version>.vmx This should be located in the untangle<version> folder that came from the untangle<version>.zip file.
- Find the "tools.syncTime = "FALSE" and change "FALSE" to "TRUE"
- Save the changes and reboot the Untangle VM to force an immediate update
(Need Screenshots?) Alternatively, if you have a local console available for your Untangle VM, you can enable time synchronization as follows:
- Open the terminal from the local console by clicking the "Terminal" button and entering the password
- Launch vmware-tools and enable time syncronization with host
- Close vmware-tools and the terminal
- Reboot the Untangle VM to force an immediate update
[
VMware tools should be installed by default if you downloaded the Untangle VMware zip file; however, if you created your own VMware machine or have a need to upgrade the VMware tools, you will need to install VMware tools as follows: More details to follow but since they are pre-installed on the download...
- Choose the "Install VMware Tools..." menu option from the VMware "VM" menu.
- Open a shell and mount the CD-ROM drive
- Copy the tarball to /usr/local/src/ and unpack
- Run the vmware-install.pl script The build environment required by vmware-install.pl script are not installed by default. Do we have that documented elsewhere and should we include it here or ???
Issue
The Untangle gateway relies on accurate time for time-based policies and filtering policies. When time is "adjusted" even as little as a few seconds, false positives may result (e.g. spam may be falsely identified as spam). VMware Tools uses a slow adjustment to correct for time differences. As a result we recommend you reboot to get a quick correction and let VMware Tools take it from there.
Future versions of Untangle are not expected to have these issues as the underlying kernel issues are normalizing over time; however, using VMware Tools is probably a best practice that you should stick with.
For more information on the underlying issues, please see the following:
For information about using your new Untangle software, see our Happy virtual Untangling!
