When I started on this quest to secure my network I was looking for a solution that would sit inside my network and monitor all internal and outgoing traffic. I discovered that this class of solution is called Unified Threat Management (UTM). There are hardware and software products available for this, but they typically require dedicated hardware or a virtual machine. I didn’t have a suitable device, and the cost of buying one and the hassle of setting it up were too much.
There is a lot of enthusiasm for the Ubiquiti Unifi range of products among home enthusiasts as well as for commercial use. Once it’s set up I really like the approach to software configuration and the visibility of the network it provides. The Unifi Security Gateway (USG) has mixed reviews, and many recommend the Ubiquiti EdgeRouter as an alternative. Unifi offers a Cloud Key as a way to control the network remotely, which is also appealing. However, there are complaints that setting up the Cloud Key and USG is not intuitive, and I understand that because it really tested my patience.
I had already acquired and set up the Linksys Untangle router as my gateway device before I looked into the Unifi product range. There were different opinions on whether the USG was needed, whether it should be used in combination with an Untangle NG Firewall device, and even how it should be implemented. After trying a few configurations I decided to abandon the USG altogether and just use the Linksys Untangle router as my gateway device. As it turns out this is what is recommended for Untangle in most situations.
When I moved recently I decided to unpack the Unifi gear and see whether I could get it working the way I had originally intended. I wanted the Unifi cloud controller to give me visibility and control of all of the network devices, including the USG as the edge device. Then I would set up the Linksys Untangle router behind the USG to act as a UTM. Untangle is a complete solution with firewall, virus scanning, malware and ad blocking, web filtering, Virtual Private Network (VPN), intrusion detection and prevention, and more. This was the application I’d originally acquired Untangle for, but it is not recommended for complex networks with multiple Virtual LANs (VLANs).
After unpacking and connecting everything I was finally able to get the USG working behind the Untangle router. Essentially this meant having a router behind a router. Once that was working correctly I started to shift all devices to the Unifi Wireless Access Points (WAPs) or wired Ethernet connections, and then disabled the Wi-Fi on the Linksys Untangle router. This meant I no longer had visibility of the devices and users connecting to the network through Untangle (which is why this setup is also not recommended), but hey, everything was working!
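The "router behind a router" arrangement described above is double NAT: the inner gateway only ever sees one address for everything behind it, which is exactly why the per-device visibility disappears. A quick way to confirm how many NAT layers sit between a host and the Internet is to run `traceroute -n` to a public address and count the leading hops in RFC 1918 space (10/8, 172.16/12, 192.168/16); ISP carrier-grade NAT shows up separately as 100.64/10. The following script is an added example, not code from the original post or from Ubiquiti or Untangle. It parses a constructed traceroute transcript (not a real capture) and reports the NAT layers it implies; the assumed hop addresses, including the 203.0.113.9 documentation address standing in for the ISP, are illustrative only.

```python
import ipaddress
import re

# Constructed sample in the style of `traceroute -n 1.1.1.1` (not a real capture).
# Two RFC 1918 hops before anything public is the double-NAT signature;
# the 100.64/10 hop shows the ISP is also doing carrier-grade NAT.
SAMPLE_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.380 ms  0.371 ms
 2  192.168.0.1  1.102 ms  1.050 ms  1.012 ms
 3  100.64.12.1  9.301 ms  9.210 ms  9.188 ms
 4  203.0.113.9  12.551 ms  12.400 ms  12.377 ms
 5  1.1.1.1  13.002 ms  12.950 ms  12.901 ms
"""

# Checked explicitly rather than via ipaddress.is_private, which also matches
# documentation ranges such as 203.0.113.0/24 and would miscount them as local.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Return the first address printed for each hop ('*' for a timed-out hop)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
    return hops


def hop_kind(addr):
    """Classify a hop address as rfc1918, cgnat, public or unknown (timeout/garbage)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def analyse_path(hops):
    """Count the NAT layers evident from the leading part of the path.

    Heuristic: every RFC 1918 hop before the first public hop is assumed to be
    a NAT gateway (an internally routed, non-NAT hop would also be counted).
    Timed-out hops are skipped; private addresses after the first public hop
    (e.g. unnumbered ISP core routers) are ignored.
    """
    rfc1918 = cgnat = 0
    for addr in hops:
        kind = hop_kind(addr)
        if kind == "rfc1918":
            rfc1918 += 1
        elif kind == "cgnat":
            cgnat += 1
        elif kind == "public":
            break
    return {
        "local_nat_layers": rfc1918,
        "double_nat": rfc1918 >= 2,
        "isp_cgnat": cgnat > 0,
    }


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_TRACEROUTE)
    for n, h in enumerate(hops, 1):
        print(f"{n:2d}  {h:<16} {hop_kind(h)}")
    print(analyse_path(hops))
```

Run it against real output by piping `traceroute -n 1.1.1.1` into `parse_hops`. Two local NAT layers means inbound port forwarding and UPnP must be configured on both gateways, and that anything logging by client address on the outer device will only ever see the inner router.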
After agonising about whether to ditch the USG again and just use the Linksys Untangle router as the edge device, I decided it was worth trying bridge mode. The Unifi USG does not readily support pass-through (there is apparently a solution for USG pass-through that I have not tried), but it does support WAN balancing and fail-over, which I wanted. The Linksys Untangle router supports bridge mode but only has a single WAN port, which makes it a problem for WAN fail-over and balancing (again, there may be a solution for a second WAN if you are interested).
Fortunately there are quite good instructions for setting up Untangle in bridge mode on the Untangle Wiki. In this configuration it is described as a brouter, because it bridges the LAN and WAN interfaces but must still be told how to route traffic. These changes are quite straightforward provided there aren’t multiple VLANs, but I lost all connectivity in my network once I’d done this. Restarting all the network devices wasn’t sufficient, and I found that I had to actually remove the Linksys Untangle brouter, re-establish a working network with the Unifi devices, and then reintroduce the Linksys Untangle brouter.
It works perfectly and I am really pleased with this setup now. Like anything in life, it is worth persevering to get what you want and this often takes time and effort.