untangle virtual appliance


Upload: faizul-kamaruddin

Post on 21-Apr-2015


Untangle Virtual Appliance on VMware

From UntangleWiki

Untangle currently supports virtualization through a virtual appliance (http://en.wikipedia.org/wiki/Virtual_appliance) running on VMware (http://www.vmware.com) Player, Server, or Workstation (it also seems to work with Fusion for the Mac). The Untangle virtual appliance can be configured in two main ways:

as a demo virtual appliance, suitable for installation on a laptop or desktop in order to have a working instance of the platform running inside your Windows or Linux OS for testing or demonstration purposes. This is supported using VMware Player, Server, or Workstation and requires only one physical network interface. Use this mode if you have only one physical network interface in your VMware host machine.

as a production virtual appliance, to be used as a network gateway. This mode requires at least two physical network interfaces (three if you want or need an external DMZ). We recommend you use either VMware Server or VMware Workstation running on either a Windows or Linux server. Use this mode if you have two or more physical network interfaces that you can connect to external, internal and (optionally) DMZ networks.

Using VMware Server or VMware Workstation will allow you more functionality such as snapshots, multiple machines and greater control over your VMware environment.

Contents

1 Step 1: Get and Install VMware Player, Server or Workstation

2 Step 2: Configure the VMware Network

2.1 Step 2.1: Understanding the Untangle Network Topology

2.2 Step 2.2: Configure the VMware Network on Windows Hosts

2.2.1 Step 2.2.1: Configure Windows Host for Demo Virtual Appliance

2.2.2 Step 2.2.2: Configure Windows Host for Production Virtual Appliance

2.3 Step 2.3: Configure the VMware Network on Linux Hosts

2.3.1 Step 2.3.1: Configure Linux Host for Demo Virtual Appliance

2.3.2 Step 2.3.2: Configure Linux Host for Production Virtual Appliance

3 Step 3: Get the Untangle Virtual Appliance

4 Step 4: Setup the Untangle Virtual Appliance

5 Step 5: Setup VMware Host to Route Through Untangle Virtual Appliance

5.1 Step 5.1: Change Routing on Your Windows VMware Host

5.1.1 Step 5.1.1: Disable External Network on a Windows VMware Host

5.1.2 Step 5.1.2: Enable Untangle Routing through Your Demo Virtual Appliance on a Windows VMware Host

5.1.3 Step 5.1.3: Enable Untangle Routing on Your Production Virtual Appliance on a Windows VMware Host

5.2 Step 5.2: Change Routing on Your Linux VMware Host

5.2.1 Step 5.2.1: Change Routing on Your Linux VMware Host using BASH

6 Step 6: Correcting Clock Skew Issues in VMware Guests (Applies to Windows and Linux Hosts)

6.1 Step 6.1: Identify the Problem

6.2 Step 6.2: Fix the Problem

6.2.1 Step 6.2.1 Enable VMware Tools Time Synchronization With Host (Host .vmx Edit Method)

6.2.2 Step 6.2.2 Enable VMware Tools (Local Console Method)

6.2.3 Step 6.2.3 Install VMware Tools

6.3 Step 6.3: Considerations and More Information on this Issue

Step 1: Get and Install VMware Player, Server or Workstation

The VMware Player and Server software are available free of charge from VMware's Free Products Page (http://www.vmware.com/products/free_virtualization.html).

For more information on installing or using VMware Player, see VMware's Player product page (http://www.vmware.com/products/player/).

For more information on installing or using VMware Server, see VMware's Server product page (http://www.vmware.com/products/server/).

For more information on installing or using VMware Workstation, see VMware's Workstation product page (http://www.vmware.com/products/ws/).

For more information on installing or using VMware Fusion, see VMware's Fusion product page (http://www.vmware.com/products/fusion).

Install your VMware Player, Server or Workstation before proceeding!

Note: If you are using a security suite and/or firewall on your host PC or Server, you may receive warnings when new

virtual network adapters are detected during the installation of VMware Player or Server. You should indicate that these

new virtual adapters are TRUSTED, allowing all connections.

Step 2: Configure the VMware Network

This section explains the various ways to configure network interfaces on Windows-based and Linux-based VMware hosts using

VMware's Virtual Network Editor (on Windows) and the vmware-config.pl script (on Linux).

The way that you will configure network interfaces for your Untangle virtual appliance will differ depending on whether you are setting

up a demo virtual appliance or a production virtual appliance.


We suggest you use the demo virtual appliance if you are running VMware on a host with only a single physical

network interface card.

We suggest you use the production virtual appliance if you are running VMware on a host with at least two (three if

using with an external DMZ) physical network interface cards that you can connect to external, internal and DMZ

networks.

In either case, you will use the same VMware tools (the Virtual Network Editor or vmware-config.pl script) to create the virtual

network devices in VMware. The only difference between demo virtual appliance and production virtual appliance is that the demo

virtual appliance uses virtual network cards for the internal and DMZ networks and the production virtual appliance uses physical

networks for the internal and DMZ networks by bridging to the VMware host's physical network cards. Both modes bridge to a physical

network card for the external network.

Step 2.1: Understanding the Untangle Network Topology

The following diagram illustrates the network topology including the default configuration of the Untangle VMware virtual appliance.

For proper installation and configuration, this basic diagram should be well understood prior to setting up Untangle.

Figure, Untangle Network Overview Diagram

Step 2.2: Configure the VMware Network on Windows Hosts


Windows hosts use a tool that is common to all Windows-based installations of VMware: Virtual Network Editor.

How to run VMware's Virtual Network Editor

To run this tool properly, you must be logged in as an administrator on the host PC or Server, or you must run the tool with administrative privileges. In the case of Windows Vista, for example, you must select the Run as Administrator option when right-clicking on the tool's executable file, vmnetcfg.exe, which is located in the same directory as your VMware. If you installed in the default locations, the Virtual Network Editor's path is:

..\Program Files\VMware\VMware Player\vmnetcfg.exe for VMware Player

..\Program Files\VMware\VMware Workstation\vmnetcfg.exe for VMware Workstation

..\Program Files\VMware\VMware Server\vmnetcfg.exe for VMware Server (VMware Server and Workstation may also install the tool in the appropriate program group on your start menu (Manage Virtual Networks), depending on the installation options selected.)

When logged in as an administrator, use the Run command from your START menu to run the tool, unless your host is Windows Vista.

In Vista, you should navigate to the tool using Explorer, right-click the executable, then Run as Administrator.

Figure, Run the Virtual Network Editor

Note: From the VMware Server Console, you can also run the Virtual Network Editor by choosing Host > Virtual Network Settings.

Once you run the Virtual Network Editor, you should see something like the following:

Figure, VMware's Virtual Network Editor

Step 2.2.1: Configure Windows Host for Demo Virtual Appliance

If you have more than one physical network interface on your Windows host (e.g. wired and wireless NICs), you may want to use physical network cards in production mode. If you have multiple physical network cards and you want to configure for Demo mode, be sure to change VMnet0 from "Bridged to an automatically chosen adapter" to whichever physical network interface will connect the Untangle virtual appliance to the external network. Do this by selecting the desired adapter from the drop-down list mapped to VMnet0.

If you have only one network interface on your Windows host, you will need to configure VMware networking for the demo virtual

appliance. If you have more than one network interface on your Windows host, you can and probably should configure VMware

networking for the production virtual appliance (please see the next section for the production mode setup).

a. Navigate to the Host Virtual Adapters tab. From there, add a virtual adapter by clicking the Add button.

Figure, Host Virtual Adapters

b. Select VMnet2 if it is not already shown, then click OK.

Figure, Adding a Virtual Adapter, VMnet2

Once done, you should see a New Device enabled on VMnet2:

Figure, VMnet2 Added

Note: If setting up the Untangle virtual appliance to use a DMZ, follow the same procedure to add VMnet3.

c. Next, disable DHCP for the virtual adapter you just added by navigating to the DHCP tab, selecting the New Device on VMnet2, and clicking the Remove button.

Figure, Remove DHCP for VMnet2

Note: If setting up the Untangle virtual appliance to use a DMZ, follow the same procedure to disable DHCP on VMnet3.

d. Navigate to the Host Virtual Network Mapping tab. You will notice that the Virtual Network Editor allows you to map up to ten virtual network adapters, which are named VMnet0 through VMnet9. Notice also that VMnet1 and VMnet8 are already mapped; you should not change these. They are reserved for use by VMware. You should see your New Device on VMnet2.

Figure, Host Virtual Network Mapping

e. The following screen shot shows what the Host Virtual Network Mapping looks like after applying the above changes for both VMnet2 and VMnet3.

Figure, Demo Mode Host Virtual Network Mapping

Step 2.2.2: Configure Windows Host for Production Virtual Appliance

a. If you have more than one physical network interface on your Windows host (e.g. wired and wireless NICs), you can set up your network for the Untangle virtual appliance to be a Production Virtual Appliance by selecting the physical network interface you want to use for your Internal and DMZ networks. In the following example, we have mapped the Internal network to the wireless network interface on our Windows host while forcing the External network to be mapped to the Broadcom network interface on our Windows host (DMZ is not mapped or configured here):

Figure, Mapping Your Server Network Interfaces

b. Configure VMnet0 to be mapped to the physical network adapter connected to the external network, e.g. the Internet, by selecting the appropriate adapter from the adjacent drop-down list.

Configure VMnet2 to be mapped to the physical network adapter linking to your internal network.

Optionally, you may also map VMnet3 to a DMZ.

Click the Apply button, then click the OK button.

Note: It is worth noticing that the only real difference between the Demo Virtual Appliance and the Production Virtual Appliance is that the Demo Virtual Appliance requires only one physical network adapter on the VMware host whereas the Production Virtual Appliance requires at least two physical network adapters on the VMware host. If you have multiple network interfaces on your VMware host, we recommend you use the Production Virtual Appliance.

Note: To change an existing Demo Virtual Appliance to a Production Virtual Appliance, you must remove the Virtual VMnet2 and VMnet3 devices from the "Host Virtual Adapters" tab of the Virtual Network Editor and apply the changes before you can map VMnet2 and VMnet3 to physical network interfaces.

Step 2.3: Configure the VMware Network on Linux Hosts

Sorry. There are no pretty GUIs here. Setting up VMware networks on Linux hosts requires root access to the command line. You will have met the other requirements upon successful installation of VMware Player, Server or Workstation. The following assumes a default installation of any of the above VMware products on Linux.

In our examples, the initial configuration of VMware networking is the default (however, your actual IP addresses will probably be

different). For reference, here is our post installation VMware network setup:

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Linux hosts use a tool that is common to all Linux-based installations of VMware:

vmware-config.pl

How to run VMware's vmware-config.pl script


To run this tool properly, you must be logged in as root on the host PC or Server. The vmware-config.pl script should be in the root

user's path. If it isn't, you probably did something wrong during the installation and you should review your steps. If all else fails, you

can use

find / -name "vmware-config.pl"

to find it.

Note: When the VMware Server Console is run from a Linux client, the menu item for the Virtual Network Editor under Host >

Virtual Network Settings does not exist, regardless of the platform on which the VMware Server is running.

Step 2.3.1: Configure Linux Host for Demo Virtual Appliance

The Untangle virtual appliance requires only one physical network interface on your host PC. If you have only one network interface

on your Linux host, you will need to configure VMware networking for the demo virtual appliance as is done in the following example

by setting vmnet2 and vmnet3 to hostonly. The IP addresses are irrelevant because they are determined by the Untangle virtual

appliance configuration but we will need to disable the VMware DHCP servers as stated below.

Configure VMnet0 to be bridged to the physical network adapter connected to the external network, e.g. eth0.

Configure VMnet2 to be a hostonly network for your internal network.

Configure VMnet3 to be a hostonly network for your DMZ network.

It is worth noticing that the only real difference between the Demo Virtual Appliance and the Production Virtual Appliance is that the

Demo Virtual Appliance requires only one physical network adapter on the VMware host whereas the Production Virtual Appliance

requires at least two physical network adapters on the VMware host. If you have multiple network interfaces on your VMware host, we

recommend you use the Production Virtual Appliance.

a. To run the script, open a bash prompt/terminal/console and run (as root) the command:

    vmware-config.pl

Once you run the vmware-config.pl script, you should see something like the following:

    Making sure services for VMware Player are stopped.

    Stopping VMware services:
       Virtual machine monitor                                 done
       Blocking file system:                                   done
       Bridged networking on /dev/vmnet0                       done
       Host network detection                                  done
       DHCP server on /dev/vmnet1                              done
       Host-only networking on /dev/vmnet1                     done
       DHCP server on /dev/vmnet8                              done
       NAT service on /dev/vmnet8                              done
       Host-only networking on /dev/vmnet8                     done
       Virtual ethernet                                        done

    Configuring fallback GTK+ 2.4 libraries.

    In which directory do you want to install the theme icons? [/usr/share/icons]...

You can continue with the defaults until you get to the network section as shown below.

b. In this example, we chose to set up networking using the editor to create vmnet2 and vmnet3:

You have already setup networking.

Would you like to skip networking setup and keep your old settings as they are?(yes/no) [yes] no

Do you want networking for your virtual machines? (yes/no/help) [yes]

Would you prefer to modify your existing networking configuration using the wizard or the editor? (wizard/editor/help) [wizard] editor

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Do you wish to make any changes to the current virtual networks settings? (yes/no) [no] yes

Which virtual network do you wish to configure? (0-99) 2

What type of virtual network do you wish to set vmnet2? (bridged,hostonly,nat,none) [none] hostonly

Configuring a host-only network for vmnet2.

Do you want this program to probe for an unused private subnet? (yes/no/help) [yes] no

What will be the IP address of your host on the private network? 192.168.1.1

What will be the netmask of your private network? 255.255.255.0

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet2 is a host-only network on private subnet 192.168.1.0.

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Do you wish to make additional changes to the current virtual networks settings? (yes/no) [yes]

Which virtual network do you wish to configure? (0-99) 3

What type of virtual network do you wish to set vmnet3? (bridged,hostonly,nat,none) [none] hostonly

Configuring a host-only network for vmnet3.

Do you want this program to probe for an unused private subnet? (yes/no/help) [yes] no

What will be the IP address of your host on the private network? 192.168.2.1

What will be the netmask of your private network? 255.255.255.0

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet2 is a host-only network on private subnet 192.168.1.0.

. vmnet3 is a host-only network on private subnet 192.168.2.0.

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Do you wish to make additional changes to the current virtual networks settings? (yes/no) [yes] no

Extracting the sources of the vmnet module.

...

c. This script continues on using the default settings you set during installation. After it completes, you should see that all your VMware services started up without errors.

d. Disable VMware's DHCP Server on Hostonly Networks

When using hostonly networking, VMware starts a DHCP server for each hostonly network. These servers will conflict with your Untangle virtual appliance, so they must be disabled.

To do so, go to your /etc/vmware directory. There you should see directories for your hostonly networks (vmnet2 and vmnet3). Within each should be a dhcpd directory where you can edit the dhcpd.conf file to disable dhcpd for that network. For example, in /etc/vmware/vmnet2/dhcpd/dhcpd.conf we comment out everything here:

    #
    # Configuration file for ISC 2.0b6pl1 vmnet-dhcpd operating on vmnet2.
    #
    # This file was automatically generated by the VMware configuration program.
    # If you modify it, it will be backed up the next time you run the
    # configuration program.
    #
    # We set domain-name-servers to make some DHCP clients happy
    # (dhclient as configued in SuSE, TurboLinux, etc.).
    # We also supply a domain name to make pump (Red Hat 6.x) happy.
    #
    allow unknown-clients;
    default-lease-time 1800; # 30 minutes
    max-lease-time 7200; # 2 hours

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.128 192.168.1.254;
        option broadcast-address 192.168.1.255;
        option domain-name-servers 192.168.1.1;
        option domain-name "localdomain";
    }

So that it looks like this:

    #
    # Configuration file for ISC 2.0b6pl1 vmnet-dhcpd operating on vmnet2.
    #
    # This file was automatically generated by the VMware configuration program.
    # If you modify it, it will be backed up the next time you run the
    # configuration program.
    #
    # We set domain-name-servers to make some DHCP clients happy
    # (dhclient as configued in SuSE, TurboLinux, etc.).
    # We also supply a domain name to make pump (Red Hat 6.x) happy.
    #
    # allow unknown-clients;
    # default-lease-time 1800; # 30 minutes
    # max-lease-time 7200; # 2 hours
    #
    # subnet 192.168.1.0 netmask 255.255.255.0 {
    # range 192.168.1.128 192.168.1.254;
    # option broadcast-address 192.168.1.255;
    # option domain-name-servers 192.168.1.1;
    # option domain-name "localdomain";
    # }

We do the same for /etc/vmware/vmnet2/dhcpd/dhcpd.conf and /etc/vmware/vmnet3/dhcpd/dhcpd.conf and then restart VMware with:

    /etc/init.d/vmware restart

e. To verify, you can run the following command and make sure there are no dhcpd processes on vmnet2 and vmnet3.

    ps ax|grep vmnet-dhcpd

If you see something like the following for vmnet2 and/or vmnet3, your Untangle virtual appliance will not function properly:

    7959 ? Ss 0:00 /usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet2/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet2/dhcpd/dhcpd.leases
    7974 ? Ss 0:00 /usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet3/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet3/dhcpd/dhcpd.leases
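The disable-and-verify steps above as a script, added here as an example and not part of the original wiki page. The function names are illustrative; the paths and the ps line format are the ones shown on the page, and the shortened config and the vmnet8 process line in demo() are constructed sample input.

```sh
#!/bin/sh
# Added example: disable VMware's per-network DHCP server config for the
# hostonly networks that Untangle serves, and detect a vmnet-dhcpd that is
# still running on them. Function names are hypothetical.

# Comment out every active line (not blank, not already a comment) of a
# vmnet dhcpd.conf. Keeps a one-time .orig backup; safe to run twice.
disable_vmnet_dhcpd_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Blank lines and existing comments pass through unchanged.
    sed -e '/^[[:space:]]*$/b' -e '/^[[:space:]]*#/b' -e 's/^/# /' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"        # overwrite in place, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print how many directives are still active in a dhcpd.conf (0 = disabled).
active_directives() {
    awk '!/^[ \t]*$/ && !/^[ \t]*#/ { n++ } END { print n + 0 }' "$1"
}

# Read `ps ax` output on stdin and print each vmnet named in the arguments
# that still has a vmnet-dhcpd process, identified by its -cf config path.
# Empty output means no conflicting DHCP server is running.
running_vmnet_dhcpd() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        $5 ~ /vmnet-dhcpd$/ {
            for (i = 6; i < NF; i++)
                if ($i == "-cf") {
                    m = split($(i + 1), part, "/")
                    for (k = 1; k <= m; k++)
                        if (part[k] in watch) hit[part[k]] = 1
                }
        }
        END { for (v in hit) print v }
    ' | sort
}

# Constructed sample input: a shortened vmnet2 dhcpd.conf and two `ps ax`
# lines. vmnet8 is VMware's own NAT network and is not reported.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/dhcpd.conf" <<'EOF'
# Configuration file for ISC 2.0b6pl1 vmnet-dhcpd operating on vmnet2.
allow unknown-clients;
default-lease-time 1800; # 30 minutes
max-lease-time 7200; # 2 hours

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.128 192.168.1.254;
    option domain-name-servers 192.168.1.1;
}
EOF
    echo "active directives before: $(active_directives "$d/dhcpd.conf")"
    disable_vmnet_dhcpd_conf "$d/dhcpd.conf"
    echo "active directives after:  $(active_directives "$d/dhcpd.conf")"
    echo "vmnets still serving DHCP:"
    printf '%s\n' \
        ' 7959 ? Ss 0:00 /usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet2/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet2/dhcpd/dhcpd.leases' \
        ' 7990 ? Ss 0:00 /usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet8/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet8/dhcpd/dhcpd.leases' |
        running_vmnet_dhcpd vmnet2 vmnet3
    rm -rf "$d"
}

# On a real host (as root), after vmware-config.pl:
#   for n in vmnet2 vmnet3; do
#       disable_vmnet_dhcpd_conf "/etc/vmware/$n/dhcpd/dhcpd.conf"
#   done
#   /etc/init.d/vmware restart
#   ps ax | running_vmnet_dhcpd vmnet2 vmnet3
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Because vmware-config.pl regenerates these files, rerun the check after every reconfiguration of the virtual networks.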

Step 2.3.2: Configure Linux Host for Production Virtual Appliance

The Untangle virtual appliance requires only one physical network interface on your host PC; however, if you have more than one

network interface on your Linux host, you will probably want to configure VMware networking for the production virtual appliance as

is done in the following example by setting vmnet2 and vmnet3 to bridged.

It is worth noticing that the only real difference between the Demo Virtual Appliance and the Production Virtual Appliance is that the

Demo Virtual Appliance requires only one physical network adapter on the VMware host whereas the Production Virtual Appliance

requires at least two physical network adapters on the VMware host. If you have multiple network interfaces on your VMware host, we

recommend you use the Production Virtual Appliance.

Configure VMnet0 to be bridged to the physical network adapter connected to the external network, e.g. eth0.


Configure VMnet2 to be bridged to the physical network adapter connected to your internal network, e.g. eth1.

Configure VMnet3 to be bridged to the physical network adapter connected to your DMZ network, e.g. eth2.

a. To run the script, open a bash prompt/terminal/console and run the command:

    vmware-config.pl

Once you run the vmware-config.pl script, you should see something like the following:

    Making sure services for VMware Player are stopped.

    Stopping VMware services:
       Virtual machine monitor                                 done
       Blocking file system:                                   done
       Bridged networking on /dev/vmnet0                       done
       Host network detection                                  done
       DHCP server on /dev/vmnet1                              done
       Host-only networking on /dev/vmnet1                     done
       DHCP server on /dev/vmnet8                              done
       NAT service on /dev/vmnet8                              done
       Host-only networking on /dev/vmnet8                     done
       Virtual ethernet                                        done

    Configuring fallback GTK+ 2.4 libraries.

    In which directory do you want to install the theme icons? [/usr/share/icons]...

You can continue with the defaults until you get to the network section as shown below.

b. In this example, we chose to set up networking using the editor to bridge vmnet2 to eth1 and vmnet3 to eth2:

You have already setup networking.

Would you like to skip networking setup and keep your old settings as they are?(yes/no) [no]

Do you want networking for your virtual machines? (yes/no/help) [yes]

Would you prefer to modify your existing networking configuration using the wizard or the editor? (wizard/editor/help) [editor]

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Do you wish to make any changes to the current virtual networks settings? (yes/no) [no] yes

Which virtual network do you wish to configure? (0-99) 2

What type of virtual network do you wish to set vmnet2? (bridged,hostonly,nat,none) [none] bridged

Configuring a bridged network for vmnet2.

Your computer has multiple ethernet network interfaces available: eth1, eth2, vmnet1, vmnet2, vmnet3, vmnet8. Which one do you want to bridge to vmnet2? [eth0] eth1

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet2 is bridged to eth1

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Do you wish to make additional changes to the current virtual networks settings? (yes/no) [yes]

Which virtual network do you wish to configure? (0-99) 3

What type of virtual network do you wish to set vmnet3? (bridged,hostonly,nat,none) [none] bridged

Configuring a bridged network for vmnet3.

Your computer has multiple ethernet network interfaces available: eth2, vmnet1,vmnet2, vmnet3, vmnet8. Which one do you want to bridge to vmnet3? [eth0] eth2

The following virtual networks have been defined:

. vmnet0 is bridged to eth0

. vmnet1 is a host-only network on private subnet 172.16.59.0.

. vmnet2 is bridged to eth1

. vmnet3 is bridged to eth2

. vmnet8 is a NAT network on private subnet 172.16.146.0.

Do you wish to make additional changes to the current virtual networks settings? (yes/no) [yes] no

Extracting the sources of the vmnet module.

...

c. This script continues on using the default settings you set during installation. After it completes, you should see that all your VMware services started up without errors.

d. Disabling DHCP on bridged connections is not required since VMware disables DHCP services on all bridged connections.

Step 3: Get the Untangle Virtual Appliance

The Untangle virtual appliance is provided in a .ZIP file available here (http://www.untangle.com/index.php?option=com_content&task=view&id=290&Itemid=1148). This zip archive file contains the Untangle virtual machine directory and all the files necessary to get the default Untangle virtual appliance running in VMware Player, Server or Workstation.

You may unzip the Untangle virtual appliance as soon as you are finished downloading. It will create a directory containing the files

needed by VMware.

We recommend that you configure your VMware host's network interfaces as described above before powering on the

Untangle virtual machine.


Step 4: Setup the Untangle Virtual Appliance

This is the easiest part! Because the Untangle virtual appliance is already configured for you, all you need to do is open the .VMX file

that you downloaded from Untangle.

a. In your VMware Player or Server, choose the menu options File > Open.

b. Browse to the directory where you unzipped your Untangle virtual appliance.

c. Open the .VMX file.

d. Complete the Setup Wizard (we recommend setting it up as a Router as opposed to a Transparent Bridge).

e. Install your desired applications.

f. Go to Step 5 to set up your host to route through the Untangle virtual appliance.

For detailed information about using your new Untangle software, see our Untangle Server User's Guide.

Step 5: Setup VMware Host to Route Through Untangle Virtual Appliance

Now that you have your Untangle virtual appliance setup and running, you may want your VMware host to route through the Untangle

VMware machine. You can do this by forcing your VMware host machine (either Windows or Linux) to route through your Untangle

virtual appliance. This requires us to "break" the direct route to the Internet through what is probably the device your Untangle virtual

appliance is bridged to as vmnet0. This is only necessary if you want the VMware host to be protected by the Untangle server, or you

want to allow the IP address which the VMware host is using to be used instead by the Untangle external interface, thus requiring only

one 'external' (probably public) IP address. Following are instructions for doing this on both Linux and Windows based hosts.

Step 5.1: Change Routing on Your Windows VMware Host

Routing is not always easy to understand or configure but the following sections should get you going. The easiest way to reconfigure

your Windows host to route through the Untangle virtual appliance is to "break" the networking on the shared external network interface

and configure your Windows VMware host to route through the desired connection to the Untangle server. In this example:

The RealTek network device is mapped to VMnet0

VMnet2 is connected to the Internal network that may be filtered, etc. (This is a Virtual connection in Demo mode and a

bridged connection in Production mode)

VMnet3 is connected to the DMZ network that typically bypasses filtering, etc. (This is a Virtual connection in Demo mode and

a bridged connection in Production mode)

The steps to accomplish this are summarized as follows.

1. Disable TCP/IP on the VMware host's physical network connection to the external network

2. Enable automatic IP address and DNS configuration on VMnet2 for internal networking -or- enable automatic IP address and DNS configuration on VMnet3 for DMZ networking

3. Disable TCP/IP on whichever network connection you do not want to use (either VMnet3 for DMZ or VMnet2 for Internal)

The instructions are slightly different for Demo Virtual Appliances and Production Virtual Appliances so follow the appropriate

section for your configuration.

Step 5.1.1: Disable External Network on a Windows VMware Host

Here's one way you can accomplish this:

If you have more than one physical network adapter (e.g. wired and wireless NICs), you must "break" the link for the physical

adapter you mapped to VMnet0.

WARNING! After completing this step, you will not be able to connect to any network resources until successfully

completing Step 4 including the appropriate configuration of the Untangle server.

a. To proceed, open Network Connections from your Control Panel, select your primary physical network interface, right-click and choose Properties.

Figure, Properties for Primary Network Connection

b. Scroll to Internet Protocol (TCP/IP), remove the check mark from the select box next to it, and then click the OK button.

Figure, TCP/IP Properties

c. This disables TCP/IP on your physical connection and forces the use of alternative routes that will be made available by your Untangle server.

Then click the OK button.

Then click the OK button again.

Step 5.1.2: Enable Untangle Routing through Your Demo Virtual Appliance on a Windows VMware Host

Note: These steps are required to force routing through the Untangle server for hosts configured in Demo mode. You must do

only step "a" or step "b" below in order to force routing through the "internal" or "DMZ" network respectively.

a. If you want to have your Windows host route via the Internal Untangle network, open Network Connections from your Control Panel, right-click on your VMware Network Adapter VMnet2 and choose Properties.

Figure, Properties for VMnet2 Network Connection

1. Scroll to Internet Protocol (TCP/IP), select it, and click the Properties button.

Figure, VMnet2 TCP/IP Properties

2. Select the Obtain an IP address automatically radio button.

3. Select the Obtain DNS server address automatically radio button.

Figure, Obtain IP and DNS Automatically for VMnet2

4. Then click the OK button.

5. Then click the OK button again.

6. Disable TCP/IP on VMnet3 as shown elsewhere on this page.

Note: If for any reason you are not able to disable TCP/IP, go into the TCP/IP properties and set a static IP with no gateway. For example, set the IP address to 169.254.5.10, and the Subnet mask to 255.255.0.0. Do not specify a gateway or any other information, and click OK.

Figure, Non-Routable IP

b. If you want to have your Windows host route via the DMZ Untangle network, open Network Connections from your Control Panel, right-click on your VMware Network Adapter VMnet3 and choose Properties.

Figure, Properties for VMnet3 Network Connection

1. Scroll to Internet Protocol (TCP/IP), select it, and click the Properties button.

Figure, VMnet3 TCP/IP Properties

2. Select the Obtain an IP address automatically radio button.

3. Select the Obtain DNS server address automatically radio button.

Figure, Obtain IP and DNS Automatically for VMnet3

4. Then click the OK button.

5. Then click the OK button again.

6. Disable TCP/IP on VMnet2 as shown elsewhere on this page.

Note: If for any reason you are not able to disable TCP/IP, go into the TCP/IP properties and set a static IP with no gateway. For example, set the IP address to 169.254.5.10, and the Subnet mask to 255.255.0.0. Do not specify a gateway or any other information, and click OK.

Figure, Non-Routable IP

Step 5.1.3: Enable Untangle Routing on Your Production Virtual Appliance on a Windows VMware Host

Note: Fewer steps are required to force routing through the Untangle server for hosts configured in Production mode.

Since VMnet2 and VMnet3 will not show up in your Windows network connections, you will need to know which network each of your

Local Area Network Connections is connected to (i.e. External, Internal, and DMZ). If you have set up your Windows based VMware

host in production mode, you must choose only one of the bridged network connections to be used for your Windows host.

Since you have disabled TCP/IP on the network interface connected to your external network, you must enable only one of the

interfaces connected to either the internal network or the DMZ network. You must disable TCP/IP on the interface you do not wish

to use on your Windows VMware host.

The process is the same as the demo mode process except now you are enabling and disabling automatic IP and DNS configuration of

TCP/IP on your Windows VMware host. These will show up as various Local Area Connections such as:

Local Area Connection 2

Local Area Connection 3

etc.

You will need to know which is which, as this varies from system to system. Then simply enable TCP/IP on the one you want to use and disable it on the one you do not want to use. In this example, our Local Area Connection 4 is connected to our Internal network. To force routing via the physical connection of Local Area Connection 4 we use another example. In this example:

The RealTek network device that is mapped to VMnet0

Local Area Connection 4 is connected to the Internal network that may be filtered, etc. (This is a Virtual connection in Demo

mode and a bridged connection in Production mode)

Local Area Connection 3 is connected to the DMZ network that typically bypasses filtering, etc. (This is a Virtual connection in

Demo mode and a bridged connection in Production mode)

The steps to accomplish this are summarized as follows:

1. Disable TCP/IP on the VMware host's physical network connection to the external network as in Step 5.1.1.

2. Enable automatic IP address and DNS configuration on Local Area Connection 4 for internal networking -or- enable automatic IP address and DNS configuration on Local Area Connection 3 for DMZ networking.

3. Disable TCP/IP on whichever network connection you do not want to use (either Local Area Connection 3 for DMZ or Local Area Connection 4 for Internal).

TCP/IP should already be configured properly for all your physical network connections, but you may have to disable TCP/IP on the

External and DMZ connections if you want to route via the Internal network connection.

1. We want to check our Local Area Connection 4 TCP/IP properties. We do this by opening Network Connections from the Control Panel, right-clicking Local Area Connection 4, and choosing Properties.

Figure, Local Area Connection 4 Properties

2. Scroll to Internet Protocol (TCP/IP), and remove the check mark from the select box next to it, and then click the OK button.

Figure, Local Area Connection 4 TCP/IP Properties

3. Select the Obtain an IP address automatically radio button.

4. Select the Obtain DNS server address automatically radio button.

Figure, Obtain IP and DNS Automatically for Local Area Connection 4

5. Then click the OK button.

6. Then click the OK button again.

7. Disable TCP/IP on your DMZ connection as shown elsewhere on this page.

Note: If for any reason you are not able to disable TCP/IP, go into the TCP/IP properties and set a static IP with no gateway. For example, set the IP address to 169.254.5.10, and the Subnet mask to 255.255.0.0. Do not specify a gateway or any other information, and click OK.

Figure, Non-Routable IP

Step 5.2: Change Routing on Your Linux VMware Host

Linux varies a bit from distribution to distribution. Until we have complete instructions available for the different distributions, we will

use bash to accomplish the task.

Step 5.2.1: Change Routing on Your Linux VMware Host using BASH

Again, there are no pretty GUIs here, which is typical of Linux servers. Setting up networks on Linux hosts requires root access to the command line.

To run the following commands properly, you must be logged in as root on the host PC or server, open a bash prompt/terminal/console, and run the commands there. If you are comfortable using different shells in Linux, feel free to translate as necessary on-the-fly as the basic commands should be identical.

a. First you want to gather the existing routing information on your Linux host by running the route command. It should look something like the following. Here is an example routing table as shown by the route -n command:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet3
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet2
    172.16.231.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
    172.16.157.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
    10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0

b. Now we need to adjust the routing. To do this, you need to be aware of which routes you want to break and which routes you want to create. Per our examples, we want to break our default route that is on our eth0 and set up the default route to come from the Untangle virtual appliance's Internal or DMZ network. The last line above has the UG flag, which indicates the default gateway. In this example, we want to stop routing through eth0 and start routing through vmnet2. We cannot down eth0 because it needs to be up for the VMware machines that bridge to it. We can change the IP and remove the default route as follows:

    ifconfig eth0 169.254.5.10

And verify by running the route command again:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet3
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet2
    172.16.231.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
    172.16.157.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0

c. Now that we have no default gateway and no effective route to the Internet, we can run our DHCP client on vmnet2 to get our IP and gateway from our Untangle virtual appliance's Internal network. The commands typically used for this in Linux are dhclient or dhcpcd. We are using Debian and therefore dhclient. We have configured our Untangle virtual appliance as a DHCP server for vmnet2 using the 192.168.200.0 subnet, so we should get a 192.168.200.? IP from it. If not, something went wrong.

Note: If you have configured the Production Virtual Server you can substitute vmnet2 with the appropriate physical network card that is connected to your Internal (or DMZ) network.

    # dhclient vmnet2
    Internet Software Consortium DHCP Client 2.0pl5
    Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
    All rights reserved.

    Please contribute if you find this software useful.
    For info, please visit http://www.isc.org/dhcp-contrib.html

    sit0: unknown hardware address type 776
    sit0: unknown hardware address type 776
    Listening on LPF/vmnet2/00:50:56:c0:00:02
    Sending on   LPF/vmnet2/00:50:56:c0:00:02
    Sending on   Socket/fallback/fallback-net
    DHCPDISCOVER on vmnet2 to 255.255.255.255 port 67 interval 4
    receive_packet failed on vmnet2: Network is down
    DHCPOFFER from 192.168.200.1
    DHCPREQUEST on vmnet2 to 255.255.255.255 port 67
    DHCPNAK from 192.168.1.254
    DHCPDISCOVER on vmnet2 to 255.255.255.255 port 67 interval 8
    DHCPOFFER from 192.168.200.1
    DHCPREQUEST on vmnet2 to 255.255.255.255 port 67
    DHCPNAK from 192.168.1.254
    DHCPNAK with no active lease.

    DHCPACK from 192.168.200.1
    bound to 192.168.200.171 -- renewal in 7200 seconds.

With this we can confirm that 192.168.200.1 is our Untangle server.

d. Now we double-check our default gateway:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet3
    172.16.231.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
    192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 vmnet2
    172.16.157.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         192.168.200.1   0.0.0.0         UG    0      0        0 vmnet2

This all looks good and we are able to ping the network on the other side of the Untangle virtual appliance.

e. If you have configured the DMZ network, you will need to "Break" the route on that network interface (either vmnet or physical) or your routing may get a bit confused.

f. To make these changes permanent on your Linux host, you will need to use the appropriate tools or write yourself a script that takes care of things for you. If you performed these changes as we did here, rebooting your Linux host will revert all of the settings. Look us up in IRC if you need help with your specific situation.
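As an added example (not part of the original wiki page), the shell function below audits route -n output to confirm that every default route on the host leaves through the interface facing the Untangle appliance, so no traffic bypasses filtering. It is run against the three routing tables from the walkthrough above; the function name check_default_route, the variable names and the exit codes are this example's own.

```shell
#!/bin/bash
# Added example: audit `route -n` output so that a default route which
# bypasses the Untangle appliance is caught (for instance after a reboot).

# check_default_route IFACE [GATEWAY]   (reads `route -n` text on stdin)
# Returns 0 if every default route uses IFACE (and GATEWAY, if given),
#         1 if there is no default route (the state right after step b),
#         2 if any default route bypasses the appliance.
check_default_route() {
    awk -v want_if="$1" -v want_gw="$2" '
        # Default route: destination 0.0.0.0, genmask 0.0.0.0, flag G set.
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ {
            total++
            if ($8 != want_if || (want_gw != "" && $2 != want_gw)) {
                bad = bad " " $8 "(" $2 ")"
            }
        }
        END {
            if (total == 0) { print "NONE: no default route"; exit 1 }
            if (bad != "")  { print "BYPASS: default route via" bad; exit 2 }
            print "OK: default route via " want_if
        }'
}

# Routing tables from steps a, b and d of the walkthrough above.
TABLE_BEFORE='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   vmnet3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   vmnet2
172.16.231.0    0.0.0.0         255.255.255.0   U     0      0   0   vmnet1
172.16.157.0    0.0.0.0         255.255.255.0   U     0      0   0   vmnet8
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0   0   eth0
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0   0   eth0'
TABLE_STEP_B='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   vmnet3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   vmnet2
172.16.231.0    0.0.0.0         255.255.255.0   U     0      0   0   vmnet1
172.16.157.0    0.0.0.0         255.255.255.0   U     0      0   0   vmnet8
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   eth0'
TABLE_AFTER='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   vmnet3
172.16.231.0    0.0.0.0         255.255.255.0   U     0      0   0   vmnet1
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0   0   vmnet2
172.16.157.0    0.0.0.0         255.255.255.0   U     0      0   0   vmnet8
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   eth0
0.0.0.0         192.168.200.1   0.0.0.0         UG    0      0   0   vmnet2'

# Demo: prints one status line per table (BYPASS, NONE, OK).
for t in "$TABLE_BEFORE" "$TABLE_STEP_B" "$TABLE_AFTER"; do
    printf '%s\n' "$t" | check_default_route vmnet2 192.168.200.1 || true
done
```

On a live host the same check is `route -n | check_default_route vmnet2 192.168.200.1`, which suits a boot-time or cron check because the settings revert on reboot.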

Step 6: Correcting Clock Skew Issues in VMware Guests (Applies to Windows and Linux Hosts)

Depending on your hardware and software configuration, you may experience potentially insane clock drift issues in your Untangle

VM. This is a common situation shared with all Linux Virtual Machines when the guests differ enough from their host machines

regardless of whether the host is running a Windows or Linux based operating system. This section is dedicated to identifying and

resolving such issues. We recommend you make these changes on all Untangle VMware machines.

For more information on this topic, check the additional resources section below.

Step 6.1: Identify the Problem

This problem is easily identified once you check the date and time on your Untangle VM as the time will be incorrect after you have

set it. You will want to make sure time is being kept properly within any Untangle VM as the Untangle VM uses many time based

policies for filtering traffic. It is important that your host has and keeps good time as well. To verify if you have a clock

synchronization issue, do the following:

a. Verify the time is set and working properly on your VMware host machine.

b. Boot your Untangle VM and check the time and date to see if it is set properly as well.

c. If they don't match, we highly recommend you proceed and set up the synchronization as detailed here.

We recommend that you make sure the VMware time synchronization to host is enabled as a best practice. If you downloaded the

Untangle VMware zip file, proceed immediately to Step 6.2. If you installed your own VMware image or need to upgrade the VMware

Tools, you may want to perform Step 6.2.3 first.

Step 6.2: Fix the Problem

Regardless of symptoms, we recommend that you use VMware Tools to synchronize the time with the host OS. REMEMBER: It is important that your host has and keeps good time. Once you have verified that the host time is correct and good you can follow these steps to enable VMware Tools clock synchronization. Untangle VMware downloads prior to and including 5.0.3 will need to have this fix applied. All Untangle VMware images newer than version 5.0.3 will be preconfigured, but if you've created your own VMware image of Untangle, you will want to enable this functionality on your VM by installing VMware Tools as specified in Step 6.2.3.

Step 6.2.1 Enable VMware Tools Time Synchronization With Host (Host .vmx Edit Method)

If you downloaded your Untangle VM from Untangle or VMware all you need to do is change one line in your .vmx file as follows:

1. On the VMware host, find and edit the untangle<version>.vmx file. This should be located in the untangle<version> folder that came from the untangle<version>.zip file.

2. Find the line tools.syncTime = "FALSE" and change "FALSE" to "TRUE".

3. Save the changes and reboot the Untangle VM to force an immediate update.

Step 6.2.2 Enable VMware Tools (Local Console Method)

Alternatively, if you have a local console available for your Untangle VM, you can enable time synchronization as follows:

1. Open the terminal from the local console by clicking the "Terminal" button and entering the password.

2. Launch vmware-tools and enable time synchronization with host.

3. Close vmware-tools and the terminal.

4. Reboot the Untangle VM to force an immediate update.

Step 6.2.3 Install VMware Tools

VMware Tools should be installed by default if you downloaded the Untangle VMware zip file; however, if you created your own VMware machine or have a need to upgrade the VMware Tools, you will need to install VMware Tools as follows: More details to follow but since they are pre-installed on the download...

1. Choose the "Install VMware Tools..." menu option from the VMware "VM" menu.

2. Open a shell and mount the CD-ROM drive.

3. Copy the tarball to /usr/local/src/ and unpack.

4. Run the vmware-install.pl script. The build environment required by the vmware-install.pl script is not installed by default.

Step 6.3: Considerations and More Information on this Issue

The Untangle gateway relies on accurate time for time-based policies and filtering policies. When time is "adjusted" even as little as a few seconds, false positives may result (e.g. legitimate email may be falsely identified as spam). VMware Tools uses a slow adjustment to correct for time differences. As a result we recommend you reboot to get a quick correction and let VMware Tools take it from there.

Future versions of Untangle are not expected to have these issues as the underlying kernel issues are normalizing over time; however,

using VMware Tools is probably a best practice that you should stick with.

For more information on the underlying issues, please see the following:

Kernel documentation

VMware documentation (http://www.vmware.com/support/pubs/)

Microsoft Virtual Server documentation (http://www.microsoft.com/technet/prodtechnol/virtualserver/2005/proddocs/default.mspx?mfr=true)

For information about using your new Untangle software, see our Untangle Server User's Guide.

Happy virtual Untangling!

Retrieved from "http://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware"

This page was last modified 23:37, 10 June 2009.

This page has been accessed 61,246 times.
