Untangle Announces Wi-Fi Router Distro

Discussion in 'General Wireless Discussion' started by thiggins, Aug 5, 2016.

  1. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    14,140
    Security software and appliance company Untangle announced the release of a new operating system for consumer Wi-Fi routers today at DEF CON 24.

    Untangle NG Firewall is aimed at SOHO and small-to-medium businesses that desire "enterprise-grade perimeter security" and Unified Threat Management (UTM) features with the ease of use of a consumer product.

    Key features of Untangle NG Firewall include traffic logs, access management for websites, applications and content based on device, user, time of day, day of week and other criteria. Drill-down reports are available via the "360° Dashboard" feature.

    NG Firewall is now available to be flashed onto the Asus AC3100 RT-AC88U. Visit Untangle for more information on Untangle NG Firewall.
     
    sfx2000 and hggomes like this.
  2. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,322
    Location:
    San Diego, CA
  3. pete y testing

    pete y testing Very Senior Member

    Joined:
    Jul 12, 2011
    Messages:
    1,931
    Location:
    victoria, australia
  4. peraburek

    peraburek Senior Member

    Joined:
    Mar 13, 2015
    Messages:
    207
    Interested to hear feedback. The AC88U with Untangle FW could be a nice router for SMB, a competitor to the Synology AC2600 (with IDS/IPS).
     
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    How are they dealing with Broadcom's closed source and proprietary components?
     
  6. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,322
    Location:
    San Diego, CA
    My guess at the moment - It's via OpenWRT, or they've made a deal with Broadcom directly...

    First thought is they've merged their stuff on top of OpenWRT. It's a more modern codebase, and cleaner build platform compared to the other WRT's...

    Second thought here - they've built on top of the "other" SDK/HDK, e.g. the "board bring up", not the "Router in a Box" platform that most OEM's get. I've been aware of this for a long time... since '07, and it hasn't changed that much, and it's full of closed source...

    Won't know until someone gets one to dig into...
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    I had a quick look through their website documentation. I like the design they went with: you mostly flash a bootstrap, and the firmware itself is stored on USB.

     
  8. peraburek

    peraburek Senior Member

    Joined:
    Mar 13, 2015
    Messages:
    207
    And what happens when the USB stick/memory fails? The router is "gone" together with the configuration?
     
  9. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    14,140
    Back up the stick
     
    joltdude likes this.
  10. abailey

    abailey Very Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    587
    Location:
    Tennessee, USA
    Untangle has several ways to back up, but in this instance simply backing up the stick is the simplest. There is also a built in nightly backup to the cloud (unless you disable it).
     
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    Same thing as with any computer: backups should be considered mandatory, not just "a nice suggestion".
     
  12. highwire

    highwire Regular Contributor

    Joined:
    Apr 10, 2013
    Messages:
    149
    Location:
    Canada
    Well, it sucks to be a Canadian because ASUS doesn't sell that model (the RT-AC88U) here. We get the RT-AC3100 instead.

    The dashboard makes this look very compelling. If I had an RT-AC88U (I have a RT-AC3100), I would give it a try.
     
  13. Mordred

    Mordred Regular Contributor

    Joined:
    Feb 12, 2014
    Messages:
    101
    Well their feature comparison is just a bunch of bullshit. At least for dd-wrt they do not list included features as supported. E.g.:

    -IPV6, is integrated into webif
    -snmp is integrated and it comes with even more powerful zabbix
    -dos protection is included
    -ad blocking is included, using it right now
    -captive portal, never used it, but there are several included in webif
    -qos webintegration in webif

    They talk about RADIUS, but they don't mention if only client or server RADIUS support is available. I doubt they have RADIUS server support.

    I see a lot of features missing compared to dd-wrt.

    If they can't even do a proper comparison, how good can their product be?
    I also doubt that half of their apps will perform well. I have an IPS at work; this thing runs on a quad-core 3 GHz and needs massive resources in order to handle a gigabit line for a couple of users.
    With so many services on a CPU/RAM-limited router, this thing will not only perform badly, it will also open up a lot of new security issues.
     
  14. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    Their Asuswrt feature list also contains a couple of errors.

    If they ever add support for the RT-AC5300 (very similar hardware) I might give it a try to take a closer look. Don't want to do it with the RT-AC88U since it's my main router at the moment.
     
  15. abailey

    abailey Very Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    587
    Location:
    Tennessee, USA
    If anyone is really interested in giving the Untangle firmware a try I strongly suggest you do a little research about the product, and more specifically the firmware product, before you jump into it. I certainly would never pick a product (any product) based on a comparison chart. They never list everything. I run Untangle at home and I can tell you many of the features Untangle has are not listed on the comparison chart. That being said, it seems like Untangle's marketing is similar to Ubiquiti's. They don't tell the entire story on the surface; you have to do a little research. For example, here is a quote from an Untangle employee: "For those familiar with Untangle this is just regular v12.1 Untangle especially tuned for this router." That makes it sound like all the features of the normal 12.1 will be there, with some "tuning" differences. Well, come to find out through some digging that some of the tuning differences are the reduction in features vs the full version. An example is the IPS. The IPS is not available on the firmware version.
    Here is a quote from Untangle:
    "We won't be able to support the AC87U because it only has 128 meg of RAM.
    We hope to certainly support more routers soon, but we'll likely only ever support routers with 512 megs of RAM. All the layer-7 inspection and apps and logging and reporting requires a lot of RAM. It was very difficult to get it working at 512 megs - especially if you lose 128 megs to a ramdisk for the database!
    The good news is that DD-WRT and OpenWRT already provide really good options for these IMO. They just don't give you the UTM/security and reporting/logging functionality, but that wouldn't be possible in 128 meg anyway. Hopefully we'll find some cheaper 512-meg models to support soon from vendors that intend to support open source firmwares - stay tuned.
    As for running on an ARM vs bigger x86 server, aside from the cost and form factors, it's the same software. The AC88U and routers similar to it are amazingly capable. 1.4 GHz dual core is capable of a lot.
    But with only 512 meg we did remove some of the apps because there is no way they will fit in 512 meg:
    Intrusion Prevention (snort is way too big)
    Web Cache (no disk)
    Web Filter Lite (the non-premium version stores the DB in memory but there is no room for this)
    All the SMTP apps that require clam or spamassassin daemons.
    Additionally other apps have been modified to work differently.
    Virus Blocker uses a cloud lookup only. It doesn't run the bitdefender daemon locally.
    And Reports will log to a ramdisk if you run off a USB key. If run off a disk it logs to the disk normally.
    Other than those and some other minor tuning changes it's pretty much the same as running on x86."
     
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    That's kinda underwhelming then. Might as well stick to Asuswrt (the Trend Micro DPI engine is quite nice), or go with OpenWRT if you have really special networking needs.
     
  17. Mordred

    Mordred Regular Contributor

    Joined:
    Feb 12, 2014
    Messages:
    101
    So it is just a bunch of opensource tools (snort, clamav...) with a frontend. LOL

    I have been working with snort for several years in an enterprise environment. Snort requires a professional admin, it is completely useless to a regular computer enthusiast.

    A cloud lookup virus blocker, wtf, this is a huge privacy issue. Even if it just transfers hashes, it would know everything I download.
    But hashing needs cpu power and I doubt it can hash large downloads etc. Cloudscan will always have issues.

    Thus, as I thought, just a bunch of useless features that come with a nice-looking GUI. My privoxy running on an R7000 needs around 100 MB of RAM if a bunch of clients surf the net and it can't really handle more than 100 Mbps.

    The whole security concept of running such services on your router is bad. In professional networks you separate these things. IDS etc. only receive mirrored traffic, have no access to the network so an attacker cannot use vulnerabilities in those apps to gain access.

    The webfilter is like these stupid adblock scripts pulling in filter lists from remote sites; this alone is a huge risk.

    Sorry to be so negative, but I'm just sad, that so many companies make their profit with oss, while the developers behind these projects can't even pay for their server costs, e.g. bsd, openssl etc.
     
  18. abailey

    abailey Very Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    587
    Location:
    Tennessee, USA
    I agree. When they first announced the firmware, they said it was Beta. Have not seen that since but to me it still looks Beta. If they really want it to take off they need to clearly show the differences between the normal Untangle and the stripped down firmware version. The confusion can lead to some unhappy people and some bad publicity. Now the full version of Untangle, I think is awesome (especially for home use). I have looked high and low for something like Untangle, and have had three similar setups at my house but none worked as well as Untangle and all the others were more expensive. The closest thing I had to Untangle was the Zyxel USG series firewall, but it was more expensive per year and much less powerful.
     
  19. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    And what's wrong with that?

    That's how a lot of modern antivirus software works now. Locally based signatures are half useless as they would be far too large, and require constant updating, so most of them now leverage the cloud for more accurate detection.

    A hash isn't enough to identify "everything you download". They have databases of known bad files, not of known good files (which would be endless!)

    I can't speak for Untangle, but I'm aware of at least one company that sells routers loaded with customized firmwares, which does send money back to the developers of those software projects. I know this for a fact because I've received donations from that company in the past (and they don't even sell products running my firmware, but the Tomato code they ship with does include some of my work.) And, you also have others that will sponsor development. Fairly sure the snort devs are well compensated, considering they also sell a commercial product, and considering who owns them now.

    Yes, some companies are a bit "rotten". I know a few that take open source projects, customize it, resell it, and never give anything back (neither money nor code). But that doesn't mean they are all like that. I'm not very familiar with the Untangle folks, but I have no reason to think they are part of the rotten ones at this time, unless proven otherwise.

    So no, nothing wrong with companies selling a product leveraging open source products, as long as they do it properly.
     
  20. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,072
    Location:
    Canada
    Since they only support a single model at this point, I suspect that they are just getting their feet wet, and evaluating how the market reacts. There's definitely some market potential there with that approach. As mentioned, those dual-core CPUs are quite capable (as long as you don't involve any cipher work).

    If that proof-of-concept works well, imagine that on the next Broadcom generation, with dual-core, 64-bit and AES acceleration support.

    A lot of advanced routers are fairly complicated to configure/manage when you start dealing with a more complex network environment. Never underestimate the value of a well-designed UI. That alone can be reason enough for someone to buy your product, as spending hours around a CLI can be more expensive than spending some money toward a well designed management interface. Especially if you have to pay someone to do that configuration work.