4.5. Setup - Services

Network Interfaces

Network Interfaces

Network Interfaces


A detailed description of creating and configuring each type of network interface is described in the following instructions:

All created interfaces are presented in the form of a table:
1. Network Interfaces.png

In the edit mode, it becomes possible to change the name, network card (by clicking the pencil button), and configuration settings (manually or automatically):
2. Network Interfaces.png

If the Network card is already in use by any interface, then UTM will display an error window "NIC/VLAN tag combinations must be unique".

When migrating UTM from one physical machine to another (disk transfer or backup restore on new hardware), the settings of all network interfaces specified before the migration will be restored. Use the trash bin button to remove unnecessary interfaces.
Example: the original version of UTM 13.X -> migrated UTM to new hardware -> configured new hardware -> upgraded -> in the Network interfaces section, old (before migration) and new (after migration and configuration) network interfaces will be displayed.

Network Interfaces

Configuring Local Ethernet

Manual and automatic configuration using the DHCP protocol.


Be careful!
If you select Local Ethernet and set it as External Ethernet, you will not be able to access the Internet.


Manual Configuration

To configure the connection in the web interface, follow these steps:

1. Go to the menu Services -> Network Interfaces.
2. Click on the icon (+) in the upper right corner of the window and select Local Ethernet.1. Configuring Local Ethernet.png

3. Select a network card.
4. Fill in the fields listed below:

The Gateway field in the Local interface is set only if:
- There is no External UTM interface;
- UTM is only used as a proxy.

Configuration example:
2. Configuring Local Ethernet.png

Automatic Configuration

It is used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol.

  1. Go to menu Services -> Network interfaces.
  2. Click on the icon (+) in the upper right corner of the window and select Local Ethernet.
  3. Select a network card.
  4. Fill in the Title field. The VLAN tag field is filled in only if the network card is already in use.
  5. Enable Automatic configuration via DHCP.
  6. Make sure that the entered values are correct and click Save.
Configuration example:
3. Configuring Local Ethernet.png
Network Interfaces

Configuring External Ethernet

Manual and automatic configuration using the DHCP protocol.


Usually, all necessary information for configuration is contained in the contract with your Internet provider.


Manual Configuration

To configure the connection in the web interface, follow these steps:

1. Go to the menu Services -> Network Interfaces.
2. Click on the icon (+) in the upper right corner of the window and select External Ethernet.1. Configuring External Ethernet.png

3. Select a network card.
4. Fill in the fields listed below:

Configuration example:
2. Configuring External Ethernet.png

Automatic Configuration

It is used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol.

  1. Go to menu Services -> Network interfaces.
  2. Click on the icon (+) in the upper right corner of the window and select External Ethernet.
  3. Select a network card.
  4. Fill in the Title field. The VLAN tag field is filled in only if the network card is already in use.
  5. Enable Automatic configuration via DHCP.
  6. Make sure that the entered values are correct and click Save.
Configuration example:
3. Configuring External Ethernet.png
Network Interfaces

Configuring PPTP Connection

Connection via PPTP protocol is used by Internet service providers in order to provide a more reliable authorization.


To configure such a connection in the web interface, follow these steps:

1. Go to the menu Services -> Network Interfaces.
2. Click on the icon (+) in the upper right corner of the window and select Ethernet + PPTP.
3. Select a network card.
4. Fill in the fields listed in the table below:

Parameter

Description

Title

The name you will use to identify the interface in the future. Maximum 42 characters.

Network card

The network adapter will be used to connect to the Internet provider.

VLAN tag

The VLAN ID in which UTM will be present. Such network interface is considered a VLAN interface. Fill only in the case a network card is already in use.

Automatic configuration via DHCP

Used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol.

IP address/mask

You can assign multiple IP addresses to the interface. At least one IP address must be specified.

Gateway

Gateway IP address.

DNS

There are two fields available to specify the DNS server. Optional fields.

VPN Server

IP address or domain name of the PPTP server.

Login

Username for the PPTP connection.

Password

Password for the PPTP connection.

5. Make sure the entered values are correct and click Save.

Configuration example:
1. Configuring PPTP Connection.png
Network Interfaces

Configuring L2TP Connection

Connection via L2TP protocol is sometimes used by Internet service providers in order to provide more reliable authorization.


To configure such a connection in the web interface, follow these steps:

  1. Go to menu Services -> Network Interfaces.
  2. Click on the icon (+) in the upper right corner of the window and select Ethernet + L2TP.
  3. Select a network card.
  4. Fill in the fields listed in the table below:

Parameter

Description

Title

The name you will use to identify the interface in the future. Maximum 42 characters.

Network Card

The network adapter will be used to connect to the Internet provider.

VLAN tag

The VLAN ID in which UTM will be present Such network interface is considered a VLAN interface. Fill in only if the network card is already in use.

Automatic configuration via DHCP

Used if your Internet provider supports the ability to automatically configure the Ethernet interface using the DHCP protocol.

IP address/mask

You can assign multiple IP addresses to the interface. At least one IP address must be specified.

Gateway

Gateway IP address.

DNS

Two fields are available to specify the DNS server (optional).

VPN Server

IP address or domain name of the L2TP server.

Username

User name for the L2TP connection.

Password

Password for the L2TP connection.

  1. Make sure that the entered values are correct and click Save.
Configuration example:
1. Configuring L2TP Connection.png
Network Interfaces

Configuring PPPoE Connection

Connection via PPPoE protocol is traditionally used by providers offering connection via xDSL.


To configure the connection in the web interface, follow these steps:

  1. Go to menu Services -> Network Interfaces.
  2. Click on the icon (+) in the upper right corner of the window and select Ethernet + PPPoE.
  3. Select a network card.
  4. Fill in the fields listed in the table below:

Parameter

Description

Title

The name you will use to identify the interface in the future. Maximum 42 characters.

Network card

The network adapter will be used to connect to the Internet provider.

VLAN tag

The VLAN ID in which UTM will be present Such network interface is considered a VLAN interface. Fill in only if the network card is already in use.

Login

Username for PPPoE connection.

Password

Password for PPPoE connection.

Service

Service ID. If you don't know what to enter, leave the field empty.

Access concentrator (Hub)

Hub ID. If you don't know what to enter, leave the field empty.

  1. Make sure the entered values are correct and click Save.
Configuration example:
1. Configuring PPPoE Connection.png
Network Interfaces

Connection via 3G and 4G

To connect to the networks of mobile operators, it is possible to use 4G routers with Ethernet interfaces.


The server also supports some models of USB modems, for example, Huawei E8372. When connected, the USB modem will be displayed in SafeUTM as a new Ethernet interface.

Channel Aggregation & Failover

Configuring channel failover, static and dynamic aggregation.


If you have multiple connections to Internet service providers, you can use them in the following ways:


Preparation

Create an additional connection to the Internet provider. The process of creating connections is described in the article on External Ethernet connection. Thus, the server must have at least two Internet connections.

To work with traffic in SafeUTM, it is important to consider two things: routing and NAT. This applies to both aggregation and failover.


Channel Redundancy

To set up redundancy, go to Services -> Channel Aggregation & Failover and select the Failover mode.
1. Balancing and Redundancy.png


Access to the Internet via Specific Connection to Provider (Static Aggregation)

Such scheme of connection to several Internet service providers is often used in the following cases:

To configure this connection scheme, follow these steps:

  1. Go to the menu section Services -> Routing.
  2. Add routing rules for a specific list of resources traffic that needs to be directed through the necessary connection to the provider by clicking Add.
Example of a rule:
2. Balancing and Redundancy.png

In this example, traffic directed to facebook.com from user Jane Smith will be directed through the connection to the provider's Local interface.


Load Aggregation Across Multiple Connections (Dynamic Aggregation)

To configure this connection scheme, follow these steps:

  1. Go to Services -> Channel Aggregation & Failover.
  2. Select the operating mode Channel Aggregation.
    3. Balancing and Redundancy.png

To evenly distribute sessions between connections, you must specify the value Bandwidth – the maximum Internet speed according to the tariffs of your providers. By default, the bandwidth is set to 100 Mbit/s. The server will automatically balance traffic depending on a load of connections.

You do not need to create routes or perform any other settings to balance traffic. Proxy server traffic will also be balanced automatically.

Routing

Used to redirect network traffic passing through SafeUTM.


It has a number of advantages over some other traditional routing systems. Among them are:

It is possible to route local and external networks in the SafeUTM web interface. You can create and edit routes via the SafeUTM web interface in the section Services -> Routing.

To organize access to remote networks via a router on a local network, read the article by following the link.


Routing of LANS

Local area network routing operates within the local area network and does not have a Source address field when adding a route. To add a new route, go to the Local area networks routing tab and click Add:


Routing of External Networks

To add a new route, go to the routing tab of WAN routes and click Add. A route creation form will open on the page:
1. Routing.png

Description of each option:

After saving the route, the page looks like this:
2. Routing.pngArrow icons increase or decrease the priority of the rule execution.

There is a status Activating in the table. It has two states:

State

Description

3. Routing.png

The route is active, and traffic falling under the conditions of the route will be redirected to the specified Gateway.

4. Routing.png

The route is not active, and traffic falling under the conditions of the route will not be this rule.

Traffic that does not fall under the conditions of the routing rules, or with object Any as a gateway, will be sent to Channel Aggregation & Failover.


When routing traffic through connections to the provider, it is important to understand that most often one route is not enough, you will also need to redefine the address using SNAT, otherwise, such a route simply will not work. SNAT can be configured using a firewall.

Task: any traffic to subnet 150.1.0.0/16 needs to be directed to the local gateway


5. Routing.png

Task: all user traffic from the group Accounting needs to be directed through the gateway of the selected network interface


6. Routing.png

If you are setting up a route to remote network access via an additional router located on the same LAN as the clients, make sure that you have avoided "asymmetric routing" and moved the router to the DMZ.

BGP

Configuring BGP to exchange information about the availability of networks.


SafeUTM 13 implements support for BGP (Border Gateway Protocol), which is the main dynamic routing protocol used on the Internet.


Setting up your autonomous system

1. Enter your AS number in the AS Number field and click Save:
1. BGP.png

2. Move the switch of the BGP section to the enabled position;
3. SafeUTM will populate the Router ID field automatically if the BGP section switch is on.


Configuring BGP neighbors

1. To add a BGP neighbor, click Add in the upper right corner;
2. Fill in the following fields:

For Incoming networks and Announced networks, the Any object cannot be set simultaneously with other filters.

If there is no required object for filtering, then you can create it by selecting Create a new object in the Incoming networks or Announced networks field:

OSPF

SafeUTM 13 supports OSPF (Open Shortest Path First), a routing protocol based on the state of channels. A channel is a router interface or network segment that connects two routers. The state data of these channels is called the channel state.

The use of this module is best suited for networks that have network load balancing and channel redundancy.

An example of topology using OSPF is shown in the diagram below:
1. OSPF.png

The principle of routing according to the state of the channel

1. Establishing adjacency relationships with neighboring devices

A router using OSPF sends greeting packets to identify all neighboring devices within these channels. If there is a neighboring device, the router tries to establish an adjacency relationship with it.
2. OSPF.png

2. Exchanging channel state announcements

After the adjacency is established, the devices exchange channel state announcements (LSAs). LSAs contain information about the state and cost of each channel with a direct connection.
3. OSPF.png

3. Creating a communication state database

Based on the LSA announcement, routers collect a database that contains data about the network topology in the area.
4. OSPF.png

4. Executing the SPF algorithm

Then the SPF algorithm is executed on the devices, resulting in the creation of a tree of shortest paths.
5. OSPF.png

5. Choosing the best route

Based on the SPF tree data, the best paths for the IP routing table are proposed. A route is added to the routing table if there is no route source to the same network with a smaller administrative distance, for example, a static route. Routing decisions are made based on entries in the routing table.
6. OSPF.png

Setting up SafeUTM

To configure OSPF on UTM, follow these steps:

  1. In the UTM web interface, go to Services -> OSPF and click Add.
  2. Fill in the following fields:
    - Interface - select the local interface connected to the router.
    - Area ID - enter the zone number (for small networks, enter zone 0). The name of the zone can be entered as a number or IP address by clicking the icon A/B.
    - Cost - enter the cost of the route.
  3. Click Save.

Configuration example:
7. OSPF.png

Example of a ready table:
8. OSPF.png

Setting up MikroTik

1. Install and boot up RouterOS:

2. After the RouterOS is installed, reboot the router by pressing Enter:
11. OSPF.png

3. Default login is "admin", password is an empty field.

4. Set the admin login/password.

5. Run the following command: routing ospf area add area-id=х.х.х.х default-cost=1 disabled=no inject-summary-lsa=no name=area1 type=default where x.x.x.x - the name of the zone that was specified when setting up SafeUTM within the network;

6. To transfer any other networks to neighboring devices via dynamic routing, enter the following command: routing ospf network add network=(other subnets)/24 area=area1

7. Repeat the command from step 6 to add each subnet.

8. To display the routing table, enter the command: ip route print

Proxy

Proxy

Proxy

Setting up a direct connection to the proxy server.


Proxy Server for Web Traffic

You do not need to explicitly specify the proxy settings on the LAN hosts. Specifying UTM as the default gateway for devices on the network is sufficient.

By default, caching of traffic to disk is disabled, but it is carried out in the server RAM. You can enable caching of web traffic to disk in Services -> Proxy, but we do not recommend doing this because of excessive load on the disk subsystem. As a rule, caching to RAM is sufficient.

Direct connections to the proxy server can be configured by checking the corresponding box in the section Services -> Proxy and specifying the IP address and port on the UTM side. Then these details should be specified on those LAN network devices whose web traffic needs to be passed through a proxy.

To configure HTTPS traffic filtering, you need to add a root UTM certificate to users' computers. Read more in the article on Setting up HTTPS filtering.

Below is a screenshot of the General tab in the Proxy section.
1. Proxy Server.png


Role of Proxy Server in the Operation of SafeUTM Gateway

The proxy server, in addition to proxying web traffic, plays the role of a master service for several services related to processing, monitoring, and accounting for user web traffic on the gateway, namely:


Direct Connections to Proxy Server

This mode is used when SafeUTM is not the default gateway for network clients.

Setting up the mode

In this mode, UTM will be able to provide hosts with web content and traffic on other ports (by default on all, if necessary, you can close the ports with a firewall), in case of necessity performing accounting (quotas), monitoring and checking web traffic for viruses, content and malicious content if the following conditions are met:

If it is not possible to specify a proxy server in the program settings for Windows or Mac OS X, then you can use third-party software to route all workstation traffic to the proxy server. For example, Proxifier provides such an opportunity. For more information on how to configure Proxifier for direct connections to the proxy server, see an article by following the link.


Exclusion of Resources from Proxy Server Processing

On the Exceptions tab, it is possible to exclude resources from processing by the proxy server and all related services (content filter, web reporting, antiviruses).

We strongly discourage you from excluding the ENTIRE LAN from proxy server processing.

When connecting directly to a proxy server, traffic cannot be excluded from proxy processing. You need to exclude traffic in the proxy server settings on the device (in the web browser or the proxy server system settings).

Proxy

Configuring Proxy with Single Interface

If necessary, you can use SafeUTM as a proxy server with direct connections of clients to the proxy, with a single interface.


To do this, you need to perform the following settings:

  1. When creating a local interface in Services -> Network interfaces, Gateway needs to be specified:

    1. Configuring Proxy with Single Interface.png

  2. Allow direct connections to the proxy server on the tab Services -> Proxy by selecting the desired port from the list:

    2. Configuring Proxy with Single Interface.png

When using SafeUTM as a proxy server with direct connections to the proxy, most of the functions will work normally, but with some peculiarities:

Proxy

Exclude IP Addresses from Proxy Server Processing

Setting up exceptions for the traffic of individual users or traffic to certain Internet resources from passing and processing by a web proxy available as part of UTM.


Resource exclusions from proxy server processing only work for transparent proxy mode. With direct connections to the proxy server, it is impossible to exclude anything from proxy processing.

Two types of exceptions can be configured:

You can only specific IP addresses or IP networks.

Traffic excluded from proxy processing will not participate in Reports, and also cannot be tested for viruses and processed by the Content filter module. At the same time, such traffic will be checked by a firewall, intrusion prevention services, and application control.
1. Exclude IP Addresses from Proxy Server Processing.png


Programs Running on Protocols Other Than HTTP(S) via Web Proxy

Some programs that send traffic to their servers on ports 80 and 443, but at the same time work on protocols other than HTTP(S), cannot be processed by a web proxy server on UTM with HTTPS traffic filtering enabled. The traffic of such programs should be excluded from proxy processing in the Destination networks field.

Proxy

Connecting to External ICAP Services

Sending HTTP(S) traffic for analysis to third-party servers using ICAP protocol.


In this case, traffic to these servers (which may include DLP systems, antiviruses, and web filters) is transmitted in decrypted form.

You can configure the connection to servers via ICAP in Services -> Proxy on the ICAP tab.
1. Connecting to External ICAP Services.png

It is possible to establish a connection to several ICAP services simultaneously.

Reverse Proxy

Publishing local network web resources in such a way that they become available to consumers from the Internet.


Reverse proxy technology allows you to proxy web traffic in the opposite direction: from the Internet to the LAN, unlike the most commonly used option, from the LAN to the Internet. This approach replaced port mapping (DNAT) and expanded the possibilities for publishing web resources.

Reverse proxy differs from DNAT in that it works at a higher level (the HTTP application protocol instead of the IP network protocol) and allows for a more flexible implementation of resource publishing. The main parameter when publishing a web resource is the Requested address on the Internet. A request to UTM will be made from the external network via HTTP protocol and this URL. A reverse proxy allows you to "route" (HTTP-routing) such a request to an HTTP server on the LAN. Thus, having one resource A-record for the UTM external network interface you can publish several resources on the LAN by distributing them to several incoming URLs. If several A-records are associated with an external UTM IP address, then routing becomes even simpler, and incoming URLs are more convenient for resource visitors.


Creating and Configuring Rule

Configuring certificates for published resources does not require their manual download. Now SafeUTM itself sends a request to issue a Let's Encrypt certificate. The certificate issue may take up to 20 minutes. The issued certificates will be available in the TLS Certificates section.

To create a rule, go to Services -> Reverse Proxy and click Add. The form for adding a rule is divided into two subsections: Basic settings and Additional settings.
1. Reverse Proxy.png

Basic Settings

If you specify 0.0.0.0 in the Requested Internet address line, the redirection will work from all external IP addresses to the address from the Local network address line.
If you specify any IP that does not belong to the external UTM interface, then such a redirect will work similarly to 0.0.0.0.

Additional Settings

Web Application Firewall parses requests to the site and blocks attacks on vulnerable components of the web application (in particular, the types of attacks included in the OWASP TOP-10). When activating this module, attackers who are scanning the site for vulnerabilities will also be blocked using the brute force attack protection module.

In the fields Requested address on the Internet and Address in the LAN for the Outlook Web Access type, specify only domains https://yourdomain/ without the rest of the URL (it is not used when publishing in this way).

! When publishing Outlook Web Access, do not enable the Web Application Firewall. Their collaboration will be possible in the next versions.

If you have a trusted SSL certificate for the domain through which a request to the published resource will go from outside, then you can upload it to the section Services -> TLS Certificates by clicking Add.

Domain names specified in the field Requested Internet address must resolve to the external IP address of the UTM server. Domain names specified in the field Local network address must resolve to the IP addresses of the published resources by the UTM server itself.

CMS Publication

So far, we have tested and officially support the publication of sites on two popular CMSs: Joomla and WordPress. The publication details of each CMS are described below.

Joomla

Joomla in the current implementation is published if you configure redirection from an external domain to a local domain without a prefix:

WordPress

WordPress in the current implementation is published only in the configuration when the same domain is configured in WordPress and in reverse proxy:

DNS

A DNS server converts human-readable server names into IP addresses. SafeUTM includes a DNS server that does not require additional configuration in most cases.


DNS service on the SafeUTM server is configured in Services -> DNS. The service allows you to specify DNS servers in external networks through which domain names will be resolved (External DNS servers tab) requested from LANs. It is possible to specify third-party DNS servers (in local or external networks relative to UTM) with an indication of the specific DNS zones that these servers serve (Forward zones tab). The listed DNS server features can be used simultaneously.
Also, in the Master Zones tab, you can configure a full-featured DNS server that resolves names to IP addresses of network devices in the LAN.


External DNS servers

For normal operation of name resolution on the Internet via SafeUTM, it is not necessary to specify DNS servers in this section. If DNS servers are not specified, the server will resolve names on the Internet using root DNS servers on the Internet. This configuration will not work if the upstream router intercepts DNS requests. In this case, we recommend:

1. DNS.png

Recommendations:

  1. The DNS server embedded in SafeUTM is a caching one. It is highly recommended to use it as a DNS server for your local network.
  2. Do not enter 8.8.8.8,1.1.1.1 or similar ones unless absolutely necessary. SafeUTM will handle the resolution on its own without any intermediaries.
  3. Do not specify a DNS server from your internal Active Directory server, even if it can resolve domain names on the Internet on its own. This, as a rule, is meaningless. When integrated with AD, SafeUTM will automatically configure everything necessary (forward zone) for AD operation and resolve the internal names of your domain. To resolve some special zones not related to AD, create a forward zone.
  4. Do not use DNS provided by your Internet provider unless absolutely necessary (do not specify either manually or through the interface selection option). SafeUTM will automatically configure everything you need to connect to PPTP/L2TP via a domain name. In practice, provider DNS exceeds TTL, and also takes a long time to respond. The only case when this is needed is the provider's special internal domain zones. In this case, create a forward zone.
  5. You can specify DNS servers engaged in filtering if necessary (SafeDNS).
  6. If all DNS servers are disabled or deleted, DNS will work fine - SafeUTM will resolve the names on its own.
  7. If the ISP or upstream device is intercepting DNS requests, then using the standard configuration with root servers is not possible, and you must either set the servers manually or use the DNS servers assigned to the connection.

Interception of DNS Requests

Enabling interception of DNS requests blocks the use of DNS-over-TLS (DoT), DNS-over-QUIC (DoQ), and DNS-over-HTTPS (DoH).

The product has the ability to intercept requests made through third-party DNS servers specified by users on workstations (in order to bypass locks, or due to incorrect configuration). To do this, enable the option Interception of custom DNS queries in External DNS servers.
2. DNS.png

The option is enabled globally for all hosts in the LAN that access the Internet via SafeUTM. This allows you to avoid possible substitution of the resource address when resolving its domain in order to bypass resource locks. Also, interception of all users' DNS requests will allow you to control the process of resolving domain names on the Internet exclusively by means of UTM.

The intercepted request will be redirected to the UTM DNS server, and the response will be generated by the UTM DNS server, not the original DNS server. Interception of DNS requests also blocks the possibility of tunneling through DNS (DNS tunneling). Enabling the interception of custom DNS requests also blocks the use of DNS-over-TLS.

You can use the following third-party DNS servers for additional traffic filtering:


DNS Server Management

You can turn off/on, edit or delete DNS servers in column Operations.

Forward zones

In this section, you can explicitly specify a DNS server to resolve the names of a specific DNS zone. By specifying the DNS server available on the network and the zone it serves, SafeUTM network clients are able to access the resources in this zone by the names of the domain it serves. For example, the IT department of an enterprise provides resources for employees in the zone in.metacortex.com under names realm1.in.metacortex.com , sandbox.metacortex.com and uses DNS server 10.10.10.10 for this.

To be able to access these resources by domain names, specify the provider's forward zone as an isp and then specify DNS server 10.10.10.10 in the Forward zone addition form.
3. DNS.png


Master zones

Master zones with configured DNS records will allow you to use UTM as a name server inside your network infrastructure to access the IP addresses of hosts on the network by domain names.

The DNS server in SafeUTM is not accessible from outside for security reasons. To support external DNS zones, we recommend using third-party DNS hostings.

Do not use master zones to block access to sites, there are other means in SafeUTM to do this. Blocking in this way works inefficiently and does not allow you to selectively prohibit access by users or subnets. It also leads to problems with excessive caching.

The records format for setting up the master zone corresponds to the records format of the BIND DNS server.

Description of record parameters:

All resource records can be found here.

An example of the record is shown in the screenshot below:
4. DNS.png

A few examples of records in the master zone:

1. Zone name: ms

$ORIGIN ms. 
$TTL 600 
@ SOA ns1.ms. administrator.ms. ( 4 7200 3600 1209600 600 ) 
@ NS ns1.ms. 
@ MX 10 mx10.ms. 
@ A 192.168.0.250 
ns1 A 192.168.0.250 
mx10 A 192.168.0.250 
www CNAME @

2. Zone name: example.com

$TTL 86400
@ SOA localhost. root.localhost. ( 991079290 28800 14400 3600000 86400 )
@ NS my-dns-server.example.com.
my-dns-server A 1.2.3.4

DHCP Server

The DHCP server is used to automatically assign IP addresses to network devices on the LAN.


SafeUTM interface allows you to configure a range of IP addresses for automatic assignment, as well as to form static bindings of IP addresses to MAC addresses of these devices. Network devices on the local network must be configured to automatically receive network details from the DHCP server. Thus, clients send a broadcast request to a LAN segment, and the server intercepts and sends responses to these requests containing the necessary settings for the client.

A static IP address must be configured on the local SafeUTM interface participating in the distribution of addresses.


Configuring Server

In order to configure DHCP for the local interface, you need to go to Services -> DHCP server and click Add.

As a rule, the SafeUTM server is the gateway and DNS server for all LAN network devices, so in most cases, the service configuration is limited to determining the range of IP addresses. If necessary, you can specify DNS servers, static routes, and WINS server addresses. The list of DHCP server parameters can be seen in the table below:

*If DNS interception is configured on SafeUTM, then name resolution will be performed using the server specified in the DNS interception settings.

If you set the checkbox in the Issue IP addresses specified in authorizations via IP without MAC checkbox, then IP addresses (with the exception of the rule with IP+MAC) used as a user authorization factor (Authorization section) will be issued by the DHCP server.

An example of configuring a DHCP server is shown in the screenshot below:
1. DHCP.png

If no value is specified in the DNS-1 or DNS-2 field, then the DNS server will be SafeUTM for all network devices on the local network.

You can enable/disable, edit or delete rules for issuing IP addresses using control buttons in the Operations column.

Also, when using a DHCP server, do not forget to move the slider at the top of the screen near the inscription DHCP server to the Enabled position.
2. DHCP.png


Configuring DHCP server with IP Binding to MAC

To configure the binding of the IP address to the MAC address in the DHCP server, follow these steps:

1. In the section Services -> DHCP server select the tab Binding IP to MAC.
3. DHCP.png

2. Create an IP-to-MAC binding rule:
4. DHCP.png

An example of the created binding rule is shown in the screenshot below:
5. DHCP.png

To check the created rule, on the computer with the MAC address specified in the rule, get an IP address via DHCP and check the result using the command ipconfig /all

Tips for configuring clients
Some devices provide a MAC address with hyphenated octets ( 01-02-03-04-05-06 ). In the SafeUTM settings, MAC address octets are separated only by colons ( 01:02:03:04:05:06 ). Therefore, be careful when coordinating the settings of client devices and the DHCP server on SafeUTM.

IPSec

IPSec

Branches and Head Office

This type of connection allows you to combine the LANs of several SafeUTM servers.


Features of IPsec technology implementation in SafeUTM assume two roles of using SafeUTM:


Setting up Connection Between Branch and Head Office

Head offices and Branches are added on the tabs with the same names in the section Services -> IPsec.

- Before creating a connection between the Branch and the Head Office, make sure that the time zone is correctly configured on each of the connected parties. It is impossible to establish a connection without this.
- Before configuring IPsec, it should be taken into account that for it to work, no IP subnets involved in connections, including the networks of the Head Office and all Branches, should overlap and, moreover, coincide.
- Networks of local interfaces of the Head offices and Branches to which you want to give access, must be set statically.
- Before setting up the connection, you need to make sure that one of the servers has a public (white) IP address from the Internet provider. If it turns out that the Head Office does not have a public IP address, and the Branch has such an address, then the server roles for this connection should be reversed.
- When replacing/reissuing the root certificate in the TLS Certificates section, IPsec connections Head Office <-> Branch will stop working and they will need to be recreated.

Step 1. Creating a connection in a Branch

In order to create a connection on SafeUTM, which will act as a Branch, it is necessary to perform the following settings in the web interface of this UTM:

1. Open the section Services -> IPsec -> Branch office and click Add in the upper left corner of the screen.
2. Fill in the following fields:

3. After filling in the fields, click Add head Office.
4. Click on the edit icon next to the added Head Office.
2. Branches and Head Office.png

5. Copy the contents of the Branch office settings field. The contents need to be pasted when setting up the Head Office to which the connection is being made (see step 2).
3. Branches and Head Office.png

Step 2. Creating a connection in the Head Office

In order to create a connection on SafeUTM which will act as the Head Office it is necessary to perform the following settings in the web interface of this UTM:

1. Open the section Services -> IPsec -> Head Office and click Add.
2. Fill in the following fields:

3. Click Add branch office.
4. Click the edit icon next to the added Branch.
5. Branches and Head Office.png

5. Select the LANs of the Head Office and click Save.
6. Branches and Head Office.png

6. Go back to editing the added Branch and copy the contents of the Head office settings field. The contents need to be added to the Branch settings (see step 3).
7. Branches and Head Office.png

Step 3. Final setup of the Branch

In order to complete the creation of a connection on SafeUTM which will act as a Branch it is necessary to perform the following settings in the web interface of this UTM:

1. Open section Services -> IPsec -> Branch office.
2. Select the desired head office and click Edit.
3. Insert into the Head Office Settings field the settings text received from the Head Office during step 2.
8. Branches and Head Office.png

4. Click Save.
5. Open section Services -> IPsec -> Branch office on UTM acting as a Branch and section Services -> IPsec -> Head Office on UTM acting as the Head Office and make sure that the connection to the Head Office is established. The confirmation Established should appear in a green frame.
9. Branches and Head Office.png


Routing of additional networks located behind the router in the local UTM network through an IPsec tunnel.

In order to configure the routing of networks located behind the router in the local UTM network, it is necessary to create a route to an additional network via the router's IP on SafeUTM (UTM, router and target host will be on the same network).

- If SafeUTM is behind NAT, then in order to work with IPsec you need to forward ports 500 and 4500 UDP.
- When installing an IPsec tunnel between SafeUTM servers (Branch and Head Office), 256-bit AES encryption is always used, as it is common and very reliable.

IPSec

Connecting Devices

Description of options for connecting various routers (Mikrotik, Zyxel Keenetic, etc.) to SafeUTM for site-to-site VPN using IPsec IKEv2 protocol.


Devices that are not described in this manual as a rule can be connected using similar settings.

When combining networks using a VPN, LANs in different offices should not overlap.


The choice of crypto algorithms on remote devices.

When configuring third-party devices, you must explicitly specify the crypto algorithms used for the connection. SafeUTM supports the most up-to-date and at the same time sufficiently secure algorithms that do not load the server and devices. At the same time, outdated algorithms and those considered unsafe (MD5, SHA1, AES128, DES, 3DES, Blowfish, etc.) are not supported. When configuring third-party devices, as a rule, you can enter several supported algorithms at the same time. In fact, one algorithm of each kind is needed. Unfortunately, not all devices support the best algorithms, so SafeUTM supports several at once. Find below the list of algorithms of each type in descending order of priority for selection.

Example

An example of setting up a pfSense connection to SafeUTM via IPsec is shown in the screenshots below:
2. Connecting Devices.png
3. Connecting Devices.png


Connecting SafeUTM to MikroTik Using PSK

If there is a public IP address on the MikroTik device, follow the steps below to configure the SafeUTM connection to MikroTik.

Step 1.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After filling in all the fields, click Add connection. Your connection will appear in the list of connections:
5. Connecting Devices.png

Step 2.

You can configure the MikroTik device in several ways - through the GUI, and through the device console.


Connecting MikroTik to SafeUTM Using PSK

If there is a public IP address on SafeUTM, follow the steps below to configure the connection of the MikroTik device to SafeUTM.

Step 1.

You can configure the MikroTik device in several ways - through the GUI, and through the device console

Step 2.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After filling in all the fields, click Add connection. Your connection will appear in the list of connections.
7. Connecting Devices.png


Connecting SafeUTM to MikroTik Using Certificates

Connection with certificates is used because it is more secure than a PSK connection, or in cases when the device does not support PSK.

For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.
The creation of outgoing IPsec connections using certificates to MikroTik below version 6.45 does not work due to the inability to use modern crypto algorithms in certificates.

Step 1.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After the request is signed, you will need to continue configuring the connection in SafeUTM.

Do not close the settings tab!

Step 2.
Setting up MikroTik

At this stage, you should configure MikroTik to continue configuring UTM.

The UTM.csr file obtained from SafeUTM must be uploaded to the MikroTik file storage. To do this, open the File section, click Browse, select the file and upload it.

You can configure MikroTik in several ways - through the GUI, and through the device console.

Two files will appear in the MikroTik file system which you need to download in order to upload to UTM later.

9. Connecting Devices.png

The file of the type cert_export_device_<random character set>.ipsec.crt is a signed UTM certificate. The file of the type cert_export_mk_ca.crt is the root certificate of MikroTik.

At this point, the MikroTik setup can be considered complete.

Step 3.
Finishing up the SafeUTM setup

Go back to SafeUTM to the tab with the device connection settings and continue filling in the following fields:

After filling in the fields, click Add connection. Your connection will appear in the list of connections.


Connecting MikroTik to SafeUTM by certificates

Connection with certificates is used because it is more secure than a PSK connection, or in cases when the device does not support PSK.

For the correct operation of certificate connections, it is necessary that the time on MikroTik be synchronized via NTP. To do this, it is sufficient for the device to have access to the Internet.

Step 1.
Setting up MikroTik

You can configure MikroTik in several ways - through the GUI, and through the device console.

Two files will appear in the MikroTik file storage which must be downloaded since they are required for further configuration.:

14. Connecting Devices.png

Next, you will need to fill in the Certificate Signing Request field in SafeUTM, here is how to configure it.

Step 2.
Setting up SafeUTM

1. In SafeUTM, open the tab Services -> IPsec -> Devices, click on the icon (+), and fill in the following fields:

2. After the settings, click Add connection. Your connection will appear in the list of connections. Click on the edit connection button to continue the setup.
12. Connecting Devices.png

3. The connection settings editing area will appear. You need to download the files that are in the fields UTM root certificate and Signed device certificate for their subsequent use in MikroTik.
13. Connecting Devices.png


Problems when reactivating an incoming connection to SafeUTM

If after using this connection you turned it off, for example, as unnecessary, and when trying to re-enable the connection failed to be established, then most likely the remote device got into fail2ban (a tool that tracks attempts to access services in log files, and if it finds repeated unsuccessful authorization attempts from the same IP-address or host, it blocks further attempts).


Connecting Mikrotik to SafeUTM via L2TP/IPsec

Configure the connection by running the following commands:

  1. Edit the IPsec profile:
    ip ipsec profile set default hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048
  1. Edit IPsec proposals:
    ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp2048
  1. Create a connection to SafeUTM:
    interface l2tp-client add connect-to={server} profile=default disabled=no name={interface_name} password="{password}" user="{login}" use-ipsec="yes" ipsec-secret="{psk}"
IPSec

Connecting users

Connecting remote users via L2TP/IPsec protocol.


The settings for connecting users (client-to-site VPN) are described in the article VPN connection L2TP IPsec.


Allow remote users to connect via L2TP/IPsec protocol

1. Go to Users -> VPN connections.
2. Check the item L2TP/IPsec connection. Unchecking the box disables all users connected via L2TP/IPsec and makes their connection impossible.
1. Connecting users.png

3. Change the default PSK. The pre-shared key is a line that will need to be entered in the L2TP/IPsec connection settings on end devices.

When changing the Pre-shared key, all remotely connected users will be disconnected. To restore connectivity, specify a new PSK on remote user devices.

Connecting offices (site-to-site)

Connecting offices (site-to-site)

PPTP VPN

Using the PPTP protocol, you can connect Branches that use outdated routers supporting only PPTP to the Head Office (if the device supports IPsec, it is recommended to use PPTP).


If possible, use a more reliable and secure protocol for connecting branches - IPsec. For details on setup, see the article Connecting devices.
For SafeUTM communication with SafeUTM, also use IPsec (see article Branches and Head Office).

The setup process consists of two stages:


Server Preparation and Configuration of Local Networks

To combine local office networks, you need to ensure the uniqueness of the IP address space in them. Each office should have its own unique network. Otherwise, when creating a VPN tunnel, you may encounter incorrect routing.

Below is an example of combining networks of two offices. Configure your network and SafeUTM security gateway according to the data in the table below:

Parameter

Office No1 (SafeUTM)

Office No2 (Router)

IP Address Space

IP address: 192.168.0.0

Netmask: 255.255.255.0

IP address: 192.168.1.0

Netmask: 255.255.255.0

Local IP address

IP address: 192.168.0.1

Netmask: 255.255.255.0

IP address: 192.168.1.1

Netmask: 255.255.255.0


Creating VPN tunnels and configuring routing

Internet gateway in Office No1

1. Create a user account, for example, "office2", on behalf of which the SafeUTM server in office No2 will connect to the SafeUTM server in office No1.

2. Allow the created account to have Allow remote access via VPN. This parameter can be activated in the section Users -> User & Group -> General by selecting the desired user.
1. PPTP VPN.png

3. Add routes to the routing table. To do this, go to Services -> Routing -> Static routes and click the add button. We need to add the following route:

Configuring the router in office No2

In the example, the settings are given for SafeUTM acting as a router. As a rule, routers from different manufacturers are configured similarly.

You need to create a VPN connection to a remote server and register a route to a remote network via a VPN connection. To do this, follow these steps:

Connecting offices (site-to-site)

Incoming Connection of Cisco IOS to SafeUTM via IPsec

Following the steps in this article, you can combine Cisco and SafeUTM networks via IPsec using PSK.


Find below the connection setup according to the scheme shown in the figure:
1. Incoming Connection of Cisco IOS to SafeUTM via IPsec.png


Step 1. Initial Setup of SafeUTM

Configure the local and external interfaces on SafeUTM. Detailed information can be found in the article Initial setup.


Step 2. Initial setup of Cisco IOS EX

Cisco configuration can be done through the device console (the configuration is described below) 

1. Setting up the local interface:

enable
conf t
interface GigabitEthernet2
ip address {local IP Cisco} {subnet mask}
no shutdown
ip nat inside
exit

2. Configuring the external interface:

interface GigabitEthernet1
ip address {Cisco external IP} {subnet mask}
no shutdown
ip nat outside
exit

3. Check if there is a connection between the external interfaces of SafeUTM and Cisco. To do this, use the ping {external IP UTM} command in the Cisco console. The result of the command output is the presence of ICMP responses.

4. Creating an access list with local network addressing:

ip access-list extended NAT
permit ip {Cisco local subnet} {reverse subnet mask} any
exit

5. Configuring NAT (for more information on configuring this item, you can read the article on the official Cisco website):

ip nat inside source list NAT interface GigabitEthernet1 overload
exit

6. Saving configuration settings:

write memory

7. Having saved the settings, make sure that there is Internet access from the Cisco LAN. To do this, visit any website (for example: https://www.cisco.com) from a device on the Cisco LAN.


Step 3. Configuring IKEv2+IPsec on Cisco

1. Creating a proposal (you can read detailed information on setting up this item in the article on the official Cisco website):

conf t
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-256
integrity sha256
group 19
exit

2. Creating a policy (you can read detailed information on setting up this item in the article on the official Cisco website):

crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
exit

3. Creating a peer (key_id is the ID of the remote party, i.e. SafeUTM). Detailed information on setting up this item can be found in the article on the official Cisco website.

crypto ikev2 keyring key
peer strongswan
address {UTM external IP}
identity key-id {key_id}
pre-shared-key local {psk}
pre-shared-key remote {psk}
exit
exit

4. Creating an IKEv2 profile (you can read detailed information on configuring this item in the article on the official Cisco website):

crypto ikev2 profile ikev2profile
match identity remote address {UTM external IP} 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local key
exit

5. Setting up encryption in esp:

crypto ipsec transform-set TS esp-gcm 256
mode tunnel
exit

6. Creating ipsec-isakmp:

crypto map cmap 10 ipsec-isakmp
set peer {UTM external IP}
set transform-set TS
set ikev2-profile ikev2profile
match address cryptoacl
exit

7. Configuring the crypto map on the external interface:

interface GigabitEthernet1
crypto map cmap
exit

8. Creating an access list for traffic between Cisco and UTM local networks:

ip access-list extended cryptoacl
permit ip {Cisco local subnet} {reverse subnet mask} {UTM local subnet} {reverse subnet mask}
exit

9. Adding traffic exceptions between Cisco and UTM local networks to the NAT access list (the deny rule should be higher than permit):

ip access-list extended NAT
no permit ip {Cisco local subnet} {reverse subnet mask} any
deny ip {Cisco local subnet} {reverse subnet mask} {local UTM subnet} {reverse subnet mask}
permit ip {Cisco local subnet} {reverse subnet mask} any
exit
end

10. Saving configuration settings:

write memory

Step 4. Creating an incoming IPsec connection on UTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.
2. Add a new connection:

3. Save the created connection, then click on Turn on
4. Check that the connection is established (your connection will appear in the list of connections, in column Statuses the word Installed will be highlighted in green).
5. Check for traffic between local networks (TCP and web).


The final configuration of Cisco IOS

The final configuration of IKEv2 IPsec on Cisco IOS should look like this:

crypto ikev2 proposal ikev2proposal 
 encryption aes-cbc-256
 integrity sha256
 group 19

crypto ikev2 policy ikev2policy 
 match fvrf any
 proposal ikev2proposal

crypto ikev2 keyring key
 peer strongswan
  address 5.5.5.5
  pre-shared-key local QWEqwe1234567890
  pre-shared-key remote QWEqwe1234567890

crypto ikev2 profile ikev2profile
 match identity remote key-id key-id
 authentication remote pre-share
 authentication local pre-share
 keyring local key

crypto ipsec transform-set TS esp-gcm 256 
 mode tunnel

crypto map cmap 10 ipsec-isakmp 
 set peer 5.5.5.5
 set transform-set TS 
 set ikev2-profile ikev2profile
 match address cryptoacl

interface GigabitEthernet1
! external interface
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map cmap

interface GigabitEthernet2
! local interface
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
 negotiation auto
 no mop enabled
 no mop sysid

ip nat inside source list NAT interface GigabitEthernet1 overload

ip access-list extended NAT
 deny   ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 any
ip access-list extended cryptoacl
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
Connecting offices (site-to-site)

Outgoing SafeUTM Connection to Cisco IOS via IPsec

Following the steps in this article, you can combine Cisco and SafeUTM networks via IPsec using PSK.


Find below the connection setup according to the scheme shown in the figure:
1. Outgoing SafeUTM Connection to Cisco IOS via IPsec.png


Step 1. Initial Setup of SafeUTM

Configure the local and external interfaces on SafeUTM. Detailed information can be found in the article Initial setup.


Step 2. Initial Setup of Cisco IOS EX

Cisco configuration can be done through the device console (the configuration is described below).

1. Setting up the local interface:

enable
conf t
interface GigabitEthernet2
ip address {Cisco local IP} {subnet mask}
no shutdown
ip nat inside
exit

2. Configuring the external interface:

interface GigabitEthernet1
ip address {Cisco external IP} {subnet mask}
no shutdown
ip nat outside
exit

3. Check if there is a connection between the external interfaces of SafeUTM and Cisco. To do this, use the ping {external IP UTM} command in the Cisco console. The result of the command output is the presence of ICMP responses.

4. Creating an access list with local network addressing:

ip access-list extended NAT
permit ip {Cisco local subnet} {reverse subnet mask} any
exit

5. Configuring NAT (for more information on configuring this item, you can read the article on the official Cisco website):

ip nat inside source list NAT interface GigabitEthernet1 overload
exit

6. Saving configuration settings:

write memory

7. Having saved the settings, make sure that there is Internet access from the Cisco LAN. To do this, visit any website (for example: https://www.cisco.com) from a device on the Cisco LAN.


Step 3. Configuring IKEv2+IPsec on Cisco

1. Creating a proposal (you can read detailed information on setting up this item in the article on the official Cisco website):

conf t
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-256
integrity sha256
group 19
exit

2. Creating a policy (you can read detailed information on setting up this item in the article on the official Cisco website):

crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
exit

3. Creating a peer (key_id is the ID of the remote party, i.e. SafeUTM). Detailed information on setting up this item can be found in the article on the official Cisco website.

crypto ikev2 keyring key
peer strongswan
address {UTM external IP}
identity key-id {key_id}
pre-shared-key local {psk}
pre-shared-key remote {psk}
exit
exit

4. Creating an IKEv2 profile (you can read detailed information on configuring this item in the article on the official Cisco website):

crypto ikev2 profile ikev2profile
match identity remote address {UTM external IP} 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local key
exit

5. Setting up encryption in esp:

crypto ipsec transform-set TS esp-gcm 256
mode tunnel
exit

6. Creating ipsec-isakmp:

crypto map cmap 10 ipsec-isakmp
set peer {UTM external IP}
set transform-set TS
set ikev2-profile ikev2profile
match address cryptoacl
exit

7. Configuring the crypto map on the external interface:

interface GigabitEthernet1
crypto map cmap
exit

8. Creating an access list for traffic between Cisco and UTM local networks:

ip access-list extended cryptoacl
permit ip {Cisco local subnet} {reverse subnet mask} {UTM local subnet} {reverse subnet mask}
exit

9. Adding traffic exceptions between Cisco and UTM local networks to the NAT access list (the deny rule should be higher than permit):

ip access-list extended NAT
no permit ip {Cisco local subnet} {reverse subnet mask} any
deny ip {Cisco local subnet} {reverse subnet mask} {local UTM subnet} {reverse subnet mask}
permit ip {Cisco local subnet} {reverse subnet mask} any
exit

end

10. Saving configuration settings:

write memory

Step 4. Creating an outgoing IPsec connection on SafeUTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.
2. Add a new connection:

3. Check that the connection has been established (your connection will appear in the list of connections, in the column Statuses the word Installed will be highlighted in green).
4. Check for traffic between local networks (TCP and web).


Final Configuration of Cisco IOS

The final configuration of IKEv2 IPsec on Cisco IOS should look like this:

crypto ikev2 proposal ikev2proposal 
 encryption aes-cbc-256
 integrity sha256
 group 19

crypto ikev2 policy ikev2policy 
 match fvrf any
 proposal ikev2proposal

crypto ikev2 keyring key
 peer strongswan
  address 5.5.5.5
  pre-shared-key local QWEqwe1234567890
  pre-shared-key remote QWEqwe1234567890

crypto ikev2 profile ikev2profile
 match identity remote key-id key-id
 authentication remote pre-share
 authentication local pre-share
 keyring local key

crypto ipsec transform-set TS esp-gcm 256 
 mode tunnel

crypto map cmap 10 ipsec-isakmp 
 set peer 5.5.5.5
 set transform-set TS 
 set ikev2-profile ikev2profile
 match address cryptoacl

interface GigabitEthernet1
! external interface
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map cmap

interface GigabitEthernet2
! local interface
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
 negotiation auto
 no mop enabled
 no mop sysid

ip nat inside source list NAT interface GigabitEthernet1 overload

ip access-list extended NAT
 deny   ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 any
ip access-list extended cryptoacl
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
Connecting offices (site-to-site)

Incoming pfSense connection to SafeUTM via IPsec

Following the steps in this article, you can combine pfSense and SafeUTM networks via IPsec using PSK.


The combined LANs should not overlap!


Setting up SafeUTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.
2. Add a new connection:

3. Save the created connection, then click on the "Enable" button.
4. Two configuration files will be generated on SafeUTM in the /etc/strongswan/autogen/ folder. You need to go to the console and open the file of the type device_<number>.peer for editing.
5. From this file, you need to copy the value of the rightid line (approximate type –@#746573745f70736b). In the future, this value will need to be registered on pfSense.
6. The setup is complete, now let’s set up pfSense.


Setting up pfSense

1. In the pfSense web interface, go to tab VPN -> IPsec –> Tunnels.
2. Add a new connection:

All other values can be left by default.

3. Save the connection.
4. Click on the button Show Phase 2 Entries and add a new Phase 2. Specify here:

All other values can be left by default.

5. Save the connection.
6. Then you need to allow traffic to flow between the pfSense and SafeUTM local networks in the pfSense firewall (go to tab Firewall -> Rules -> IPsec and create two rules that allow traffic to flow between the SafeUTM and pfSense local networks).
Also, pay attention to the WAN firewall section – by default, incoming traffic from "gray" subnets is prohibited in it, so you need to remove this restriction.

7. Now go to tab Status -> IPsec (the created connection should appear there), and click on the Connect VPN button.

The setup is complete, the connection should be successfully established.

If the connection could not be established, and the pfSense firewall settings were made correctly, you should recreate the connection on UTM by specifying in the Key ID field the value that was specified in My identifier and Peer identifier for pfSense and try to connect again. No changes are required on the pfSense side.

Connecting offices (site-to-site)

Outgoing pfSense Connection to SafeUTM via IPsec


Setting up SafeUTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.
2. Add a new connection:


Setting up pfSense

1. In the pfSense web interface, go to tab VPN > IPsec > Advanced Options, and in the Child SA Start Action field select option None (Responder Only).
2. Add a new connection:

3. Save the connection.
4. Click the button Show Phase 2 Entries and add a new Phase 2 and enter the following values:

All other values can be left by default.

5. Save the connection.
6. Then you need to allow traffic to flow between the pfSense and SafeUTM local networks in the pfSense firewall (go to tab Firewall -> Rules -> IPsec and create two rules that allow traffic to flow between the SafeUTM and pfSense local networks).
7. Also pay attention to the WAN firewall section – by default, incoming traffic from "gray" subnets is prohibited in it, so you need to remove this restriction.
8. Now go to tab Status -> IPsec (the connection that was created should appear there), and click on the Connect VPN button.

The setup is complete, the connection should be successfully established.

If the connection could not be established, and the pfSense firewall settings are correct, you should recreate the connection to UTM by specifying in the field Key ID the value specified in My identifier and Peer identifier of pfSense, and try to connect again. On the pfSense side, no changes are necessary.

Connecting offices (site-to-site)

Connecting Keenetic via SSTP

You can connect routers with SSTP protocol support in site-to-site VPN mode.


If you do not need access from the central office to the network for Keenetic, then use the article Connecting Wi-Fi Keenetic Routers via SSTP on client-to-site connection.


Setting up SafeUTM

1. Enable and configure the port and domain for SSTP in Users -> VPN connections.
2. In Users -> User & Group create a special user for the remote router. Check the box Allow remote access via VPN. The username/password of the user will be used on the router, save or write them down.
1. Connecting Keenetic via SSTP.png

3. Register the routes to the remote network. For example, if the network behind the router is 192.168.10.0/24, you need to add the following route to the section Services -> Routing -> Static routes:
2. Connecting Keenetic via SSTP.png


Configuring Keenetic Router

Configure the VPN connection of the Keenetic router according to the instructions for client-to-site connections.

Do not forget to follow all three steps:

  1. Set up a VPN connection.
  2. Set up routes.
  3. Configure DNS to resolve the local domain (if using Active Directory).

Verification and Possible Problems

To check the connection, use the ping and traceroute utilities.

If a VPN connection is established, but there is no access to the resources of one local network from another, use the instructions from the article to diagnose possible problems.

Most often, access is blocked in Windows due to network profile settings.

You can allow access to "non-local" networks in all profiles, by running the command in PowerShell (launched with elevated administrator rights): Enable-NetFirewallRule -Group "@FirewallAPI.dll,-28502"

Connecting offices (site-to-site)

Connecting Kerio Control to SafeUTM via IPsec

Following the steps of the article below, you can combine Kerio Control and SafeUTM networks via IPsec using PSK.


The combined LANs should not overlap!


Setting up SafeUTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.
2. Add a new connection and fill in the following fields:

3. Save the created connection, then activate the connection by clicking on the Enable icon in the column Operations.
4. The setup is complete, Kerio Control needs to be configured.


Configuring Kerio Control

1. By default, Kerio Control uses IKEv1 to create connections to third-party devices. You can enable IKEv2 via the console. To do this, follow these steps:

1.1. Connect to Kerio Control via SSH.
1.2. Go to the folder /var/winroute 1.3. Open winroute.cfg file for editing.
1.4. In it, find the section starting with the text <table name="Firewall">
1.5. In this section, find the line <variable name="IKEVersion">ikev1</variable> and change ikev1 in it to ikev2
1.6. After that, it is advisable to restart the server and make sure that the changes in the settings are saved.

2. In the section Traffic rules, allow VPN services traffic.
3. Then go to the section Interfaces and click Add. In the drop-down list, select VPN tunnel...
4. The connection creation window will open. In it, select:

An example of the final settings is shown in the screenshot below.
Screenshot_35.png

5. Go to the section Remote networks, click Add and enter the information about SafeUTM local network, which will be visible from the Kerio Control subnet.
6. Then in the section Local networks either click on the button Use automatically defined local networks, or configure networks that will be visible from the SafeUTM subnet manually, as in the previous step.
7. Setup is complete. After adding a new interface, you need to click Apply. After that, the connection should be successfully established, and the information about this is displayed in the table in the Interfaces section.

In case of problems, first of all, pay attention to Kerio Control firewall settings.

Connecting offices (site-to-site)

Connecting Keenetic via IPsec

On the SafeUTM side, configure the connection settings in the Services -> IPSec -> Devices section.

On the Keenetic device side, use the following encryption protocol settings:

01.png

02.png

03.png

Certificates

Certificates

TLS Certificates

Section with information about SSL certificates.


This section displays SSL certificates/certificate chains, the list of which is formed by the following modules: reverse proxying module, IKEv2, SSTP VPN servers, web interface, web authorization, mail, etc.
1. Certificates.png

Valid certificates

The table Valid Certificates shows the ones generated automatically, as well as the downloaded certificate chains used by SafeUTM.

If the same certificate chain is listed in several rows of the Valid Certificates table, then this chain is used by several modules.

Downloaded certificates

The Downloaded Certificates table shows all downloaded certificate chains, as well as the SafeUTM root certificate. For more information, see Uploading your SSL certificate to server.

To view basic information about the certificate (serial number, expiration date, etc.), click the eye icon.


How is the certificate issued?

  1. A local certificate chain is created, and signed by a root (self-signed) certificate.
  2. Simultaneously with the creation of a local certificate chain, a request is sent to issue the chain to Let's Encrypt.
  3. If the Let's Encrypt certificate chain is successfully issued, it will replace the local chain.
  4. If the Let's Encrypt certificate chain issue fails, then the local certificate chain will be used.
How is the certificate reissued?

When reissuing a non-root certificate chain, UTM will try to update the chain as follows:

When the root certificate is reissued, UTM will replace the previous certificate with an automatically generated root certificate.


Features

If you want to try again to get a Let's Encrypt certificate instead of a self-signed one, you need to click Reissue in column Management.
When replacing/reissuing the root certificate chain, IPsec connections Head office <–> Branch will stop working and they will need to be recreated.
If you want to replace an automatically issued certificate chain with your own, then when uploading your own certificate chain, the CN (Common name) of the last certificate in the chain must match the domain for which the certificate is being uploaded.
Let's Encrypt certificate is issued for 3 months and will be automatically reissued upon expiration.
From this section, you can download the root (self-signed) certificate by clicking on the corresponding link.

To upload an SSL certificate to the server, see the article Uploading your SSL certificate to server.

Certificates

Uploading your SSL certificate to server

After purchasing a trusted SSL certificate from Certificate Authority (CA), you need to create a text file of the type:

-----BEGIN PRIVATE KEY-----
.....
.....
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

This file consists of two logical blocks:

Be careful: in addition to the root and domain certificate, the CA will most likely send additional vendor certificates consisting of several additional certificates in one file (bundle). This bundle of certificates must be added after the main certificate is issued for your domain. The order of the blocks in the file can be represented as follows:

Private key
Certificate for domain
Certificate from the vendor-certificates bundle
4Certificate from the vendor-certificates bundle
...
The main (root) certificate

After that, you can upload the received file with the private key and certificate to UTM via the web interface. To do this, go to Services -> TLS Certificates.

The generally accepted standard for creating a certificate chain file can also be found here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm.

Encrypted private key

Only the standard private key format is supported: decrypted PEM. Such a key starts with the line:

-----BEGIN RSA PRIVATE KEY-----

Sometimes the CA issues an encrypted private key using a passphrase. In this case, you need to decrypt (convert) the encrypted key into a regular one using the openssl utility or, if the CA provides other tools for this, use them. The list of parameters for calling openssl to convert the key into an unencrypted form depends on CA's key encryption technology and should be described in the instructions for installing the certificate from the CA. You cannot upload and use an encrypted private key on the SafeUTM server.


Instructions for Creating Certificate on Windows OS.

To create a certificate, follow these steps:

1. Download the OpenSSL program. Link to the program: http://slproweb.com/products/Win32OpenSSL.html.
2. Install OpenSSL.
3. If the certificate file is in pkcs12 format: (if it is in .pem format, then you can immediately proceed to Subparagraph d):

If it is written in the certificate --BEGIN ENCRYPTED PRIVATE KEY--, then you need to decrypt it using the OpenSSL utility. Command to decrypt: openssl rsa -in certificate.pem -out certificate_decoded.pem. certificate.pem is the file that you received after conversion in Step d; certificate_decode.pem is the result of decryption. If in the certificate it says --BEGIN PRIVATE KEY--, then the certificate file has already been decrypted. You can proceed to the next step.

4. Create an empty file with extension .pem (my_certificate.pem).
5. Open it with a text editor.
6. Open the file that you got in Step 3 (certificate_decode.pem). From this file you need to copy the text of the type (private key):

-----BEGIN PRIVATE KEY-----
..............
..............
-----END PRIVATE KEY-----

7. Paste the copied text into the file created in Step 4 (my_certificate.pem).
8. Go to the file created in Step 3 (certificate_decode.pem). From this file you need to copy the text of the type (your domain certificate):

-----BEGIN CERTIFICATE-----
..............
..............
-----END CERTIFICATE-----

9. Paste the copied text into the file created in Step 4 (my_certificate.pem).
10. The CA, in addition to your certificate, should have sent you a certificate bundle (there may be several of them) and a root certificate. If you don't have these certificates, you can download them online or request them from your CA.
11. From the certificate bundle and the root certificate, copy the text of the type:

```text
-----BEGIN CERTIFICATE-----
..............
..............
-----END CERTIFICATE-----
```

12. Paste the copied text into the file created in Step 4 (my_certificate.pem). In the beginning, you will need to insert the text from the certificate bundle, and at the very end the text of the root certificate.
13. As a result, you will get a file of blocks:

```
Private key
domain certificate
Certificate from the vendor-certificates bundle
Certificate from the vendor-certificates bundle
.........
Root certificate
```

14. Upload the resulting file to UTM. To do this, go to Services -> TLS Certificates.