mDNS (external)

This topic is closed.
  • #16
    @Some Dude: First of all, welcome to the forums! Before I reply, just want to make it known that I'm a home user too, I don't resell Untangle into businesses or anything like that. I'm not a network engineer either, so forgive or point out any errors!


    Originally posted by some dude
    The request for a mDNS reflector is currently the 4th highest ranked item in the Untangle NG Firewall Feature Requests List.

    As of today, it has 566 votes. Many of the comments (mine included) are requesting the Untangle product management team to provide the community with a better response on both IF as well as WHEN this feature will be implemented as a supported feature. Currently, the tag is simply "Under Consideration", this is a non-answer. The request has been up since August 2018, how much longer do you need to "consider"?
    I hear your frustration, but maybe the fact that the request has been on the list since 2018 without being added is all the answer you need? That's not to say that Untangle shouldn't just say "It's never gonna happen" if that's the case, but the truth is that it might... someday - who knows.

    What we need to remember is that Untangle's overwhelming customer base is enterprise and education. So their time is probably being spent working on things that those customers want to see in the product. I should imagine that customers like that (who are spending thousands on licences) have a direct line into the ear of an account manager or real person at Untangle. Perhaps the feature request list is not the only way that what gets done soonest is decided? Just because something is number one, two, three or four on the list, it doesn't mean that it's actually anywhere near being the top on the list of things to do. But yes... to anyone who is interested in those features, Untangle could do a better job of sharing their plans. Do they do a worse job of that than any other company who lets you submit feature requests? I don't know. I'm also not saying that home users don't matter; just that most companies will probably focus on what the majority of their users are asking for - and I don't think Untangle's home users are their majority. To be honest though, if I had to choose, I'd rather Untangle focused on features and improvements that made my network as secure as possible - the kind of features that enterprise customers want in their NGFW.

    If you want to stick IoT devices into a separate VLAN (I've done that too...) then you're kinda saying that putting those devices in their own broadcast domain is a good way to go. If you then realise that now they don't work as intended and you look for a technology to essentially break the separation you put in place, then maybe a VLAN isn't the best answer for those devices? If you're worried about them being attacked and accessing the rest of the devices on that network, then a VLAN is not the only option you've got to stop that.

    Originally posted by some dude
    Based on my own research before purchasing a Home Protect Basic license, as well as the specific comments on this feature request, your main competitors in this space all include support for an mDNS reflector:
    - pfSense / OpnSense
    - Sophos UTM
    - Ubiquiti UDM / EdgeRouter / USG
    In my humble opinion, Untangle beats all of those on the factors that matter in an NGFW way more than mDNS support; so if that's the price I have to pay, so be it. Deep down, that's probably why you went with Untangle too, but sure... there's always room for improvement.

    Originally posted by some dude
    This is a feature that is absolutely necessary for the seamless function of modern networks in many small/medium business as well as home use cases. Every day that passes, more and more IOT devices are being installed in our networks, ease of use is one of the many reasons why this is the case. mDNS is a big part of why these devices achieve the ease of use that is resulting in their market success.
    Indeed. And I too had the same grief trying to get certain IoT devices to play nice over VLANs. I wanted to see how the pros do it and I reached out to a few of my colleagues that install high-end home cinema/automation systems etc. The answer was basically if something needs to be controlled from within a VLAN, then they provide a means of doing that from within the VLAN. So that might be a dedicated control/touchpad, dedicated PCs or rPIs etc etc. mDNS works fine and is easy, convenient in a home setup, but it's considered a workaround.

    Originally posted by some dude
    ...ease of use is the reason why many of us have chosen to put Untangle NG Firewall at the center of our network security.
    The funny thing is, "ease of use", "plug and play", "user-friendly" etc, etc are typically the things that go hand-in-hand with something being less secure. As you've seen... Security tends to get in the way of things "just working".

    Originally posted by some dude
    The fact remains that these IOT devices should be isolated in separate VLANS (which Untangle supports quite easily) except without the mDNS reflector service many of the key use cases for these devices are flat broken.
    Should they be in their own VLAN? I'm not attacking you here... Like I said, I've done the same with my IoT devices. I only have one (ChromeCast) that is useless if not in with my trusted devices, but it's not hard to lock that down. Since you mention "the key use cases for these devices" I think it's fair to say that use case was probably never intended to be across VLANs and if it was, then many like Amazon, Philips, Ubiquiti have figured out how to make their apps work by essentially going out and in again.

    As I said earlier; Untangle could probably do a better job of keeping the wider community in the loop. And you're right, people can vote with their feet and their dollars too. But in all honesty, if you're looking for a grown-up security product that gives you everything Untangle does, in the way that it does it, (and crucially) at that price - you'd be hard-pressed to find somewhere better to spend those dollars - mDNS or not.

    Comment


    • #17
      mDNS is actively removed from all of my networks, as it has zero place on any of them... it represents a HUGE security fault, and is actually designed to be abused. I have similar issues with UPnP. Since Untangle is a security product, implementing it must be done extremely carefully, lest Untangle be blamed for a poor configuration down the line.

      How about demanding IoT devices that are actually maturely designed and don't need to rely on broken, easily exploited technology? Google is a huge offender here, ChromeCast specifically is HORRIFIC. You'd think a company that runs networks as large as Google's would know how to engineer things properly... sadly they very much don't.

      Also, don't get me started on the products you listed as alternatives... We'll be here until doomsday.

      Finally, Armshouse is correct. Untangle prioritizes features that get them paid, that means they focus on education, then corporate needs. Home users are an afterthought, a marginal customer base. Untangle does seem to be angling to support them more though, but Untangle also has historically had limited resources. So I guess we'll see how the next decade goes. But, and I'll be more blunt... it all boils down to how much Untangle can EARN while selling Home subscriptions. Even the mere potential of earning, will drive investment. Does it exist? I have no idea... I can tell you my own attempts to monetize that entire market have met with nothing but dismal failure.
      Last edited by sky-knight; 02-13-2021, 02:18 PM.
      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
      NexgenAppliances.com
      Phone: 866-794-8879 x201
      Email: [email protected]

      Comment


      • #18
        Originally posted by sky-knight
        mDNS is actively removed from all of my networks, as it has zero place on any of them... it represents a HUGE security fault, and is actually designed to be abused. I have similar issues with UPnP. Since Untangle is a security product, implementing it must be done extremely carefully, lest Untangle be blamed for a poor configuration down the line.
        In a corporate network, the IT department might be able to ban IoT devices (or manage them in a secure way that requires a lot of manual work so that they can still do their job) - but that does not work for home networks where a "mostly secure, home user friendly" solution is needed.

        Maybe IT professionals simply don't care about those of us who use Untangle in a home network, but let's not forget that Untangle is actively licensed and advertised for home use - there are 2 different Home subscription plans now.

        So since we cannot avoid IoT devices in at least one environment that is supported by Untangle, putting IoT devices on a separate VLAN + mDNS at least seems "more secure" than not doing that, right?

        So unless you have a better idea I do think that Untangle should finally add that highly requested feature (among many others).

        Also this is an honest question, if there is a better solution I want to know about it because I want to move the IoT devices in my home onto a separate VLAN while not breaking/degrading the user experience / their function.
        Last edited by cholzer; 04-28-2021, 01:56 AM.

        Comment


        • #19
          Actually... it isn't "supported by Untangle".

          It's SOLD by Untangle, but support specifically is booted to these forums. Where people like me help with volunteer time.

          This is semantics, but it's very important to understand. I don't speak for Untangle, but I will reiterate... they're going to invest in changes that are likely to get them paid more. That means more attention to larger customers than smaller ones... UNLESS the home sub becomes so absurdly popular it cannot be ignored. It's a high volume, low margin product! If the volume gets high enough, you'll see investment made!

          I just once again reiterate, it's not easy to get that volume.
          Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
          NexgenAppliances.com
          Phone: 866-794-8879 x201
          Email: [email protected]

          Comment


          • #20
            Originally posted by sky-knight
            If the volume gets high enough, you'll see investment made!

            I just once again reiterate, it's not easy to get that volume.
            As far as I can tell there is no marketing effort to home users. Without marketing it will never grow. Word of mouth is all I have ever seen for untangle, home or otherwise. Well other than their junk mail. lol

            Comment


            • #21
              Originally posted by donhwyo
              As far as I can tell there is no marketing effort to home users. Without marketing it will never grow. Word of mouth is all I have ever seen for untangle, home or otherwise. Well other than their junk mail. lol
              I can't comment on that much because exactly none of the marketing I've ever attempted has ever worked.

              But I do chuckle at people complaining about the Home subscription prices when Netgear is making a killing selling Orbi.
              Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
              NexgenAppliances.com
              Phone: 866-794-8879 x201
              Email: [email protected]

              Comment


              • #22
                LoL

                Comment


                • #23
                  Originally posted by sky-knight
                  But I do chuckle at people complaining about the Home subscription prices when Netgear is making a killing selling Orbi.
                  A subscription for "a router" is a new concept for many people.

                  But everyone I showed what I do with untangle in my home did see the benefit they get from the apps included in the Home plans and never complained (to me) about the costs again afterwards.

                  I got a good amount of people to use Untangle for their home and they are all very happy with it.

                  Personally I just miss 2 things. CAKE for QoS/SQM and I want to do something about those IoT devices - a "solution" that is feasible for a home environment.
                  Last edited by cholzer; 04-28-2021, 11:04 PM.

                  Comment


                  • #24
                    Originally posted by datstma
                    Just figured this one out :-)
                    Hey Stefan, can you help me out?

                    I just tried this on a test install.
                    eth1 is 192.168.2.0
                    eth1.10 is 192.168.10.0

                    I did not set up any firewall rules to block traffic between the networks

                    Via the IP I can access any device across the networks.

                    But the Sonos app can't see the Sonos speakers on the other network, the YT app sees the TV on the other network and Windows fails to discover the network printer when it is on the other network.

                    So this does not appear to work for me but I don't know what I did wrong since I followed your steps.

                    Code:
                    [root @ untangle] ~ # sudo systemctl status avahi-daemon
                    ● avahi-daemon.service - Avahi mDNS/DNS-SD Stack
                       Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled; vendor preset: enabled)
                       Active: active (running) since Fri 2021-07-02 17:26:43 CEST; 6min ago
                     Main PID: 469 (avahi-daemon)
                       Status: "avahi-daemon 0.7 starting up."
                        Tasks: 2
                       Memory: 1.9M
                       CGroup: /system.slice/avahi-daemon.service
                               ├─469 avahi-daemon: running [untangle.local]
                               └─481 avahi-daemon: chroot helper
                    
                    Jul 02 17:26:43 untangle.example.com avahi-daemon[469]: No service file found in /etc/avahi/services.
                    Jul 02 17:26:43 untangle.example.com avahi-daemon[469]: Network interface enumeration completed.
                    Jul 02 17:26:43 untangle.example.com avahi-daemon[469]: Server startup complete. Host name is untangle.local. Local service cookie is 1450311942.
                    Jul 02 17:26:43 untangle.example.com systemd[1]: Started Avahi mDNS/DNS-SD Stack.
                    Jul 02 17:26:52 untangle.example.com avahi-daemon[469]: Joining mDNS multicast group on interface eth1.IPv4 with address 192.168.2.1.
                    Jul 02 17:26:52 untangle.example.com avahi-daemon[469]: New relevant interface eth1.IPv4 for mDNS.
                    Jul 02 17:26:52 untangle.example.com avahi-daemon[469]: Registering new address record for 192.168.2.1 on eth1.IPv4.
                    Jul 02 17:26:52 untangle.example.com avahi-daemon[469]: Joining mDNS multicast group on interface eth1.10.IPv4 with address 192.168.10.1.
                    Jul 02 17:26:52 untangle.example.com avahi-daemon[469]: New relevant interface eth1.10.IPv4 for mDNS.
                    Jul 02 17:26:52 untangle.example.com avahi-daemon[469]: Registering new address record for 192.168.10.1 on eth1.10.IPv4.

                    Code:
                    [server]
                    #host-name=foo
                    #domain-name=local
                    #browse-domains=0pointer.de, zeroconf.org
                    use-ipv4=yes
                    use-ipv6=yes
                    allow-interfaces=eth1,eth1.10
                    #deny-interfaces=eth0
                    #check-response-ttl=no
                    #use-iff-running=no
                    #enable-dbus=yes
                    #disallow-other-stacks=no
                    #allow-point-to-point=no
                    #cache-entries-max=4096
                    #clients-max=4096
                    #objects-per-client-max=1024
                    #entries-per-entry-group-max=32
                    ratelimit-interval-usec=1000000
                    ratelimit-burst=1000
                    
                    [wide-area]
                    enable-wide-area=yes
                    
                    [publish]
                    #disable-publishing=no
                    #disable-user-service-publishing=no
                    #add-service-cookie=no
                    #publish-addresses=yes
                    publish-hinfo=no
                    publish-workstation=no
                    #publish-domain=yes
                    #publish-dns-servers=192.168.50.1, 192.168.50.2
                    #publish-resolv-conf-dns-servers=yes
                    #publish-aaaa-on-ipv4=yes
                    #publish-a-on-ipv6=no
                    
                    [reflector]
                    enable-reflector=yes
                    #reflect-ipv=no
                    
                    [rlimits]
                    #rlimit-as=
                    #rlimit-core=0
                    #rlimit-data=8388608
                    #rlimit-fsize=0
                    #rlimit-nofile=768
                    #rlimit-stack=8388608
                    #rlimit-nproc=3
                    Last edited by cholzer; 07-02-2021, 08:51 AM.

                    Comment
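                    The config and journal output quoted in the post above are the two places to look when a reflector does not behave. The script below is an added example for this thread, not code from Untangle or the Avahi project: it parses an avahi-daemon.conf of the same shape and the "Joining mDNS multicast group" lines from `systemctl status avahi-daemon`, then reports whether the reflector is enabled, which interfaces it is confined to, and whether every intended VLAN interface was actually joined. The WAN interface name eth0 is an assumption taken from the commented-out deny-interfaces line, and the sample config and journal lines embedded in it are constructed, not copied from a live box.

```python
"""Audit the scope of an Avahi mDNS reflector across VLAN interfaces.

Added example for this thread, not Untangle or Avahi code. It checks an
avahi-daemon.conf plus the "Joining mDNS multicast group" journal lines
and lists anything that would stop cross-VLAN discovery or widen it too far.
Assumption: eth0 is the WAN interface (override via wan_interfaces).
"""
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample config, modelled on the one quoted in the thread.
SAMPLE_CONF = """\
[server]
use-ipv4=yes
use-ipv6=yes
allow-interfaces=eth1,eth1.10
#deny-interfaces=eth0

[reflector]
enable-reflector=yes
#reflect-ipv=no
"""

# Constructed sample journal lines, same shape as avahi-daemon's own output.
SAMPLE_STATUS = """\
Jul 02 17:26:52 gw.example.com avahi-daemon[469]: Joining mDNS multicast group on interface eth1.IPv4 with address 192.168.2.1.
Jul 02 17:26:52 gw.example.com avahi-daemon[469]: New relevant interface eth1.IPv4 for mDNS.
Jul 02 17:26:52 gw.example.com avahi-daemon[469]: Joining mDNS multicast group on interface eth1.10.IPv4 with address 192.168.10.1.
Jul 02 17:26:52 gw.example.com avahi-daemon[469]: New relevant interface eth1.10.IPv4 for mDNS.
"""

# Interface names may contain dots (eth1.10), so match lazily up to ".IPv4/.IPv6".
JOIN_RE = re.compile(
    r"Joining mDNS multicast group on interface (?P<iface>.+?)\.IPv[46] "
    r"with address (?P<addr>\S+)\.$"
)


@dataclass
class ReflectorAudit:
    reflector_enabled: bool
    allow_interfaces: list
    deny_interfaces: list
    joined: dict = field(default_factory=dict)   # iface -> set of addresses
    findings: list = field(default_factory=list)


def _csv(value):
    """Split a comma separated avahi list, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def joined_interfaces(status_text):
    """Map interface name -> addresses avahi reported joining the mDNS group on."""
    joined = {}
    for line in status_text.splitlines():
        m = JOIN_RE.search(line.strip())
        if m:
            joined.setdefault(m.group("iface"), set()).add(m.group("addr"))
    return joined


def audit_reflector(conf_text, lan_interfaces, status_text="", wan_interfaces=("eth0",)):
    """Parse the config (and optional journal text) and collect scope findings."""
    # avahi uses '#' full-line comments, which configparser skips by default.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    server = cp["server"] if cp.has_section("server") else {}
    reflector = cp["reflector"] if cp.has_section("reflector") else {}

    enabled = reflector.get("enable-reflector", "no").strip().lower() == "yes"
    allow = _csv(server.get("allow-interfaces", ""))
    deny = _csv(server.get("deny-interfaces", ""))
    audit = ReflectorAudit(enabled, allow, deny, joined_interfaces(status_text))
    f = audit.findings

    if not enabled:
        f.append("enable-reflector is not 'yes': nothing is relayed between VLANs")
        return audit
    if not allow and not deny:
        f.append("reflector is unscoped: with neither allow-interfaces nor deny-interfaces "
                 "set, avahi relays mDNS on every non-loopback interface, WAN included")
    else:
        for wan in wan_interfaces:
            if wan in allow:
                f.append(f"WAN interface {wan} is listed in allow-interfaces")
            elif not allow and wan not in deny:
                f.append(f"WAN interface {wan} is not excluded by deny-interfaces")
    for lan in lan_interfaces:
        if allow and lan not in allow:
            f.append(f"intended interface {lan} is missing from allow-interfaces")
        if lan in deny:
            # per avahi-daemon.conf(5), deny-interfaces takes precedence over allow-interfaces
            f.append(f"intended interface {lan} is in deny-interfaces, which overrides allow-interfaces")
        if audit.joined and lan not in audit.joined:
            f.append(f"no 'Joining mDNS multicast group' line for {lan}: avahi never bound it "
                     "(interface down, no address, or excluded)")
    return audit


if __name__ == "__main__":
    result = audit_reflector(SAMPLE_CONF, ["eth1", "eth1.10"], SAMPLE_STATUS)
    print("reflector enabled:", result.reflector_enabled, "| joined:", sorted(result.joined))
    print("findings:", result.findings or "none")
```

                    Run it against `/etc/avahi/avahi-daemon.conf` and the output of `systemctl status avahi-daemon` on the box instead of the constructed samples; an empty findings list only means the daemon's own scope looks right, since host firewall rules on UDP 5353 and the clients' behaviour are outside what this checks.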


                    • #25
                      I'm chiming in here because, after several years of enjoying Untangle, the lack of VLAN mDNS support is frustrating.

                      I've read through pretty much all forum topics discussing mDNS and despite a clear desire from Untangle users to have it implemented, the developers choose not to.

                      I find it interesting that the reason not to is because it's a security issue but UPnP is still implemented and with a few clicks within the untangle GUI you can compromise your system (incorrect port forwarding or access rules, WebGUI/ssh enabled to wan, etc). Heck, just inputting a compromised DNS server into your interface settings could introduce a whole host of issues.

                      It would be great if Untangle would come out formally and say either 1) They refuse to implement it, ever 2) They don't know how to correctly implement it or 3) They've implemented it and use it at your own risk. Maybe even disable it on untangle appliances to further CYA.

                      Just 2 cents from a 99.9% happy untangle user that just wants mDNS across VLANs.

                      Comment


                      • #26
                        Originally posted by technologiq
                        I'm chiming in here because, after several years of enjoying Untangle, the lack of VLAN mDNS support is frustrating.

                        I've read through pretty much all forum topics discussing mDNS and despite a clear desire from Untangle users to have it implemented, the developers choose not to.

                        I find it interesting that the reason not to is because it's a security issue but UPnP is still implemented and with a few clicks within the untangle GUI you can compromise your system (incorrect port forwarding or access rules, WebGUI/ssh enabled to wan, etc). Heck, just inputting a compromised DNS server into your interface settings could introduce a whole host of issues.

                        It would be great if Untangle would come out formally and say either 1) They refuse to implement it, ever 2) They don't know how to correctly implement it or 3) They've implemented it and use it at your own risk. Maybe even disable it on untangle appliances to further CYA.

                        Just 2 cents from a 99.9% happy untangle user that just wants mDNS across VLANs.
                        I'm good for a solid rant, I've been known to write a few myself. But you should know that forums are a TERRIBLE place to get good information unless you consider the source first.

                        Here, have some actual information from someone with a small amount of knowledge: https://untanglengfirewall.featureupvote.com/
                        Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                        NexgenAppliances.com
                        Phone: 866-794-8879 x201
                        Email: [email protected]

                        Comment


                        • #27
                          Done, thank you.

                          Comment


                          • #28
                            One more or one hundred will not make it happen unless they start listening to their customers again. Heck they haven't taken up a free offer of help.
                            https://untanglengfirewall.featureup...ncy-management

                            Comment
