Untangle NG Firewall's app-store model separates the core firewall from security features. Understanding the technical implications of this architecture helps evaluate whether the flexibility is worth the cost — and the operational overhead.
Untangle's plugin architecture
Untangle runs on Debian Linux. The core platform provides packet filtering, network management, and the app framework. Security features ("apps") are installed on top:
- Web Filter: URL categorisation and policy enforcement
- Virus Blocker: Antivirus scanning via ClamAV or a commercial engine
- SSL Inspector: TLS inspection / MITM
- Application Control: Deep packet inspection for app identification
- WAN Failover / Balancer: Multi-WAN management
Each app:
- Has its own version, release notes, and update cycle
- Is managed through the Untangle Command Center subscription
- Requires a license token validated against Untangle's infrastructure
- Integrates with the core via Untangle's proprietary UVM (Untangle Virtual Machine) API
Plugin API stability
Untangle's UVM provides a Java-based API layer that apps hook into. Major platform version upgrades (e.g., 16.x → 17.x) may change API interfaces, requiring corresponding updates to all installed apps. If an app is not updated for the new platform version, it stops loading.
This creates the same update coordination problem as plugin-based open-source platforms — with the additional constraint that the compatibility matrix is maintained by Untangle, not the operator.
Feature gaps that no plugin covers
Despite the extensible architecture, two significant features are absent from Untangle's app catalog:
Web Application Firewall: Untangle has no WAF app. HTTP request inspection against attack signatures (SQL injection, XSS, path traversal) is not available at any subscription tier. Organisations running web applications must deploy a separate WAF.
Reverse proxy / load balancer: Not available. SSL offloading and backend load distribution require a separate product.
Cost analysis: Complete bundle vs integrated free alternative
The Untangle Complete bundle includes: Web Filter, Virus Blocker, SSL Inspector, Application Control, WAN Failover, and others.
Approximate pricing (2025):
- Complete (up to 12 devices, 3yr): ~$720 ($240/yr)
- Complete (up to 100 devices): ~$1,890/yr
- Complete (up to 250 devices): ~$3,500/yr
These costs are ongoing — discontinuing the subscription downgrades functionality to the free tier (firewall only).
CacheGuard comparison:
| Tier | Untangle | CacheGuard |
|---|---|---|
| Firewall | Free | Free |
| Web antivirus | Paid (Virus Blocker) | Free (ClamAV integrated) |
| URL filtering | Paid (Web Filter) | Free (Squid + category lists) |
| SSL inspection | Paid (SSL Inspector) | Free (integrated) |
| WAF | Not available | Free (ModSecurity + OWASP CRS) |
| Reverse proxy | Not available | Free (Apache mod_proxy) |
| Multi-WAN | Paid (WAN Failover) | Free (integrated) |
| QoS | Paid | Free (HTB + SFQ) |
| Multi-site management | Paid (Command Center) | Free (CacheGuard Manager) |
Features that Untangle has but CacheGuard does not: OpenVPN/SSL VPN, IPS (Intrusion Prevention), Active Directory integration via Directory Connector, application-level traffic identification.
→ https://www.cacheguard.com/untangle-alternative/
Originally published on the CacheGuard Blog. CacheGuard is free and open source — GitHub.
