
Internet pass-through from DMZ to external Wireless Router

Hello,

First off, I've found this forum an extremely useful resource and have mostly managed to find the info I need by searching; alas, I can't seem to find the answer to the following.

I use an SG115 with the Sophos UTM home license, along with an AP55c AP. So far I've been fine with the 50 IP limit. Now, with all my smart plugs etc., I'm starting to regularly skirt the 55 IP limit.

I'd like to move all my IoT devices onto a segregated network so that they don't count against the IP limit. They only need internet access and obviously no access back into the internal network, or to each other. I have a Mikrotik wireless router lying around unused, so I'd like to use that for this purpose.

My theory is that I can use the DMZ port on the SG to pass through the Internet connection to the Mikrotik, where I can set the wireless rules. I 'think' I need to do the following; can someone please tell me if I'm way off base here? Thanks in advance:

1- Create the DMZ interface on the UTM, Eth2 (DMZ), and give it an IP, e.g. 192.168.88.2

2- Create a Masq rule as follows: Network - Any, Interface - DMZ

3- Firewall rule: Source - Any, Services - Web Surfing, Destinations - DMZ, ALLOW

Then on the Mikrotik side, the router IP is 192.168.88.1; set the WAN address to 192.168.88.2.

Will this work?

Thanks in advance

-Phil


  • When you hit the IP limit you could have a look at the (also free) XG firewall product; there's no IP limit anymore (but it's totally different from UTM, so you need to relearn a lot).

    Using additional routers to hide IPs from the UTM is probably against the license agreement, so I don't recommend it, but you could probably do this more easily:

    Connect the additional router inside your LAN with its WAN port and connect the IoT devices to the LAN port of the additional router.

    If no traffic needs to go to the IoT devices, then that's all there is to it; no additional setup on the UTM is needed.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for that, I'll give that a shot tonight. I wish I could buy a reasonably priced license to cover up to 100 IPs; alas, I can't. I have installed XG on a spare box and am in the process of getting into it. Actually waiting for the SG to XG tool to become available to the masses so I don't need to redo my config from scratch.

  • I don't know if the migration tool will ever be released to the public.

    The current status is that selected Sophos partners now have the ability to use the migration tool. Hopefully it will become publicly available some time, but I'm not betting on that...


  • Yeah, maybe if they start to deprecate SG they might release it?

    Anyway, the setup is working fine, just as you said. Now I just need to figure out how to stop traffic coming back into the LAN from that router. A firewall rule (source: host Mikrotik, destination: LAN (network), drop) didn't seem to do it. Better read the rulez....

    Cheers

    Phil
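As an added illustration that is not part of the thread, the following Python model walks through the two layouts discussed here: the original DMZ-port design with its masquerade and firewall rules, and the reply's simpler "Mikrotik WAN plugged into the LAN" design, including the last post's observation that a UTM drop rule does not stop the router reaching the LAN. It is a toy first-match packet filter, not Sophos code, and it assumes addressing that the thread does not give: UTM internal LAN 192.168.1.0/24, the Mikrotik's own wireless LAN 10.0.0.0/24, a UTM external address in a documentation range, and that the Mikrotik's WAN port and the LAN hosts sit on the same switched segment when it is plugged into the LAN. The 192.168.88.x addresses are the ones from the post; the firewall rules are written with the IoT segment as the source, which is the direction the stated goal (outbound internet only) needs.

```python
"""Added example (not from the thread): a tiny first-match packet-filter model
used to reason about the two IoT-segregation layouts discussed above.

Assumed values (not in the thread): UTM internal LAN 192.168.1.0/24, Mikrotik
wireless LAN 10.0.0.0/24, UTM external address 198.51.100.7 (TEST-NET-2).
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")             # assumed UTM internal network
DMZ = ipaddress.ip_network("192.168.88.0/24")            # DMZ segment from the post
IOT_WLAN = ipaddress.ip_network("10.0.0.0/24")           # assumed Mikrotik wireless LAN
UTM_EXTERNAL = ipaddress.ip_address("198.51.100.7")      # assumed, documentation range
MIKROTIK_WAN_DMZ = ipaddress.ip_address("192.168.88.1")  # Mikrotik WAN on the DMZ (from the post)
MIKROTIK_WAN_LAN = ipaddress.ip_address("192.168.1.50")  # assumed Mikrotik WAN when plugged into the LAN
LAN_PC = ipaddress.ip_address("192.168.1.20")            # assumed internal host
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")     # TEST-NET-3 documentation address
IOT_PLUG = ipaddress.ip_address("10.0.0.42")             # assumed smart plug behind the Mikrotik


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPNet
    dst: IPNet
    action: str  # "allow" or "drop"


def host(ip: IPAddr) -> IPNet:
    """A /32 network object for a single host, like a UTM 'host' definition."""
    return ipaddress.ip_network(f"{ip}/32")


def evaluate(rules: list[Rule], src: IPAddr, dst: IPAddr) -> tuple[str, str]:
    """First matching rule wins; anything unmatched hits the UTM's implicit default drop."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action, r.name
    return "drop", "implicit default drop"


def forward(rules: list[Rule], segments: list[IPNet], src: IPAddr, dst: IPAddr) -> tuple[str, str]:
    """Model one packet. Hosts on the same L2 segment talk through the switch and
    never reach the firewall, so UTM rules cannot influence that traffic at all."""
    for seg in segments:
        if src in seg and dst in seg:
            return "allow", f"same segment {seg}: switched locally, UTM rules not consulted"
    return evaluate(rules, src, dst)


def nat_chain(iot_src: IPAddr, mikrotik_wan: IPAddr, dst: IPAddr) -> dict:
    """Source address as seen at each hop: IoT device -> Mikrotik NAT -> UTM masquerade.
    The UTM only ever sees the Mikrotik WAN address, so a 'host Mikrotik' object is
    the right source for UTM rules about the IoT devices."""
    seen_by_utm = mikrotik_wan
    seen_by_dst = UTM_EXTERNAL if (dst not in LAN and dst not in DMZ) else seen_by_utm
    return {"iot": iot_src, "utm_sees": seen_by_utm, "destination_sees": seen_by_dst}


# Layout A: Mikrotik WAN on the UTM's DMZ port. Order matters: the drop precedes the allow-any.
DMZ_RULES = [
    Rule("IoT segment to internal LAN: drop", DMZ, LAN, "drop"),
    Rule("IoT segment to anywhere else (web surfing): allow", DMZ, ANY, "allow"),
]
DMZ_SEGMENTS = [LAN, DMZ]

# Layout B: Mikrotik WAN plugged into the internal LAN (the reply's simpler suggestion),
# with the drop rule from the last post in front of the usual LAN-to-internet allow.
LAN_RULES = [
    Rule("host Mikrotik to LAN: drop", host(MIKROTIK_WAN_LAN), LAN, "drop"),
    Rule("LAN to anywhere: allow", LAN, ANY, "allow"),
]
LAN_SEGMENTS = [LAN]


def layout_a() -> dict:
    return {
        "iot_to_internet": forward(DMZ_RULES, DMZ_SEGMENTS, MIKROTIK_WAN_DMZ, INTERNET_HOST),
        "iot_to_lan": forward(DMZ_RULES, DMZ_SEGMENTS, MIKROTIK_WAN_DMZ, LAN_PC),
        "lan_to_iot": forward(DMZ_RULES, DMZ_SEGMENTS, LAN_PC, MIKROTIK_WAN_DMZ),
    }


def layout_b() -> dict:
    return {
        "iot_to_internet": forward(LAN_RULES, LAN_SEGMENTS, MIKROTIK_WAN_LAN, INTERNET_HOST),
        "iot_to_lan": forward(LAN_RULES, LAN_SEGMENTS, MIKROTIK_WAN_LAN, LAN_PC),
    }


if __name__ == "__main__":
    for name, result in [("Layout A (DMZ port)", layout_a()), ("Layout B (router in LAN)", layout_b())]:
        print(name)
        for flow, (verdict, reason) in result.items():
            print(f"  {flow:16} {verdict:5} ({reason})")
    print("NAT chain:", nat_chain(IOT_PLUG, MIKROTIK_WAN_DMZ, INTERNET_HOST))
```

In layout A the UTM routes between the two segments, so the DMZ-to-LAN drop is actually consulted and the IoT side cannot reach the LAN (nor the LAN the IoT side, unless a rule is added). In layout B the Mikrotik's WAN port is a LAN host, so its packets to other LAN hosts are switched directly and the UTM rule is never evaluated; separating the IoT devices from the LAN in that layout has to happen on the Mikrotik or via a separate segment, not on the UTM.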