Internet pass-through from DMZ to external Wireless Router



First off, I've found this forum an extremely useful resource and mostly managed to find the info I need by searching, alas I can't seem to find the answer to the following.


I use an SG115 with the Sophos UTM home license, along with an AP55c AP.  So far I've been fine with the 50 IP limit.  Now, with all my smart plugs etc I'm starting to regularly skirt the 55 IP limit.


I'd like to move all my IoT devices onto a segregated network so that they don't count against the IP limit.  They only need internet access and obviously no access back into the internal network, or each other.  I have a Mikrotik wireless router lying around unused so I'd like to use that for this purpose.


My theory is that I can use the DMZ port on the SG to pass-through  the Internet connection to the miktrotik, where I can set the wireless rules.  I 'think' I need to do the following, can someone please tell me if I'm way off base here?  thanks in advance:


1- Create the DMZ Interface on the UTM, Eth2 (DMZ) and give it an IP e.g.

2- Create a Masq rule as follows - Network - Any, Interface DMZ

3 - Firewall Rule - Source - Any, Services - Web Surfing, Destinations - DMZ, ALLOW


Then on the Microtik side, the Router IP is, set WAN address to

will this work?


Thanks in advance



  • When you hit the IP-limit you could have a look at the (also free) XG firewall product, there's no IP limit anymore (but it's totally different from UTM so you need to relearn a lot).

    Using additional routers to hide IP's from the UTM is probably against the license agreement so I don't recommend it but you could probably do this more easy:

    Connect the additional router inside your LAN with it's WAN port and connect IOT devices to the LAN port of the additional router.

    If no traffic needs to go to the IOT devices, then that's all to it, no additional setup on the UTM needed.

  • In reply to apijnappels:

    Thanks for that, I’ll give that a shot tonight, I wish I could buy a reasonably priced license to cover up to 100 ips, alas I can’t. I have installed xg on a spare box and am in the process of getting into it. Actually waiting for the sg to xg tool becoming available to the masses so I don’t need to re-do my Config from scratch.

  • In reply to Phil White:

    I don't know if the migration tool will ever be released to public. 

    As far as current status is that selected Sophos partners now have the ability to use the migration tool. Hopefully it will become publicly available some time, but I'm not betting on that...

  • In reply to apijnappels:

    Yeah, maybe if they start to deprecate sg they might realise it?

    Anyway, setup is working fine, just as you said.  Now just need to figure out how to stop traffic coming back into the lan from that router.  Firewall rule (source - host Mikrotik,  destination lan (network) drop didn’t seem to do it.  Better read the rulez....



  • Hi Phil - your first thread - welcome to the UTM Community!

    Interesting - the first time I've seen this question asked in such a way that I thought about how to "hide" a subnet and not contravene the licensing agreement...

    If you're not using anything other than NAT and Firewall for your IoT network, I think you would be in compliance:

    • Make an Exception for for everything in Intrusion Prevention.
    • Don't include in Web Filtering.
    • Exclude in Application Control.
    • Add to 'Threat Exceptions' in 'Advanced Threat Protection'.

    If anyone sees something I missed, please comment.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks very much Bob, you’re right it’s not my intention to circumvent the license, I only need these devices to have basic Nat protection (provided by the mikrotik) and internet access to allow them to function and get updates. If I could split my internet connection in two that would be ideal but since I can’t...hence the dmz idea. I will add that config to my utm. Many thanks for the response


  • Hi again,

    I would like to stop traffic from the IoT network (Mikrotik) accessing the lan on my sophos. The devices attached only need to access the Internet, nothing else.

    Any suggestions on how best to achieve that? The Mikrotik has a fixed IP of and I’ve tried to create a fw rule to block it from accessing the lan but that didn’t seem to work  (source Mikrotik wan —- service any ——- destination  lan (network))

    Thanks in advance

  • In reply to Phil White:

    Hmmm, are the other Mikrotik-related firewall rules before or after the one you just described?

    Most likely, #2 in Rulz has your answer.  You weren't specific about the traffic that's getting through, but I suspect the 'ICMP' tab and Web Filtering in Transparent mode.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob