UTM Home: Will this setup work for me

Hello All,

Hopefully this is the correct place for me to post this; if not, I do apologize and please kindly inform me where I should be asking this question.
Before I get into my question I need to explain my current setup to you first.

I live in a building where the network is managed. I have absolutely no access to the network, and the admins don't want to help out.
There are 14 apartments in this building and everyone is sitting on the same network, same VLAN... yes, that's correct.

So when I moved in I just placed a consumer grade router (Asus), but now I'm dealing with a double NAT.
My dad lives 2 floors above me, and I have been trying to figure out a way to set up a connection between us. This is where Sophos comes in.

To give an idea of how the infrastructure in the building looks:

ISP -> Building Router -> Building Switch -> My router -> devices.

I have an Intel NUC i7 with 32 GB RAM, and I was wondering if I could run Sophos UTM on ESXi.
The NUC only has ONE NIC, so I was wondering if creating 2 virtual NICs would work with a LAN and WAN setup; this I'm not sure about at all.

With this in place the setup would look like this:

ISP -> Building Router -> Building Switch -> My router -> Intel NUC + devices.
I will let my router take care of DHCP.

Question being now, would I be able to use Sophos UTM in this way, and if yes, can I use it with 1 NIC so my dad can get access to my internal network?
I can't port forward, so I'm not understanding how my dad can reach me if I would use SSL VPN.

  • Hoi and welcome to the UTM Community!

    "Question being now, would i be able to use Sophos UTM in this way, and if yes can i use it with 1 NIC so my dad can get access to my internal network?  I can't port forward, so i'm not understanding how my dad can reach me if i would use SSL VPN"

    What access do you want to have? Dad can reach anything in your internal network?  You can reach anything in dad's internal network?  Both networks can reach anything in either network?

    It's not clear to me that port forwarding is necessary - what makes you think it would be and forwarded to where from where?

    Cheers - Bob
    PS I deleted your identical post that was in the General Discussion group - this is a better place for your question.

  • In reply to BAlfson:

    Thank you very very much for taking the time to respond back.
    To answer your question, I want my dad to have access to my internal network while he still keeps the ability to get back on the web on his end.

    Please bear with me, I'm not very experienced with Sophos UTM (hoping to learn it).
    The reason I think I would need to port forward: how will my dad reach me? There are 14 apartments using the same public static IP.
    What hostname do I set in Sophos? I can't use services like DynDNS without forwarding the port.

    We have the building's own connection, then I have my own home connection behind a firewall (double NAT), and my dad has his own network behind his own firewall.
    If I can configure the VPN on my end, then my dad would be able to connect to me. I just don't understand how I would set this up on my end.

  • In reply to Think Greenn:

    This calls for a site-to-site VPN.  Ideally you and your dad should get rid of the routers and let your home UTMs handle everything.  The following assumes that there's nothing blocking traffic between your existing routers.

    Using SSL VPN, make the Server the one where the router is least likely to get a different IP - I'll assume that's your apartment.  You will also want to configure a free dynamic DNS service for your UTM so that your dad's UTM will know what IP to call - ThinkGreenn.FreeDNS.com.  Here's an example:

    In your UTM:

      

    Download the Client configuration and add in dad's UTM:

    Are we having fun yet?

    Cheers - Bob

  • In reply to BAlfson:

    I came out of bed just to respond back to you and thank you for taking the time and effort in providing me screenshots as well.
    I believe I may not have put in the correct information.

    Dad's house only has a simple Linksys router, no UTM at his place.
    In order for site-to-site VPN to work he would need a UTM as well; this is why I did not look into site-to-site but remote access, for him to use the SSL Client to get into my network.

    Following your explanation with a free dynamic DNS service, this is where port forwarding would come in.
    My public IP address is 80.xx.xx.xx, the DHCP address I get assigned to my router is 192.168.80.90, and my internal network is 10.1.40.x.

    For a dynamic DNS to work, I would need to forward port 1443 (as per your screenshot), but I would have to do this on my building's router and not my own.
    Please help me out of this confusion.

    A port checker tool gives me this information
    Problem!  I could not see your service on 80.xx.xx.xx on port (1443).
    Reason: Connection timed out.

    I hope you and I are not mixing up information.

  • In reply to Think Greenn:

    From your dad's apartment, he would need to go to not to your public IP, but to your router's IP which is 192.168.80.90 at the moment.  The FQDN used in the 'Server Settings' should resolve to your router's IP.  Your router can then port forward UDP 1443 to your UTM.

    Cheers - Bob
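    Bob's point above (dad dials the router's building-LAN address, not the shared public IP, and that router forwards UDP 1443 to the UTM) as an added Python sanity check that is not part of the thread; the resolver is injected so it runs offline, and every address other than 192.168.80.90 and 10.1.40.x is a constructed stand-in:

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology from the thread: the building shares one public IP, the
# poster's router gets 192.168.80.90 from the building DHCP, and the UTM sits
# behind that router in 10.1.40.0/24. Dad's client is also on 192.168.80.0/24.
BUILDING_LAN = ipaddress.ip_network("192.168.80.0/24")
HOME_LAN = ipaddress.ip_network("10.1.40.0/24")
SSL_VPN_PORT = 1443  # UDP port from Bob's screenshot

@dataclass(frozen=True)
class ForwardRule:
    proto: str      # "udp" or "tcp"
    ext_port: int   # port on the router's building-LAN side
    to_ip: str      # internal host the router DNATs to
    to_port: int

def check_vpn_path(fqdn, resolver, utm_ip, rules):
    """Return a list of findings; an empty list means the path looks right.

    resolver: callable fqdn -> IP string (injected; a real run would use DNS).
    utm_ip:   the UTM's address on HOME_LAN the router must forward to.
    rules:    port-forward rules configured on the poster's own router.
    """
    findings = []
    target = ipaddress.ip_address(resolver(fqdn))
    if target.is_global:
        findings.append(f"{fqdn} resolves to public {target}; the building router "
                        "does not forward, so dad must dial your router's LAN IP")
    elif target not in BUILDING_LAN:
        findings.append(f"{fqdn} resolves to {target}, not an address on the building LAN")
    utm = ipaddress.ip_address(utm_ip)
    if utm not in HOME_LAN:
        findings.append(f"UTM address {utm} is not inside {HOME_LAN}")
    hits = [r for r in rules if r.proto.lower() == "udp" and r.ext_port == SSL_VPN_PORT]
    if not hits:
        findings.append(f"no UDP {SSL_VPN_PORT} forward configured on your router")
    elif not any(r.to_ip == str(utm) and r.to_port == SSL_VPN_PORT for r in hits):
        findings.append(f"UDP {SSL_VPN_PORT} is forwarded to {hits[0].to_ip}:{hits[0].to_port}, not the UTM")
    return findings

def demo():
    """Constructed sample: the mistaken setup first, then the corrected one."""
    # Hypothetical hostname; 80.10.20.30 stands in for the redacted public IP.
    wrong = check_vpn_path("thinkgreenn.example", lambda _: "80.10.20.30", "10.1.40.2", [])
    right = check_vpn_path("thinkgreenn.example", lambda _: "192.168.80.90", "10.1.40.2",
                           [ForwardRule("udp", 1443, "10.1.40.2", 1443)])
    return wrong, right
```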

  • In reply to BAlfson:

    Thank you very much, this makes sense now.

    I'll try it out and report back; I have just one last question regarding my setup.
    As mentioned in my opening post, I'm running UTM on an Intel NUC on ESXi.

    I have 1 NIC, and I created 2 virtual NICs. I'm not sure this will work.
    Can UTM be used with 1 NIC, only for internal traffic and not external?

  • In reply to Think Greenn:

    I think you can do this with a single NIC, but it's hard to be sure without seeing a diagram with IPs and subnets.  Let us know if you hit a speed bump.

    I still say you would be better served by getting rid of the router and letting the UTM handle everything.  Your dad, too.  Even with the router and a single NIC, you should be able to use virtually all of the UTM's capabilities except anything IPsec or related.

    Cheers - Bob