I signed up for a UTM home license several years ago and never got around to actually configuring it (looked too complicated). More recently, I've had another crack but I'd like some pointers into where the thing should be positioned.
I have a Fritz! router to the outside world and a number of devices LAN and WLAN connected. One of my PCs hangs off another router (acting as a Gb switch) running Windows 10 with Hyper-V enabled. I've run up the UTM Home on that and given it two vNICs (same network though) since the set-up required an internal and an external. I did only a quick config and set up the web filter/proxy, and pointed one of my browsers at it... didn't sit like that for long as it seemed to get slow. That was a few weeks ago, but I thought I'd come here for help before totally giving up :)
FWIW - I have a RaspberryPi running PiHole and have its IP address added as the DNS address supplied by the Fritz! DHCP. For now, IPv4 only since I can more easily understand it :)
I also have some other VMs running and exposed to the Internet via NAT: Nextcloud and a WordPress, with an Nginx VM I'm trying to use as a reverse proxy.
1) Would I need to set the internal vNIC address of the UTM as the default gateway for clients? If yes, I'm not sure I can do that from the Fritz! so may have to use DHCP from either Pi-Hole or the UTM itself. If no, then how does UTM monitor the traffic?
2) Can/should the UTM act as the reverse proxy for Nextcloud and WordPress? I currently have the Nginx VM grabbing TLS certificates from LetsEncrypt; would UTM do this also?
3) How will this change if I enable IPv6? I'm sure I read somewhere that the default gateway concept is removed in IPv6 so really not sure how to position the UTM in that situation.
4) Do I need to rethink the entire set-up? I'm happy to entertain most changes (perhaps when my wife isn't here :)) but I don't have funds to buy another PC to act as a dedicated UTM at the moment. In case it makes a difference - we're currently ADSL but should be getting 'NBN' (Australia) going live this month (FttB which I believe is VDSL2). Other than a provider change, I don't believe there'll be any changes (i.e., no additional modem added).
I forgot to add what I'm hoping to get out of this; I'm hoping I'll be able to see which devices are using the most bandwidth in real-time, as well as the total volume of traffic consumed. If I could drill down and see which websites (e.g., is it a streaming service), even better.
In addition to that, I'd like to be able to see incoming requests for Nextcloud/WordPress and know they're being protected. Finally, I'd hope that if I NMAP (or similar) my network it'll generate an alert :)
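The last wish above (an alert when the network is port-scanned) is the kind of thing a firewall's IPS does from its connection log. As an added illustration of the underlying detection logic, not code from the original post or from Sophos, here is a small Python detector that runs over a few constructed log lines in an assumed, simplified format (timestamp, src, dst, dport, action; this is not the UTM's real log format) and flags any source that touches many distinct host/port pairs within a short window. The sample lines, IP addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified log format for this example (NOT Sophos UTM's real format):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<verdict>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action"),
    }


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag each source that contacts at least `threshold` distinct
    (destination, port) pairs within any span of length `window`.

    Returns {src_ip: largest number of distinct targets seen in one window}.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    alerts = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start:end+1] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def constructed_sample_log():
    """Constructed sample: one host sweeping ports 21-32 on a server within
    12 seconds, plus a normal client making a few web requests, plus one
    malformed line that the parser must skip."""
    lines = [
        f"2024-01-01T10:00:{i:02d} src=192.168.178.50 dst=192.168.178.10 "
        f"dport={21 + i} action=drop"
        for i in range(12)
    ]
    lines += [
        "2024-01-01T10:00:05 src=192.168.178.20 dst=192.168.178.10 dport=443 action=allow",
        "2024-01-01T10:00:06 src=192.168.178.20 dst=192.168.178.10 dport=443 action=allow",
        "2024-01-01T10:01:30 src=192.168.178.20 dst=192.168.178.10 dport=80 action=allow",
        "not a log line",
    ]
    return lines


if __name__ == "__main__":
    for src, n in detect_port_scans(constructed_sample_log()).items():
        print(f"ALERT: {src} touched {n} distinct host/port pairs within 60s")
```

The threshold and window are the knobs that trade false positives against sensitivity: a real IPS uses tuned values and also weighs dropped versus allowed connections, but the shape of the logic (per-source sliding window over distinct targets) is the same.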
I'll answer each question in the order you asked it.
1) It's not necessary to use UTM's internal interface (vNIC) as a gateway for your devices if you want to control their web traffic only. UTM can work as a standard proxy where you can point all your internal devices and it will proxy the traffic. You can specify the ports for which UTM should act as a proxy. You can refer to this KBA: Sophos UTM: Understanding Sophos Web Filtering. But you will not get the standard IPS and other firewall configuration flexibility with that.
My suggestion would be (only if it's feasible for you) to configure UTM's internal NIC as a gateway address and that way, you will be able to protect using IPS as well as also use WAF for your websites (Nextcloud & WordPress). And I guess this answers your 2nd question as well. You can refer to this KBA: Sophos UTM: How to configure Webserver Protection. Sophos UTM now creates a Let's Encrypt account and allows you to create a certificate from UTM itself. This requires HTTP traffic for the certificate domains to reach the UTM. (More on that later)
Using UTM as a gateway will allow you to use the Reporting feature in UTM where you will be able to see the traffic type and data bytes consumed by each device. It will also give you some more control over DHCP configuration.
3) I've never personally had an IPv6 setup to comment on this. There are some gray areas in what will work and what will not.
4) Ideally, you should be able to provide UTM an Internet connection from an upstream device (DHCP or Static does not matter).
Since you're new to the Sophos UTM, I'd recommend reading this amazing guide RULZ by Bob and if you would like to see configuration videos, jump over to Sophos UTM YouTube videos. Hope this helps.
In reply to Jaydeep:
Thank you so much for replying. I started looking through the Rulz and will start to read more links soon. So far, I have created a new DHCP scope on the UTM and disabled the DHCP scope on my router (using a slightly different range within the same network to avoid conflicts) as that seemed the simplest way to easily configure the default gateway, and then renewed my address on my main PC... and I am able to continue to browse the Internet and am starting to see some breakdown of traffic on the UTM [I followed the first video and set the web filter to transparent]. Great :)
Will wait to see if there's any complaints later before I start trying to fiddle with other things. One thing I noticed already - the web protection statistics show the 'users' as the internal IP address. Is there a setting somewhere to change that to hostname? I can get the info from my router, but it's less convenient - especially now the numbers changed :)
I've now figured out how to create the Let's Encrypt certs on the UTM and enabled the webserver protection (and enabled port forwarding on the router); I can get rid of the nginx VM now I guess.
I'm seeing more info - such as attempted RDP over the exposed web ports, so I know IPS is working :)
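The DHCP change described in the reply above (a second scope on the UTM, in the same network as the router's scope but using a different range, handing out the UTM's internal vNIC as default gateway) is easy to get subtly wrong: an overlapping range hands the same address to two clients if the router's DHCP is ever re-enabled, and a gateway that sits inside a scope can be leased to a client. As an added example, not part of this thread and not a Sophos tool, here is a Python check over such a plan using the standard `ipaddress` module. The network 192.168.178.0/24, the scope boundaries and the gateway 192.168.178.2 are assumed sample values for the example.

```python
import ipaddress


def check_dhcp_plan(network, gateway, router_scope, utm_scope):
    """Validate a two-scope DHCP plan for one subnet.

    network      - the LAN in CIDR form, e.g. "192.168.178.0/24"
    gateway      - the default gateway handed out to clients (the UTM's
                   internal vNIC in the setup discussed above)
    router_scope - (first_ip, last_ip) of the router's DHCP range
    utm_scope    - (first_ip, last_ip) of the UTM's DHCP range

    Returns a list of human-readable problems; an empty list means the plan
    is consistent: both scopes lie inside the network, they do not overlap,
    and the gateway is in the network but outside both scopes.
    """
    net = ipaddress.ip_network(network, strict=True)
    gw = ipaddress.ip_address(gateway)
    problems = []

    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")

    ranges = {}
    for name, (lo, hi) in (("router", router_scope), ("utm", utm_scope)):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo > hi:
            problems.append(f"{name} scope {lo}-{hi} is reversed")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{name} scope {lo}-{hi} is not inside {net}")
        if lo <= gw <= hi:
            problems.append(f"gateway {gw} lies inside the {name} scope {lo}-{hi}")
        ranges[name] = (lo, hi)

    # Two closed ranges overlap iff each starts no later than the other ends
    if len(ranges) == 2:
        (a_lo, a_hi), (b_lo, b_hi) = ranges["router"], ranges["utm"]
        if a_lo <= b_hi and b_lo <= a_hi:
            problems.append(
                f"router scope {a_lo}-{a_hi} and utm scope {b_lo}-{b_hi} overlap"
            )
    return problems


if __name__ == "__main__":
    # Assumed sample plan: router keeps .20-.200, UTM hands out .201-.250,
    # clients get the UTM's internal vNIC .2 as their gateway.
    plan = check_dhcp_plan(
        "192.168.178.0/24",
        "192.168.178.2",
        ("192.168.178.20", "192.168.178.200"),
        ("192.168.178.201", "192.168.178.250"),
    )
    print("OK" if not plan else "\n".join(plan))
```

Even with the router's DHCP server disabled, keeping the two ranges disjoint costs nothing and means a factory reset or a stray re-enable on the router cannot produce duplicate leases.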
In reply to Dave99:
Glad to know it's working fine. Regarding your question, no you will not be able to display names there. Unless maybe you try with static DHCP or creating Host definitions with DNS settings like shown in the image.
But I've not tried it for myself to be honest.
One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to a question that's already been answered without starting a new thread. Using an appropriate title, please ask your second question in the Web Protection forum where I'll give another suggestion about names instead of IPs.
Cheers - Bob