
setting up two UTM instances to overcome license.

I was wondering if anyone has successfully deployed two Sophos UTM instances in virtual machines with the free 50-IP license in order to avoid going over the license limit. If so, how did you design your network topology? Also, is there any way to put certain IP addresses out of the scope of the UTM so that they don't count towards the license? I would only require simple routing to those IPs, not content filtering or anything else.


  • From a legal standpoint, you can't do that.  Only one live instance with a single license.  There's two things you can do to reduce the license IP count:

    1)  Any devices that don't need internet access, network printers being a good example, remove the default gateway address from their settings.

    2)  Run devices through another router behind the UTM NATed.  For example if you use a wireless router.  The wireless routers WAN address will be within the scope of the subnet on the UTM internal interface, while the wireless devices will be NATed on a different subnet.  The only IP address the UTM will count is the external address of the wireless router.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Use another firewall, or other firewalls, to split the single network into multiple networks.  The free Essential Firewall from Sophos might be one to consider.

    Firewall for Small Business | UTM Essential Firewall for Small Business

    I am not a fan of the "hiding" multiple devices behind a NAT for the purposes of "overcoming" licensing limitations.
  • From a legal standpoint, you can't do that.  Only one live instance with a single license.  There's two things you can do to reduce the license IP count:

    1)  Any devices that don't need internet access, network printers being a good example, remove the default gateway address from their settings.

    2)  Run devices through another router behind the UTM NATed.  For example if you use a wireless router.  The wireless routers WAN address will be within the scope of the subnet on the UTM internal interface, while the wireless devices will be NATed on a different subnet.  The only IP address the UTM will count is the external address of the wireless router.



    What do you mean, from a legal standpoint I can't do it? I wouldn't use the same license on two installs, but simply sign up for two accounts and get two of the 50-IP free-for-home-use licenses and install one on each machine... each install would have its own license. Would that not work? Has no one else done that?

    Double NAT is really out of the question, and while the suggestion to remove the gateway IP from devices is a good idea, that means I would have to give those devices static IPs, which won't really work as I need them all to work with DHCP. I wish Sophos was a little more realistic with the licensing because it's total BS. Had I known, I wouldn't have spent the countless hours setting up the system. I am far too invested in the way I set it up to just switch to another UTM. They ****ed up by being upfront about the way they count out the license, which if you ask me is absolutely stupid and ultimately is making them lose business, because I do not recommend them to anyone who asks me if they are any good.
  • ... i wouldn't use the same license on two installs, but simply signup for two accounts and get two of 50ip free for home use license and install one on each machine... each install would have its own license ...

    Oh the irony in that statement. Dude, why do you come here and ask us to verify licensing workarounds. I think everyone explained it to you pretty clearly why the licensing is setup the way it is https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29852

    Yet you seem hell-bent on validation from us. I thought you said pfSense was working out really well for you [8-)]. Yet here you are leeching free advice and trying to steal something that is given to you for free.
  • RE: #2, if you set up another router (router #2) behind the UTM (router #1), how do you enable devices to communicate with one another? For example, my Sophos UTM (Router #1) settings are shown below. What should the Subnet and Gateway values in Router #2 be to ensure devices can connect to one another without adding to the Sophos UTM IP count?

    Router 1
    LAN IP      192.168.0.1
    Subnet      255.255.255.0
    Gateway     192.168.0.1
    DHCP Range  192.168.0.10-40

  • Say the subnet behind your wireless router is 192.168.2.0/24 and the wireless router has 192.168.0.254 in your UTM's internal network, you will want a Static Gateway route in the UTM like '192.168.2.0/24 -> 192.168.0.254'.

    Is that what you were looking for?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Say the subnet behind your wireless router is 192.168.2.0/24 and the wireless router has 192.168.0.254 in your UTM's internal network, you will want a Static Gateway route in the UTM like '192.168.1.0/24 -> 192.168.0.254'.

    Is that what you were looking for?

    Cheers - Bob

    Thanks Bob for your guidance.  Just double-checking. Would the static gateway route be:

    192.168.1.0/24 -> 192.168.0.254 OR 192.168.0.1/24 -> 192.168.0.254?

  • Can't quite get this to work. The details:

    Sophos UTM
    LAN IP  192.168.0.1 (/24)
    NM      255.255.255.0
    GW      192.168.0.1
    DHCP    192.168.0.10-40

    Wireless router
    LAN IP (on the UTM side)  192.168.0.90
    Subnet behind router      192.168.2.0/24
    NM                        255.255.255.0
    GW                        192.168.0.1

    Under Sophos UTM > Interfaces & Routing > Interfaces > Static Routing I've created a New Static Route as a Gateway Route:

    Network:  Internal (Network) (aka 192.168.0.0/24)
    Gateway:  192.168.0.90 (the LAN IP of the wireless router)
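The two posts above (Bob's static-route suggestion and the configuration that "can't quite get this to work") are easy to reason through with a few lines of Python. This is an added example, not Sophos code and not any poster's configuration: it validates a UTM-style gateway route of the form `network -> next hop` against the UTM's internal network, does a longest-prefix-match lookup to show where a packet would actually go, and models what the UTM sees on its internal interface when a second router masquerades the hosts behind it (the mechanism posts #1 and #2 rely on). The addresses are the ones quoted in the thread; the host addresses behind the wireless router are constructed for the demo. One caveat the thread does not spell out: the masquerading model only holds for traffic the second router actually translates. If the static route is in place and the second router forwards 192.168.2.x traffic toward the UTM without NAT, the UTM sees those real source addresses, with whatever consequence that has for its count.

```python
"""Route and NAT sanity check for the "second router behind the UTM" layout.

Added example; not Sophos code or any poster's configuration. Addresses are the
ones quoted in the thread, the hosts behind the wireless router are constructed.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple


def check_gateway_route(utm_internal: str, route_net: str, gateway: str) -> List[str]:
    """Validate a UTM static gateway route 'route_net -> gateway'.

    Returns a list of problems; an empty list means the route is sane.
    Mirrors the three things that go wrong in practice: next hop not on the
    UTM's internal network, routed network colliding with the internal
    network, or a next hop that sits inside the network it is supposed to reach.
    """
    internal = ipaddress.ip_network(utm_internal, strict=False)
    net = ipaddress.ip_network(route_net, strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in internal:
        problems.append(f"gateway {gw} is not on the UTM internal network {internal}")
    if net.overlaps(internal):
        problems.append(
            f"route network {net} overlaps the UTM internal network {internal}; "
            "the route must name the subnet BEHIND the second router"
        )
    if gw in net:
        problems.append(f"gateway {gw} lies inside the routed network {net} (circular route)")
    return problems


def longest_prefix_match(routes: Sequence[Tuple[str, str]], dst: str) -> Optional[str]:
    """Pick the next hop for dst from (network, next_hop) pairs, most specific wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for net_s, hop in routes:
        net = ipaddress.ip_network(net_s, strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def addresses_seen_by_utm(sources: Sequence[str], nat_router_wan: str, nat_subnet: str) -> List[str]:
    """Model the source addresses the UTM sees on its internal interface.

    Hosts inside nat_subnet are masqueraded by the second router and show up as
    nat_router_wan; every other host shows up with its own address.
    """
    subnet = ipaddress.ip_network(nat_subnet, strict=False)
    seen = set()
    for src in sources:
        a = ipaddress.ip_address(src)
        seen.add(nat_router_wan if a in subnet else str(a))
    return sorted(seen, key=ipaddress.ip_address)


# Routing table as the UTM would hold it once the correct gateway route exists.
# "connected" and "wan" are labels for this demo, not UTM identifiers.
UTM_ROUTES = [
    ("192.168.0.0/24", "connected"),     # UTM internal interface
    ("192.168.2.0/24", "192.168.0.90"),  # static gateway route to the wireless LAN
    ("0.0.0.0/0", "wan"),                # default route
]

# Constructed sample: two UTM-side hosts and two hosts behind the wireless router.
SAMPLE_SOURCES = ["192.168.0.20", "192.168.2.10", "192.168.2.11", "192.168.0.30"]

if __name__ == "__main__":
    # The route entered in the thread (Internal (Network) -> 192.168.0.90)
    # versus the one Bob described (subnet behind the router -> its UTM-side IP).
    for net in ("192.168.0.0/24", "192.168.2.0/24"):
        print(net, "->", "192.168.0.90:", check_gateway_route("192.168.0.0/24", net, "192.168.0.90") or "ok")
    for dst in ("192.168.0.20", "192.168.2.15", "8.8.8.8"):
        print(dst, "via", longest_prefix_match(UTM_ROUTES, dst))
    print("seen by UTM:", addresses_seen_by_utm(SAMPLE_SOURCES, "192.168.0.90", "192.168.2.0/24"))
```

Run it and the first check explains the "can't quite get this to work" post: a gateway route whose network is the UTM's own internal network, with a next hop inside that same network, is rejected twice over, while `192.168.2.0/24 -> 192.168.0.90` passes. The lookup then shows 192.168.2.x traffic leaving via the wireless router and everything else unchanged, and the NAT model shows the four sample hosts collapsing to three addresses on the UTM side.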

  • How much money did you willingly spend to acquire devices that consume more than 50 IP addresses in your home?  

    Each of your cell phones probably cost more than one commercial license for UTM.   

    Do you have any sense of obligation to the people who work hard to keep those 50+ devices away from the bad guys?

    Consumers, both business and residential, always want a deal, but we also need our suppliers to stay in business.

    Treat Sophos fairly.   They could drop the home license program in a heartbeat and be none the worse for it.

    For the record, it seems foolish to ask how to violate a contract in a public forum, especially, the public forum of the people whose contract you want to violate.

  • To be clear, my intent wasn't to violate any agreement, but rather to understand how to work within Sophos UTM's 50-IP limit for home use. I certainly wouldn't have been opposed to paying for additional IPs for the home license, though I understand that isn't an option. Regardless, it was a bit peculiar that Sophos UTM was reporting > 50 active IPs within my network when I have fewer than 35, many with static IPs (only using IPv4, with IPv6 disabled).

    Have since attempted to setup and configure the latest Sophos XG Home v17 platform without success.  I simply found it too cumbersome to configure and operate relative to UTM.

    At this point, have moved over to Untangle NG HomePro license (no IP limit) and confirmed my active IP quantity to be 33 as suspected.  This is with all devices (home and guest) operating simultaneously.  While I didn't like it quite as much as UTM 9 upon install, it's addressed my concerns and the UI and capabilities are growing on me.

    Would recommend Untangle v13 NG HomePro license ($50/yr) as a viable alternative to Sophos UTM 9 Home.