
Is Sophos UTM doing NAT + Firewall, or just Firewall?

Hi to all,

I use a standard device that is doing NAT. If I replace this device with Sophos UTM Home Ed., do I still have the NAT function?

Does Sophos UTM integrate both the NAT function and the firewall? Is it mandatory to keep the NAT function behind the WAN?

I'm currently testing it and it seems to offer both functionalities by default, but I would like to be sure.

Many thanks.



  • Hi,

    The UTM does not do NAT by default; you need to add either a MASQ or an SNAT/DNAT rule.

    The UTM HTTP proxy does not use a NAT rule; it is a true proxy.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Does it make sense to have NAT + Firewall behind the WAN (front-end) or not?

    I would like to know if NAT + Firewall can improve security...

    Concerning the proxy, I didn't see this feature in the admin interface. Where is it located? Is it enabled by default?

    I don't like the HTTP proxy; it is not useful for my home usage, I figure.

    Best Regards.

  • Hi

    NAT gives a false sense of security. It does not improve security; it just allows the same IP address ranges to be used in many locations without causing major DNS issues. NAT was implemented when the IPv4 address ranges were running out. NAT was not part of the original IPv6 implementation, but has been added.

    The HTTP proxy is very useful in your home application, no different from a business: you can scan web pages for content issues, viruses, malware, and applications you don't want to be used on your network.

    You also have a mail proxy and can use the UTM as a mail relay agent for added security.

    Added security comes from enabling the DNS and NTP proxy-type functions on the UTM. They provide real isolation of local devices.

    On the UTM nothing is enabled by default except to block. You must make a conscious decision to allow traffic through your firewall.

    You need NAT if you use 10.x.x.x, 172.16.x.x or 192.168.x.x address ranges; otherwise it is not required.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I hate NAT..... try going via 4 networks where each hop needs to be NATted. And yes, you're quite right, it gives a false sense of security: once a connection is initialised from within, NAT's not going to do much in terms of stopping it.

    And when you think about all those home routers out there just using NAT.... well, what more can I say?

    This is where I think most ISPs will eventually go: the customer peering with them and the ISP dealing with the security. And the geeks will have to request an opt-out or go to a different ISP to do their own security.

  • Many thanks for your answer.

    I plan to have a true DMZ with both UTM, so two different LANs (see below). So does it make sense to NAT, or is it better not to use it?

    Could you tell me more about the DNS and NTP proxy functions? What can they offer me? I need some use cases to understand the interest.

    Thank you in advance for your advice.

  • My ZTE ZXV10, too, has no port forwarding (DNAT) enabled by default. It had no HTTP proxy, and I am not arguing about NAT proxy.

  • Hi Louis,

    Most of the more modern home routers, and those touted for small business, have a stateful packet inspection function; some even offer anti-x subscriptions, but I would suspect very few home users are aware of them or even understand them.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    To use those address ranges you will need NAT (MASQ on the UTM) for outgoing traffic on both networks. I don't understand your fixation with NAT. You do not require NAT if your ISP provides you with real IP address ranges.

    This setup appears overly complex for a home user. The UTM will not load-share across those networks without some extra hardware. You will need to check the UTM compatibility list for your 4G device; otherwise you will need another router to provide the 4G access.

    What advantages do you see in having the AP in the DMZ? Won't the local users require access to the secure network of the AP to access the local printers?

    Not sure how many NASs you will have, but you will need to create a DNAT for the incoming traffic to your DMZ, a different DNAT for each device.

    You will need firewall rules to allow the traffic to flow.

    The NTP and DNS proxy functions in the UTM provide security for your local devices, so that the UTM is seen as the only DNS and NTP interface, and that is more secure than your local devices. More security because the devices do not need to talk to the internet: fewer avenues of attack.

    If you are not going to use any of the security features of the UTM, you might as well install a cheap router, which will provide you with NAT, a DMZ and port forwarding, 4G failover and an AP, but no real security.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
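Two of Ian's points in this thread are easy to lose in prose: that NAT does not stop a connection initiated from inside (the "false sense of security"), and that real isolation comes from a default-deny stateful policy plus explicit rules (MASQ for outbound, one DNAT per published device, DMZ never reaching the LAN, clients only talking DNS/NTP to the gateway). The following is an added toy model written for this page; it is not Sophos code and does not reproduce how the UTM implements these rules. All addresses (192.168.10.0/24 as LAN, 192.168.20.0/24 as DMZ, 203.0.113.10 as the single public IP, a NAS at 192.168.20.50) are constructed for the illustration.

```python
"""Toy stateful gateway: default-deny policy, MASQ, DNAT and connection tracking.

Added illustration for this thread; addresses below are constructed, not real.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
GW_LAN, GW_DMZ = "192.168.10.1", "192.168.20.1"   # the gateway's inside addresses
WAN_IP = "203.0.113.10"                           # the single public IP from the ISP
NAS = "192.168.20.50"                             # a NAS living in the DMZ
DNS, NTP = 53, 123


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Classify an address into the three zones the policy reasons about."""
    a = ip_address(addr)
    if a in LAN:
        return "lan"
    if a in DMZ:
        return "dmz"
    return "wan"


class Gateway:
    """Default-deny stateful filter with MASQ and DNAT modelled as separate steps."""

    def __init__(self):
        self.conntrack = set()      # 4-tuples of connections already allowed
        self.dnat = {443: NAS}      # WAN_IP:443 published to the NAS (one entry per device)

    def policy(self, pkt: Packet) -> bool:
        """Explicit rules; anything not matched here is dropped."""
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
        if pkt.dport in (DNS, NTP):
            # Clients may only talk DNS/NTP to the gateway; the gateway alone
            # speaks to the internet on their behalf.
            return pkt.dst in (GW_LAN, GW_DMZ) and src_zone != "wan"
        if src_zone == "lan":
            return True                 # LAN may initiate to DMZ and WAN
        if src_zone == "dmz":
            return dst_zone == "wan"    # DMZ reaches the internet, never the LAN
        return False                    # unsolicited inbound: default deny

    def process(self, pkt: Packet) -> str:
        # Reply to a connection we already allowed: accepted by state, no rule needed.
        # This is why NAT does nothing against a connection opened from inside.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT established"
        # DNAT: rewrite the published public destination before policy lookup.
        if pkt.dst == WAN_IP and pkt.dport in self.dnat:
            pkt = replace(pkt, dst=self.dnat[pkt.dport])
            verdict = "ACCEPT dnat->" + pkt.dst
        elif self.policy(pkt):
            verdict = "ACCEPT"
        else:
            return "DROP"
        # MASQ: a private source leaving for the internet is rewritten to WAN_IP.
        if zone(pkt.src) != "wan" and zone(pkt.dst) == "wan":
            pkt = replace(pkt, src=WAN_IP)
            verdict += " masq"
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def demo() -> dict:
    """Run constructed flows through one gateway and return each verdict."""
    gw = Gateway()
    return {
        "lan_browses_web": gw.process(Packet("192.168.10.20", 40000, "198.51.100.80", 443)),
        "web_reply": gw.process(Packet("198.51.100.80", 443, WAN_IP, 40000)),
        # An inside host calling out to an unknown server is allowed, and so is the
        # reply: NAT plus a permissive outbound rule does not stop it.
        "lan_beacon_out": gw.process(Packet("192.168.10.21", 40001, "198.51.100.99", 8443)),
        "beacon_reply": gw.process(Packet("198.51.100.99", 8443, WAN_IP, 40001)),
        "unsolicited_inbound": gw.process(Packet("198.51.100.99", 5555, WAN_IP, 22)),
        "published_nas": gw.process(Packet("198.51.100.7", 5000, WAN_IP, 443)),
        "dmz_to_lan": gw.process(Packet(NAS, 6000, "192.168.10.20", 445)),
        "lan_to_dmz": gw.process(Packet("192.168.10.20", 6001, NAS, 445)),
        "lan_dns_via_gateway": gw.process(Packet("192.168.10.20", 50000, GW_LAN, DNS)),
        "lan_dns_direct": gw.process(Packet("192.168.10.20", 50001, "198.51.100.53", DNS)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The model keeps the three mechanisms apart on purpose: connection tracking is what lets replies in, the DNAT table is what exposes a device, and MASQ only rewrites the source. Reading the verdicts side by side shows that the outbound beacon and the legitimate web session are indistinguishable to NAT, while the DMZ-to-LAN and direct-DNS flows are stopped only by the explicit policy.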

  • Hi,

    I don't have a fixation on NAT, I just want to be sure I understand :)

    I don't want to use the DMZ function of a cheap router; it's not a true DMZ and the security level is not correct for me.

    My ISP doesn't provide me with an IP address range; it's not a service offered to home users. I can only have one IP address per ISP: one IP for ADSL, one for FTTH, one for LTE 4G.

    About 4G or ADSL, these connections use the modem supplied by the ISP. I will set up all devices as bridges, so each connection to the UTM comes with the WAN Ethernet IP, so I think the UTM can manage it properly like this?

    For the back-end, you suggest using NAT + Firewall on the UTM; for the front-end, the same setup?

    The AP in the DMZ is just to have an internet connection completely isolated from the LAN; another advantage can be to manage devices in the DMZ.

    There is no need to use the device in the LAN. Following the printing use case, it can be useful to move the printer from the LAN to the DMZ maybe, because it's not critical; it doesn't matter if it stays on the LAN side.

    Best Regards.

  • Hi,

    I still do not understand the use of the AP in the DMZ. If your users are not going to have access to the AP, then why provide it? It just becomes another security risk.

    What are your aims with having a DMZ? Do you plan to make the NAS accessible from the internet? If not, then you are wasting your time setting up a DMZ.

    Is the NAS in the DMZ the same NAS as on your LAN?

    You can build firewall rules that allow you to access the devices in the DMZ, but they cannot see your LAN. Moving the printer to the DMZ does not make sense unless your users will never need to access the printer.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.