
Is Sophos UTM doing NAT + Firewall, or just Firewall?

Hi to all,

I use a standard device that does NAT. If I replace this device with Sophos UTM, do I still have the NAT function if I replace it with Sophos UTM Home Ed.?

Does Sophos UTM integrate both the NAT function and the firewall? Is it mandatory to keep the NAT function behind the WAN?

I'm currently testing it and it seems to offer both functionalities by default, but I would like to be sure.

Many thanks.



  • Are you serious? Even a cheap ADSL modem does NAT.

  • Yes, I am. I dunno the Sophos UTM functions and which things are already integrated or not.

  • Hi,

    I'm not fixated on NAT, I just want to be sure I understand :)

    I don't want to use a DMZ function from a cheap router; it's not a true DMZ and the security level is not correct for me.

    My ISP doesn't provide me with an IP address range; it's not a service offered to home users. I can only have one IP address per ISP: one IP for ADSL, one for FTTH, one for LTE 4G.

    About 4G or ADSL, these connections use the modem supplied by the ISP. I will set up all devices as bridges, so each connection to the UTM comes with a WAN Ethernet IP, so I think that the UTM can manage it properly like this?

    For the back-end, you suggest using NAT+Firewall on the UTM; for the front-end, same setup?

    The AP in the DMZ is just to have an internet connection completely isolated from the LAN; another advantage can be to manage devices in the DMZ.

    There is no need to use devices on the LAN. Following the printing use case, it may be useful to move the printer from the LAN to the DMZ, because it's not critical; there's no need for it to stay on the LAN side.

    Best Regards.

  • Hi,

    I still do not understand the use of the AP in the DMZ? If your users are not going to have access to the AP, then why provide it, just becomes another security risk?

    What are your aims with having a DMZ? Do you plan to make the NAS accessible from the internet? If not then you are wasting your time setting up a DMZ.

    Is the NAS in the DMZ the same NAS as on your LAN?

    You can build firewall rules that allow you to access the devices on the DMZ but they cannot see your LAN. Moving the printer to the DMZ does not make sense unless your users will never need to access the printer??

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Why use 2 Sophos UTMs like in this drawing? Also, by doing this your LAN possibly uses double-NAT (or you may choose to route between DMZ and LAN).

    You can simply achieve what you want using only 1 Sophos UTM with 5 network interfaces (3 WAN, 1 DMZ, 1 LAN).

    I don't want to offend you, but the questions you are asking are really basic networking; if you struggle with that, then the UTM might be a bit too much to configure and maintain.... If you do need functions like the UTM supports, then prepare for a steep learning curve.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I planned to use 2 Sophos because I was thinking that my LAN would be more secure/protected like this, but if you confirm that it has no benefits and that it is the same security level (with an easier setup), I will use only one UTM.
    Can it have a bandwidth impact with 1 Sophos UTM managing the flow between LAN and DMZ?

    I have the opportunity to recover a Sophos SG230 with Flex Port; do you think that it can be enough to manage a 1GbE ISP bandwidth connection?

    There is no offense in saying that my questions are really basic; I was here to learn more, I'm OK with that and I will follow all your recommendations.

  • The AP in the DMZ is only here to provide a Wi-Fi connection to the internet (with tablet and laptop) and also give access to DMZ resources if necessary, but the AP will not have access to the LAN.

    I have multiple NAS, one in the DMZ, three on my LAN; the one in the DMZ will be accessed from the Internet only, it offers FTP services.

    I would like to make transfers from the NAS in the DMZ to the NAS in the LAN and the reverse; is that possible?

    If I put the printer in the DMZ, can LAN users use it and other users from the AP too (if I add the firewall rules of course)? I figure that it can be better to put the printer in the DMZ to serve all users from the AP or LAN.

    Please take a look just above, I answered and asked some other questions.

  • Hi TheDark,

    At this stage I would suggest you investigate the performance of the UTM product range before going any further with your requests.

    That will give you an idea about how your requirements can be provided/met.

    I also suggest you do some reading on firewall security. Depending on where you are getting the old SG from, you might ask them for some guidance/training because you will need a reasonable amount of UTM knowledge to achieve what you want.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • It doesn't answer my previous questions... thanks anyway :(

    I hope that apijnappels can help me.

  • Hi,

    You said you were here to learn, then do some investigation yourself; as I pointed out, review SG hardware and that will solve most of your performance questions.

    What you haven't said is what model SG230 vx?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I am here to learn, but some of my questions & answers are not written on the web ;)

    I dunno the version number; I see that the last one is v2, but I dunno the difference between both.

    There doesn't seem to be any information; what are the differences, please?

    Best Regards.

  • You can perfectly use one single UTM for your requirements. I do not know exactly about your 1 GBps internet connection and also we don't know whether or not you want to use web filtering, IPS and which other features. The features you use together with the number of users connected to the device will determine what specs you need. I think you could search for UTM sizing and find some sizing charts on the web to indicate a good starting point.

    As for the rest of your questions, there is an unwritten rule on forums to only ask 1 question per thread, so please for every question try to make a new thread so everything stays clear and others can also find the right answers in the right threads.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
