Sky Q reports broadband connectivity issues with UTM (home) used as router.

In my home network I've recently attempted to replace my aged netgear router with a small PC running the UTM Home code.  Actually, I have succeeded except for the Sky Q satellite receiver.  The setup is

OpenReach Modem --- Sophos UTM --- Netgear Gigabit switch 1 --- Netgear Gigabit switch 2 --- Sky Q box   /// all connections are wired ethernet.

The problem is that the Sky Q box reports that I have problems with broadband connectivity and many of the network based interactive services do not work, although I can download firmware updates and also trigger video downloads from the Sky website.  I can also access YouTube (lucky me).

I have set up firewall rules to allow the Sky box access to all internet sites using all IP protocols, and also allow all external access to the box from the outside (not a situation I want to maintain).  I have turned off all protection except the firewall and some POP3 email scanning.  If I replace the Sophos UTM device with the old netgear router the Sky box works perfectly.

I'm at a bit of a loss as to where to go next.  Has anyone else done this or does anyone have any ideas what could be causing the problems?

Thanks,

  • Following a suggestion I found in another thread I looked at the live firewall logs.  There was nothing showing blocked from the Sky Q except for ICMP packets.  Globally enabling ICMP on the gateway has almost cured the problem - for some reason one or two thumbnail images refuse to load but I can live with that.  However, the Sophos documentation implies that I should be able to allow ICMP handling via firewall rules if I have not allowed it globally.  Unfortunately the only ICMP facility I can find in the rules generation panels is PING and allowing this for the Sky box does not have the same effect as globally enabling ICMP on the gateway.  Presumably there are other types of ICMP packets still being blocked.  Is there any way to actually do an "Enable ICMP on the gateway only for a specific host"?

    Thanks,

  • Hi, Len, and welcome to the UTM Community!

    Just FYI, the version you're using is the identical code to what is used in businesses.  The free home-use license just has limitations in the number of connections, IPs protected and customization.

    Good job of finding that suggestion.  #1 in Rulz is often helpful.

    As you've discovered, the "Any" object only includes TCP and UDP - not any other IP protocols.  I've only used the "Traceroute" and "Ping" objects.  I haven't tried making an "ICMP" Service definition with IP Protocol 1, but that might do what you want.  Please let us know if you try it and WebAdmin liked it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the reply.  I'd picked up on the pedigree of the Sophos code when I decided to replace my aging netgear router and was rapidly becoming very disenchanted with the security provided by commercially available home equipment.  The only real problem I have encountered so far is that the solution is, in this case, rather more competent and sophisticated than the user.  Which makes life interesting.

    It is now 10:30 pm and after a recent SICF (Self Induced Cascade Failure, although there is a less polite interpretation) I have established a rule that only essential emergency changes are to be made after 9pm.  The SICF took out my home network so thoroughly that not only could I not reach the internet but no two devices in the house could talk to one another.  So I will give your suggestion a try over the weekend when I am more alert/awake and let you know how I get on.

    I am computer literate but networking was not my field and I claim no expertise in network management, so this may seem a naive or even dumb question.  I have set the system up with the firewall set to drop all except for the wizard-defined rules for web browsing and pop3.  I am working on the assumption that nothing originating in the outer darkness should be allowed into my network and that, if I get it set up correctly, more or less nothing should be dropped on its way out as anything which is dropped would indicate unexpected connections were being attempted.  Is this a reasonable and achievable goal or am I making life unnecessarily difficult for myself?

    Regards, Len

  • (Still chuckling.) Great attitude, Len.  You're obviously a lot smarter than you let on!

    The UTM firewall lets nothing pass either way by default - all traffic is blocked unless explicitly allowed. There is normally no reason to create a Block rule.

    When you first configure the UTM, the Installation Wizard makes some manual firewall rules based on your selections.  When you enable Web Protection and configure it, WebAdmin makes invisible firewall rules, and the same is true of other proxies and for things like the User Portal.  With VPNs and NAT rules, you have the option of selecting 'Automatic firewall rules' which can be seen at the top of the list in 'Firewall'.

    Unlike the firewall you're accustomed to in Windows, the UTM firewall is "stateful."  It uses a connection tracker that allows in responses to requests that were allowed out.  For this reason, you don't need to worry about allowing/blocking anything coming in from the outside.

    Pleasant dreams.

     

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Again thanks for the response.  I have now fixed the issue - the answer was, as is often the case, embarrassingly simple.  I had created a rule to allow ping packets from the Sky satellite box to pass through the gateway.  Of course, the thing was actually pinging the gateway!  Setting the destination of the rule as Internal (Address) rather than Any gave me exactly the behaviour I wanted - the gateway will now respond to ping packets only from the Sky box.  The next step is to ask Sky why they find it necessary to use ping to confirm the existence of the DHCP identified gateway.  I am not hopeful of a sensible response.  However, I am hoping they will tell me which ports they use as currently I have the firewall passing any outgoing IPv4 from the Sky box.  I suppose I could disable that rule and watch the logs.

    Bittorrent has proved the biggest challenge so far, in that it is the only thing which can legitimately originate from outside my network.  I have it working by following a couple of guides I found on these boards.  The challenge is to understand precisely what I have done.

    Talking of watching the logs, I am not sure this is conducive to sanity - or at least to a good night's sleep.  Internal traffic being dropped now seems to be confined to UDP noise from a SamKnows network status monitor and I am awaiting confirmation from that organisation as to which ports to open.  More worrying are the frequent external probes from strange parts of the world like Icheon/Korea, Poussan/France, Shenzhen/China or even Chicago!  Why these people think they should be able to telnet into my system is one of life's mysteries :)

  • "Of course, the thing was actually pinging the gateway!  Setting the destination of the rule as Internal (Address) rather than Any gave me exactly the behaviour I wanted - the gateway will now respond to ping packets only from the Sky box."

    Len, this is true for the same reason as #4 in Rulz: for a Traffic Selector to apply to packets with a destination of an IP on the UTM, the corresponding "(Address)" object must be used.  Under the covers, it's iptables that does the work.  Using "Any" or a normal Network/Host definition causes the Traffic Selector to apply to packets in the FORWARD chain.  The "(Address)" objects are bound to the interface on which they're defined, so that causes the Selector to apply to the INPUT chain.

    To see which Services the Sky box uses, look at the "Top services by client" on the 'Bandwidth Usage' tab in 'Logging & Reporting >> Network Usage'.

    If I were to guess, I'd say that the Chinese military has 1,000+ brilliant engineers making/running thousands of computers trying to break into every IP in the world.  They don't just spy on our government and military, they also target intellectual property.  Everyone needs the kind of protection a UTM offers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
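The three points Bob makes across his replies (the "Any" service covers only TCP and UDP, the connection tracker lets replies to permitted outbound traffic back in, and a rule whose destination is an "(Address)" object lands in the INPUT chain while "Any" lands in FORWARD) can be seen together in a small model. This is an added illustration, not code from the thread or from Sophos: the addresses, the `Firewall`/`Packet`/`Rule` classes, the rule objects and the port numbers on the probe and reply packets are constructed for the example, and it models only the chain choice and the state check, not real iptables.

```python
"""Toy model of the iptables chain selection behind the UTM's packet filter.
Added example, not Sophos code: addresses, class names and rule objects are
constructed to mirror the thread (a Sky Q box pinging its own gateway)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# IANA IP protocol numbers; a Service definition with "IP Protocol 1" is ICMP
ICMP, TCP, UDP = 1, 6, 17

# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the thread
GATEWAY_INTERNAL = "192.168.0.1"   # the UTM's "Internal (Address)" object
SKY_Q = "192.168.0.50"             # the Sky Q box
OTHER_PC = "192.168.0.77"          # another LAN host
SKY_SERVER = "203.0.113.10"        # a Sky service on the internet
PROBE = "203.0.113.99"             # an unsolicited external scanner


@dataclass(frozen=True)
class Service:
    protos: FrozenSet[int]                   # IP protocol numbers
    dports: Optional[FrozenSet[int]] = None  # None = any destination port


# The UTM's "Any" service covers only TCP and UDP, so it never matches ICMP.
SERVICE_ANY = Service(frozenset({TCP, UDP}))
SERVICE_PING = Service(frozenset({ICMP}))
SERVICE_UDP_3700 = Service(frozenset({UDP}), frozenset({3700}))  # what Len saw the box use


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # 0 for ICMP
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    src: str                 # "Any", a host IP or a CIDR network
    dst: str                 # same, or one of the UTM's own "(Address)" IPs
    service: Service
    action: str = "ACCEPT"   # the default policy is DROP, so rules normally ACCEPT


def addr_matches(selector: str, ip: str) -> bool:
    """Does a selector ("Any", host or network) cover this IP?"""
    if selector == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


class Firewall:
    def __init__(self, own_addrs, rules):
        self.own_addrs = set(own_addrs)   # IPs bound to the UTM's interfaces
        self.rules = list(rules)
        self.conntrack = set()            # flows already accepted outbound

    def chain_for_packet(self, pkt: Packet) -> str:
        # Packets addressed to the UTM itself traverse INPUT; transit traffic FORWARD.
        return "INPUT" if pkt.dst in self.own_addrs else "FORWARD"

    def chain_for_rule(self, rule: Rule) -> str:
        # A rule whose destination is an "(Address)" object binds to INPUT;
        # "Any" or a Network/Host definition binds to FORWARD.
        return "INPUT" if rule.dst in self.own_addrs else "FORWARD"

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        chain = self.chain_for_packet(pkt)
        # Stateful check first: a reply to a flow we let out needs no rule of its own.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conntrack:
            return chain, "ACCEPT (ESTABLISHED)"
        for rule in self.rules:
            if (self.chain_for_rule(rule) == chain
                    and addr_matches(rule.src, pkt.src)
                    and addr_matches(rule.dst, pkt.dst)
                    and pkt.proto in rule.service.protos
                    and (rule.service.dports is None or pkt.dport in rule.service.dports)):
                if rule.action == "ACCEPT":
                    self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return chain, rule.action
        return chain, "DROP (default)"   # nothing matched: default policy


def demo() -> dict:
    """Len's first rule (dst Any) versus his fixed rule (dst Internal (Address))."""
    first_try = Firewall([GATEWAY_INTERNAL], [Rule(SKY_Q, "Any", SERVICE_PING)])
    fixed = Firewall([GATEWAY_INTERNAL], [
        Rule(SKY_Q, GATEWAY_INTERNAL, SERVICE_PING),   # INPUT chain: box may ping the UTM
        Rule(SKY_Q, "Any", SERVICE_UDP_3700),          # FORWARD chain: its outbound service
    ])
    ping_gateway = Packet(SKY_Q, GATEWAY_INTERNAL, ICMP)
    return {
        "ping gw, dst Any": first_try.decide(ping_gateway),
        "ping gw, dst Address": fixed.decide(ping_gateway),
        "other host pings gw": fixed.decide(Packet(OTHER_PC, GATEWAY_INTERNAL, ICMP)),
        "icmp via Any service": Firewall([GATEWAY_INTERNAL], [Rule(SKY_Q, "Any", SERVICE_ANY)])
            .decide(Packet(SKY_Q, SKY_SERVER, ICMP)),
        "udp 3700 out": fixed.decide(Packet(SKY_Q, SKY_SERVER, UDP, sport=40000, dport=3700)),
        "udp 3700 reply": fixed.decide(Packet(SKY_SERVER, SKY_Q, UDP, sport=3700, dport=40000)),
        "telnet probe": fixed.decide(Packet(PROBE, SKY_Q, TCP, sport=51234, dport=23)),
    }


if __name__ == "__main__":
    for name, (chain, verdict) in demo().items():
        print(f"{name:22s} -> {chain:8s} {verdict}")
```

Running it shows the ping to the gateway dropped in INPUT under the "dst Any" rule and accepted under the "(Address)" rule, a ping from any other LAN host still dropped, ICMP never matched by the "Any" service, the UDP/3700 reply admitted by the state table rather than by a rule, and the unsolicited telnet probe dropped by the default policy.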
  • Once again thanks for your help and patience.  It is nice to know why something works as well as what works - makes it much easier the next time round.  The network usage tip reveals that the main culprit is UDP/3700 which will come in useful tomorrow.  Has to be easier than my attempts to find the same info by turning off the permissive rule and seeing what suddenly started to get dropped in the firewall live log.  The unavoidable problem with a product like this is that there is so much available it takes a while to find your way around.

    As for the probes, OK I can see the Chinese doing this, but Chicago?  Am I being targeted by the Mafia (don't answer that, I don't think I want to know)  :)

    Just one more question for now, if it is not too much trouble (no rush for an answer).  Network Usage defaults to Top Clients/Today and shows 18455 with most of my local devices appearing on the first page.  Am I right in assuming this is simply every machine which has impinged on my firewall in the last 24 hours?  I am old enough to still experience a sense of awe at modern tech and the thought that so many people/organisations are just behind that firewall gives me goosebumps (even if most of them are there for nefarious purposes).

    >> "Everyone needs the kind of protection a UTM offers."  <<

    This I cannot argue with.  I don't know how much European tech news you see on that side of the pond but in the last couple of weeks several major ISPs in Germany, the UK and Ireland have been hit by Mirai bot attacks directed at poorly secured domestic and SOHO routers, which is the main reason why I converted an old Atom PC into a UTM rather than simply buying a newer router.  Conveniently my old netgear has a wifi AP mode which I will be setting up once I have the main network settled.  I really don't like Wifi but it is occasionally convenient so I will make the effort ... eventually.

  • Hi Len, I see from your first post that you have connected the UTM directly to your BT modem. How did you get the SKY BB to authenticate using the WAN on the Sophos?

    SKY uses MAC authentication which requires that you supply the username and password during handshake and on my current, non sky router, I have to use a custom script for this. But I'd rather use Sophos UTM if I can.

  • Sorry, I can't help you with that - I don't use Sky BB.  PlusNet requires a login_id and password (supplied via the WAN interface) but there is no further verification.

    //edit// Oops - I slightly misread your note.  If all that is required is a username and password the Sophos system will provide these when logging in to the broadband provider.  The setup wizard will automatically prompt you for this info but you can change it later by editing the WAN(External) interface.  I'm slightly surprised that your current router doesn't handle this - my old netgear router (now a wireless access point) and the technicolour thing PlusNet gave me (now an emergency fallback device) both do this for me.