
Advanced configuration question (or attempt to replace WiFi with Sophos UTM?)

Hello everyone!

I'm brand new to the world of UTMs, and I stumbled upon them (and Sophos) because I'm trying to better secure my network, so I'm planning on buying a mini-box/network PC to install/run Sophos UTM on. I'm trying to perform country/region blocking, but I'd also like better overall security of my network--wifi included--because I have a home file server with various sensitive documents.

I asked a previous question regarding how the UTM was to be positioned on the network, and it appears that for my situation I have two possibilities (I had to do some adjusting to the spacing, so I hope this appears correctly!):

A) Incoming Internet (ISP Modem) ----> WiFi Router ----> Sophos UTM ----> File Server/Wired connections
                                          / | \
                                    All wireless devices


With this configuration, only the router is open to the net. If it's hacked, then all the attacker gains is free internet access. ;-D However, I can't perform country/region blocking since the router is outside the UTM.


B) Incoming Internet (ISP Modem) ----> Sophos UTM ----> WiFi Router
                                                        /         \
                                        All wireless devices     File Server/Wired connections


With this configuration, I can perform country/region blocking, and the file server is secure from hacks from the internet...but in theory, someone could wirelessly hack the WiFi router--less likely, but I've been told there are still "wardrivers" out there--and if they do, they potentially gain access to the entire network.


So, after thinking a bit, I'm wondering: is the following configuration possible? (and practical?)

C) Incoming Internet (ISP Modem) ----> Sophos UTM (MULTI-NIC mini PC)
                                        (eth port 1)     (eth port 2)
                                            /                 \
                                      Wi-Fi Router          File Server
                                          /
                                 All wireless devices

That's the only configuration I see that would allow me to accomplish what I'm trying to do. Failing that, does anyone have any experience with using the Sophos UTM to COMPLETELY REPLACE their wireless router? Some of the mini-PCs I'm considering buying for the UTM come with wireless connectivity built in, but I'm very worried about their broadcast range capacities (I purchased the wifi router I have now to upgrade a previous router that had range/connectivity issues).

I know this is complicated, and I appreciate everyone's time! THANKS!

  • Hi, B.H., and welcome to the UTM Community!

    If you search here, you will find that the only WiFi cards that work are the Atheros cards used in the SG 1x5 Sophos appliances.

    You got good advice from Doug on that other thread.  If you were to study the Community, you would see that the preferred solution is to turn off DHCP in the router and either bridge the WAN port or just not use it.  You then have a wireless switch that you can place behind the UTM, thus requiring only two Ethernet NICs in solution C (the preferred one).

    The primary disadvantage of A is that the UTM does not have a public IP.  The primary disadvantage of B is that all traffic is double-NAT'd.

    Let us know what you decide to do.  Also, check out the thread at the top of the Hardware forum to see what people are using successfully and then add a post if you try something else and it works or doesn't.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob (and others!):

    I recently got my UTM PC and installed Sophos on it with a few hiccups along the way.  What I did was turn my wireless router into a simple access point (it has a setting that allows for this)...that automatically turns off various router-related functions (DHCP, etc.) and, I'm guessing, makes it into something akin to a wired/wireless switch.  That allowed me to place it behind the UTM.  I'm not certain, but it appears that regardless of how a connection is made to the wireless router now, it sends it straight to the UTM for routing (is that how switches/access points normally function?)...so, I've left my file server attached to the wireless router (via a wired connection) at the moment.  I'm still trying to iron out a couple of issues (posted in separate threads, in case others have the same problems).
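As an added illustration (not code from this thread or from Sophos), here is a small Python model of the attack paths in layouts A, B and C from the original post; the access-point arrangement in the last reply, with the file server wired to the AP, has the same segment links as B. It assumes the UTM is the only device enforcing policy and treats the consumer router as a plain switch (the compromised-router case the thread considers); the segment names are illustrative, not UTM interface names.

```python
"""Attack-path model for the layouts in this thread (constructed example).
Segments are nodes, links are edges; the UTM is the only device trusted to
enforce policy (a foothold reaches it but never passes through it here), and
the consumer router is modelled as a plain switch, the thread's worst case.
"""
from collections import deque

FIREWALL = "utm"  # traversal stops here; beyond it, UTM policy decides

# Undirected links between segments (names are illustrative, not UTM interface names).
LAYOUTS = {
    "A": [("internet", "router"), ("router", "wifi_clients"),
          ("router", FIREWALL), (FIREWALL, "file_server")],
    "B": [("internet", FIREWALL), (FIREWALL, "router"),
          ("router", "wifi_clients"), ("router", "file_server")],
    "C": [("internet", FIREWALL), (FIREWALL, "router"),
          ("router", "wifi_clients"), (FIREWALL, "file_server")],
}

def exposed_segments(layout, foothold):
    """Segments an attacker at `foothold` reaches without crossing the UTM."""
    adj = {}
    for a, b in LAYOUTS[layout]:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {foothold}, deque([foothold])
    while queue:
        node = queue.popleft()
        if node == FIREWALL:
            continue  # the UTM itself is reached; nothing behind it is
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(FIREWALL)
    return frozenset(seen)

def geo_blocking_possible(layout):
    """Country/region blocking needs the ISP link to terminate on the UTM."""
    return any({a, b} == {"internet", FIREWALL} for a, b in LAYOUTS[layout])

def report(foothold):
    """Per layout: sorted list of segments exposed to the given foothold."""
    return {name: sorted(exposed_segments(name, foothold)) for name in LAYOUTS}

if __name__ == "__main__":
    for foothold in ("internet", "wifi_clients"):
        for name, segs in report(foothold).items():
            print(f"{foothold} -> {name}: {segs}, geo-block: {geo_blocking_possible(name)}")
```

Running it shows that a wireless foothold reaches the file server only in layout B, and that layout A is the only one where the ISP link does not land on the UTM.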