XG Firewall and Ubiquiti Dream Machine Pro — work together?

Greetings. I've been an XG user for some time and have run into a bit of a quandary and looking for some options.

  1. Right now I have my XG firewall at the perimeter with the XG handling firewall, routing, DHCP, and Wi-Fi duties. I do not have any remote access or VPN services enabled.
  2. We have purchased a Ubiquiti Dream Machine Pro and are looking to integrate the Dream Machine Pro into our network to provide us with a single pane of glass on the Ubiquiti mobile app for:
    1. Remote monitoring of the LAN
    2. Accessing and monitoring Ubiquiti security cameras
    3. LAN network usage by client
    4. Types of traffic, apps, and users.
  3. We already use a Ubiquiti PoE switch in the environment.

I'm trying to figure out the best way to integrate the Ubiquiti Dream Machine Pro given that:

  • I've been told that the Dream Machine has no bridge mode and therefore cannot exist behind the XG Firewall without creating a double-NAT scenario.
  • I want to keep the superior security and scanning capabilities of the XG firewall.

All that being the case, what are some options/recommendations?

  1. Is there any networking scenario where I can keep the XG at the perimeter without creating a double NAT scenario and therefore keep all my security rules, blacklist/whitelist, and scanning of web traffic in place? I would think this is the preferred method.
  2. Does the XG have a type of bridge mode where I can put the Ubiquiti at the perimeter and then connect the XG firewall so that any and all traffic still goes through the XG?
  3. Is there another alternative networking scenario?

Thanks for your suggestions and insights.

  • Hi,

    If you put the Ubiquiti on the outside of the XG I suspect you will lose access to the user data you are trying to capture.

    The XG does have a bridge mode.

    You could try double trunking one of the LAN ports on the XG to see if you can parallel the traffic so that your requirements are met.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the reply! I'm not 100% sure of the user data loss. If the Dream Machine Pro can see the internal Ubiquiti switch and the Ubiquiti switch can see the Dream Machine Pro, then theoretically I should be OK with having the data between the switch and the Dream Machine Pro propagate... or so I would assume.

    Configuring the XG firewall for double trunking and what that diagram would look like is a bit above my experience level. Would I be right to assume that I'm creating two VLANs on the XG—one with the Ubiquiti Dream Machine Pro and the second with the Ubiquiti Switch?

    Since the Dream Machine Pro would also act as the controller for the Ubiquiti setup, the Ubiquiti switch would need to see it.

  • Hi,

    You could put the Dream Machine on the outside and set up rules so that the two devices can see each other, but then you sort of defeat the purpose of the XG, because the switch is then on the outside and you are relying on the switch to assess the traffic, so what function does the XG play?

    Ian

    I have reviewed the Dream Machine. It sounds like a very good Wi-Fi device but not much else. The specifications talk about various features, but there is nothing in the documentation about how to configure them. Lots of information about the Wi-Fi performance. Lots of talk about analysis but no details, or even screenshots or examples of the reports.

    Putting the Dream Machine outside the XG does not appear to add any value in my opinion. You could connect the Dream Machine up to one port on your switch to provide the Wi-Fi management, and if you set the port up as a mirror you might be able to capture the statistics you are looking for.

    Ian

    Added my thoughts on the dream machine.
    [edited by: rfcat_vk at 12:55 AM (GMT -7) on 30 Oct 2020]
  • Ian, appreciate the insights. The Dream Machine Pro is a controller, FW, router, and security camera NVR hub all in one. It's a nice product but in my opinion steps lower than the power of the Sophos XG. I'm not using the Dream Machine Pro for Wi-Fi. I have Sophos APs tied directly into the XG that I'm using.

    The Dream Machine Pro doesn't give you granular control like the XG, so you get a super-easy GUI that's fast and functional.

    In my ideal scenario, I'd like to do XG --> Ubiquiti Dream Machine Pro (functioning as a transparent network device) --> Ubiquiti PoE+ switch. If I do that, then I'll get double NAT scenarios. Practically speaking, I'm not sure what might "break" or not "break" internally.

    Since I can't do that, the next best option would seem to be Ubiquiti DMP on the edge handling routing and FW --> XG --> Ubiquiti PoE+. Can the XG then function as a transparent device that provides all the FW and security options that I love without introducing other networking problems? I know enough to be dangerous but I'm not an L3 network engineer by any means.

    My primary goal is keeping the XG's superior cybersecurity features and protection intact and without compromise.
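    A quick way to confirm whether a routed XG behind a routing Dream Machine Pro, as laid out above, really translates traffic twice is to count the private-address hops a client sees on the way out: one NAT edge shows one RFC 1918 hop before the first public router, two stacked routers show two. The script below is an added example for this thread, not code from Sophos, Ubiquiti or the original posters; the traceroute output it parses is constructed for illustration, with 203.0.113.0/24 (a documentation range) standing in for the ISP's first public router.

```python
"""
Spot a double-NAT path from traceroute output.

Idea: every NAT device on the way out appears as a hop with an RFC 1918 (or
carrier-grade NAT, RFC 6598) address. Count the NAT-side hops before the first
globally routable one: 1 means a single NAT edge, 2 or more means traffic is
translated twice, e.g. an XG in routed mode behind a routing Dream Machine Pro.

All traceroute text below is constructed for this example, not captured from
the thread author's network.
"""
import ipaddress
import re

# Address space that sits behind a NAT boundary: RFC 1918 plus RFC 6598 CGNAT.
# Checked explicitly rather than via ip_address().is_private, because that
# flag also covers documentation ranges such as 203.0.113.0/24.
NAT_SIDE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Hop number at line start, then the first dotted-quad on the line.
# Handles Linux/macOS traceroute ("1  192.168.1.1 (192.168.1.1)  0.5 ms")
# and Windows tracert ("1     1 ms     1 ms     1 ms  192.168.1.1").
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")


def hop_addresses(traceroute_text):
    """Return the IPv4 address of each answering hop, in order.

    Hops that timed out ('* * *') carry no address and are skipped.
    """
    addrs = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        try:
            addrs.append(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue  # malformed dotted quad; ignore the line
    return addrs


def is_nat_side(addr):
    """True if addr is in RFC 1918 or CGNAT space."""
    return any(addr in net for net in NAT_SIDE_NETWORKS)


def nat_layers(traceroute_text):
    """Number of leading NAT-side hops before the first public hop."""
    count = 0
    for addr in hop_addresses(traceroute_text):
        if not is_nat_side(addr):
            break
        count += 1
    return count


def classify(traceroute_text):
    """Human-readable verdict for the samples below."""
    n = nat_layers(traceroute_text)
    if n == 0:
        return "first hop is public: no NAT on this host's path"
    if n == 1:
        return "single NAT"
    return f"double NAT: {n} private/CGNAT hops before the first public hop"


# Constructed sample: XG (or any single router) directly on the ISP link.
SINGLE_NAT = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max
 1  192.168.1.1 (192.168.1.1)  0.512 ms
 2  203.0.113.1 (203.0.113.1)  8.201 ms
 3  1.1.1.1 (1.1.1.1)  12.344 ms
"""

# Constructed sample: XG in routed mode behind a Dream Machine Pro that is
# also routing and NATing (two private hops, then the ISP).
DOUBLE_NAT = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max
 1  192.168.10.1 (192.168.10.1)  0.403 ms
 2  10.0.0.1 (10.0.0.1)  0.911 ms
 3  203.0.113.1 (203.0.113.1)  9.120 ms
 4  1.1.1.1 (1.1.1.1)  13.002 ms
"""

# Constructed sample: one home router whose ISP uses carrier-grade NAT.
# Also two layers, with a timed-out hop in the middle.
CGNAT = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max
 1  192.168.1.1 (192.168.1.1)  0.388 ms
 2  100.64.12.1 (100.64.12.1)  4.770 ms
 3  * * *
 4  203.0.113.9 (203.0.113.9)  10.551 ms
 5  1.1.1.1 (1.1.1.1)  14.100 ms
"""

if __name__ == "__main__":
    for name, sample in [("single", SINGLE_NAT), ("double", DOUBLE_NAT), ("cgnat", CGNAT)]:
        print(f"{name:7s} -> {classify(sample)}")
```

    Run `traceroute 1.1.1.1` (or `tracert` on Windows) from a LAN client and feed the text to `nat_layers()`: a result of 2 with both the DMP and the XG routing is the double NAT the thread is trying to avoid, and switching the XG to bridge mode should bring it back to 1. Note the CGNAT sample also scores 2 with only one router on site, so check whether the second private hop is your own equipment or the ISP's before blaming the topology.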

  • It sounds like if I put the Sophos box in Bridge mode: https://support.sophos.com/support/s/article/KB-000035688?language=en_US it will quite possibly do much of what I'm looking for. And it also looks as though if I wanted I could deploy the Sophos box into Mixed mode.

    Because I'm using Sophos APs with a guest network, is there any downside to using the Sophos XG in bridge mode?

  • Hi,

    I was reading about the Dream Machine, not the Dream Machine Pro. Some of my comments still apply about the lack of setup documentation. You can set up the XG with a bridge between WAN and LAN and have separate LANs.

    I have not tried Sophos APs on an XG in bridge mode, but in theory they should work. It will depend on which version of XG you are using; v18.0.3 should cover all your ideas.

    Ian

  • Yes, I'm current with XG v18.

    Based on what your insights were, I'm leaning towards the following: right now my thought is to put the DMP at the edge acting as a router with DHCP services with the ISP, then put the XG firewall in bridge mode with the Sophos APs managed by the XG. Then connect the XG Firewall to the Ubiquiti PoE+ switch (connect the Sophos APs via PoE to the switch) with the rest of the networking gear. In this architecture the security cameras are the only things that would then lie beyond the XG, but everything else in the network would be behind the XG bridge and all APs would be managed by the XG in concert with the XG security model.

    The lack of documentation is indeed frustrating. However, everything is pretty binary in the Ubiquiti GUI and done with graphical toggles. It's a very different scenario from the XG, which has both a combo of a GUI plus the ability to really put in some granular elements to customize a setup. That's why the XG still shines :-)