Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 13 replies
  • Answers 3 answers
  • Subscribers 43 subscribers
  • Views 8700 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connection between Unifi Dream Machine and Sophos XG Home for dynamic traffic filtering.

Adam Czyżewski

Hi All,

I would like to connect my Unifi Dream Machina Pro (UDMP) router to Sophos XG Home (SFOS 19.5.3 MR-3) installed on a separate computer with two LAN ports. What I want to do is not obvious and I don't know if it's even possible. In general, the entire network, VLANs, and basic firewall rules are defined in UDMP and it should stay that way, because I am very happy with it. What I miss is the more advanced New Generation Firewall configuration. No SSL Inspection, web filtering configuration, DPI etc. And I wanted to use SFOS for this.

Of course, I can put SFOS in bridge mode, but then I have to pass all the traffic through one interface, which is not necessary and will burden SFOS with analyzing traffic that I do not care about. But in UDMP I have 2 WAN ports and I can define that a specific device or VLAN uses one or the other WAN port. My ISP only provides an ONT with one port, so the idea is to go from the WAN2 port in UDMP, connect to the LAN interface in SFOS and the WAN from SFOS to the LAN in UDMP. This means that for selected devices the traffic actually goes through a double firewall, and for less risky ones only through a UDMP firewall.

In SFOS bridge mode this causes a loop and freezes the entire network, but in router mode it even works. Unfortunately, NAT (which I cannot turn off in UDMP) makes all traffic anonymous in SFOS and I cannot set rules for specific devices. Is it possible to somehow set this traffic to transmit information about the source IP? I tried to do something about setting up a local IPv6 network, but without success. The LAN port in SFOS would have to pretend to be an ISP and provide a network prefix, but it doesn't do that.

I will be grateful for any tips.



This thread was automatically locked due to age.
  • 0

    Why not bridge the SFOS in between your fibre channel and the UDMP? Traffic will flow through the Sophos firewall from one port to the other (it does use both interfaces, not 1) and traffic can be checked while flowing through.

    With using your second WAN interface you create a horrific setup possibly even double-natting.

    PS, while the UDMP is a nice device, I think SFOS can replace it completely. Leaving you with only one device to manage instead of 2.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    As I said, in bridge mode I have to put the whole traffic through Sophos which is not necessary. I want to secure only Internet traffic. I haven't tested it thoroughly but I am not sure whether multicast (Airplay or Chromecast) communication will not stop.

    My drawing is simplified, in my network there are some managed switches, access points and surveillance cameras. UDMP is all-in-one solution to manage all this stuff.

  • 0 in reply to Adam Czyżewski

    If you put the Sophos in between your modem and UDMP it will only scan internet traffic or I am missing something in your drawing.

    However, you can likely can define routing rules in UDMP to go to the Sophos machine and back into the LAN as you suggest. Just make sure you don't reuse ip-ranges. Sophos LAN side should be in same range as UDMP WAN2 range. Sophos WAN side should be in UDMP LAN range.

    The setup you suggest would only make (a little bit) sense if you want some internet traffic to be scanned while other traffic would not be scanned, but you could still do that when bridging. I suspect however your drawing is incomplete since you also mention chromecast devices. I suppose those devices connect wirelessly to the ONT router. This will very likely give you headache with a Sophos bridge in between.

    You should really ask yourself the question if your really want the extra features. Managing SSL inspection is an ongoing process in which you will always find new websites that do not (completely) work with SSL inspection. Even applications that have always worked may give troubles later on when they start checking certificates. This added to the setup you suggest will not be a simple solution. You will likely find yourself struggeling to find where and what to alter when you discover something is not working as expected. Especially if things had been going well for some time and you start to forget about the little details.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    [...]If you put the Sophos in between your modem and UDMP it will only scan internet traffic or I am missing something in your drawing.[...]

    How can I? ONT is not a ISP router. It's fiber channel modem. In router mode? SFOS would have to initiate PPPoE session, but I don't see any option to do this. And I will loose Wireguard VPN setup defined in UDMP, because it will be after double NAT.

    I think there are only 2 options:

    1. As a bridge but only between UDMP and switch where most risky stuff and AP's are connected, but in this setup, the whole traffic (even a local streeming etc) will have to run through 1GB ethernet port.

    2. As a router like in my setup. I have defined it (of course with different ip-ranges) and it works. But in this case (and it's the main goal of this discussion) is the problem that everything is presented in SFOS as a single IP.

    I thought maybe there is a possibility to join those separate networks (defined in Sophos and UDMP) somehow different and not lose source ip. I am not a network ekspert.

     

  • 0 in reply to Adam Czyżewski

    If the XG is entirely within your network you do not need NAT.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Yes, I know, if I put it in bridge mode between UDMP and switch, there won't be any. If I put it in gateway mode, UDMP will use NAT because it connects to a separate network and it's impossible to disable it. Or rather if I connect LAN port of SFOS to WAN port of UDMP, additional NAT will be automatically set.

  • 0 in reply to Adam Czyżewski

    IPv6 could be an solution. Let's assume that everything I connected like on my drawing and SFOS is in gateway mode. I setup FC00:AAAA:AAAA::1 network in SFOS and SLAAC on every host connected to UDMP. Ideally it should take network prefix from SFOS and add host part automatically. Then each address should be global and visible in Sophos, right? But I didn't make such IPv6 connection working. Hosts aren't visible from SFOS

  • 0 in reply to Adam Czyżewski

    XG still needs a NAT for IPv6.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    How about configuring GRE tunnel between UDMP and SFOS? It might help preserving LAN network visibility to SFOS.

    High level thoughts:

    "LAN to Internet" bounded traffic on UDMP need to be submitted to GRE tunnel which is terminated on SFOS.

    On SFOS side, traffic from GRE tunnel will get decapsulated, inspected based on Firewall policy and submit it back to same (or different) GRE tunnel.

    To prevent loop on UDMP, traffic coming from GRE tunnel should be decapsulated and route on WAN1 link (instead of resubmitting to GRE tunnel again).

    Reverse steps need to be followed for reply traffic from the "Internet to LAN" traffic.

    You may find few hurdles but worth evaluating it, IMHO.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • 0 in reply to sanket.shah

    It's a brilliant idea, but I completely don't know how to do it on physical layer ;) Although UDM doesn't give me much GUI options, but it's linux underneath so let's asume I can define a tunnel from CLI. And maybe future firmware release will not erase my definitions.

    But how to connect a host where SFOS is installed with UDMP? Now I have connected WAN2 Port in UDMP with LAN Port in SFOS and WAN Port in SFOS with LAN port in UDMP. So I have (in default installation) 172.16.16.0/24 network in SFOS with 172.16.16.17 static IP on WAN2 Port in UDMP and 192.168.0.0/24 untaged network in UDMP with 192.168.0.17 static IP on WAN port in SFOS.

    I can disconnect WAN2 port and try to define GRE tunnel that leads from default network in UDMP to 172.16.16.0/24 network, but on which port and IP local and remote? On 192.168.0.17 as the end in SFOS and 192.168.0.1 as the end in UDMP?

    Your idea forced me to think out of the box and I did the connection even simpler. I pluged off the wire between WAN2 UDMP and LAN SFOS and changed WAN2 address to random one. And defined a static route to 172.16.16.0/24 network with hop through 172.16.16.17. It works, I can ping any host in SFOS LAN and see source UDMP IP in Live Connections. But now I don't know yet how to push Internet trafic to a 172.16.16.2 host :-(

Unfiltered HTML