

Connection between Unifi Dream Machine and Sophos XG Home for dynamic traffic filtering.

Hi All,

I would like to connect my Unifi Dream Machine Pro (UDMP) router to Sophos XG Home (SFOS 19.5.3 MR-3) installed on a separate computer with two LAN ports. What I want to do is not obvious and I don't know if it's even possible. In general, the entire network, VLANs, and basic firewall rules are defined in UDMP and it should stay that way, because I am very happy with it. What I miss is the more advanced Next Generation Firewall configuration: SSL inspection, web filtering configuration, DPI etc. And I wanted to use SFOS for this.

Of course, I can put SFOS in bridge mode, but then I have to pass all the traffic through one interface, which is not necessary and will burden SFOS with analyzing traffic that I do not care about. But in UDMP I have 2 WAN ports and I can define that a specific device or VLAN uses one or the other WAN port. My ISP only provides an ONT with one port, so the idea is to go from the WAN2 port in UDMP, connect to the LAN interface in SFOS, and the WAN from SFOS to the LAN in UDMP. This means that for selected devices the traffic actually goes through a double firewall, and for less risky ones only through the UDMP firewall.

In SFOS bridge mode this causes a loop and freezes the entire network, but in router mode it even works. Unfortunately, NAT (which I cannot turn off in UDMP) makes all traffic anonymous in SFOS and I cannot set rules for specific devices. Is it possible to somehow set this traffic to transmit information about the source IP? I tried to do something with setting up a local IPv6 network, but without success. The LAN port in SFOS would have to pretend to be an ISP and provide a network prefix, but it doesn't do that.

I will be grateful for any tips.

  • Why not bridge the SFOS in between your fibre channel and the UDMP? Traffic will flow through the Sophos firewall from one port to the other (it does use both interfaces, not 1) and traffic can be checked while flowing through.

    By using your second WAN interface you create a horrific setup, possibly even double NAT.

    PS, while the UDMP is a nice device, I think SFOS can replace it completely. Leaving you with only one device to manage instead of 2.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • As I said, in bridge mode I have to put the whole traffic through Sophos, which is not necessary. I want to secure only Internet traffic. I haven't tested it thoroughly, but I am not sure whether multicast (AirPlay or Chromecast) communication will stop.

    My drawing is simplified; in my network there are some managed switches, access points and surveillance cameras. UDMP is an all-in-one solution to manage all this stuff.

  • [...] If you put the Sophos in between your modem and UDMP it will only scan internet traffic or I am missing something in your drawing. [...]

    How can I? The ONT is not an ISP router. It's a fibre channel modem. In router mode? SFOS would have to initiate a PPPoE session, but I don't see any option to do this. And I will lose the WireGuard VPN setup defined in UDMP, because it will be behind double NAT.

    I think there are only 2 options:

    1. As a bridge, but only between UDMP and the switch where the most risky stuff and APs are connected; but in this setup, the whole traffic (even local streaming etc.) will have to run through one 1 Gb Ethernet port.

    2. As a router, like in my setup. I have defined it (of course with different IP ranges) and it works. But in this case (and it's the main goal of this discussion) the problem is that everything is presented in SFOS as a single IP.

    I thought maybe there is a possibility to join those separate networks (defined in Sophos and UDMP) somehow differently and not lose the source IP. I am not a network expert.


  • If the XG is entirely within your network you do not need NAT.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I know; if I put it in bridge mode between UDMP and the switch, there won't be any. If I put it in gateway mode, UDMP will use NAT because it connects to a separate network, and it's impossible to disable it. Or rather, if I connect the LAN port of SFOS to the WAN port of UDMP, additional NAT will be set automatically.

  • IPv6 could be a solution. Let's assume that everything is connected as in my drawing and SFOS is in gateway mode. I set up the FC00:AAAA:AAAA::1 network in SFOS and SLAAC on every host connected to UDMP. Ideally it should take the network prefix from SFOS and add the host part automatically. Then each address should be global and visible in Sophos, right? But I didn't make such an IPv6 connection work. Hosts aren't visible from SFOS.

  • XG still needs a NAT for IPv6.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • How about configuring a GRE tunnel between UDMP and SFOS? It might help preserve LAN network visibility to SFOS.

    High level thoughts:

    "LAN to Internet" bound traffic on UDMP needs to be submitted to a GRE tunnel which is terminated on SFOS.

    On the SFOS side, traffic from the GRE tunnel will get decapsulated, inspected based on firewall policy and submitted back to the same (or a different) GRE tunnel.

    To prevent a loop on UDMP, traffic coming from the GRE tunnel should be decapsulated and routed on the WAN1 link (instead of being resubmitted to the GRE tunnel again).

    The reverse steps need to be followed for reply traffic in the "Internet to LAN" direction.

    You may find a few hurdles, but it's worth evaluating, IMHO.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • It's a brilliant idea, but I completely don't know how to do it on the physical layer ;) UDM doesn't give me many GUI options, but it's Linux underneath, so let's assume I can define a tunnel from the CLI. And maybe a future firmware release will not erase my definitions.

    But how do I connect the host where SFOS is installed with UDMP? Now I have connected the WAN2 port in UDMP with the LAN port in SFOS, and the WAN port in SFOS with a LAN port in UDMP. So I have (in the default installation) the 172.16.16.0/24 network in SFOS with 172.16.16.17 as static IP on the WAN2 port in UDMP, and the 192.168.0.0/24 untagged network in UDMP with 192.168.0.17 as static IP on the WAN port in SFOS.

    I can disconnect the WAN2 port and try to define a GRE tunnel that leads from the default network in UDMP to the 172.16.16.0/24 network, but on which port and with which local and remote IP? On 192.168.0.17 as the end in SFOS and 192.168.0.1 as the end in UDMP?

    Your idea forced me to think outside the box and I made the connection even simpler. I unplugged the wire between WAN2 on UDMP and LAN on SFOS and changed the WAN2 address to a random one. And I defined a static route to the 172.16.16.0/24 network with a hop through 172.16.16.17. It works; I can ping any host in the SFOS LAN and see the source UDMP IP in Live Connections. But now I don't know yet how to push Internet traffic to the 172.16.16.2 host :-(

  • I have finally done it. I tried everything, even a GRE tunnel, an intermediate network, static routes etc. Every time I had a problem finding an easy-to-manage way to push traffic into the local SFOS network. So I abandoned those trials.

    I have found a way to disable NAT on the WAN2 port in UDMP by editing iptables. Unfortunately those modifications are not permanent, because each network, firewall or routing modification enables NAT again. So I had to put in a script which checks every minute whether NAT is enabled and disables it. It's not an elegant solution, but it works as I wanted and I can see the source IP in SFOS. Maybe a future firmware update will let me do it natively.

    I have used this script; maybe someone will have similar expectations.

    https://github.com/jadedeane/natanator

  • I have wanted to do this for the longest time. I have an XGS 116. Could you please explain in detail which ports on the UDMP are used and which ports to connect to on the XGS? Are any VLANs needed? Specific firewall rules needed?

  • I was looking for a setup as simple as possible and it is very simple. I do not have an XGS, but XG Home installed on a virtual machine in Proxmox, but I think it doesn't matter.

    You don't need any VLAN, but it should work with VLANs as well. On the SFOS side you configure the LAN port (whatever IP scope you want, but different from any network scope you have in UDMP). I have configured it as gateway 172.16.16.1. The WAN port in SFOS can be DHCP or a static IP from the UDMP scope.

    On the UDMP side, you can change the WAN2 port from SFP+ to Port 8 if you want to use a standard RJ45 connection. Then define the Internet network on WAN2 as a static IP from the SFOS LAN scope (DHCP will work as well if you define a DHCP server in SFOS, but let's assume static 172.16.16.2) and 172.16.16.1 as the gateway. Then connect the WAN2 port of UDMP with the LAN port of SFOS. And you should be able to access the SFOS admin page.

    Then you connect the WAN port of Sophos to any LAN port in UDMP. If you set up DHCP on the SFOS WAN, you should get an IP from the UDMP network scope. If you want an IP from a particular VLAN in UDMP, you have to configure a VLAN tag and static IP on the SFOS WAN port or change the default network in the UDMP port configuration. And that's all.

    Now you can push traffic from a given host or VLAN in UDMP through SFOS by defining Traffic Routes to the WAN2 port. You can do it very simply from the GUI in UDMP. And your traffic will go from a host through the Sophos firewall to UDMP, then through its firewall to the Internet. Very safe, isn't it? :)

    If you don't need to define special rules for a particular host, that's all. If you do, you have to disable NAT on the WAN2 port using the script I mentioned above. With NAT disabled on WAN2, SFOS will get the source IP of a host from your UDMP network, which gives you the opportunity to define rules per host.

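For readers who want to verify what the last two posts describe (a NAT rule on UDMP's WAN2 re-appearing after configuration changes), here is an added audit helper; it is my own example, not the natanator script linked above, and it only lists and prints the matching rules rather than deleting anything. The interface name `eth9`, the chain names and the whole `iptables-save` sample below are constructed assumptions; on a real UDMP, take them from the device's own `iptables-save` output.

```shell
#!/bin/sh
# Added example: find the MASQUERADE/SNAT rules in the nat table that apply to
# a given outgoing interface (the UDMP WAN2 port in the thread) so they can be
# reviewed before any "iptables -t nat -D" is run.

# Constructed sample of iptables-save output (assumption, not real UDMP output).
# "eth9" stands in for the WAN2 interface; "eth8" for WAN1; "br0" for the LAN.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth8 -j MASQUERADE
-A POSTROUTING -o eth9 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth9 -j SNAT --to-source 172.16.16.2
-A POSTROUTING -o br0 -j ACCEPT
COMMIT'

# nat_rules_for_iface IFACE: read iptables-save text on stdin and print every
# nat-table rule that masquerades or SNATs traffic leaving IFACE.
nat_rules_for_iface() {
  iface="$1"
  awk -v ifc="$iface" '
    /^\*/ { table = substr($0, 2) }      # remember which table we are in
    table == "nat" && /^-A / {
      for (i = 1; i <= NF; i++)
        if ($i == "-o" && $(i + 1) == ifc &&
            ($0 ~ /-j MASQUERADE/ || $0 ~ /-j SNAT/))
          print
    }'
}

# nat_enabled IFACE: exit 0 if any NAT rule targets IFACE, 1 otherwise.
# This is the "is NAT back again?" check the periodic script in the thread needs.
nat_enabled() {
  [ -n "$(nat_rules_for_iface "$1")" ]
}

# delete_commands IFACE: turn each matching "-A" rule into the equivalent
# "iptables -t nat -D" command, printed for review (nothing is executed here).
delete_commands() {
  nat_rules_for_iface "$1" | sed 's/^-A /iptables -t nat -D /'
}

# Stand-alone demo on the constructed sample: `sh script.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_NAT" | delete_commands eth9
fi
```

On a live device, replace the sample with `iptables-save | nat_rules_for_iface <wan2-iface>` and check the output is only the WAN2 rules before deleting any of them.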
