Connection between Unifi Dream Machine and Sophos XG Home for dynamic traffic filtering.

Question

Hi All, 
 I would like to connect my Unifi Dream Machina Pro (UDMP) router to Sophos XG Home (SFOS 19.5.3 MR-3) installed on a separate computer with two LAN ports. What I want to do is not obvious and I don't know if it's even possible. In general, the entire network, VLANs, and basic firewall rules are defined in UDMP and it should stay that way, because I am very happy with it. What I miss is the more advanced New Generation Firewall configuration. No SSL Inspection, web filtering configuration, DPI etc. And I wanted to use SFOS for this. 
 Of course, I can put SFOS in bridge mode, but then I have to pass all the traffic through one interface, which is not necessary and will burden SFOS with analyzing traffic that I do not care about. But in UDMP I have 2 WAN ports and I can define that a specific device or VLAN uses one or the other WAN port. My ISP only provides an ONT with one port, so the idea is to go from the WAN2 port in UDMP, connect to the LAN interface in SFOS and the WAN from SFOS to the LAN in UDMP. This means that for selected devices the traffic actually goes through a double firewall, and for less risky ones only through a UDMP firewall.

In SFOS bridge mode this causes a loop and freezes the entire network, but in router mode it even works. Unfortunately, NAT (which I cannot turn off in UDMP) makes all traffic anonymous in SFOS and I cannot set rules for specific devices. Is it possible to somehow set this traffic to transmit information about the source IP? I tried to do something about setting up a local IPv6 network, but without success. The LAN port in SFOS would have to pretend to be an ISP and provide a network prefix, but it doesn't do that. 
 I will be grateful for any tips.

Adam Czyżewski · Accepted Answer

I have finally done it. Tried everything, even GRE tunnel, intermediate network, static route etc. Every time I had a problem with easy to manage way to push trafic into local SFOS network. So I abandoned those trials. 
 I have found a way to disable NAT on WAN2 port in UDMP by editing iptables. Those modifications unfortunatelly are not permanent, because each network, firewall or routing modifications enables NAT again. So I had to put a script which checks every minute whether NAT is enabled and disables it. It's not an elegant solution, but works as I wanted and I can see source IP in SFOS. Maybe future firmware update let me do it natively. 
 I have used this script, maybe someone will have similar expectations. 
 https://github.com/jadedeane/natanator

Adam Czyżewski · Answer

I was looking for a setup as simple as possible and it is very simple. I do not have XSG, but XG Home installed on virtual machine in Proxmox, but it doesn't matter I think. 
 You don't need any VLAN, but with VLANs should work as well. On SFOS side you configure LAN port (whatever IP scope you want, but different from any network scope you have in UDMP). I have configured it as gateway 172.16.16.1. WAN port in SFOS can be DHCP or static IP from UDMP scope. 
 On UDMP side, you can change WAN2 port from SFP+ to Port8 if you want to use a standard RJ45 connection. Then, define Internet network on WAN2 as a static IP from SFOS LAN scope (DHCP will work as well if you define DHCP serwer in SFOS, but let's assume static 172.16.16.2) and as gateway, 172.16.16.1. Then connect WAN2 port from UDMP with LAN port in SFOS. And you should access SFOS admin page. 
 Then, you connect WAN port from Sophos to any LAN port in UDMP. If you set up DHCP on SFOS WAN, you should get IP from UDMP network scope. If you want an IP from a particular VLAN in UDMP you have to configure VLAN tag and static IP on SFOS WAN port or change default network in UDMP port configuration. And that's all. 
 Now you can push a traffic from a given host or VLAN from UDMP through SFOS by defining Traffic Routes to WAN2 port. You can do it very simple from GUI in UDMP. And your traffic will go from a host through Sophos Firewall to UDMP, through its firewall to Internet. Very safe, isn't it? 
 If you don't need to define a special rules for a particular host, that's all. If you need, you have to disable NAT on WAN2 port using a script I have mentioned above. Disabling NAT on WAN2, SFOS will get a source IP of a host from your UDMP network that give you opportunity to define rules by a host.

sanket.shah · Answer

How about configuring GRE tunnel between UDMP and SFOS? It might help preserving LAN network visibility to SFOS. 
 High level thoughts: 
 "LAN to Internet" bounded traffic on UDMP need to be submitted to GRE tunnel which is terminated on SFOS. 
 On SFOS side, traffic from GRE tunnel will get decapsulated, inspected based on Firewall policy and submit it back to same (or different) GRE tunnel. 
 To prevent loop on UDMP, traffic coming from GRE tunnel should be decapsulated and route on WAN1 link (instead of resubmitting to GRE tunnel again). 
 Reverse steps need to be followed for reply traffic from the "Internet to LAN" traffic. 
 You may find few hurdles but worth evaluating it, IMHO.

apijnappels · Answer

Why not bridge the SFOS in between your fibre channel and the UDMP? Traffic will flow through the Sophos firewall from one port to the other (it does use both interfaces, not 1) and traffic can be checked while flowing through. 
 With using your second WAN interface you create a horrific setup possibly even double-natting. 
 
 PS, while the UDMP is a nice device, I think SFOS can replace it completely. Leaving you with only one device to manage instead of 2.

Connection between Unifi Dream Machine and Sophos XG Home for dynamic traffic filtering.

Top Replies