

Connection between Unifi Dream Machine and Sophos XG Home for dynamic traffic filtering.

Hi All,

I would like to connect my Unifi Dream Machine Pro (UDMP) router to Sophos XG Home (SFOS 19.5.3 MR-3) installed on a separate computer with two LAN ports. What I want to do is not obvious and I don't know if it's even possible. In general, the entire network, VLANs, and basic firewall rules are defined in UDMP and it should stay that way, because I am very happy with it. What I miss is the more advanced Next Generation Firewall configuration: SSL inspection, web filtering configuration, DPI etc. And I wanted to use SFOS for this.

Of course, I can put SFOS in bridge mode, but then I have to pass all the traffic through one interface, which is not necessary and will burden SFOS with analyzing traffic that I do not care about. But in UDMP I have 2 WAN ports and I can define that a specific device or VLAN uses one or the other WAN port. My ISP only provides an ONT with one port, so the idea is to go from the WAN2 port in UDMP to the LAN interface in SFOS, and from the WAN port of SFOS to a LAN port in UDMP. This means that for selected devices the traffic actually goes through a double firewall, and for less risky ones only through the UDMP firewall.

In SFOS bridge mode this causes a loop and freezes the entire network, but in router mode it even works. Unfortunately, NAT (which I cannot turn off in UDMP) makes all traffic anonymous in SFOS and I cannot set rules for specific devices. Is it possible to somehow set this traffic to transmit information about the source IP? I tried to do something by setting up a local IPv6 network, but without success. The LAN port in SFOS would have to pretend to be an ISP and provide a network prefix, but it doesn't do that.

I will be grateful for any tips.



This thread was automatically locked due to age.
  • I have finally done it. Tried everything, even a GRE tunnel, an intermediate network, static routes etc. Every time I had a problem with an easy-to-manage way to push traffic into the local SFOS network. So I abandoned those trials.

    I have found a way to disable NAT on the WAN2 port in UDMP by editing iptables. Those modifications unfortunately are not permanent, because each network, firewall or routing modification enables NAT again. So I had to put in a script which checks every minute whether NAT is enabled and disables it. It's not an elegant solution, but it works as I wanted and I can see the source IP in SFOS. Maybe a future firmware update will let me do it natively.

    I have used this script, maybe someone will have similar expectations.

    https://github.com/jadedeane/natanator

  • I have wanted to do this for the longest time. I have an XGS 116. Could you please explain in detail what ports on the UDMP are used and which ports to connect to on the XGS? Are any VLANs needed? Specific firewall rules needed?

  • I was looking for a setup as simple as possible and it is very simple. I do not have an XGS, but XG Home installed on a virtual machine in Proxmox, but I think it doesn't matter.

    You don't need any VLAN, but it should work with VLANs as well. On the SFOS side you configure the LAN port (whatever IP scope you want, but different from any network scope you have in UDMP). I have configured it as gateway 172.16.16.1. The WAN port in SFOS can be DHCP or a static IP from the UDMP scope.

    On the UDMP side, you can change the WAN2 port from SFP+ to Port 8 if you want to use a standard RJ45 connection. Then define the Internet network on WAN2 as a static IP from the SFOS LAN scope (DHCP will work as well if you define a DHCP server in SFOS, but let's assume static 172.16.16.2) with 172.16.16.1 as the gateway. Then connect the WAN2 port of the UDMP to the LAN port of SFOS. And you should be able to access the SFOS admin page.

    Then you connect the WAN port of Sophos to any LAN port in UDMP. If you set up DHCP on the SFOS WAN, you should get an IP from the UDMP network scope. If you want an IP from a particular VLAN in UDMP you have to configure a VLAN tag and static IP on the SFOS WAN port or change the default network in the UDMP port configuration. And that's all.

    Now you can push traffic from a given host or VLAN in UDMP through SFOS by defining Traffic Routes to the WAN2 port. You can do it very simply from the GUI in UDMP. And your traffic will go from a host through Sophos Firewall to UDMP, through its firewall to the Internet. Very safe, isn't it?

    If you don't need to define special rules for a particular host, that's all. If you do, you have to disable NAT on the WAN2 port using the script I mentioned above. With NAT disabled on WAN2, SFOS will get the source IP of a host from your UDMP network, which gives you the opportunity to define rules per host.
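The NAT-disabling step above relies on an external script (natanator) whose contents are not reproduced in the thread. The following is an added example written for this page, not the natanator script and not code from any of the posters, showing the mechanism the thread describes: list the nat table, pick out the MASQUERADE/SNAT rules that send traffic out of the WAN2 interface, delete them, and repeat once a minute because a controller change re-adds them. It assumes the UDM Pro's shell has `iptables` and that WAN2 is the Linux interface `eth9` (an assumption; set `WAN2_IF` to the name your unit shows in `ip link`). The rule-parsing function takes the `iptables -t nat -S` listing on stdin so it can be exercised without touching a live router.

```shell
#!/bin/sh
# Added example (not natanator, not code from the thread): keep NAT disabled on
# the UDM Pro's WAN2 uplink so the SFOS LAN interface sees real host source IPs.
# Assumption: WAN2 is Linux interface "eth9"; override with WAN2_IF=... if not.
WAN2_IF="${WAN2_IF:-eth9}"
CHECK_INTERVAL="${CHECK_INTERVAL:-60}"   # seconds, per the "every minute" loop

# masq_delete_cmds: read "iptables -t nat -S" output on stdin and print one
# "iptables -t nat -D ..." command for every MASQUERADE or SNAT rule whose
# output interface is the given one. The whole nat table is scanned (not just
# POSTROUTING) because UniFi OS may keep its rules in vendor-specific chains.
# Rules for other interfaces (the real ISP uplink) are never touched.
masq_delete_cmds() {
    ifc="$1"
    while IFS= read -r rule; do
        case "$rule" in
            "-A "*" -o $ifc "*"-j MASQUERADE"*|"-A "*" -o $ifc "*"-j SNAT"*)
                # "-A CHAIN spec" (append) becomes "-D CHAIN spec" (delete).
                printf 'iptables -t nat -D %s\n' "${rule#-A }"
                ;;
        esac
    done
}

# plan_nat_removal: what would be deleted right now (dry run, prints only).
plan_nat_removal() {
    iptables -t nat -S | masq_delete_cmds "$WAN2_IF"
}

# nat_enabled_on_wan2: succeed (exit 0) if any NAT rule still targets WAN2.
nat_enabled_on_wan2() {
    [ -n "$(plan_nat_removal)" ]
}

# disable_nat_once: delete every matching rule found at this moment.
# eval is acceptable here: the input comes from iptables' own -S output and
# only lines beginning with "-A" that jump to MASQUERADE/SNAT get this far.
disable_nat_once() {
    plan_nat_removal | while IFS= read -r cmd; do
        logger -t nat-off-wan2 "removing: $cmd" 2>/dev/null
        eval "$cmd"
    done
}

# watch_nat: poll forever; a network/firewall/routing change in the controller
# re-adds the rules, so this re-removes them within one interval.
watch_nat() {
    while :; do
        if nat_enabled_on_wan2; then
            disable_nat_once
        fi
        sleep "$CHECK_INTERVAL"
    done
}

# No default action: run with an explicit verb so sourcing the file is harmless.
case "${1:-}" in
    dry-run) plan_nat_removal ;;
    apply)   disable_nat_once ;;
    watch)   watch_nat ;;
esac
```

Run `sh nat-off-wan2.sh dry-run` first and confirm that the only rules listed are the ones for the WAN2 interface; then `apply` once, and start `watch` from whatever persistence mechanism your UniFi OS version offers. Once the UDMP stops masquerading, the source addresses arriving at the SFOS LAN zone are the real UDMP subnets rather than 172.16.16.2, so check that the SFOS firewall rules used for this path accept those source ranges and not only the 172.16.16.0/24 transit network.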