Unifi USG behind Sophos XG - vlan config

Hi,

my current network looks like this. This is a double NAT scenario but works quite well.

Now I got a Unifi USG for testing purposes. I'd like to add it between the Sophos XG and the Unifi Switch. The Sophos should keep on managing DHCP, DNS as well as VLANs. The only reason for adding the USG is that I'd like to test the traffic analysis functionality of the USG - even tough most people say it's worthless :-) It should look like this

However, I can't get a internet connection in this tripple nat scenario but don't know how to establish it. If I take out the Sophos and connect Fritzbox directly to the USG, the connection works for the native vlan as it should. Since VLANs are managed by Sophos, of course VLANs won't work in this testing scenario.

So the question is, what kind of settings in Sophos am I missing to make it work?

Best

Added TAGs
[edited by: Erick Jan at 12:14 PM (GMT -7) on 5 Aug 2024]

Top Replies

sanket.shah 1 month ago in reply to FFin +2 suggested

DHCP traffic can't travel L3 router (in this case "Unifi USG") so clients behind "Unifi switch" can't get IP lease dynamically. If Unifi USG is capable of relaying DHCP traffic (using DHCP relay configuration…

0 FFin 1 month ago

As the Unifi USG will only do filtering on LAN to WAN you will not be able to use same Network Ranges for Sophos and USG. Or you can do that with static routing but that will bypass most USG Features as well.

So create another Network between Sophos and USG, and let USG do DHCP and VLAN-Routing or temporarily replace Sophos with USG for testing.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Peter Mueller 1 month ago in reply to FFin

Hi FFin,

thanks for your answer.

I want the sophos to do DHCP and VLAN routing like it is set up today. The only reason for adding the USG in between is to use its traffic analysis and monitoring.

Does that mean I need static routes in Sophos XG for each Vlan?

i.e for vlan10.:

Destination: 192.168.10.0/24

Gateway: 192.168.1.1

Interface: Port2.10-192.168.10.1
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 FFin 1 month ago in reply to Peter Mueller

I'm quite sure that will not work - you cannot do traffic analysis and monitoring on usg when it's not gateway.
Sophos can be run transparent in bridge mode (see https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/HowToArticles/NetworkBridgeModeDeploy/index.html) but i think usg will only run in "gateway mode"
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 sanket.shah 1 month ago in reply to FFin

DHCP traffic can't travel L3 router (in this case "Unifi USG") so clients behind "Unifi switch" can't get IP lease dynamically.

If Unifi USG is capable of relaying DHCP traffic (using DHCP relay configuration like SFOS has) then I believe, you can resolve DHCP lease issue.

Regards,

Sanket Shah

Director, Software Development, Sophos Firewall
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Peter Mueller 1 month ago in reply to sanket.shah

thanks for the hint. I guess the only way to make it work the way I'd like to solve it, is to put the USG in bridge mode. In Unifi Network version 8.3.32 there is supposed to be an option to disable NAT entirely but unfortunately this option doesn't exist in my unifi setting for whatever reason.

Maybe I gotta wait.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 JimtheITguy 25 days ago in reply to Peter Mueller

The USG is now EOL, it wont get any of the new features coming, honestly you would save yourself alot of issues just leaving it out and leveraging the Sophos properly or swapping the sophos for a UXG/Cloud Gateway if you want the full Unifi details

Sophos XG Engineer

Sophos Silver Partner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel