
Unifi USG behind Sophos XG - vlan config

Hi,

my current network looks like this. This is a double NAT scenario but works quite well.

Now I got a Unifi USG for testing purposes. I'd like to add it between the Sophos XG and the Unifi Switch. The Sophos should keep on managing DHCP, DNS as well as VLANs. The only reason for adding the USG is that I'd like to test the traffic analysis functionality of the USG - even though most people say it's worthless :-) It should look like this

However, I can't get an internet connection in this triple NAT scenario but don't know how to establish it. If I take out the Sophos and connect the Fritzbox directly to the USG, the connection works for the native VLAN as it should. Since VLANs are managed by the Sophos, of course VLANs won't work in this testing scenario.

So the question is, what kind of settings in Sophos am I missing to make it work?

Best



  • DHCP traffic can't travel across an L3 router (in this case the "Unifi USG"), so clients behind the "Unifi switch" can't get an IP lease dynamically.

    If the Unifi USG is capable of relaying DHCP traffic (using a DHCP relay configuration like the one SFOS has), then I believe you can resolve the DHCP lease issue.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall
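The reply above rests on two DHCP facts: a client's DHCPDISCOVER is a link-local broadcast that a router does not forward, and a relay agent bridges that gap by stamping its own client-facing address into the BOOTP `giaddr` field, bumping `hops`, and unicasting the request to the server, which then answers back to `giaddr`. The following Python model is an added example, not code from the thread, Sophos or Ubiquiti; the addresses (relay interface 192.168.10.1, DHCP server 192.168.1.1, offered lease 192.168.10.50) and the client MAC are constructed for illustration, and the packet bytes are built inline so it runs offline.

```python
"""Model of DHCP relay-agent behaviour (RFC 1542 / RFC 2131 section 4.3.1).

Constructed example: addresses and MAC below are illustrative, not from the thread.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s"   # fixed BOOTP fields through chaddr (44 bytes)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST_FLAG = 0x8000


def _ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def _pack_ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER as a client broadcasts it: ciaddr/yiaddr/siaddr/giaddr and hops are zero."""
    hdr = struct.pack(BOOTP_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"))
    # sname (64) and file (128) empty, then cookie, option 53 = 1 (DISCOVER), end option
    return hdr + b"\0" * 192 + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def parse(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header fields a relay or server has to look at."""
    op, _htype, hlen, hops, xid, _secs, flags, ci, yi, si, gi, ch = struct.unpack(BOOTP_HDR, pkt[:44])
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": _ip(ci), "yiaddr": _ip(yi), "siaddr": _ip(si), "giaddr": _ip(gi),
            "chaddr": ch[:hlen].hex(":")}


def relay_to_server(pkt: bytes, relay_if_ip: str, server_ip: str, max_hops: int = 4):
    """Relay receives a client broadcast on its client-facing interface.

    Returns ((dest_ip, dest_port), forwarded_packet) or None when the packet is dropped.
    Only the first relay in a chain fills giaddr; every relay increments hops and drops
    requests that have already passed through max_hops relays (loop protection).
    """
    f = parse(pkt)
    if f["op"] != BOOTREQUEST or f["hops"] >= max_hops:
        return None
    giaddr = f["giaddr"] if f["giaddr"] != "0.0.0.0" else relay_if_ip
    out = bytearray(pkt)
    out[3] = f["hops"] + 1           # hops field
    out[24:28] = _pack_ip(giaddr)    # giaddr field
    return (server_ip, SERVER_PORT), bytes(out)


def build_offer(request: bytes, server_ip: str, offered_ip: str) -> bytes:
    """Server side (the Sophos in the thread): copies xid, flags, chaddr and giaddr from the request."""
    f = parse(request)
    mac = bytes.fromhex(f["chaddr"].replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(BOOTP_HDR, BOOTREPLY, 1, 6, f["hops"], f["xid"], 0, f["flags"],
                      b"\0" * 4, _pack_ip(offered_ip), _pack_ip(server_ip), _pack_ip(f["giaddr"]), mac)
    return hdr + b"\0" * 192 + MAGIC_COOKIE + b"\x35\x01\x02\xff"   # option 53 = 2 (OFFER)


def server_destination(reply: bytes):
    """Where the server sends a reply: to the relay (giaddr, port 67) if one was involved."""
    f = parse(reply)
    if f["giaddr"] != "0.0.0.0":
        return f["giaddr"], SERVER_PORT
    return ("255.255.255.255" if f["flags"] & BROADCAST_FLAG else f["yiaddr"]), CLIENT_PORT


def relay_to_client(reply: bytes, relay_if_ip: str):
    """Relay receives the server reply on port 67 and forwards it onto the client segment."""
    f = parse(reply)
    if f["op"] != BOOTREPLY or f["giaddr"] != relay_if_ip:
        return None   # not a reply for this relay's client-facing interface: ignore
    dest = "255.255.255.255" if f["flags"] & BROADCAST_FLAG else f["yiaddr"]
    return (dest, CLIENT_PORT), reply


if __name__ == "__main__":
    disc = build_discover(0x1234, bytes.fromhex("001122334455"))
    (dst, port), fwd = relay_to_server(disc, "192.168.10.1", "192.168.1.1")
    print("relay -> server:", dst, port, parse(fwd))
    offer = build_offer(fwd, "192.168.1.1", "192.168.10.50")
    print("server -> relay:", server_destination(offer))
    print("relay -> client:", relay_to_client(offer, "192.168.10.1")[0])
```

Without the relay step, the DISCOVER never leaves the client segment and the server behind the router never sees it, which is exactly the lease failure described in the reply; note also that a relay only accepts replies whose `giaddr` matches its own client-facing interface, so a misconfigured relay address fails silently rather than loudly.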

  • thanks for the hint. I guess the only way to make it work the way I'd like to solve it, is to put the USG in bridge mode. In Unifi Network version 8.3.32 there is supposed to be an option to disable NAT entirely but unfortunately this option doesn't exist in my unifi setting for whatever reason.

    Maybe I gotta wait.

  • The USG is now EOL; it won't get any of the new features coming. Honestly, you would save yourself a lot of issues by just leaving it out and leveraging the Sophos properly, or swapping the Sophos for a UXG/Cloud Gateway if you want the full Unifi details.

    Sophos XG Engineer

    Sophos Silver Partner