
Using with ONE LAN interface GATEWAY

Hello,

I am trying at home to migrate from UTM to SFOS. On the good old UTM there was only one LAN interface. This was the gateway for some PCs.

In the network configuration on the UTM, I configured the real router's gateway as the gateway on this one UTM NIC. It worked.

Now on SFOS I can't configure a gateway on the LAN interface (again only one NIC).

What would be the 1:1 configuration for SFOS, like the UTM had?

best regards

michael



Added TAGs
[edited by: Erick Jan at 12:46 PM (GMT -7) on 5 Sep 2024]
  • SFOS follows the principle of Zones. So you can have one interface in one zone. 
    Do you use VLANs? If not, how did you use it with UTM? Because this opens a lot of routing questions. 

    Essentially you can use it with VLANs easily. 

    If you have only one LAN interface without VLANs, you need to get the routing straight, which can be painful. 

    __________________________________________________________________________________________________________________

  • Until now no VLANs.

    On UTM that's all:

    Maybe SFOS needs a LAN and a WAN interface.

  • And how are you routing "on this firewall"? 
    Or what's your outcome here? 
    Because yeah, you can do this on SFOS too, and it will work. But how does a client interact with this firewall? Is the default GW for your client the 192.168.0.200? 
    Essentially: You can get this working on SFOS too, but not sure if this is really something worth following up. VLANs and a clean cut of interfaces are more applicable. 

    You would have to MASQ the traffic on the same subnet and send it weirdly in the network from a to b. 

    And you would do this by using a static route. Simply build a static route for 0.0.0.0 to 192.168.0.25. 
    Do not forget the MASQ Rule. 

    __________________________________________________________________________________________________________________

  • Thank you - I will try it.

    It seems the UTM needs NO GUI-configured routing... it routed everything to 192.168.0.25 with only the gateway configured at NIC level.

    Yes, .200 is the default GW for some clients at home. Until now no VLAN is needed at home - maybe the children will do some hacks at layer 2-x level ...

    Also, .200 is an 'exposed host' via the German Fritzbox, so I can use .200 with SSL VPN from outside or do some NAT from outside through the Fritzbox.

  • SFOS only allows a default gateway to be placed on a WAN interface. Using a WAN interface has other implications: device access ACLs and certain mechanisms do not work. 
    Therefore it's easier to work with a LAN zone and use a 0.0.0.0 route to your GW instead. 

    __________________________________________________________________________________________________________________

  • Hi,

    I'm a bit confused by the design.
    You place 2 doors within the same network and hope your users & devices use the correct one?
    Some other applications may "see" the other door and ignore the correct way.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
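The following is an added example, not code from the thread or from Sophos: a small constructed model of the one-armed setup recommended above (firewall 192.168.0.200 with a single LAN interface, a static 0.0.0.0 route to 192.168.0.25 and a MASQ rule) and of Dirk's "two doors" objection. All addresses, the topology and the outside host 203.0.113.5 are assumptions for this example; nothing here talks to a real device. It traces the forward and reply path of one client connection and shows why the MASQ rule is not optional: without it the Fritzbox delivers the reply straight to the client on the same subnet and the firewall never sees the return traffic.

```python
"""
Constructed model of the one-armed SFOS gateway discussed in this thread.
Firewall 192.168.0.200 has a single LAN interface, a static route
0.0.0.0/0 -> 192.168.0.25 (the Fritzbox) and optionally a MASQ (SNAT)
rule.  All addresses and the topology are assumptions for this example;
nothing here talks to a real device.
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")
CLIENT = "192.168.0.10"      # LAN PC; default gateway set to .200 (assumed)
FIREWALL = "192.168.0.200"   # SFOS, one LAN interface, no WAN zone
ROUTER = "192.168.0.25"      # Fritzbox, the real internet gateway
INTERNET = "203.0.113.5"     # an outside host (TEST-NET-3, assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lan_next_hop(default_gw: Optional[str], dst: str) -> str:
    """On-link destinations are delivered directly; everything else goes to the default gateway."""
    if ipaddress.ip_address(dst) in LAN:
        return dst
    if default_gw is None:
        raise ValueError("no default route")
    return default_gw


def forward_path(masq: bool, client_gw: str = FIREWALL):
    """Hops taken by CLIENT -> INTERNET, plus the packet as it leaves the LAN."""
    pkt = Packet(CLIENT, INTERNET)
    hops = [CLIENT, lan_next_hop(client_gw, pkt.dst)]
    if hops[-1] == FIREWALL:
        if masq:
            pkt = replace(pkt, src=FIREWALL)          # MASQ rule: SNAT to .200
        hops.append(lan_next_hop(ROUTER, pkt.dst))    # static route 0.0.0.0 -> .25
    hops.append(INTERNET)                             # Fritzbox NATs to the internet
    return hops, pkt


def reply_path(masq: bool, client_gw: str = FIREWALL):
    """Hops the reply takes back into the LAN; the Fritzbox sees the whole LAN as on-link."""
    _, out = forward_path(masq, client_gw)
    reply = Packet(INTERNET, out.src)
    hops = [INTERNET, ROUTER, lan_next_hop(None, reply.dst)]
    if hops[-1] == FIREWALL:
        hops.append(CLIENT)   # firewall reverses the SNAT and forwards to the client
    return hops


def firewall_sees_both_directions(masq: bool, client_gw: str = FIREWALL) -> bool:
    """True only if the stateful firewall is on the path in both directions."""
    fwd, _ = forward_path(masq, client_gw)
    return FIREWALL in fwd and FIREWALL in reply_path(masq, client_gw)


if __name__ == "__main__":
    for masq in (False, True):
        print(f"MASQ={masq}: fwd={forward_path(masq)[0]} reply={reply_path(masq)}")
    # Dirk's "second door": a client that simply uses .25 as its gateway
    print("client using .25 directly:", forward_path(True, client_gw=ROUTER)[0])
```

Run it and compare the two reply paths: with MASQ off the reply goes 203.0.113.5 -> .25 -> .10 and the firewall's connection table, proxy and web filter never see the return half of the connection; with MASQ on it goes .25 -> .200 -> .10. The last line shows the bypass the later replies warn about: any host that points its default gateway at .25 never touches .200 at all, which is a routing fact and not something the firewall can enforce on a single shared subnet.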

  • Hi, it's only for home use and family. Theoretically every smartphone connected via USB to a PC is a door :-) They have no local admin/root rights on the devices, so the GW is 'secure'. The main use case is the proxy blacklists.

  • While your setup may fit your needs and they have no local admin on the devices, they might be able to start their devices with a Linux live environment and go directly to the Fritzbox as gateway.
    Why not simply add a 2nd NIC to the machine and do proper LAN to WAN routing with no easy options to bypass the firewall (other than physically plugging cables)?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • For routing I need 2 different networks. But I won't change all LAN client IPs and I will not change the IP of the Fritzbox router, and the router can only handle 1 IP on its LAN interface. To be really secure I would also need a safe to prevent plugging an RJ45 cable into the router, better an MDM, NAC, glue up all USB ports and lock up all PC cases, authentication only with an RFID implant in every family member's forehead.

  • Sure, you could do all that. But I see now you don't want anything to change and are not willing to change the LAN client IPs, which may all be static IPs now, to have a reservation in the DHCP server so they still have a "fixed" address.

    We just tried to advise you on a situation that would give better protection and would make better use of the capabilities of the firewall. If that is not what you are looking for then I think in that case Lucar Toni's answer might be your best option.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.