
VMWare + Transparent Mode/Bridge Mode + DMZ

I am running Sophos Home (via VMware ESXi) and have it up and running in Transparent/Bridge mode (behind my pfSense router) but would like to configure it for DMZ as well.

I followed a "How to" for Transparent mode which is working, but I am a little confused as to how to configure for DMZ (or if doing this after installation will break things).

Easily Evaluate Sophos UTM 9.3 Using Full Transparent Mode:

http://fastvue.co/sophos/blog/easily-evaluate-sophos-utm-9-3-using-full-transparent-mode/

  • Ray,

    I think you posted this thread in the wrong place. You are using a Sophos UTM and not the XG. The steps to configure the XG are a little bit different than UTM, but for both you need an additional virtual switch on VMware, so a dedicated NIC, or use a VLAN.

  • Yes, sorry. I am new to the board and still learning. My apologies.

    So I have 3 virtual NICs configured for the guest in VMware.

    1st is for the Local LAN IP

    The 2nd and 3rd are bridged together for the external.

    It's working in bridge mode but I am unsure how I can move it into a DMZ.

    Here is a screenshot of my Sophos interfaces:

    And here is my VMware:

    Do I just configure the external IP for the DMZ network?

    Right now it's on the same subnet as the local LAN.

  • Ray,

    there is something strange. I mean, to configure UTM in bridge mode, only 2 vNICs are required and both vNICs should belong to different vSwitches in VMware (in promiscuous mode). A third vNIC is required for DMZ and, from your VMware, the DMZ vSwitch does not have a physical NIC associated.

  • Hello and thank you for your response.

    Yes, I understand what you are saying.

    I have configured other virtual machines for DMZ while using 1-2 NICs.

    However, the Sophos installation/configuration would not allow me to bridge the NIC with just 2 NICs (internal and then the WAN).

    The documentation that I followed stated 3 NICs were needed (Internal, WAN and the 3rd for Bridging).

    Sophos Interface configuration would not allow me to create the bridge without adding 2 NICs together to form the bridge.

    Here is the documentation I followed:

    http://fastvue.co/sophos/blog/easily-evaluate-sophos-utm-9-3-using-full-transparent-mode/

    As for the vSwitch, I am using pfSense (as a virtual guest).

    The DMZ vSwitch is virtual.

    Here is a quick synopsis of how it is configured:

    https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

    Do you have an applicable How To for Sophos Transparent/Bridge and DMZ configuration?

  • Ray,

    during the wizard it is possible to configure UTM as bridge and only 2 NICs are required. The other option is to convert the current configuration into bridge mode. In the configuration you are using at the moment, you have 2 different subnets and you are adding a third one (DMZ).

    You said DMZ is managed by pfSense; I do not understand. For the DMZ, you have to create a DMZ vSwitch and add a physical NIC, then connect that NIC to your DMZ switch or a VLAN.

    Maybe a network map could help us to understand what you are trying to achieve.

  • I tried multiple times (with multiple reinstallations) to configure UTM for bridge mode, and with no success.

    The 1st Internal LAN IP is easy.

    The second IP configuration (for the WAN) asks for IP (Static or Dynamic).

    If I entered the Static WAN IP, it took down my network.

    If I entered a dynamic IP, well, the IP would constantly change and this caused a problem with Endpoint Management not working after a while.

    FYI: I have static IPs from my ISP.

    Also, the Sophos Live Connect would error out. Giving it a static IP from within the DHCP scope solved this problem, but the UTM was not in Transparent/Bridge Mode.

    So if there is a way to configure this, I would love to see a How To or some sort of documentation.

    Because it just did not work.

    There are 2 networks:

    1) LAN - 192.168.1.0/24

    2) DMZ - 192.168.2.0/24

    The WAN is where pfSense must be configured in VMware in order to "communicate" with the WAN connection and the network.

    Here is an updated capture without pfSense being blurred out.

    These networks have also been defined on the pfSense router as well.

    Yes, pfSense is managing the DMZ connection via the vSwitch in VMware ESXi.

    You can see that from the screenshot above. Even though there is no physical NIC attached to it, pfSense is managing the connection, as the server has 2 NIC cards attached. It works because I have a couple of devices in the DMZ running just fine (192.168.2.0/24 network). A physical network card for the DMZ is not needed.

  • Hello and good evening.

    Just wondering if anyone had any insight into this?

  • Any word, update, follow up or recommendation for this?

  • RayEason - did you ever figure this out? I'm trying to run Sophos UTM in a VM on ESXi 5.5 in a home lab, and cannot seem to get Full Transparent mode to work. Like you, I use pfSense as my firewall, and don't really want to replace it just for UTM functionality.

    Please let me know if you figured this out!

    S

  • Hello,


    Just a thought, not sure if it would work well or not. I know double NAT can sometimes cause certain things not to work very well or not at all.


    I have been using the product since Astaro 7 / Sophos UTM 9, and just in the last 40 days gone from UTM v9 to XG ver 16.

    I have always had my Internet modem in Bridge mode and let the UTM \ XG do everything for me. Its WAN port is getting the ISP's WAN address. The product as I see it is a firewall, router, and IPS all in one, as UTM - Unified Threat Management device. I have had great luck letting it be my front end main gateway / firewall device, and not using any firewall in front of it. My XG is running on my VMware ESXi 5.5 server. I have 4 physical interfaces set to four virtual switches.

    I have seen where places use two firewalls or two routers, one behind the other, and have the first one do certain things and then the second one behind it perform the rest. And both are in gateway mode. I do know that between latency and double NAT, or NAT too many times, can cause issues for some services and applications, so this concept still might not work for you. But if you have a lab and the time to explore the idea, it is a thought.

    Just a thought, since you want to keep your current firewall: I assume it is doing some NAT for you and acting as your Gateway / Router, and I assume on its LAN interface it is using NAT and providing your LAN with DHCP. Would it make things easier or cause other issues to set up the XG / UTM in gateway mode and not Bridge mode? Would you maybe want to move your DHCP services to the XG and not the firewall? And what the firewall is using for a LAN subnet for DHCP, change that so the XG gets its WAN address from the firewall's LAN DHCP, or create a private /30 or /29 network between the firewall's LAN port and XG's WAN? Move your current LAN DHCP scope to the XG's DHCP. Then on your firewall device, port forward ports or services to the XG and let the XG/UTM route to its DMZ? Something like a "no man's land": the DMZ would be behind the firewall and yet in front of the UTM, on the UTM DMZ.

    For certain things, I have done just that: taken a cheap router and let it do its own NAT behind my UTM / XG system, where the UTM gives the Linksys router its WAN address from the UTM's LAN DHCP and then the Linksys router NATs and provides DHCP for the LAN network hanging off the Linksys LAN side (each network subnet is a different scope). I have used this when I was setting up a backup UTM machine and when experimenting with some VMs. That way I could then copy a UTM backup file over to the 2nd backup UTM machine and allow the UTM to pull updates. An easy way to have a fully identically configured backup UTM machine on the network getting updates and not causing issues with the current UTM (I was not using the HA mode). That was how I isolated the backup UTM from the main one, since on the backup UTM, it did not like having the WAN on the same /24 address as the LAN. I just added a basic router / firewall between it and the main LAN and UTM.

    Thank you for asking your question. When I was configuring my XG on the VM, I stopped and thought hard about whether I wanted to install XG v16 in gateway or bridge mode. Since I have always run my Astaro / UTM in gateway mode, I went with that. May you find a solution that works well for you.


    Chad
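A small planning check for the two layouts discussed in this thread (the bridged layout where the UTM external interface ended up on the same /24 as the LAN, and the gateway-mode layout with a private /30 between the pfSense LAN side and the UTM WAN). This is an added example, not code from the thread or from Sophos; the 192.168.1.0/24 LAN and 192.168.2.0/24 DMZ come from the thread, the 10.0.0.0/30 transit subnet and the interface names are assumptions.

```python
"""Check a per-device interface plan for the overlap that breaks routing.

Added example (not from the thread or Sophos). The transit subnet
10.0.0.0/30 and the device/interface names are assumed.
"""
import ipaddress
from typing import Dict, List

Plan = Dict[str, Dict[str, str]]   # device -> interface -> CIDR


def check_plan(plan: Plan) -> List[str]:
    """Return a list of problems found in the plan.

    Within one device, two interfaces on overlapping subnets cannot be
    routed between; this is the situation the backup UTM rejected above
    (WAN on the same /24 as the LAN). Across devices, shared subnets are
    normal (both ends of a transit link sit on one subnet), so those are
    not flagged.
    """
    problems = []
    for dev, ifaces in plan.items():
        parsed = {n: ipaddress.ip_interface(c) for n, c in ifaces.items()}
        names = sorted(parsed)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if parsed[a].network.overlaps(parsed[b].network):
                    problems.append(
                        f"{dev}: {a} ({parsed[a].network}) overlaps {b} ({parsed[b].network})")
    return problems


def linked(plan: Plan, a: str, b: str) -> bool:
    """True if endpoints 'device/iface' a and b share one subnet (a usable link)."""
    def iface(ref: str):
        dev, name = ref.split("/")
        return ipaddress.ip_interface(plan[dev][name])
    return iface(a).network == iface(b).network


# Constructed plans. BRIDGED_PLAN mirrors the external interface landing on the
# LAN subnet; GATEWAY_PLAN is the suggested layout with a /30 transit network.
BRIDGED_PLAN: Plan = {
    "utm": {"lan": "192.168.1.2/24", "wan": "192.168.1.3/24", "dmz": "192.168.2.1/24"},
}
GATEWAY_PLAN: Plan = {
    "pfsense": {"lan": "10.0.0.1/30"},                       # assumed transit, pfSense side
    "utm": {"wan": "10.0.0.2/30", "lan": "192.168.1.1/24",   # UTM WAN on the transit
            "dmz": "192.168.2.1/24"},
}

if __name__ == "__main__":
    for label, plan in (("bridged", BRIDGED_PLAN), ("gateway", GATEWAY_PLAN)):
        print(label, check_plan(plan) or "OK")
    print("pfsense<->utm link:", linked(GATEWAY_PLAN, "pfsense/lan", "utm/wan"))
```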