Cisco RV Router after Sophos?

I have a fairly new Cisco RV router that cost a decent amount. Can I configure Sophos Home UTM to not perform routing and still use it other than just a switch?

Modem > Sophos Home UTM > Cisco RV Router > LAN

I would also still like to use the Content Blocking and access rules in the Cisco RV along with DHCP. Essentially I just want Sophos Home UTM to be a firewall.

Could I just turn off routing in Sophos Home UTM, connect the LAN on the Sophos Home UTM hardware to the WAN on the Cisco RV and then have the Cisco operate as it currently does? I guess it would be a little redundant to have multiple firewalls and content filtering, but I read that Sophos Home UTM is one of the best firewalls.

  • Hi,

    I fail to understand why you would spend money on Cisco RV router for home use when you have a free UTM that does the same functions?

    The UTM does not do routing unless you tell it to. You can enable firewall rules only, maybe IPS, but that seems a big waste of functionality.

    You will need a firewall rule and a MASQ and that is all. If you really wanted to you could put the UTM in bridge mode so the RV does all the work.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks so much Ian. I bought the RV a while ago and before I knew about Sophos UTM. So that is why I was thinking I'd like to still utilize it. I guess the only reason I would not was if it would be less secure to have Modem > UTM > Cisco > LAN than Modem > UTM > LAN.

    So I can have UTM after the modem and have it act as a firewall and perform content filtering, and then have the RV still act as a firewall and perform its currently set content filtering? If I set the UTM in bridge mode, would I still need a firewall rule and MASQ?

  • Hi

    the UTM can do all that you want without the RV. What are you trying to achieve?

    In bridge mode the UTM will still act as a firewall and pass the external authenticating functions to the RV.

    With your setup the RV is not adding any value; the UTM in standard mode will do your content filtering and provide management all in the one place.

    Putting the UTM ahead of the RV will give you double firewall features, but I fail to see any advantages, just more management trying to resolve which box is not working correctly. With your proposed setup you could disable the MASQ in the RV because the UTM will perform that function.

    If you are using a 192.168 or a 172.16 address range then you will need a MASQ/NAT on your internet interface.

    Ian

  • Thanks, makes sense. I guess all I was trying to achieve was not wasting the money on the RV. Guess I could try to sell it.

    If there is no added value in having UTM > RV for extra security with redundant firewall etc. then I may just consider selling the RV. Maybe initially I will try it with Modem > UTM > RV to see how it is.

    So I would set the UTM in bridge mode and then create a rule on the UTM and RV?

  • Hi,

    I have never setup a UTM in bridge mode, so some of this is guess work or from reading other threads.

    In bridge mode the UTM acts as a firewall and some of the other functions you enable; not all functions are available. You would at the very least need a rule to allow traffic through the bridge and have your other rules in the RV. The UTM in this setup does the inspection etc. but is not the end point; that would be the RV.

    Ian

  • I am guessing that your Cisco device is also a firewall. If so, I do not recommend double NAT, so one of the firewall functions should be disabled. I suggest putting the Cisco firewall in front with UTM behind it in bridge mode. See my posts in the Wiki and other post about UTM port usage.
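    As an added illustration (not code from the thread or from Sophos), the two NAT pitfalls raised above, Ian's note that a 192.168/172.16 LAN needs a MASQ on the internet interface and the advice here to avoid double NAT, can be checked mechanically for a proposed Modem > ... > LAN chain. Hop names and the `bridge`/`masq` flags are assumptions of this example; the chains in the test mirror the topologies discussed in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Hop:
    """One device between the modem and the LAN (modem and LAN are implicit)."""
    name: str
    bridge: bool = False  # transparent bridge mode: no routing, no NAT
    masq: bool = False    # this hop masquerades (NATs) the LAN toward the modem


def plan_nat(chain: List[Hop], lan_cidr: str) -> dict:
    """Report where MASQ belongs and flag double NAT for a device chain.

    chain is ordered from the modem side to the LAN side.  The first routed
    (non-bridge) hop owns the internet interface and is where a MASQ/NAT
    rule belongs when the LAN uses a private (RFC 1918 or similar) range.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    routed = [h for h in chain if not h.bridge]
    natting = [h.name for h in routed if h.masq]
    masq_owner = routed[0].name if routed else None
    warnings = []

    # A bridge hop has no routing, so a MASQ rule on it is a misconfiguration.
    for h in chain:
        if h.bridge and h.masq:
            warnings.append(f"{h.name}: bridge mode cannot masquerade; remove its MASQ rule")

    # Private LAN with nobody translating: add MASQ on the internet-facing hop.
    if lan.is_private and not natting and masq_owner:
        warnings.append(f"{lan} is private: add a MASQ/NAT rule on {masq_owner}'s internet interface")

    # Two routed hops both translating is double NAT; keep only the outer one.
    double_nat = len(natting) > 1
    if double_nat:
        for name in natting:
            if name != masq_owner:
                warnings.append(f"{name}: disable MASQ, {masq_owner} already performs it (avoid double NAT)")

    return {"double_nat": double_nat, "masq_at": masq_owner, "warnings": warnings}
```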

  • OK thanks, could you explain a little more? My initial thought was that the UTM is a better firewall than the Cisco RV, so that is why I wanted it in front.

    So what would the purpose be for having the Cisco RV Router with Firewall in front of UTM in bridge mode? 

    Sounds like option 3 in the Wiki would be the way to go to test a setup like Modem > UTM > Cisco RV > LAN. And if that didn't work just do option 4 and replace.

  • You can do switch jobs with the Cisco: VLAN, ARP, port traffic etc. The home network will be faster PC<->PC, PC<->UTM. But leave the other services to the UTM! (Firewall, DHCP, DNS)

  • UTM is not a traditional firewall, which is probably why the word "firewall" is not in the product name. It is a series of packet filters, with the "Firewall Rules" layer being the fallback that is used if none of the other packet filters are applicable. This creates some complexity for system configuration. To create a global block rule, you need to use a DNAT-to-DeadEnd rule, which is not intuitive. A novice does not know this needs to be done at all, and the experienced user has to work hard to determine which ports need to be blocked using this method. I have tried to document everything I know about UTM port usage and which DNAT rules are needed in my post about "UTM Port Usage". But if you have a firewall in front, you can avoid all of the DNAT-to-DeadEnd mess. Let the firewall do pure firewall processing based on source IP&port / destination IP&port. Then let UTM do the sophisticated packet filtering about which traffic is allowed based on reputation and content.

    The hardest part about bridge mode is getting it set up.  You need two unused ports to create the bridge, and you need at least one working interface to make the change.  This is best done with a laptop connected directly to UTM.   For example, if your internal network is on 192.168.*.*, configure your laptop on a port using 10.10.10.*.   Once the bridge is established, it looks like any other interface.   You give it an IP address and subnet mask, specify the default gateway (the other firewall address) on the bridge interface, and configure static routes for internal network addresses.

  • Thanks. I guess the main reason I was considering UTM (or even something like pfSense) was I was thinking they were more traditional firewalls and/or better firewalls than the firewall in the Cisco RV Router.


    But if UTM was not a better or more secure firewall then I would probably be fine not even implementing it. I was just looking for the best security and firewall to put before the router or replace the router with.