
UTM Home - Set up with existing Cable modem and WLAN router

Hi there, I seek advice on how to set up a UTM behind an existing Archer C7 WLAN router that is connected to the WAN of an existing cable modem (no special functions like WLAN, it just provides internet and is connected with an ethernet cable to the WLAN router). 

I would like to try out the UTM, which I install on a spare PC that has a built-in NIC and, if necessary, an additional USB to RJ45 adapter. 

My goal is to have all the traffic from all my devices routed through the UTM instead of through the WLAN router. I have plenty of WLAN devices and some LAN devices. How can I configure the WLAN router in order to keep using it for WLAN? I do not want to replace it with an additional AP, because the WLAN signal and speed of the Archer C7 WLAN router are quite good. 

Can I turn off the DHCP server on the WLAN router and have it enabled in the UTM, in order to have the WLAN devices connect to the WLAN router but have their traffic routed through the UTM? 

The WLAN router has the following functions: DHCP server, DynDNS login, static reservation of IP addresses via MAC address, and then the standard NAT function and the basic "firewall" functions that are built into the normal TP-Link routers.



  • There are several things you can do, however using a USB to RJ45 adapter will most likely not work due to a lack of drivers inside UTM.

    If you want to keep your current router and you would like the wireless clients to be protected by UTM, you need to place the UTM in between the cable modem and your current router. You can choose to use the UTM as a separate router/firewall (that does NAT from outside to inside), but then you will have double NAT, which can bring some trouble depending on the services you would like to use (i.e. VPN).

    If you can set up your current router as a bridged connection (and still keep WLAN), then you can disable DHCP and all connected devices will get an IP address from the UTM's DHCP scope (it must be set up, of course).

    What you could also do is place the UTM behind the current router and connect all fixed devices behind the UTM. In this case, however, your wireless clients will not be protected by the UTM, but they are completely separated from the fixed devices.

    So quite a lot of possibilities depending on what you want, but the best setup IMHO is to use the UTM as the first device behind the cable modem.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi, thank you for your reply. You wrote:

     

    If you can setup your current router as a bridged connection (and still keep WLAN), then you can disable DHCP and all connected devices will get an IP-address from the UTM's DHCP-scope (it must be set-up of course).

     

    Does that mean that the connected WLAN devices would also be protected by the UTM if I would go this way? 

  • Chris Jones9 said:

    Hi, thank you for your reply. You wrote:

     

    If you can setup your current router as a bridged connection (and still keep WLAN), then you can disable DHCP and all connected devices will get an IP-address from the UTM's DHCP-scope (it must be set-up of course).

     

    Does that mean that the connected WLAN devices would also be protected by the UTM if I would go this way? 

     

    Yes, correct, since the UTM will be between your cable modem and your router, so all traffic will also need to travel through the UTM.


  • No, I meant if I put the UTM after the router on a free LAN port of the router.

     

    But that makes sense, that I put the UTM before the router. I just have to figure out the correct settings and setup (my first UTM playground...)

  • The easiest setup to start with is to have the UTM completely transparent in between the cable modem and your current router (bridged in between). That is also how it will sometimes be implemented during a Proof of Concept phase where the UTM's primary function is to NOT interfere with the current setup where it can still monitor and report about the traffic.


  • apijnappels said:

    The easiest setup to start with is to have the UTM completely transparent in between the cable modem and your current router (bridged in between). That is also how it will sometimes be implemented during a Proof of Concept phase where the UTM's primary function is to NOT interfere with the current setup where it can still monitor and report about the traffic.

     

     

    Thank you for your reply, I will try to set up UTM and my network accordingly.

  • Unfortunately, my setup does not work. 

     

    I have set the UTM directly between the cable modem (which provides me with a dynamic IP address from my ISP) and my Archer C7 WLAN router. 

    I then bridged eth0 (LAN) and eth1 (WAN) on the UTM, and I see that eth1 gets an external IP from my ISP. First I set up eth1 as a normal ethernet connection with no bridge, it got the external IP, then I bridged it with eth0. It says that br0 has been created with the two NICs, and I still see the external IP in that eth1 dialog.

    I deactivated the DHCP server on my WLAN router and plugged the bridged UTM eth0 port into the WLAN router; eth1 of the UTM is connected to the cable modem, obviously. 

    I cannot get any device that is connected to the WLAN router to have access to the internet; there is always that yellow exclamation mark on the network icon in the Windows task bar. The IP of the clients is correctly assigned via the DHCP server from the UTM (IP 192.168.0.50, subnet 255.255.255.0, GW 192.168.0.8 (internal network)).

    On the other hand, if I connect my laptop directly to the eth0 port of the UTM, it also has no connection to the internet. I can access all my internal devices like my NAS.

    But I cannot even ping or resolve web site addresses in the UTM menu Support > Tools, so I guess my problem has something to do with the internal routing? 

    The UTM is freshly installed and set up with the installation wizard, the default firewall rules apply (internal devices allowed to connect to the outside), the masquerading is set up as default, for internal LAN --> external WAN. There is no NAT rule applied. 

    The DHCP server is set up; the DNS settings are: internal network for DNS reverse, and empty settings for the DNS forwarder (2 DNS entries provided by the ISP are shown). I also have an internal DNS forwarder for ad blocking (Pi-hole) that I have not yet integrated into my setup.

    I also tried to add the permission to the firewall rule "any IP --> any service --> any IP" when in bridge mode, still no success. 

    The UTM works internally, but does not communicate with the outside world, although it gets the ISP IP. Oh, and I get firewall log entries from the outside, hammering on my external IP and being blocked; there was even an SSH login attempt. 

     

    Any clues? 

  • Did you define a masquerading rule?

    Network protection/Nat/masquerading

    Internal_port2 is the lan network (not address or broadcast object, but network object). And interface is internet/wan pointing interface.

  • Jay Jay said:

    Did you define a masquerading rule?

    Network protection/Nat/masquerading

    Internal_port2 is the lan network (not address or broadcast object, but network object). And interface is internet/wan pointing interface.

     

     

    Hi Jay Jay,

     

    That masquerading rule is set up by default, if I am not wrong. There is a default rule that says "internal network --> external network (WAN)".

  • No need to quote when replying to a post directly above.

    Yes, that is a default rule if you went through the setup wizard.

    Next step to check is the interfaces.  That is, is your wan interface getting a public ip/gateway?

    If it's not getting an IP for external_wan, need to figure out why.

  • It just occurred to me, if you're using a cable provider, chances are the account is provisioned for a single IP address.  Once an address is assigned to your router, pc, or some other connected device, the modem will not assign any more addresses. You must either reboot the modem or clone the mac of the last assigned device in the utm.  Rebooting the modem clears the assignment.

  • Sorry for that quote mistake.

    Yes, the external NIC receives an IP address from my ISP.

    I do not quite understand your second sentence. Why would the public IP need to be duplicated?

    Maybe the problem has something to do with the fact that I cannot even ping outside IPs or sites, like google.com or 8.8.8.8, from the UTM Support > Tools menu. The UTM does not communicate to the outside, even though masquerading is set and the interfaces are set up (all has been set according to the default wizard settings, then I connected the WAN port to the modem and received a public IP from the ISP).

     

    Edit: I found a user that had some similar problem with the non-ability to ping to the outside.

    He wrote something I do not quite understand, maybe you can help?

    Quote:

    I had specified the default gateway as the external IP in the internal, but had not checked "default IPv4 gateway" in the external.

  • Pinging requires a separate firewall rule to allow such activity to pass. There are also ICMP settings in Network Protection/Firewall/ICMP that must be enabled for UTM to be able to ping outside.

    For testing purposes you can create a firewall rule that allows everything to pass out.

    local LAN (network) -> any -> any (or Internet IPv4). Don't forget to put this at the top and turn it on once created. Also make sure that Web Protection/Web Filtering is disabled. This should allow any and all traffic to pass from the LAN to the internet.

  • Unfortunately that rule does not help either, still no internet connection. I also tried bridge mode, but that did not help either :(

    Edit: I found a user that had a similar problem with the inability to access the outside.

    He wrote something I do not quite understand, though.

    Quote:

    I had specified the default gateway as the external IP in the internal, but had not checked "default IPv4 gateway" in the external.

  • I'm not sure what that means either.

    Post screen shots of your internal and external interface definitions after clicking edit on each. 
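    The two things the screenshots would reveal can also be verified from the UTM's Linux shell, and the following is an added example (not from this thread, not Sophos code) that performs that verification offline on captured text from `ip route show` and `iptables-save -t nat`. The sample outputs are constructed to match the thread's addressing (LAN 192.168.0.0/24 on eth0, WAN on eth1); 203.0.113.x is RFC 5737 documentation space standing in for the ISP-assigned address, and the interface names are assumptions.

```python
"""Offline check for the 'WAN has a public IP but nothing outside is reachable'
symptom. A Linux firewall (Sophos UTM is Linux underneath) needs BOTH a default
route out of the WAN interface AND a MASQUERADE rule for the LAN behind it.
The functions work on captured text, so the check runs without a live box."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not captured from the poster's UTM). Addressing
# follows the thread: LAN 192.168.0.0/24 on eth0, WAN on eth1 (assumed names).
# 203.0.113.0/24 is RFC 5737 documentation space, not a real ISP prefix.
IP_ROUTE_NO_GATEWAY = """\
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.8
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.5
"""
IP_ROUTE_OK = "default via 203.0.113.1 dev eth1\n" + IP_ROUTE_NO_GATEWAY

NAT_TABLE_OK = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
"""
NAT_TABLE_EMPTY = "*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n"


@dataclass
class Finding:
    ok: bool
    detail: str


def default_route(ip_route_output: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, interface) of the default route, or None if absent."""
    for line in ip_route_output.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def masquerade_rules(nat_save_output: str) -> List[Tuple[str, Optional[str]]]:
    """Return (source_network, out_interface) for each POSTROUTING MASQUERADE
    rule. A rule without -s applies to any source; without -o, to any interface."""
    pattern = re.compile(r"-A POSTROUTING(?: -s (\S+))?(?: -o (\S+))? -j MASQUERADE")
    rules = []
    for line in nat_save_output.splitlines():
        m = pattern.match(line.strip())
        if m:
            rules.append((m.group(1) or "0.0.0.0/0", m.group(2)))
    return rules


def diagnose(ip_route_output: str, nat_save_output: str,
             lan_net: str, wan_iface: str) -> List[Finding]:
    """Explain why LAN clients (and the firewall itself) cannot reach the internet."""
    findings = []
    route = default_route(ip_route_output)
    if route is None:
        findings.append(Finding(False,
            "no default route: the WAN interface holds an address but nothing "
            "non-local is reachable, so ping and DNS fail from the firewall too"))
    elif route[1] != wan_iface:
        findings.append(Finding(False,
            f"default route leaves via {route[1]}, expected WAN interface {wan_iface}"))
    else:
        findings.append(Finding(True, f"default route via {route[0]} on {route[1]}"))

    masq = masquerade_rules(nat_save_output)
    if any(src in (lan_net, "0.0.0.0/0") and out in (wan_iface, None)
           for src, out in masq):
        findings.append(Finding(True, f"MASQUERADE covers {lan_net} out of {wan_iface}"))
    else:
        findings.append(Finding(False,
            f"no MASQUERADE rule for {lan_net} on {wan_iface}: replies to the "
            "clients' private source addresses would never come back"))
    return findings


def all_ok(findings: List[Finding]) -> bool:
    return all(f.ok for f in findings)


if __name__ == "__main__":
    # Reproduces the symptom in the thread: NAT is present, the default route is not.
    for f in diagnose(IP_ROUTE_NO_GATEWAY, NAT_TABLE_OK, "192.168.0.0/24", "eth1"):
        print("OK  " if f.ok else "FAIL", f.detail)
```

    The quoted "default IPv4 gateway" checkbox on the external interface is what produces the default route the first check looks for; a masquerading rule that exists but points at the wrong interface fails the second check. One caveat from this thread itself: a failed ping from the UTM's own tools does not by itself prove a routing problem, because the ICMP settings under Network Protection/Firewall/ICMP must also allow it.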

  • Not at home right now, will post screenshots after coming home. Thinking about it, I cannot remember right now what I set for the gateway setting on the external network (default GW checked or not).