
Setting up a UTM infront of another router (Unifi)

After some help.

I currently have a Unifi USG as my router. I would like to introduce a Sophos UTM as the USG is very underpowered for IPS and is missing some of the functions of the UTM.


So I just want to check my config.

Fibre modem --> Sophos UTM --> USG --> switch etc

The Sophos UTM WAN port is set up as PPPoE; Sophos UTM LAN port - static IP 10.0.0.2/31

USG WAN port - static IP 10.0.0.1/31; USG LAN port set up with 3 subnets/VLANs.


On the USG I have disabled NAT, so the Sophos UTM should see all devices - not sure how I confirm this?

Created the 3 VLANs on the Sophos UTM under Network definitions.

Created a static route on the UTM: all subnets on the USG --> USG WAN port 10.0.0.1

DNS - Allowed all the Subnets on USG to use the system as a DNS resolver

Firewall - created a rule to Allow - All --> Any --> All (just for testing)

NAT Masquerading - create a rule - Any --> WAN Interface on UTM


I also created NAT rules to port forward from the Internet to my web server.


Does this all sound right? How do I know if the NAT on the USG is disabled; should the devices show in the UTM?


Also I have set up a management interface on the UTM which connects to my switch. It seems that any traffic accessing the internet from the same VLAN as the management VLAN goes out through the management interface rather than to the USG and then to the UTM.

  • Hi

    In order to check whether the UTM is getting traffic without NAT, please take SSH access to the Sophos UTM, use tcpdump and monitor the traffic coming from the internal interface. You should be able to check using tcpdump -nei eth0, where eth0 is the LAN port of the UTM; it can be something different for your device. You may refer to this KBA, "Sophos UTM: How to capture packets and download the Packet Capture", if you want to monitor and download the traffic for analysis.

    Rest of the configuration seems good to me.

    Regards

    Jaydeep

  • Thanks for the info.

    So it looks like it is sort of working.


    I have 3 subnets on the USG. The USG is my DHCP and default gateway for those subnets.

    The Sophos UTM is the default gateway for the USG.

    The UTM looks like it can only see 1 of the subnets behind the USG. For example:

    Device 192.168.100.100 accesses a website

    The UTM sees traffic from Subnet 1 Source IP 192.168.100.100 - great


    Device 192.168.200.100 accesses a website

    The UTM sees traffic from the USG IP address and not the originating device on subnet 2.

    I have created a network definition for each subnet; it didn't seem to do anything. I also created a new interface with Ethernet VLAN, but that also didn't seem to do anything. It looks like the UTM can't see all the subnets behind the USG.

  • I think I have found my error.

    On the USG i only disabled the NAT for Subnet 1. Oops....
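Jaydeep's tcpdump check and the symptom described above (subnet 2 arriving as the USG's 10.0.0.1 instead of the device address) can be automated; this is an added example and not code from the thread, from Sophos or from Ubiquiti. It parses `tcpdump -n` output captured on the UTM's LAN interface (with or without `-e`) and reports, per internal subnet, whether original source IPs are seen and how many packets arrive masqueraded as 10.0.0.1; the third subnet 192.168.50.0/24 and the capture lines are constructed for the example.

```python
import ipaddress
import re

# From the thread: the USG's WAN address on the /31 transit link and the two
# subnets the OP names; the third subnet (192.168.50.0/24) is constructed.
USG_WAN = ipaddress.ip_address("10.0.0.1")
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("192.168.100.0/24", "192.168.200.0/24", "192.168.50.0/24")]
# Matches "src[.port] > dst[.port]:" as printed by tcpdump -n, with or without
# -e (MAC pairs never match because both groups require dotted-decimal IPv4).
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def analyse(lines):
    """Per internal subnet, count packets still carrying their original source
    IP; separately count packets whose source is the USG WAN address."""
    seen = {str(net): 0 for net in INTERNAL_SUBNETS}
    masqueraded = 0
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not an IPv4 flow line (ARP, IPv6, ...)
        src = ipaddress.ip_address(m.group(1))
        if src == USG_WAN:
            masqueraded += 1  # USG rewrote the source: its NAT is still on
            continue
        for net in INTERNAL_SUBNETS:
            if src in net:
                seen[str(net)] += 1
                break  # sources outside these nets (Internet replies) are ignored
    return seen, masqueraded

def verdict(seen, masqueraded):
    """One finding per subnet plus a NAT finding."""
    out = {net: ("original source IPs visible" if n else "never seen un-NATed")
           for net, n in seen.items()}
    out["nat"] = (f"{masqueraded} packets sourced from {USG_WAN}: USG NAT still active"
                  if masqueraded else "no masqueraded packets")
    return out

# Constructed capture lines, not output from the OP's UTM: plain -n format
# first, then the -e format with link-layer headers.
CAPTURE = """\
12:00:01.000001 IP 192.168.100.100.51000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 93.184.216.34.443 > 192.168.100.100.51000: Flags [S.], seq 2, ack 2, length 0
12:00:02.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 10.0.0.1.40000 > 93.184.216.34.443: Flags [S], seq 3, length 0
12:00:02.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 10.0.0.1.40001 > 93.184.216.34.80: Flags [S], seq 4, length 0
12:00:03.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 192.168.100.101 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:04.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.2 tell 10.0.0.1, length 28
""".splitlines()
if __name__ == "__main__":
    print(verdict(*analyse(CAPTURE)))
```

On a live box, feed it the capture instead: `tcpdump -nei eth0 -c 500 | python3 check_nat.py` with `CAPTURE` replaced by `sys.stdin`.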

  • Glad to know you've found it. I hope it's working fine now.

    Regards

    Jaydeep