
How to best configure Sophos UTM Home with Xfinity Gateway and Google Wifi?

Hello,


I have installed Sophos UTM Home v9.409-9 on a fanless PC behind an Xfinity Arris Modem/Gateway in DMZ mode and it's working well.  I do have a new problem though and am unsure how to best re-configure the UTM and/or the network.  I was previously using a Unifi AC Lite AP connected to a switch behind the UTM, but am now trying a Google Wifi (3 pack) mesh wireless network.  The problem is that the Google Wifi is a router and DHCP cannot be disabled, so the hosts connected to the Google Wifi are triple NATed, which makes routing and inter-network communication challenging.  I've made do by creating a firewall rule from the IP address of the main Google Wifi unit --> ANY --> Internet IPv4 to allow my Nest thermostats to reach the internet, but would like to resolve the triple NAT fiasco while still letting the UTM inspect all traffic from hosts on any of my internal networks.

The gateway used to be configured in Bridge mode, but it causes the UTM interface to lose connectivity often, which DMZ mode has resolved.  However, the gateway's DHCP server is enabled, the UTM also has DHCP server enabled and the Google Wifi has DHCP server enabled.  Cabling would be ideal, but isn't feasible due to the complexity of cabling through two stories of an existing home without ripping into too many walls.


Can anyone provide some advice on the best way to reconfigure the network or reconfigure the UTM to eliminate the triple NAT?  Ideally, I'd like to have both wired and wireless devices on the same subnet and traffic still filtered through the UTM so I'd have more control over the devices behind the UTM.  I also plan to add some IP security cameras connected to the ethernet jack on one of the Google Wifi Nodes but can't foresee how it's going to work with triple NAT.

Below is my current network diagram.  Thanks in advance for your advice and assistance.

  • Herman,

    The problem here is too many networks attempting to communicate on an "unmanaged" network.  The issue is in two places - the device acting as the gateway/router, and the mesh wi-fi system.  There are two possible solutions: a quick fix, and a more thorough solution that may not require an additional purchase.  Both solutions require little to no change to your topology map.

    The Quick Fix is to go back to your UniFi AC Lite AP.  Google Wi-Fi and other home mesh networks require double NAT routing, and this causes issues for many users.  They are not compatible with the needs you have here.  You require a Wi-Fi system that can be deployed in a bridge mode, like the Apple Airport Extreme, NetGear NightHawk, or Linksys AC, but this wastes a few features on these devices.  A better fit and more robust solution is your UniFi AP with a UniFi Cloud controller or something else like Sophos Secure Wireless, or Linksys Business Wi-Fi.  In order to properly deploy your UniFi or a similar solution, you will also need to replace your ethernet switch with a managed POE switch from UniFi, Cisco, or another vendor.  These options provide a mesh-network capability, and they can allow Guest Wi-Fi to operate.  If you need to add more network separation, you must use the more thorough option below.

    The more thorough approach requires more work and more forethought if you intend to remain with your Google Wi-Fi.  The first hurdle is the coordination between the Xfinity Arris Modem and the Sophos SG UTM.   The Arris modem only handles 1-2 networks while the SG UTM handles multiple networks.  The best solution here is to put the Xfinity Modem in bridge mode and the Sophos SG UTM in Gateway mode.  This shifts the Gateway for the modem to the UTM and solves the issue of multiple networks sharing one NAT.  This is the default setup you will see in most cases with a Sophos UTM/Firewall behind an Arris modem.  Replacing your ethernet switch with a managed POE switch is also recommended, but is not required if you only have 1 or 2 networks.   *There is a different variation to this solution which BAlfson described in a discussion with Herman above, but it only allows 1-2 networks with a single NAT*

    At this point, it is best to go back to your UniFi AP with a UniFi Cloud controller or one of the other options in Quick Fix above.  If you decide to keep your Google Wi-Fi in place, it needs to be placed in Bridge Mode with the second, "Not Recommended" option.  The bridged Google Wi-Fi point joins the internal 192.168.1.x network as an AP and relays that same DHCP to the wireless devices connected to it.

    There are a couple of things with this setup that you need to consider if you keep your Google Wi-Fi in place:

    1. By taking the Google Wi-Fi out of Mesh Mode and placing it in bridge mode, you may lose the large coverage area once provided by the mesh capability.  You may be limited to using only one of the Google Wi-Fi points in the 3-pack.  If you feel this is a waste, consider redeploying your UniFi AP with a UniFi Cloud controller or purchasing one of the options above in the Quick Fix.

    2. You may not be able to activate or deploy the native Guest Wi-Fi in the Google Wi-Fi point or any other system when plugged into your Ethernet Switch.  You may have to purchase a managed switch listed in Quick Fix above.
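A check for the triple-NAT diagnosis in the question and for verifying the bridge-mode fix in the reply (example code added here, not from the thread): it parses a traceroute run from a client and counts the private-address routers before the first public hop. The hop addresses are constructed samples, and treating every private router hop as a NAT boundary is an assumption that holds for typical home gear.

```python
import ipaddress

# Ranges that mean a host is still inside a NAT'd network: RFC 1918 private
# space, RFC 6598 carrier-grade NAT and link-local.
NAT_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16")]

def is_private_hop(addr):
    return any(ipaddress.ip_address(addr) in net for net in NAT_RANGES)

def parse_traceroute(text):
    """Return one address per hop line (None for a '* * *' timeout)."""
    hops = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # skip the 'traceroute to ...' banner
        addr = None
        for tok in parts[1:]:
            try:
                addr = str(ipaddress.ip_address(tok.strip("()")))
                break
            except ValueError:
                continue  # RTT values like '1.2' and 'ms' are not addresses
        hops.append(addr)
    return hops

def nat_layers(hops):
    """Count consecutive private-address routers before the first public hop.
    Assumption: in a home network each one is a NAT boundary, so the count is
    the NAT depth (a bridged access point never appears as a hop)."""
    depth = 0
    for addr in hops:
        if addr is None:
            continue  # a silent hop tells us nothing either way
        if not is_private_hop(addr):
            break
        depth += 1
    return depth

# Constructed sample: a wireless client in the setup from the question
# (Google Wifi LAN -> UTM internal 192.168.1.x -> Xfinity gateway in DMZ mode).
TRIPLE_NAT = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max
 1  192.168.86.1  1.2 ms
 2  192.168.1.1  2.0 ms
 3  10.0.0.1  3.1 ms
 4  203.0.113.1  11.4 ms
 5  8.8.8.8  14.0 ms"""
```

After the modem is bridged and the Google Wifi is in bridge mode, the same run from a wireless client should report exactly one layer, the UTM.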

