
How to best configure Sophos UTM Home with Xfinity Gateway and Google Wifi?

Hello,


I have installed Sophos UTM Home v9.409-9 on a fanless PC behind an Xfinity Arris Modem/Gateway in DMZ mode and it's working well. I do have a new problem though and am unsure how to best re-configure the UTM and/or the network. I was previously using a Unifi AC Lite AP connected to a switch behind the UTM, but am now trying a Google Wifi (3 pack) mesh wireless network. The problem is that the Google Wifi is a router and DHCP cannot be disabled, so the hosts connected to the Google Wifi are triple NATed, which makes routing and inter-network communication challenging. I've made do by creating a firewall rule from the IP address of the main Google Wifi unit --> ANY --> Internet IPv4 to allow my Nest thermostats to reach the internet, but would like to resolve the triple NAT fiasco while still letting the UTM inspect all traffic from hosts on any of my internal networks.

The gateway used to be configured in Bridge mode, but it causes the UTM interface to lose connectivity often, which DMZ mode has resolved.  However, the gateway's DHCP server is enabled, the UTM also has DHCP server enabled and the Google Wifi has DHCP server enabled.  Cabling would be ideal, but isn't feasible due to the complexity of cabling through two stories of an existing home without ripping into too many walls.


Can anyone provide some advice on the best way to reconfigure the network or reconfigure the UTM to eliminate the triple NAT?  Ideally, I'd like to have both wired and wireless devices on the same subnet and traffic still filtered through the UTM so I'd have more control over the devices behind the UTM.  I also plan to add some IP security cameras connected to the ethernet jack on one of the Google Wifi Nodes but can't foresee how it's going to work with triple NAT.

Below is my current network diagram.  Thanks in advance for your advice and assistance.

  • Hi Herman.

    I like that you tackled something general that most people would try to set up. I would like to see what your firewall rules are for this setup.

    I understand that your Nest must be wireless connected and must be a DMZ as it is sending information as an outside server would.

    How do you have your Google Wifi rules set for this setup? I am still doing something very similar and would like a clear explanation of your rule setup.

    This would help me not guess as I fumble through my own settings.

    Thanks

    Rick M

  • I haven't had time to get back to this, but am looking at converting the Google Wifi APs to bridge mode, which eliminates Google's mesh, disables DHCP and routing and reverts all nodes to plain APs. I'm not sure this is even doable with more than one Google AP, though. I might go back to Unifi APs with the UTM handling the routing and DHCP and drop Google Wifi and its requirements altogether.

    I have rules that allow the Nest thermostats out without a DMZ.  


    Create Network Definitions (Reserve IP for Nest devices using MAC address/Static IP)


    Create Service Definitions:


    Create your Firewall rules referencing the network and service definitions you defined earlier
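An added illustration, not from this thread and not Sophos UTM code: a small Python model of the three-step rule structure the reply above describes (network definitions for the Nest devices reserved by MAC, service definitions, and firewall rules that reference both), with an extra NAT step to show why such per-device rules stop matching once the Google Wifi unit is routing, as in the original post. All addresses, MACs and the rule table are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Network definitions. The Nest entries stand for the static DHCP
# reservations (by MAC) the reply recommends; values are constructed.
NEST_RESERVATIONS = {
    "nest-upstairs":   ("aa:bb:cc:00:00:01", "192.168.1.50"),
    "nest-downstairs": ("aa:bb:cc:00:00:02", "192.168.1.51"),
}
NETWORKS = {
    "Nest Devices": {ip for _mac, ip in NEST_RESERVATIONS.values()},
    "Internet IPv4": None,  # any non-private address (see in_network)
}
# Service definitions: name -> set of (protocol, destination port)
SERVICES = {
    "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
}
# Firewall rules (source, service, destination, action); first match wins
RULES = [
    ("Nest Devices", "HTTPS", "Internet IPv4", "allow"),
    ("Nest Devices", "DNS", "Internet IPv4", "allow"),
]
DEFAULT_ACTION = "drop"  # traffic no rule allows is dropped

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def in_network(defn, ip):
    members = NETWORKS[defn]
    if members is None:  # "Internet IPv4": anything outside private space
        return not ipaddress.ip_address(ip).is_private
    return ip in members

def evaluate(pkt):
    """Walk the rule table top-down and return the first matching action."""
    for src_def, svc, dst_def, action in RULES:
        if (in_network(src_def, pkt.src)
                and (pkt.proto, pkt.dport) in SERVICES[svc]
                and in_network(dst_def, pkt.dst)):
            return action
    return DEFAULT_ACTION

def via_google_wifi(pkt, wifi_wan_ip="192.168.1.2"):
    """Extra NAT hop: the UTM sees the (constructed) Google Wifi WAN address, not the Nest's."""
    return Packet(wifi_wan_ip, pkt.dst, pkt.proto, pkt.dport)
```

The last function is the point of the exercise: a Nest packet that the rules allow when the UTM sees the reserved address is dropped once it arrives source-NATed behind the Google Wifi unit, which is why the original poster fell back to a broad rule keyed on the unit's IP.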