How to best configure Sophos UTM Home with Xfinity Gateway and Google Wifi?

Question

Hello, 
 
 I have installed Sophos UTM Home v9.409-9 on a fanless PC behind an Xfinity Arris Modem/Gateway in DMZ mode and it's working well. I do have a new problem though and am unsure how to best re-configure the UTM and/or the network. I was previously using a Unifi AC Lite AP connected to a switch behind the UTM, but am now trying a Google Wifi (3 pack) mesh wireless network. The problem is that the Google Wifi is a router and DHCP cannot be disabled so the hosts connected to the Google Wifi are triple NATed and therefore makes routing and inter-network communication challenging. I've made do by creating a firewall rule from the IP address of the main Google Wifi unit --> ANY --> Internet IPv4 to allow my Nest thermostats to reach the internet, but would like to resolve the triple NAT fiasco while still letting the UTM inspect all traffic from hosts on any of my internal networks. 
 The gateway used to be configured in Bridge mode, but it causes the UTM interface to lose connectivity often, which DMZ mode has resolved. However, the gateway's DHCP server is enabled, the UTM also has DHCP server enabled and the Google Wifi has DHCP server enabled. Cabling would be ideal, but isn't feasible due to the complexity of cabling through two stories of an existing home without ripping into too many walls. 
 
 Can anyone provide some advice on the best way to reconfigure the network or reconfigure the UTM to eliminate the triple NAT? Ideally, I'd like to have both wired and wireless devices on the same subnet and traffic still filtered through the UTM so I'd have more control over the devices behind the UTM. I also plan to add some IP security cameras connected to the ethernet jack on one of the Google Wifi Nodes but can't foresee how it's going to work with triple NAT. 
 Below is my current network diagram. Thanks in advance for your advice and assistance.

BAlfson · Accepted Answer

" The first option might be doable, but would require using a USB ethernet dongle since I'm running Sophos on a Zotac CI323 that has two built in Realtek ethernet interfaces only. " 
 The two points work together. It sounds like it's either a new device for the UTM, putting up with a triple NAT or bridging Internal and External. 
 "For the firewall rules, would I just create a rule that allows traffic from the IP assigned by the UTM to the primary Google Wifi (GWF) to the wired network/devices?" 
 Yes. If you only have two NICs, the rule won't be necessary. In any case, as the Google WiFi is masquerading, you won't have access from the wired network to the wireless devices. 
 " Is there a way to configure the UTM to act as a bridge but still route and inspect traffic without assigning IP addresses to attached devices " 
 Yes, it should do that. This is where I would add a Web Filtering Profile in Full Transparent mode for the Google WiFi IP. If bridging internal and external, just change the current profile to Full Transparent and change 'Allowed Networks' to just include the subnet assigned by the Xfinity. 
 Are you certain that Google WiFi can't be put into bridge mode? 
 Cheers - Bob

BAlfson · Answer

You don't need a third NIC, but you can't bridge using a NIC that's already in use in an Interface definition. It will probably be easier to make notes about where the objects associated to your External interface are used in your configuration, delete that interface and then add that NIC to your Internal interface by changing its type to "Ethernet bridge." 
 Once you've bridged, if you're using Transparent mode in Web Filtering, be sure to change that to "Full Transparent." 
 Cheers - Bob

BAlfson · Answer

Change the bridged Interface to have an IP in the subnet assigned by the Xfinity modem. The Google should be communicating with the UTM in that subnet. 
 That's right. 
 That's right - no DHCP done by the UTM. 
 
 Once you've got a reachable IP on the UTM, you should be able to look at the Web Filtering Live Log to see if your accesses are going out via the Proxy. 
 Cheers - Bob

David Birdsall · Answer

Herman, 
 The problem here is too many networks attempting to communicate on an "unmanaged" network. The issue is in two places - the device acting as the gateway/router, and the mesh wi-fi system. There are two possible solutions: a quick fix, and a more thorough solution that may not require an additional purchase. Both solutions require little to no change to your topology map. 
 The Quick Fix is to go back to your UniFi AC Lite AP . Google Wi-Fi and other home mesh networks require double NAT routing, and this causes issues for many users. They are not compatible with the needs you have here. You require a Wi-Fi system that can be deployed in a bridge mode, like the Apple Airport Extreme , NetGear NightHawk , or Linksys AC , but this wastes a few features on these devices. A better fit and more robust solution is your your UniFi A P with a UniFi Cloud controller or something else like Sophos Secure Wireless , or Linksys Business Wi-Fi . In order to properly deploy your UniFi or a similar solution, you will also need to replace your ethernet switch with a managed POE switch from UniFi , Cisco , or another vendor. These options provide a mesh-network capability, and they can allow Guest Wi-Fi to operate. If you need to add more network separation, you must use the more thorough option below. 
 The more thorough approach requires more work and more forethought if you intend to remain with your Google Wi-Fi. The first hurdle is the coordination between the Xfinity Arris Modem and the Sophos SG UTM. The Arris modem only handles 1-2 networks while the SG UTM handles multiple networks. The best solution here is to put the Xfinity Modem in bridge mode and the Sophos SG UTM in Gateway mode. This shifts the Gateway for the modem to the UTM and solves the issue of multiple networks sharing one NAT. This is the default setup you will see in most cases with a Sophos UTM/Firewall behind an Arris modem. Replacing your ethernet switch with a managed POE switch is also recommended, but is not required if you only have 1 or 2 networks. *There is a different variation to this solution which BAlfson described in a discussion with Herman above, but it only allows 1-2 networks with a single NAT* 
 At this point, it is best to go back to your UniFi A P with a UniFi Cloud controller or one of the other options in Quick Fix above. If you decide to keep your Google Wi-Fi in place, it needs to be placed in Bridge Mode with the second, "Not Recommended" option . The bridged Google Wi-Fi point joins the internal 192.168.1.x network as an AP and relays that same DHCP to the wireless devices connected to it. 
 There are a couple of things with this setup that you need to consider if you keep your Google Wi-Fi in place: 
 1. By taking the Google Wi-Fi out of Mesh Mode and placing it in bridge mode, you may lose the large coverage area once provided by the mesh capability. You may be limited to using only one of the Google Wi-Fi points in the 3-pack. If you feel this is a waste, considering redeploying your UniFi A P with a UniFi Cloud controller or purchasing one of the options above in the Quick Fix. 
 2. You may not be able to activate or deploy the native Guest Wi-Fi in the Google Wi-Fi point or any other system when plugged into your Ethernet Switch. You may have to purchase a managed switch listed in Quick Fix above.

David Birdsall · Answer

Unknown said: 
 I might be posting this in the wrong area but It is the only thread I can find about the Google Wifi and Sophos product. 
 I have a Sophos XG85 and 3 pack of Google wifi. 
 I would really like to use them and have found that there is no easy installation of this firewall. 
 Can some one break this triple NAT down in steps or even explain why DMZ is needed? and how to use that. 
 I cannot find anyone describing how to set up a Triple Nat in google searches. 
 This would help me greatly. 
 Thanks Rick M 
 
 Rick, 
 The answer to your question is in my reply to Herman just above this one or in BAlfson's discussion with Herman higher up. If you only need two networks internal and Guest Wi-Fi, the choice on who to follow is up to you. If you need more than 2 networks, you'll have to go with the more thorough option. 
 Your issue is the same as Herman's as there is no difference between in having a Sophos SG UTM or a Sophos XG Firewall in this predicament.

ADogNamedGromet · Answer

OK this is finally working. While sorting out some other things with tech support we got the Google wifi up and running and behind the XG85. 
 I should say that the primary google wifi unit was setup separately and had everything working. (this eliminated confusion when plugging it into the Sophos.) The next google wifi unit is meshing with the first one properly. Then I plugged the primary one into the Sophos and DHCP assigned it an IP address. I then had to go to Google wifi app and go into Settings>Network & General>Advanced networking>Wan and set it to DHCP. The sophos then assigned it and IP address. and everything worked after that. 
 Later I took the Mac address and assigned it a static address under the Sophos XG DHCP. 
 The trick was that we needed a DHCP range set up first in the XG and then to set up the Google wifi separately . 
 To make my Lan across both port 1 and 4 bridge port 1 and 4 (which may not be necessary in some instances.) 
 The Google wifi manages its own users and ip address assignments with static or dhcp. It does not get management by the sophos wifi settings as It manages its own. I am ok with that. We have allot of phones etc and as long as they are all behind the firewall that is ok with me. I do believe the sophos scans that traffic as it crosses the lan to the google wifi. Also it manages its own meshing too which works fine. No need to allow the sophos to interfere with the googles wifi specifics. Google makes things easy to set up actually but has quite fast speeds and nice easy family friendly features. Like the ability to turn off data to kids phones at bedtime and dinner. 
 I would like to see some better screening of kid friendly things in the sophos too. Odd but we have not found a way to screen out things like "pregnant barbie" videos on youtube. All parents go :(..... They get through most parental filters. I want to control some game downloads and other exes that kids do as most kids machines are more virus prone than others. The sophos is perfect for that. 
 Needless to say we also run a home business that needs some decent protection. 
 The printers need to be accessed all across the wifi. So with the google wifi the Lan to Lan rule was necessary to make everything talk to one another. 
 
 Here is my map of the current set up. It is working quite nicely. I have backed up my Sophos setup in case I ever need to redeploy it. Sorry this map took so long to provide. This has been a work in progress and lots of progress has been made. 
 As much as everyone says it can't work, Google WIFI does work with the Sophos, and I just proved it to myself. Fast and secure all in one house. ;)