
How to best configure Sophos UTM Home with Xfinity Gateway and Google Wifi?

Hello,

 

I have installed Sophos UTM Home v9.409-9 on a fanless PC behind an Xfinity Arris Modem/Gateway in DMZ mode and it's working well.  I do have a new problem though and am unsure how to best re-configure the UTM and/or the network.  I was previously using a Unifi AC Lite AP connected to a switch behind the UTM, but am now trying a Google Wifi (3 pack) mesh wireless network.  The problem is that the Google Wifi is a router and DHCP cannot be disabled, so the hosts connected to the Google Wifi are triple NATed, which makes routing and inter-network communication challenging.  I've made do by creating a firewall rule from the IP address of the main Google Wifi unit --> ANY --> Internet IPv4 to allow my Nest thermostats to reach the internet, but would like to resolve the triple NAT fiasco while still letting the UTM inspect all traffic from hosts on any of my internal networks.

The gateway used to be configured in Bridge mode, but it causes the UTM interface to lose connectivity often, which DMZ mode has resolved.  However, the gateway's DHCP server is enabled, the UTM also has DHCP server enabled and the Google Wifi has DHCP server enabled.  Cabling would be ideal, but isn't feasible due to the complexity of cabling through two stories of an existing home without ripping into too many walls.

 

Can anyone provide some advice on the best way to reconfigure the network or reconfigure the UTM to eliminate the triple NAT?  Ideally, I'd like to have both wired and wireless devices on the same subnet and traffic still filtered through the UTM so I'd have more control over the devices behind the UTM.  I also plan to add some IP security cameras connected to the ethernet jack on one of the Google Wifi Nodes but can't foresee how it's going to work with triple NAT.

Below is my current network diagram.  Thanks in advance for your advice and assistance.

  • Hi Rick - you're right, you will want to post your XG question in the XG Community - this is the UTM Community.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Herman,

    The problem here is too many networks attempting to communicate on an "unmanaged" network.  The issue is in two places - the device acting as the gateway/router, and the mesh wi-fi system.  There are two possible solutions: a quick fix, and a more thorough solution that may not require an additional purchase.  Both solutions require little to no change to your topology map.

The Quick Fix is to go back to your UniFi AC Lite AP.  Google Wi-Fi and other home mesh networks require double NAT routing, and this causes issues for many users.  They are not compatible with the needs you have here.  You require a Wi-Fi system that can be deployed in a bridge mode, like the Apple Airport Extreme, NetGear NightHawk, or Linksys AC, but this wastes a few features on these devices.  A better fit and more robust solution is your UniFi AP with a UniFi Cloud controller or something else like Sophos Secure Wireless, or Linksys Business Wi-Fi.  In order to properly deploy your UniFi or a similar solution, you will also need to replace your ethernet switch with a managed POE switch from UniFi, Cisco, or another vendor.  These options provide a mesh-network capability, and they can allow Guest Wi-Fi to operate.  If you need to add more network separation, you must use the more thorough option below.

    The more thorough approach requires more work and more forethought if you intend to remain with your Google Wi-Fi.  The first hurdle is the coordination between the Xfinity Arris Modem and the Sophos SG UTM.   The Arris modem only handles 1-2 networks while the SG UTM handles multiple networks.  The best solution here is to put the Xfinity Modem in bridge mode and the Sophos SG UTM in Gateway mode.  This shifts the Gateway for the modem to the UTM and solves the issue of multiple networks sharing one NAT.  This is the default setup you will see in most cases with a Sophos UTM/Firewall behind an Arris modem.  Replacing your ethernet switch with a managed POE switch is also recommended, but is not required if you only have 1 or 2 networks.   *There is a different variation to this solution which BAlfson described in a discussion with Herman above, but it only allows 1-2 networks with a single NAT*

    At this point, it is best to go back to your UniFi AP with a UniFi Cloud controller or one of the other options in Quick Fix above.  If you decide to keep your Google Wi-Fi in place, it needs to be placed in Bridge Mode with the second, "Not Recommended" option.  The bridged Google Wi-Fi point joins the internal 192.168.1.x network as an AP and relays that same DHCP to the wireless devices connected to it.

    There are a couple of things with this setup that you need to consider if you keep your Google Wi-Fi in place:

1. By taking the Google Wi-Fi out of Mesh Mode and placing it in bridge mode, you may lose the large coverage area once provided by the mesh capability.  You may be limited to using only one of the Google Wi-Fi points in the 3-pack.  If you feel this is a waste, consider redeploying your UniFi AP with a UniFi Cloud controller or purchasing one of the options above in the Quick Fix.

    2. You may not be able to activate or deploy the native Guest Wi-Fi in the Google Wi-Fi point or any other system when plugged into your Ethernet Switch.  You may have to purchase a managed switch listed in Quick Fix above.

  • Unknown said:

    I might be posting this in the wrong area but It is the only thread I can find about the Google Wifi and Sophos product.  

    I have a Sophos XG85 and 3 pack of Google wifi.  

    I would really like to use them and have found that there is no easy installation of this firewall.

    Can someone break this triple NAT down in steps or even explain why DMZ is needed, and how to use that?

    I cannot find anyone describing how to set up a triple NAT in Google searches.

    This would help me greatly.

    Thanks Rick M

    Rick,

    The answer to your question is in my reply to Herman just above this one or in BAlfson's discussion with Herman higher up.  If you only need two networks internal and Guest Wi-Fi, the choice on who to follow is up to you.  If you need more than 2 networks, you'll have to go with the more thorough option.

    Your issue is the same as Herman's, as there is no difference between having a Sophos SG UTM or a Sophos XG Firewall in this predicament.

  • Both the UTM and the XG are so similar that I don't see a difference.  It helps both sections.

    What I need to know is if google WiFi is working on the DMZ or on another port.

     

    I have it connected straight into port4 and have it as WIFI (not the DMZ).

    DHCP seems to get it further than any other setting in the google WiFi system.

     

    If it will only work in DMZ then I need to know that.    It is one piece of a complex puzzle.

     

  • ADogNamedGromet said:

    Both the UTM and the XG are so similar that I don't see a difference.  It helps both sections.

    What I need to know is if google WiFi is working on the DMZ or on another port.

    I have it connected straight into port4 and have it as WIFI (not the DMZ).

    DHCP seems to get it further than any other setting in the google WiFi system.

    If it will only work in DMZ then I need to know that.    It is one piece of a complex puzzle.

    Rick,

    Yes, for your needs, the SG UTM and the XG Firewall are very similar.  The problem here is not the Sophos product you choose.

    The problem is the Wi-Fi system.  Google WiFi/OnHub and other similar Wi-Fi systems (Netgear Orbi, Linksys Velop, TP-Link Deco, Eero Pro) have their own gateway/router that causes conflicts behind security systems.  These all-in-one Wi-Fi systems are designed to replace your Firewall/UTM and be their own independent network.  This is what makes them a problem and makes the problem complicated.

    If you decide to keep your Google Wi-Fi, there is no easy answer.  There will always be a catch with these types of Wi-Fi systems.  You could solve this problem by connecting your Google WiFi to the DMZ, so it can act independently.  But then, this would put your Google WiFi devices on their own independent network with their own internet connection.  What would be the point of your UTM/Firewall then?

    The easy and proper way to do this is to use a standard Wi-Fi system that simply connects your wireless LAN to your wired LAN with no issue in between, like the Sophos Secure Wireless Add-On for both the SG UTM and XG Firewall.  For the same price as Google Wi-Fi, you could get an affordable enterprise Wi-Fi system like Ubiquiti UniFi.  To replicate your Google WiFi system, you need 3 UniFi UAP-AC-LITE with 1 UniFi Cloud Key (if you don't have a computer that operates 24/7).  If you need a little more range or want to put APs outside, get UniFi UAP-AC-PRO APs instead.  Both Sophos and Ubiquiti wireless systems would allow you to customize your Wi-Fi and provide more capability such as having more than 2 SSIDs and connecting them to whatever LAN/VLAN you want.

  • Hi Herman.

     

    I like that you tackled something general that most people would try to set up.  I would like to see what your firewall rules are for this set up.

     

    I understand that your Nest must be wireless connected and must be a DMZ as it is sending information as an outside server would.

     

    How do you have your Google wifi rules set for this set up?  I am still doing something very similar and would like a clear explanation of your rule setup.

    This would help me not guess as I fumble through my own settings.

     

    Thanks

    Rick M

    I haven't had time to get back to this, but am looking at converting the Google Wifi APs to bridge mode, which eliminates Google's mesh, disables DHCP and routing and reverts all nodes to plain APs.  Although, I'm not sure this is even doable with more than one Google AP.  I might go back to Unifi APs with the UTM handling the routing and DHCP and drop Google Wifi and its requirements altogether.

    I have rules that allow the Nest thermostats out without a DMZ.  

     

    1. Create Network Definitions (reserve an IP for the Nest devices using MAC address/Static IP)

    2. Create Service Definitions

    3. Create your Firewall rules referencing the network and service definitions you defined earlier

  • OK this is finally working.  While sorting out some other things with tech support we got the Google wifi up and running and behind the XG85.  

    I should say that the primary Google wifi unit was set up separately and had everything working (this eliminated confusion when plugging it into the Sophos).  The next Google wifi unit is meshing with the first one properly.  Then I plugged the primary one into the Sophos and DHCP assigned it an IP address.  I then had to go to the Google wifi app and go into Settings>Network & General>Advanced networking>Wan and set it to DHCP.  The Sophos then assigned it an IP address, and everything worked after that.

    Later I took the Mac address and assigned it a static address under the Sophos XG DHCP.

    The trick was that we needed a DHCP range set up first in the XG and then to set up the Google wifi separately.  

    To make my LAN span both port 1 and 4, bridge port 1 and 4 (which may not be necessary in some instances).

    The Google wifi manages its own users and IP address assignments with static or DHCP.  It does not get management by the Sophos wifi settings, as it manages its own.  I am ok with that.  We have a lot of phones etc. and as long as they are all behind the firewall that is ok with me.  I do believe the Sophos scans that traffic as it crosses the LAN to the Google wifi.  Also it manages its own meshing too, which works fine.  No need to allow the Sophos to interfere with the Google wifi specifics.  Google makes things easy to set up actually, but has quite fast speeds and nice easy family friendly features, like the ability to turn off data to kids' phones at bedtime and dinner.

    I would like to see some better screening of kid friendly things in the Sophos too.  Odd, but we have not found a way to screen out things like "pregnant barbie" videos on YouTube.  All parents go :(.....  They get through most parental filters.  I want to control some game downloads and other exes that kids do, as most kids' machines are more virus prone than others.  The Sophos is perfect for that.

    Needless to say we also run a home business that needs some decent protection.

    The printers need to be accessed all across the wifi.  So with the Google wifi the LAN to LAN rule was necessary to make everything talk to one another.

     

    Here is my map of the current set up.  It is working quite nicely.  I have backed up my Sophos setup in case I ever need to redeploy it.  Sorry this map took so long to provide.  This has been a work in progress and lots of progress has been made.

    As much as everyone says it can't work, Google WIFI does work with the Sophos, and I just proved it to myself.  Fast and secure all in one house.  ;)

  • Hi Dog,

    Glad you figured it out.  I'm still running with GWF and haven't completely moved back to Unifi, out of laziness and lack of time to troubleshoot.

    For me, GWF still isn't an ideal solution because I'd like to be able to monitor and filter traffic per device or group of devices (e.g. kids have access to traffic through 80 and 443, monitor all other traffic including decrypting https, while allowing an NVR, myself and other adults more customized access).  Once your devices are getting IPs from GWF, Sophos sees only aggregate traffic from the GWF main node.  Aggregate traffic reports make it really difficult to track and troubleshoot problematic or compromised devices as well.
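The visibility problem described in the last two posts (the UTM only ever sees the Google Wifi main node as the source, so per-device rules and per-device troubleshooting are impossible) can be shown with a small source-NAT simulation. This is an added example, not code from the thread or from Sophos; all addresses and the hop layout are constructed, and the hypothetical `NatRouter` stands in for any mesh node or gateway that does NAT in front of the UTM.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class NatRouter:
    """Hypothetical source-NAT hop (Google Wifi node, Xfinity gateway, ...)."""
    wan_ip: str
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)
    next_port: int = 40000

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        # Source NAT: the inner (ip, port) is replaced by (wan_ip, mapped port).
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.wan_ip, self.table[key]


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample: a phone and an NVR on the Google Wifi LAN (192.168.86.x),
# both heading for hosts on the internet (TEST-NET addresses).
FLOWS: List[Flow] = [
    Flow("192.168.86.20", 51000, "203.0.113.10", 443),  # kid's phone
    Flow("192.168.86.30", 51001, "203.0.113.20", 80),   # NVR
]


def forward(flows: List[Flow], hops: List[NatRouter]) -> List[Flow]:
    """Push each flow through the NAT hops in order; return what the next
    device on the path (here: the UTM's internal interface) observes."""
    seen = []
    for f in flows:
        ip, port = f.src_ip, f.src_port
        for hop in hops:
            ip, port = hop.translate(ip, port)
        seen.append(Flow(ip, port, f.dst_ip, f.dst_port))
    return seen


def utm_sources_with_gwf_nat() -> List[str]:
    # Google Wifi main node in router mode, its WAN side on the UTM LAN.
    gwf = NatRouter(wan_ip="192.168.1.50")
    return sorted({f.src_ip for f in forward(FLOWS, [gwf])})


def utm_sources_bridged() -> List[str]:
    # Bridge mode: no NAT hop, so the UTM sees each device's own address.
    return sorted({f.src_ip for f in forward(FLOWS, [])})


def device_visible(seen: List[Flow], device_ip: str) -> bool:
    """True if a per-device firewall rule keyed on device_ip could match."""
    return any(f.src_ip == device_ip for f in seen)
```

With the NAT hop in place every flow arrives at the UTM from 192.168.1.50, so a rule for the phone alone cannot be written; in bridge mode the two devices stay distinguishable.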