This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM connected behind another router

Hi,

I have this following network architecture.

Internet --> EdgeRouter Pro ---> Network Switch.

I have connected my Sophos UTM SG135 appliance (from eth0 interface with ip address 192.168.40.2/24) to the EdgeRouter (at eth2 inteface with ip address 192.168.40.1/24).

My question is how can to configure the Sophos UTM to have internet access? I tried to tick the box for default gateway with 192.168.40.1 on eth0 but its getting error message of "Default Gateways only allowed on Uplink Balancing interfaces. Interface will be added to Uplink Balancing.".

Thanks!



This thread was automatically locked due to age.
Parents
  • Hello James,

    Thank you for contacting the Sophos Community.

    Eth1 is the one usually configured as WAN interface, in the UTM, if you want to use eth0 make sure to disable Eth1 if it is already configured, and configure Eth0 as you just did.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi  

    So I have successful configuration below.

    Sophos UTM -->
      Interfaces & Routing:
        Interfaces:
          eth1:

             IP: 192.168.40.2
             Netmask: /24 (255.255.255.0)
             IPv4 Default GW address: 192.168.40.1

      Network Protection:
        NAT:
         Masquerading:
           VPN Pool Custom (10.242.40.0/24) --> eth1 (192.168.40.2).


    I have VPN client remote access enabled with custom Virtual IP Pool (10.242.40.0/24). I noticed that when I am connected to VPN client (which gives me ip address 10.242.40.2) and accessing servers to other network, the source of my ip address is 192.168.40.2 and not 10.242.40.2.

    Is there any missing and/or wrong settings in my UTM?

  • Hi James and welcome to the UTM Community!

    First, some comments about the UTM culture that will make it easier to get help from this community and Sophos Support.

    In general, it's always best to have a public IP on eth1.  If possible, I would put the EdgeRouter Pro in bridge mode to achieve that.

    My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve 10.0.0.0/8 for giant multinationals, ISPs, etc.

    I also recommend against changing the VPN Pool used unless you have too many remote users to fit in a /24.  As it is, we don't know which remote access method you're using.

    Rather than describe your setup, show us pictures of the Edits of your configuration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your time and sharing your knowledge with recommendations on this thread for best practice of using internal subnets and reserved network. I really appreciate it :)

    Here's how it looks like of my configuration [deleted by mod - please insert pictures directly here]

    I am using SSL VPN Remote Access method with custom VPN pool as shown in the picture. So when vpn client users send all traffic over vpn, they will have unique public ip address 230.x.x.20 for some purpose and 203.x.x.21 for the user portal site and ssl vpn.

    I have figured out that since I am using NAT Masquerading, this will recognized as my source ip address when accessing internal subnets. What I want to achieve is to be able to show the real source of ip address (SSL VPN pool) when accessing internal subnets. However, when I turned off the NAT Masquerading, I can connect to SSL VPN but I cannot reach the internal subnets. I tried to configure on the Firewall but not successful.

    I would appreciate of any advise on how to make this the right configuration.

  • I opened that link in a sandbox.  It seems to be infected, so I've deleted it from your post.  Please Edit that post, and insert your image(s) into the post. We can't know if that external site is properly protected. The only malware I've gotten in over 15 years was from an external link to a picture in this forum almost 10 years ago.  Thanks in advance!

    Show us a picture of the Edit of the SSL VPN Profile.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello James,

    I have followed-up to your PM.

    As mentioned by Bob it would be better if you could post the screenshot instead of the link to avoid any issue. 

    For me, it looks like you might be missing a static route in your main router, to send the traffic back when the Masquerading is not in place. 

    Regards,
     


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply Children
No Data