I have a Sophos SG135w which used to be for the work office, but we have moved and no longer require it. It was previously setup by the work MSP who we purchased the device from. It has been sitting idle for about 18 months now and I am going to set it up at home. I've got it working on a home license.
I have it connected to my modem/router which works on 192.168.20.40 on 1 interface. I have another interface configured for DHCP as I want the Sophos to control that (192.168.0.0/24).
Now the Sophos isn't running all DHCP yet, I have it connected on its on. When I am my desktop on 192.168.20.0/24 I can connect to 192.168.20.40. When I am connected to the Sophos on 192.168.0.0/24 I can connect to the Sophos of 192.168.0.1.
But, I have no internet connectivity. I suspect I need to do a route somehow? Or a DNS configure? Just not sure where I need to do any of this stuff and googling hasn't given me the answer.
Any tips or pointers would be great.
Hi Cohen Lewis,
Thank you for reaching out to the Community!
Could you please share the screenshot of the network interfaces configured on your UTM?
Did you configure the DHCP server on the internal interface? You can add DNS servers under Network services > DNS > Forwarders. You also need to add the internal network under DNS > Global > Allowed Network.
Did you configure the firewall rule for internet access and SNAT? Could you please share the screenshots with us?
Community Support Engineer | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' button.
See screenshots below:
Let me know if you need anything else! Appreciate the prompt reply.
You need several things to get this flying.
You say „modem“ but having a transfer network 192.168.20.0/24 indicates you are having a router.
That router has to know about the net behind the Sophos, either by setting up a route or by setting up what is called an „exposed host“.
Then, you need to „Masquerade“ that internal net behind the Sophos to your uplink connecting to the router.
Third you have to allow DNS usage to the clients of your internal net.
Mit freundlichem Gruß, Regards from Germany,
New Vision GmbH, GermanySophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Hopefully this makes sense?
jprusch said:You say „modem“ but having a transfer network 192.168.20.0/24 indicates you are having a router.
Correct, I said "modem/router". I want the Sophos to do all the network routing though, so the modem/router will only have 1 device connected being the Sophos which will be 192.168.20.40
jprusch said:That router has to know about the net behind the Sophos, either by setting up a route or by setting up what is called an „exposed host“.
It is Internet > Modem/Router provided by ISP > Sophos > All other devices (Wireless/LAN)
How is this now?
Recommend reading this Sophos UTM: Options for deploying the UTM into your Network - Recommended Reads - UTM Firewall - Sophos Community
delete that static route entry first! This is not needed. Routing is done by the correct GW setting.
Then, if I understand you correctly, your Modem/router has an address of 192.168.20.40. Then you cannot assign the same address to the transfer network interface of the Sophos going to that modem into direction "outside".
Additionally, you told the Sophos that your default GW is 192.168.20.1. If above IP 192.168.20.40 for the Modem is correct, then this GW entry is wrong. The GW IP has to be the IP of the Modem side.
You could either change the IP of the Sophos to something else like 192.168.20.10 and correct the GW entry to 192.168.20.40 or you change the modem IP to 192.168.20.1.
So it should look like:
Sophos - 192.168.20.10 ----- (Internet Link to router) ----- 192.168.20.40 - Modem(internal) ------ (external) ---- Internet
Sophos - 192.168.20.40------ (Internet Link to router) ------ 192.168.20.1-Modem(internal) ------ (external)------Internet
(With GW= 192.168.20.1)
BUT: all the above is only half of the game:
You need an "exposed host" definition ON THE ROUTER.
OR, at least, you router has to know about "that other network" behind the Sophos firewall. Otherwise your router would only know about the 192.168.20.0/24 network and not send any packets for the 192.168.0.0/24 network at all.
This would work with a "DMZ" (sometimes called "exposed host") setting, which points to your "external" Sophos IP
or with a static route setting AT THE ROUTER:
This entry has to be like 126.96.36.199 /24 GW=192.168.20.40 (the "external" Sophos IP)
NEXT you will perhaps need a Masquerading entry at "Network protection/NAT", depending on how your router handles the uplink traffic.
Hi Lewis and welcome to the UTM Community!
Philipp and Patrick have given you good advice. If possible, you should put the modem into bridge mode so that the UTM can have a public IP on the "Internet" interface. Doing this will make your life much easier in the future. In addition to the link provided by Patrick, you might read through Rulz (last updated 2020-11-12) and DNS best practice.
Cheers - Bob
Thanks all for the replies. Weird thing is, the WiFi on the Sophos works and internet connectivity is there, but the ethernet doesn't? I've replicated the settings for WLAN to the Internal LAN and no luck. I've created another Internal LAN and no luck.
Am I missing something? It looks like a DNS issue...... as nothing resolves.
I'd rather not setup the modem in Bridge Mode.