
Sophos UTM and UniFi

Hi all,

I'm considering installing Sophos UTM at my business. I currently have a UniFi setup: Fibre Modem --> UniFi USG --> UniFi Switch --> UniFi APs.

I have a few questions about the install. Firstly, do I install the UTM between the fibre modem and the USG, or between the USG and the switch? The main reason for using Sophos UTM is to fill in the gaps that the UniFi USG can't: mainly keeping records of MAC addresses and websites visited, and web filtering. My plan was to use it in transparent mode. I understand the issue with using it to record HTTPS, as I will need to install a custom cert, which is fine, or live with the HTTPS cert errors.

Also, I have 4 VLANs set up, so if I were to put the UTM between the USG and the switch, will the UTM pass all the VLANs, i.e. trunking?

My other idea was to use the UTM as a VPN server; currently the UniFi one is very buggy. So ideally the UTM will need to be installed between the fibre modem and the USG. If so, does the UTM support PPPoE?

And finally, to test the system I will be using an old Intel i3 3220 and a 4-port Intel NIC. Will this be OK for web filtering/reporting and VPN? I'm not too concerned about AV and IPS; maybe I can look at this another time. My line connection is currently 100/20 with the option to upgrade to 300/30.

Sorry for all the questions.

  • You can place the UTM where you wish. My advice? Connect the fibre modem directly to the UTM. Completely remove the USG, as it will complicate things.

    The i3 will be OK. Make sure you have enough RAM and hard drive space (80 GB) and, if possible, put it on an SSD.

  • OK, thanks for the advice. Going to build the UTM tomorrow and see what happens. Will test it in both locations. I would like to keep the USG at the moment.

    The PC I have has 8 GB RAM and a 120 GB SSD, so it should be fine. In the future I would like to look at something lower powered, possibly an Intel N3150. I see the Gigabyte one has dual LAN. I know they are Realtek, but it looks like others have used this board with success.

  • You can keep the USG without issue, but I would put the UTM as the forward-facing firewall and possibly disable the firewall functions etc. on the USG and just use it for routing etc.

    Having two firewalls in the mix with two sets of rules will complicate the setup, although it can be done. Doing it that way would result in a DMZ, with the outside interface of the USG becoming the DMZ.

    Don't forget the UTM can be a bit of a hungry beast as well, depending on what you are asking it to do.

  • Testing today hasn't gone so well. I had it set up as fibre modem --> USG --> Sophos UTM --> LAN switch.

    I set up a bridge using 2 LAN ports and had a third for management. Management was fine. The bridge got an IP from the correct range. Internally all my devices were working; however, none could access the internet. When trying to get to any site I got "network unreachable". I was intermittently able to ping 8.8.8.8 outside.

    The problem seems to be two issues: the UniFi controller was seeing the MAC on the UTM as the UniFi USG, so it was causing some weird issues with the USG. Then I'm guessing the "network unreachable" issue was due to DNS.

    If I install in this config, fibre modem --> UTM --> USG --> switch, the fibre modem requires PPPoE. If I install it in transparent bridge mode, will it work? What IP would the LAN side get?

  • The UTM can easily handle PPPoE. My home setup is like that. You can't install the UTM in bridge mode doing this. Bridge mode is for when your USG is in front and the UTM sits between the USG and the LAN.

    I've never set the UTM up in bridge mode, as I normally put the UTM front facing due to its capabilities. If you want to keep the USG, you will be dealing with a two-NAT scenario and routing, as the front-facing router will not be aware of the innermost LAN network and will need guidance, particularly if you plan on exposing some services from that LAN.

    UTM WAN = 7.7.7.7
    UTM LAN = 10.0.0.1/24

    USG WAN = 10.0.0.2/24   <<<< this has to be on the same subnet as the UTM LAN and has to have the UTM LAN IP as its gateway. This could be your DMZ network.
    USG LAN = your current LAN

    The above is one way of doing it. There are others.
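The two-NAT layout sketched in this reply, as an added example (not code from the thread, Sophos or Ubiquiti): a small Python planner that checks the transit addressing between the UTM LAN and the USG WAN, spells out the two port-forward rules needed to expose a service on the inner LAN when both boxes NAT, and gives the static route the UTM would need instead if the USG is left doing plain routing. The UTM and USG addresses are the ones in the reply; the inner LAN 192.168.1.0/24, the host 192.168.1.50, the port 443 and the /32 on the PPPoE WAN side are assumptions.

```python
"""Plan addressing and port forwarding for a two-router (double NAT) layout:
fibre modem -> UTM (front firewall) -> USG -> LAN.

Added example for this thread, not code from Sophos or Ubiquiti. The UTM/USG
addresses come from the reply; the inner LAN 192.168.1.0/24, the host
192.168.1.50 and the service port 443 are assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Router:
    name: str
    wan: IPv4Interface              # address on the upstream (outside) side
    lan: IPv4Interface              # address on the downstream (inside) side
    gateway: IPv4Address | None     # default gateway; None when PPPoE assigns it


@dataclass(frozen=True)
class Dnat:
    """One port-forward rule: traffic to match_ip:match_port is rewritten to to_ip:to_port."""
    router: str
    match_ip: IPv4Address
    match_port: int
    to_ip: IPv4Address
    to_port: int


def check_transit(outer: Router, inner: Router) -> list[str]:
    """Validate the transit link between outer.lan and inner.wan (the 'DMZ' in the reply).

    Returns a list of problems; an empty list means the addressing is consistent.
    """
    problems: list[str] = []
    if inner.wan.network != outer.lan.network:
        problems.append(f"{inner.name} WAN {inner.wan} is not in {outer.name} LAN subnet {outer.lan.network}")
    if inner.gateway != outer.lan.ip:
        problems.append(f"{inner.name} default gateway must be {outer.lan.ip}, got {inner.gateway}")
    if inner.wan.ip == outer.lan.ip:
        problems.append(f"address collision on transit network: {inner.wan.ip}")
    if inner.lan.network.overlaps(outer.lan.network):
        problems.append(f"{inner.name} LAN {inner.lan.network} overlaps transit subnet {outer.lan.network}")
    return problems


def publish_service(outer: Router, inner: Router, host: IPv4Address, port: int) -> list[Dnat]:
    """Rules needed to expose host:port on the inner LAN when both routers NAT.

    The outer router only knows the transit subnet, so it forwards to the inner
    router's WAN address; the inner router then forwards on to the real host.
    """
    if host not in inner.lan.network:
        raise ValueError(f"{host} is not inside {inner.name} LAN {inner.lan.network}")
    return [
        Dnat(outer.name, outer.wan.ip, port, inner.wan.ip, port),
        Dnat(inner.name, inner.wan.ip, port, host, port),
    ]


def routed_mode_route(outer: Router, inner: Router) -> tuple[IPv4Network, IPv4Address]:
    """Alternative without NAT on the inner router (USG used purely for routing):
    the outer router needs a static route to the inner LAN via the inner router's
    WAN address. Returns (destination network, next hop)."""
    return inner.lan.network, inner.wan.ip


# Addresses from the reply: UTM WAN 7.7.7.7, UTM LAN 10.0.0.1/24, USG WAN 10.0.0.2/24.
# The /32 on the UTM WAN and everything on the inner LAN are assumptions.
UTM = Router("UTM", IPv4Interface("7.7.7.7/32"), IPv4Interface("10.0.0.1/24"), None)
USG = Router("USG", IPv4Interface("10.0.0.2/24"), IPv4Interface("192.168.1.1/24"),
             IPv4Address("10.0.0.1"))
# Constructed misconfiguration: USG WAN put on a different subnet from the UTM LAN.
USG_WRONG_SUBNET = Router("USG", IPv4Interface("10.0.1.2/24"), IPv4Interface("192.168.1.1/24"),
                          IPv4Address("10.0.0.1"))
INNER_WEB = IPv4Address("192.168.1.50")   # assumed server on the existing LAN


if __name__ == "__main__":
    for line in check_transit(UTM, USG) or ["transit link OK"]:
        print(line)
    for line in check_transit(UTM, USG_WRONG_SUBNET):
        print("misconfigured:", line)
    for rule in publish_service(UTM, USG, INNER_WEB, 443):
        print(f"{rule.router}: DNAT {rule.match_ip}:{rule.match_port} -> {rule.to_ip}:{rule.to_port}")
    dest, via = routed_mode_route(UTM, USG)
    print(f"routed mode instead: {UTM.name} static route {dest} via {via}")
```

Run it as-is to see the two DNAT rules for the double-NAT case and the single static route for the routed case; swap in your own inner LAN and hosts by changing the constants at the bottom.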

  • Again, thanks for the help. I like having the USG WAN facing, as it's simple to configure with the GUI; however, it looks like I may have to put the UTM at the front, I'm guessing in Standard Mode. I do have services behind my USG, so I suppose the options are to have the firewall on the UTM open and let the USG deal with it, or the opposite way around: firewall the UTM and have the USG open.

    I think I know where my testing was going wrong. When in bridge mode and fully transparent, do I set the bridge IP to 0.0.0.0 or DHCP? I had it on DHCP, so it was getting an IP from my internal network and then causing havoc with my USG. I'm guessing it needs to be 0.0.0.0 to be in seamless mode.

  • Not sure about bridging mode. You can have your USG at the front too, but I think it would be a waste compared to what the UTM can offer you.
