
setting up two UTM instances to overcome license.

I was wondering if anyone has successfully deployed two Sophos UTM instances in virtual machines w/ the free 50 IP license in order to overcome going over the license limit. If so, how did you design your network topology? Also, is there any way to put certain IP addresses out of the scope of the UTM such that they don't count towards the license? I would only require simple routing to those IPs, not content filtering or anything else.


  • From a legal standpoint, you can't do that.  Only one live instance with a single license.  There's two things you can do to reduce the license IP count:

    1)  Any devices that don't need internet access, network printers being a good example, remove the default gateway address from their settings.

    2)  Run devices through another router behind the UTM NATed.  For example if you use a wireless router.  The wireless router's WAN address will be within the scope of the subnet on the UTM internal interface, while the wireless devices will be NATed on a different subnet.  The only IP address the UTM will count is the external address of the wireless router.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • From a legal standpoint, you can't do that.  Only one live instance with a single license.  There's two things you can do to reduce the license IP count:

    1)  Any devices that don't need internet access, network printers being a good example, remove the default gateway address from their settings.

    2)  Run devices through another router behind the UTM NATed.  For example if you use a wireless router.  The wireless routers WAN address will be within the scope of the subnet on the UTM internal interface, while the wireless devices will be NATed on a different subnet.  The only IP address the UTM will count is the external address of the wireless router.



    What do you mean, from a legal standpoint I can't do it? I wouldn't use the same license on two installs, but simply sign up for two accounts and get two of the 50 IP free for home use licenses and install one on each machine... each install would have its own license.. would that not work? Has no one else done that?

    Double NAT is really out of the question, and while the suggestion to remove the gateway IP from devices is a good idea, that means I would have to make those devices have static IPs, which won't really work as I need them all to work with DHCP. I wish Sophos was a little more realistic with the licensing because it's total bs.. had I known I wouldn't have spent the countless hours setting up the system.. I am far too invested in the way I set it up to just switch to another UTM. They ****ed up by being upfront about the way they count out the license, which if you ask me is absolutely stupid and ultimately is making them lose business because I do not recommend them to anyone who asks me if they are any good.
  • ... i wouldn't use the same license on two installs, but simply signup for two accounts and get two of 50ip free for home use license and install one on each machine... each install would have its own license ...

    Oh the irony in that statement. Dude, why do you come here and ask us to verify licensing workarounds? I think everyone explained it to you pretty clearly why the licensing is set up the way it is https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29852

    Yet you seem hell bent on validation from us. I thought you said pfsense was working out really good for you[8-)] Yet here you are leeching free advice and trying to steal something that is given to you for free.
  • RE: #2, if you set up another router (Router #2) behind the UTM (Router #1), how do you enable devices to communicate with one another? For example, my Sophos UTM (Router #1) settings are shown below.  What should the Subnet and Gateway values be in Router #2 to ensure devices can connect to one another without adding to the Sophos UTM IP count?

    Router 1

    LAN IP 192.168.0.1

    Subnet 255.255.255.0

    Gateway 192.168.0.1

    DHCP Range 192.168.0.10-40

  • Say the subnet behind your wireless router is 192.168.2.0/24 and the wireless router has 192.168.0.254 in your UTM's internal network, you will want a Static Gateway route in the UTM like '192.168.2.0/24 -> 192.168.0.254'.

    Is that what you were looking for?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Say the subnet behind your wireless router is 192.168.2.0/24 and the wireless router has 192.168.0.254 in your UTM's internal network, you will want a Static Gateway route in the UTM like '192.168.1.0/24 -> 192.168.0.254'.

    Is that what you were looking for?

    Cheers - Bob

    Thanks Bob for your guidance.  Just double-checking. Would the static gateway route be:

    192.168.1.0/24 -> 192.168.0.254 OR 192.168.0.1/24 -> 192.168.0.254?

  • Can't quite get this to work.  The details:

    Sophos UTM 192.168.0.1 (/24)

    NM 255.255.255.0

    GW 192.168.0.1

    DHCP 192.168.0.10-40

     

    Wireless router

    LAN IP 192.168.0.90

    Subnet behind router 192.168.2.0/24

    NM 255.255.255.0

    GW 192.168.0.1

     

    Under Sophos UTM > Interfaces & Routing > Interfaces > Static Routing

    I've created a New Static Route as Gateway Route.

    Network: Internal (Network) (aka 192.168.0/24)

    Gateway: 192.168.0.90 (the LAN IP of Wireless Router)

  • Sorry, I had a typo that I corrected above.  You want 192.168.2.0/24 -> 192.168.0.254 and no other.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
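
An added example, not part of any post in this thread: a small Python check for the static gateway route discussed above, run against the candidate routes that appear in the thread and the addresses from the last poster's setup (UTM 192.168.0.1/24, router LAN IP 192.168.0.90, subnet behind the router 192.168.2.0/24). The function name and the problem labels are made up for illustration.

```python
import ipaddress

def check_static_route(utm_if, router_ip, routed_subnet, destination, gateway):
    """Return a list of problems with a static gateway route (empty list = OK).

    utm_if        -- the UTM's internal interface, e.g. "192.168.0.1/24"
    router_ip     -- the downstream router's address on that internal network
    routed_subnet -- the subnet that sits behind the downstream router
    destination   -- the "Network" field of the static route
    gateway       -- the "Gateway" field of the static route
    """
    utm = ipaddress.ip_interface(utm_if)
    router = ipaddress.ip_address(router_ip)
    behind = ipaddress.ip_network(routed_subnet)
    gw = ipaddress.ip_address(gateway)
    try:
        # strict parsing: "192.168.0.1/24" is a host address, not a network
        dest = ipaddress.ip_network(destination)
    except ValueError:
        return ["destination-has-host-bits"]
    problems = []
    if dest.overlaps(utm.network):
        # the internal network is directly connected and needs no gateway route
        problems.append("destination-overlaps-connected-network")
    elif dest != behind:
        problems.append("destination-is-not-the-routed-subnet")
    if gw not in utm.network:
        problems.append("gateway-not-on-link")
    elif gw == utm.ip:
        problems.append("gateway-is-the-utm-itself")
    elif gw != router:
        problems.append("gateway-is-not-the-router")
    return problems

# Addresses taken from the thread; the (destination, gateway) pairs are the
# routes that were proposed or configured in the posts above.
UTM_IF, ROUTER_IP, BEHIND = "192.168.0.1/24", "192.168.0.90", "192.168.2.0/24"
CANDIDATES = [
    ("192.168.0.0/24", "192.168.0.90"),   # "Internal (Network)" as destination
    ("192.168.0.1/24", "192.168.0.90"),   # host address written with a /24
    ("192.168.1.0/24", "192.168.0.90"),   # subnet that is not behind the router
    ("192.168.2.0/24", "192.168.0.90"),   # subnet behind the router
]

def evaluate():
    """Map each candidate route to its list of problems."""
    return {c: check_static_route(UTM_IF, ROUTER_IP, BEHIND, *c) for c in CANDIDATES}

if __name__ == "__main__":
    for (dest, gw), problems in evaluate().items():
        print(f"{dest} -> {gw}: {'OK' if not problems else ', '.join(problems)}")
```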