Sorry, I had a typo that I corrected above. You want 192.168.2.0/24 -> 192.168.0.254 and no other.
Cheers - Bob
I am regretting being so difficult. I am sorry.
Your question got me thinking about the "Internet of Things" (IoT for short). "Experts" are worried that the IoT is a huge security problem, because vendors either fail to design security into their products or because the products are too stripped-down to have room for security features. Either way, the end-user (often the homeowner) doesn't know until a breach occurs. One website infamously showed the security cameras from many homeowners' not-very-secure security systems. On another occasion, home cameras were used to create a DDoS attack against the DNS root servers. So protecting our appliances and our TVs from bad stuff is necessary, but is it possible?
I am guessing that most of these devices create https sessions back to the vendor(s). You cannot do https inspection because you cannot install a UTM CA certificate on the device, and you cannot see anything useful if you cannot do https inspection. TVs and other streaming media may not use https, but even the UTM configuration pages do not recommend filters on streaming media because it is likely to create performance problems.
For any of you homeowners who are hitting the 50-license limit, is it occurring because of IoT devices? If so, do you see any evidence that UTM is useful for protecting these devices?
If only a few devices are receiving value-added services from UTM, then the reasonable answer to your question would be to split the network. Use UTM to protect the devices that can benefit (PCs and tablets), and bypass it for the others. Putting UTM in bridge mode behind a residential-grade firewall should allow you to have one subnet and one external IP address. But because most home devices are wireless, you would probably need two WiFi networks on separate hardware.
If IoT is the next big threat to our networks, and we don't have a way to protect ourselves from sloppy vendors, what hope is there?
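The split-network design suggested above (PCs and tablets on a subnet the UTM protects, IoT devices on a second subnet that bypasses it) boils down to a zone policy that a stateful firewall enforces between the two subnets and the Internet. The following is an added example written for this thread, not code from the original posts or a Sophos UTM configuration. It models that policy in Python: 192.168.2.0/24 is taken from the routing discussion earlier in the thread as the protected LAN, while the IoT subnet (192.168.3.0/24), the zone names, the rule table and the sample flows are all assumptions constructed for the illustration.

```python
"""Zone-policy model of the split home network discussed in the thread.
Added example (not from the thread or from Sophos). Subnets, zones, rules
and sample flows are assumptions for illustration only."""
from ipaddress import ip_address, ip_network

# Assumed address plan: 192.168.2.0/24 (protected LAN, behind the UTM) and an
# invented 192.168.3.0/24 for IoT devices that bypass the UTM.
ZONES = {
    "lan": [ip_network("192.168.2.0/24")],   # PCs, tablets: pass through UTM
    "iot": [ip_network("192.168.3.0/24")],   # TVs, cameras, appliances: bypass UTM
}

# Zone-to-zone policy for the first packet of a flow. IoT may reach the
# Internet (so vendor cloud services keep working) but may never initiate a
# connection into the protected LAN; LAN may reach IoT to control the
# devices; nothing from the Internet may initiate a connection inward.
POLICY = {
    ("lan", "wan"): "allow",
    ("lan", "iot"): "allow",
    ("iot", "wan"): "allow",
    ("iot", "lan"): "deny",
    ("wan", "lan"): "deny",
    ("wan", "iot"): "deny",   # no unsolicited inbound to cameras etc.
}


def zone_of(addr):
    """Map an IP address to a zone; anything outside the local subnets is 'wan'."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "wan"


class FlowState:
    """Remembers flows allowed on their first packet so that reply traffic
    is admitted (the 'established' behaviour of a stateful firewall)."""

    def __init__(self):
        self.established = set()

    def decide(self, src, dst):
        key = (src, dst)
        if key in self.established or (dst, src) in self.established:
            return "allow"            # continuation of, or reply to, a permitted flow
        verdict = POLICY.get((zone_of(src), zone_of(dst)), "deny")
        if verdict == "allow":
            self.established.add(key)
        return verdict


# Constructed sample flows (not real traffic): (source, destination), in order.
SAMPLE_FLOWS = [
    ("192.168.2.10", "203.0.113.5"),    # tablet -> Internet
    ("192.168.3.20", "198.51.100.7"),   # TV -> vendor cloud
    ("198.51.100.7", "192.168.3.20"),   # vendor cloud replying to the TV
    ("192.168.3.20", "192.168.2.10"),   # TV probing the tablet: blocked
    ("192.168.2.10", "192.168.3.20"),   # tablet controlling the TV
    ("192.168.3.20", "192.168.2.10"),   # TV replying to the tablet: allowed
    ("203.0.113.9", "192.168.3.21"),    # Internet scanning the camera: blocked
]


def evaluate(flows=SAMPLE_FLOWS):
    """Run the flows through one stateful policy instance; return verdicts."""
    state = FlowState()
    return [(src, dst, state.decide(src, dst)) for src, dst in flows]


if __name__ == "__main__":
    for src, dst, verdict in evaluate():
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The fourth and sixth flows are the same IoT-to-LAN pair; only the sixth is allowed, because by then the tablet has opened a connection to the TV and the reply rides on that state. Without the state table an IoT device could never answer the PC that controls it, which is why a plain packet filter between the two subnets is not enough.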
If your problem is just the 50-IP limit, then you could change to XG firewall instead of UTM. In XG there's no limit on the number of IPs (but instead there's a limit on memory and, I believe, processor cores).
Trying to use all kinds of "tricks" to circumvent the IP limit brings you into a grey area of what is and is not allowed. Having a different routed subnet behind your UTM will probably not help you, since these IPs all travel through the UTM when they need to access the UTM's internal network. Only preventing some devices from using a default gateway or using double NAT will help in achieving this, but I think it's better to either buy a license or switch to another product (like, e.g., XG).
Yes I do think having a real next-gen firewall in a home environment adds to the overall security of at least your own devices and data (and privacy), but it's not something for every home (not everyone will be able to manage it).
Having said this, security is not only implemented by having firewall technology; it should be something that is "by design", starting with the end-user: the end-user should check upfront whether any new devices they are preparing to acquire are secure and/or have a record of fixing security holes when found, and not walk into a store to blindly buy the first internet-connected device they see which has an attractive price.
Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and feeling good about helping others with their IT security challenges.
I am wondering what will happen when somebody calls a manufacturer support line to say,
"I think my laundry appliances have malware! My firewall indicates abnormally high traffic volumes coming from those devices and going to an unexpected country."
I doubt that it will be an easy conversation...