
Setup UTM with what Draytek would have called a Routed Subnet

I currently have a small block of IP addresses from Zen, 8 IPs (5 usable ones), and I use the Routed Subnet option on the DrayTek router, which works great: I just assign a real IP to my Linux VM and it gets traffic routed to it as expected.

I want to swap my DrayTek for a Sophos UTM (Home Edition). It's running on a board with 2 Ethernet ports, so one to go into the Openreach modem (PPPoE) and one for the LAN, into the LAN switch.

Can I set Sophos UTM up in a similar manner to the DrayTek router, with a routed subnet on the LAN side, or possibly over a tagged VLAN on the LAN side, as the servers are VMs and can be tagged in Hyper-V no issue?

Is this what is called Proxy ARP, after having read around a bit on the subject?

  • You should reconfigure your VMs to use private IP addresses. Then UTM is used to translate public IP+port to internal IP+port using NAT or WAF. Proxy ARP is a poor alternative and I don't think it fits UTM's design.

    WAF provides specialized filtering for HTTP(S) traffic hitting a web server. User Portal provides several options for secure remote access using one-time passwords with VPN or RDP. NAT and firewall are used to ensure that incoming traffic is only able to reach authorized ports on authorized IPs.

    Your router is probably not doing any content filtering, and may not be blocking unneeded ports. So UTM is a big win.

  • OK thanks guys, I will probably do this... though I may do it at the same time I migrate one of my servers. I basically have a UNIX server that does Postfix (Amavis) Edge for Exchange and hosts about 4 very small Apache websites, Mailman, BIND, SSH. The other is a Windows box with Exchange on it, but it only has open on its firewall the ports it needs, 80 and 443, from the outside world (only using Exchange for my family's personal emails because I always liked the web interface and ActiveSync for phones). The last server is the Hyper-V host, again with a firewall that drops pretty much everything from the net, and it is only public now because of the setup (the two VMs mentioned before have public IPs)... this can go back to private.

    So I will do this at some point when I have a bit of time to reconfigure everything... so when I reconfigure, I put all my usable IP addresses onto the WAN interface as Additional Addresses?

    If, say, I then basically have 2 servers: for the Windows box I really only need 80 and 443 passed through (for Exchange ActiveSync), but from the specific IP that mail.mydomain.com resolves to, on IP 88.96.xx.x1. Do I use web protection? I don't need SMTP as I will still use the UNIX box as the Edge Transport. Do I use web protection or SNAT, and if SNAT, where is that?

    Then my UNIX box: I'm going to need a few more services coming through... it is the DNS server for a few of my domains, I SSH to it, and obviously SMTP and ESMTP, HTTP (for Let's Encrypt) and HTTPS for Apache websites. Here I guess I need both Webserver Protection and some sort of SNAT on 88.96.xx.x2? It currently uses iptables to drop everything else. Oh, I also use Webmin on it...

    This is the hardware I got to install UTM on: http://www.mini-itx.com/~JBC313

    Thanks for the help guys :)
