Sophos UTM is doing NAT + Firewall ? or just Firewall ?

Hi to all,

I use a standard device which does NAT. If I replace this device with Sophos UTM Home Ed., do I still have the NAT function?

Does Sophos UTM integrate the NAT function and the firewall? Is it mandatory to keep the NAT function behind the WAN?

I'm currently testing it and it seems to offer both functionalities by default, but I would like to be sure.

Many thanks. 

  • My ZTE ZXV10 too has no port forwarding (DNAT) enabled by default. It had no HTTP proxy and I am not arguing about NAT proxy.

  • Hi Louis,

    Most of the more modern home routers and those touted for small business have a stateful packet inspection function; some even offer anti-x subscriptions, but I would suspect very few home users are aware of or even understand them.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    To use those address ranges you will need a NAT (MASQ on the UTM) for outgoing traffic on both networks. I don't understand your fixation with a NAT. You do not require a NAT if your ISP provides you with real IP address ranges?

    This setup appears to be overly complex for a home user. The UTM will not load-share across those networks without some extra hardware. You will need to check the UTM compatibility list for your 4G device; otherwise you will need another router to provide the 4G access.

    What advantages do you see in having the AP in the DMZ? Won't the local users require access to the secure network of the AP to access the local printers?

    Not sure how many NASs you will have, but you will need to create a DNAT for the incoming traffic to your DMZ, a different DNAT for each device.

    You will need firewall rules to allow the traffic to flow.

    The NTP and DNS proxy functions in the UTM provide security for your local devices, so that the UTM is seen as the only DNS and NTP interface, and that is more secure than your local devices. More security because the devices do not need to talk to the internet: fewer avenues of attack.

    If you are not going to use any of the security features of the UTM, you might as well install a cheap router which will provide you with a NAT, a DMZ and port forwarding, 4G failover and an AP, but no real security.

    Ian

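
Added illustration, not from the thread and not Sophos UTM configuration: the three building blocks Ian describes (outbound masquerading for both internal networks, one DNAT per exposed DMZ service, and explicit firewall rules for the forwarded traffic) written as a Linux nftables ruleset so their relationship is visible in one place. The interface names, address ranges and the DMZ NAS address are constructed for the example; the UTM provides the same pieces through its Masquerading and NAT (DNAT) rules and its firewall rules in WebAdmin rather than in this syntax.

```nft
#!/usr/sbin/nft -f
# Constructed example: single public IP on the WAN, a trusted LAN and a DMZ.
flush ruleset

define WAN     = eth0              # ISP-facing interface (bridged modem)
define LAN     = eth1              # trusted network
define DMZ     = eth2              # exposed services
define LAN_NET = 192.168.10.0/24   # constructed
define DMZ_NET = 192.168.20.0/24   # constructed
define FTP_NAS = 192.168.20.10     # constructed DMZ NAS address

table inet filter {
    chain forward {
        # Default drop: NAT alone never decides what is allowed, these rules do.
        type filter hook forward priority 0; policy drop;

        # Stateful inspection: replies to connections we permitted come back.
        ct state established,related accept
        ct state invalid drop

        # LAN may initiate towards the internet and towards the DMZ
        # (LAN-started transfers to the DMZ NAS work; the DMZ cannot start
        # connections into the LAN because no rule below allows DMZ -> LAN).
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $DMZ accept

        # DMZ may reach the internet only.
        iifname $DMZ oifname $WAN accept

        # Internet -> DMZ: only traffic that matched the DNAT rule, to the
        # one service that was published, nothing else.
        iifname $WAN oifname $DMZ ip daddr $FTP_NAS tcp dport 21 ct status dnat accept

        # Everything else, including DMZ -> LAN, is counted, logged and dropped.
        counter log prefix "fwd-drop " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # DNAT: one rule per exposed device/service, as Ian describes.
        iifname $WAN tcp dport 21 dnat to $FTP_NAS
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Masquerading (MASQ) for both internal networks behind the single WAN IP.
        oifname $WAN ip saddr { $LAN_NET, $DMZ_NET } masquerade
    }
}
```

The DNAT rule only does anything useful together with the matching accept in the forward chain; a translation without the firewall rule is dropped by the default policy, and a firewall rule without the translation never sees the traffic. The drop policy is also what separates this from the "DMZ" of a cheap router, which typically forwards every port to one host and filters nothing. An FTP server in passive mode would additionally need its data-port range published; the example leaves that out.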

  • Hi,


    I don't have a fixation on NAT, I just want to be sure to understand :)

    I don't want to use a DMZ function from a cheap router; it's not a true DMZ and the security level is not correct for me.


    My ISP doesn't provide me an IP address range; it's not a service offered to home users. I can only have one IP address per ISP: one IP for ADSL, one for FTTH, one for LTE 4G.


    About 4G or ADSL, these connections use the modem supplied by the ISP. I will set up all devices as bridges, so each connection to the UTM comes with the WAN Ethernet IP, so I think that the UTM can manage it properly like this?


    For the back-end, you suggest using NAT+Firewall on the UTM; for the front-end, same setup?


    The AP in the DMZ is just to have an internet connection completely isolated from the LAN; another advantage can be to manage devices in the DMZ.

    There is no need to use devices in the LAN. Following the printing use case, it can be useful to move the printer from the LAN to the DMZ maybe, because it's not critical; it does not matter if it stays on the LAN side.


    Best Regards.

  • Hi,

    I still do not understand the use of the AP in the DMZ. If your users are not going to have access to the AP, then why provide it? It just becomes another security risk.

    What are your aims with having a DMZ? Do you plan to make the NAS accessible from the internet? If not, then you are wasting your time setting up a DMZ.

    Is the NAS in the DMZ the same NAS as on your LAN?

    You can build firewall rules that allow you to access the devices on the DMZ, but they cannot see your LAN. Moving the printer to the DMZ does not make sense unless your users will never need to access the printer.

    Ian


  • Why use 2 Sophos UTMs like in this drawing? Also, by doing this your LAN possibly uses double NAT (or you may choose to route between DMZ and LAN).

    You can simply achieve what you want using only 1 Sophos UTM with 5 network interfaces (3 WAN, 1 DMZ, 1 LAN).

    I don't want to offend you, but the questions you are asking are really basic networking; if you struggle with that, then the UTM might be a bit too much to configure and maintain. If you do need functions like the UTM supports, then prepare for a steep learning curve.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I planned to use 2 Sophos because I was thinking that my LAN was more secure/protected like this, but if you confirm to me that it has no benefits and that it gives the same security level (with an easier setup), I will use only one UTM.
    Can it have a bandwidth impact with 1 Sophos UTM managing the flow between LAN and DMZ?

    I have the opportunity to recover a Sophos SG230 with Flex Port; do you think that it can be enough to manage a 1 GbE ISP bandwidth connection?

    There is no offense in saying that my questions are really basic; I was here to learn more, I'm OK with that and I will follow all your recommendations.

  • The AP in the DMZ is only here to provide a Wi-Fi connection to the internet (with tablet and laptop) and also to give access to DMZ resources if necessary, but the AP will not have access to the LAN.

    I have multiple NAS: one in the DMZ, three on my LAN. The one in the DMZ will be accessed from the Internet only; it offers FTP services.

    I would like to make transfers from the NAS in the DMZ to the NAS in the LAN and in reverse; can it be possible?

    If I put the printer on the DMZ, can LAN users use it, and other users from the AP too (if I add the firewall rules of course)? I figure that it can be better to put the printer in the DMZ to serve all users from AP or LAN.

    Please take a look just above; I answered and asked some other questions.

  • Hi TheDark,

    At this stage I would suggest you investigate the performance of the UTM product range before going any further with your requests.

    That will give you an idea about how your requirements can be provided/met.

    I also suggest you do some reading on firewall security. Depending on where you are getting the old SG from, you might ask them for some guidance/training, because you will need a reasonable amount of UTM knowledge to achieve what you want.

    Ian


  • It doesn't answer my previous questions... thanks anyway :(

    I hope that apijnappels can help me.