
Combine Sophos UTM 9.1 (Free Edition) Firewall with Mikrotik Router at the Perimeter of Private Network

Hi all:

I have implemented a Mikrotik RB2011 series router/firewall that works great with the exception that I have realized the Mikrotik firewall is very lacking compared to the UTM firewall that was on the old Fortinet router/firewall.  I'm thinking of taking a mini PC and installing UTM 9 software firewall on it.  Then using that UTM 9 software firewall computer/device between my Internet connection and my Mikrotik router/firewall which serves DHCP, performs NAS, queuing, etc. (all the stuff the Mikrotik does well).

Have any of you ever attempted such a configuration to combine UTM with a Mikrotik device before?  Should I turn the firewall in the Mikrotik completely off and just use it as the router (dhcp server, qos, etc.) and let the Sophos UTM software firewall do its thing as the sole perimeter firewall? In summary, separate out the firewall from the router.  Which is how we do things on the big complex telecom networks.

In addition to the base needs of a firewall which I'm sure this Sophos software firewall can do well, the reason I want to use the Sophos is to block remote access applications (Teamviewer primarily; it's a threat to my network.  Please don't say that policing this remote access software is a policy issue. For certain reasons, I can't control every computer in our work space.  But I don't want Teamviewer to work behind my firewall on my network (even on my guest network, I don't want remote access software to work).  On the old Fortinet, blocking Teamviewer and a range of applications was a 10 minute configuration task.

I can block websites OK on the Mikrotik router, but even Mikrotik themselves don't seem to have a clue how to block the Teamviewer app (been a question on their forum for going back probably 10 years without a valid answer.  Amazing).  I've seen the most nonsense I've seen on a topic with regards to trying to get the Mikrotik firewall to successfully block the Teamviewer app. Most of the people on the Mikrotik community board have no idea about proper security. They are just interested in getting retail Internet to as many downstream clients as possible. 

If someone who has some knowledge of pairing the Sophos UTM firewall with a standard router appliance at the perimeter of the network could help, it would be appreciated.  Specifically, could they guide me on how I can set up the Sophos software firewall to block Teamviewer?  Also, how would I do the NAT for my internal applications?  Just do NAT on the Sophos software firewall and turn off the NAT on the Mikrotik?

Thanks for your help and time.  Appreciated.

  • Hi and welcome to the UTM Community!

    Normally, someone would have responded to your post already, but this forum works best with specific questions instead of a general request for help in design and implementation.  An unwritten rule here is "One topic per thread."  That makes it easier for people to find answers here without creating a new thread for a topic that's already been addressed.

    The free license for the UTM is the "Essential Firewall" and it doesn't include the capability to stop Teamviewer, so I'll assume that you're talking about the free home-use license.  In general, to avoid double-NAT, I would suggest completely replacing the Mikrotik with the UTM.  I would use the latest version of UTM, 9.506, instead of 9.1.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your reply. Understand your point about specific questions.  Usually those types of things (a = question to b = straightforward answer to question) I'm able to handle myself via either the documentation from the vendor or just reading the forum. I understand the forum format works best for that.  But sometimes, questions come up that have many factors. 

    Understand your point about double NAT.  Let's leave double NAT aside.  Can treat as a separate topic.  Note: I quite like the Mikrotik router/firewall and can understand why the routers/firewalls have become so popular.  The product flexibility, while having a simplicity about it, and the ability to manage and distribute traffic (the key feature) is exceptional.

    I'm a bit confused by your answer.  With regards to there being a version of the Sophos UTM that has the ability to block applications?  I guess they call it application layer filtering. 

    This is the Sophos 9.1 UTM (software UTM) product I'm seeing on the web site and trying to assess if it can do application blocking:  https://www.sophos.com/en-us/products/free-tools/sophos-utm-essential-firewall.aspx  (it says it's for business application on this page, so I'm confused if there is a home vs business version of 9.1.  It's not clear on this page at least.)

    I looked into UTM 9.5.  Looks like a full comprehensive security system but has the flexibility to be a software or hardware UTM (similar to the Fortinet hardware security devices that I'm familiar with).  UTM 9.5 at first glance is a lot of security capability, when all I want is the ability to monitor and then, if needed, block applications (both web apps and local apps) at the perimeter of the network. This UTM 9.5 App Control feature is what I'm looking for.  9.1 does not have this feature? https://vimeo.com/97575579  That's the first question for this post.

    The second question is would the App Control feature/functionality be available as a stand alone software product that I could deploy either on my own Linux hardware locally or via a Linux local VPS or cloud based Linux VPS? 

    Those are the two questions for this post.  Thanks.

  • The newest version of 9.1 is over 3.5 years old, so I have no idea what the status of App Ctrl was then.  I don't remember when it was re-designed.

    You should download the 9.506 software version: https://www.sophos.com/de-de/support/utm-downloads.aspx

    There may be another stand-alone AppCtrl tool, but there's no way to split anything off from or add to what's included with UTM - it's a stripped-down, hardened version of Suse Enterprise 11.

    Again, if this is for business use, the free Essential Firewall license does not include Application Control.

    Cheers - Bob

  • Thanks for the information on Sophos 9.506.  Appreciated.

    I've re-used the Fortinet (Fortigate) firewall in transparent mode (behind the Mikrotik router, which sits at the perimeter of the network). I quite like that Mikrotik with Fortigate in transparent mode configuration.  It works extremely well for anything on the physical LAN ports of the Fortigate. The only issue is that with the Fortigate in transparent mode, the Wifi LANs on the Fortinet and obviously the wifi LANs on the Mikrotik don't get the benefit of the app control on the Fortigate.  That's very frustrating, but it gets me 80% of the way.  Maybe I'm missing it (looked everywhere), but Fortigate doesn't even mention app control for the wifi radios in their documentation for the Fortigate in transparent mode. Big omission in my view (maybe someone has their own solution to handle the wifi LANs with the Fortigate in transparent mode for app control).

    I've decided it's time to get together a small form factor PC with a second NIC and a decent size SSD and test out the PfSense and Sophos software UTMs alongside the Mikrotik.  See if one of them can cover off my specific needs in terms of getting app control on all my physical LANs and Wifi LANs, as the Fortigate in transparent mode is falling short.

    Thanks for all the info.  I'll come back and add some notes over the next weeks/months to this thread.

  • I do exactly this: a Mikrotik Hex performing routing and all outbound traffic sent to a Sophos UTM on a /30 subnet, which connects to a PPP DSL link. NAT is done only on the UTM, most firewall rules are set up there too, and I have a couple of VPNs set up there as well. There are a couple of motivations behind doing it this way. In no particular order: I like the way Mikrotik does routing and find it very fast and flexible to set up, e.g. with VLANs; the Home version comes with a 50 IP address restriction and I'm pretty close to falling foul of that, so I have also set up some firewall rules on the Mikrotik, e.g. to stop outbound traffic from CCTV cameras; the VPN tunnels were a little resource intensive on the Hex, so I needed to find another solution anyway, and instead of running a standalone VPN server, why not terminate these directly on the UTM; it also adds a layer of protection, which means I can make significant changes to the Mikrotik config without accidentally exposing my network to the outside world.

    One thought, which I haven't tested, which may also work for the internal network if you have enough spare NICs on your box, is to also put the UTM inline/transparently bridged on one of the internal network legs; this could also provide additional application control if you wanted. You'd obviously need 4 NICs minimum: 1x WAN, 1x /30 to the Mikrotik, 2x bridged. Not sure how well this plays with the UTM, but I have done something similar in a previous job with Sonicwall units.

  • First I have to admit that I don't have any experience with Mikrotik, but why would anyone like to manage 2 firewall/utm devices whereas it's also possible to just use 1? Managing 2 devices means having to keep 2 devices up-to-date and thus possibly more downtime. TCO increases when 2 devices have to be managed not to mention the extra hassle there might be when the 2 devices block something the other needs.

    IMHO choose either the Mikrotik OR the Sophos UTM. I'm sure Sophos UTM is more than capable of handling anything you need.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Tere Muswellbrook and welcome to the UTM Community!

    I didn't follow your bridge idea, but you will want to be certain that you don't run afoul of #3.1 in Rulz.  Having both a bridged and un-bridged NIC in the same Ethernet segment may cause problems.  Please let us know what happened if you try this.

    Cheers - Bob

  • apijnappels said:

    First I have to admit that I don't have any experience with Mikrotik, but why would anyone like to manage 2 firewall/utm devices whereas it's also possible to just use 1? Managing 2 devices means having to keep 2 devices up-to-date and thus possibly more downtime. TCO increases when 2 devices have to be managed not to mention the extra hassle there might be when the 2 devices block something the other needs.

    IMHO choose either the Mikrotik OR the Sophos UTM. I'm sure Sophos UTM is more than capable of handling anything you need.

     

    The issue here is the 50 IP limit of the Home edition, a single box solution would mean dropping Sophos and using Mikrotik only; I feel the additional admin (which is minor: I haven't had to touch the UTM config much given it's a very simple setup in this context, 1 WAN and 1 LAN interface and a simple firewall ruleset; I admin a number of other Mikrotik boxes so am current with the solution) is outweighed by the security benefits (UTM clearly provides superior firewall protection, Mikrotik is primarily a router), plus e.g. better/easier VPN setup. (I also have a professional interest here). Using a Mikrotik device behind the firewall is a very effective way of managing the local network/IP count.

  • BAlfson said:

    Tere Muswellbrook and welcome to the UTM Community!

    I didn't follow your bridge idea, but you will want to be certain that you don't run afoul of #3.1 in Rulz.  Having both a bridged and un-bridged NIC in the same Ethernet segment may cause problems.  Please let us know what happened if you try this.

    Cheers - Bob

     

    Thanks, useful link to the Rulz! I think the bridge idea still works (not that I've done this here), the bridge and the standalone NICs would be on distinct segments. If I ever get round to doing this, I'll report back.