
Combine Sophos UTM 9.1 (Free Edition) Firewall with Mikrotik Router at the Perimeter of Private Network

Hi all:

I have implemented a Mikrotik RB2011 series router/firewall that works great with the exception that I have realized the Mikrotik firewall is very lacking compared to the UTM firewall that was on the old Fortinet router/firewall.  I'm thinking of taking a mini PC and installing UTM 9 software firewall on it.  Then using that UTM 9 software firewall computer/device between my Internet connection and my Mikrotik router/firewall which serves DHCP, performs NAS, queuing, etc. (all the stuff the Mikrotik does well).

Have any of you ever attempted such a configuration to combine UTM with a Mikrotik device before?  Should I turn the firewall in the Mikrotik completely off and just use it as the router (dhcp server, qos, etc.) and let the Sophos UTM software firewall do its thing as the sole perimeter firewall? In summary, separate out the firewall from the router.  Which is how we do things on the big complex telecom networks.

In addition to the base needs of a firewall which I'm sure this Sophos software firewall can do well, the reason I want to use the Sophos is to block remote access applications (Teamviewer primarily; it's a threat to my network).  Please don't say that policing this remote access software is a policy issue. For certain reasons, I can't control every computer in our work space.  But I don't want Teamviewer to work behind my firewall on my network (even on my guest network, I don't want remote access software to work).  On the old Fortinet, blocking Teamviewer and a range of applications was a 10 minute configuration task.

I can block websites OK on the Mikrotik router, but even Mikrotik themselves don't seem to have a clue how to block the Teamviewer app (it has been a question on their forum going back probably 10 years without a valid answer.  Amazing).  I've seen the most nonsense I've ever seen on a topic with regards to trying to get the Mikrotik firewall to successfully block the Teamviewer app. Most of the people on the Mikrotik community board have no idea about proper security. They are just interested in getting retail Internet to as many downstream clients as possible.

Input from someone that has some knowledge of pairing the Sophos UTM firewall with a standard router appliance at the perimeter of the network would be appreciated.  Specifically, could they guide me on how I can set up the Sophos software firewall to block Teamviewer?  Also, how would I do the NAT for my internal applications?  Just do NAT on the Sophos software firewall and turn off the NAT on the Mikrotik?

Thanks for your help and time.  Appreciated.



  • I do exactly this, a Mikrotik Hex performing routing and all outbound traffic sent to a Sophos UTM on a /30 subnet, which connects to a PPP DSL link. NAT is done only on the UTM, most firewall rules are setup there too, and I have a couple of VPNs setup there as well. There are a couple of motivations behind doing it this way. In no particular order: I like the way Mikrotik does routing and find it very fast and flexible to setup, e.g. with VLANs; the Home version comes with a 50 IP address restriction and I'm pretty close to falling foul of that, so I have also setup some firewall rules on the Mikrotik e.g. to stop outbound traffic from CCTV cameras; the VPN tunnels were a little resource intensive on the Hex, so I needed to find another solution anyway, and instead of running a standalone VPN server, why not terminate these directly on the UTM; it also adds a layer of protection, which means I can make significant changes to the Mikrotik config without exposing my network to the outside world accidentally.

    One thought, which I haven't tested, which may also work for the internal network if you have enough spare NICs on your box, is to also put the UTM inline/transparently bridged on one of the internal network legs; this could also provide additional application control if you wanted? You'd obviously need 4 NICs minimum, 1x WAN, 1x /30 to the Mikrotik, 2x bridged. Not sure how well this plays with the UTM but I have done something similar in a previous job with Sonicwall units.
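The layout in this reply (Mikrotik routes, UTM on a /30 transit link does all NAT) is easy to get subtly wrong: if a masquerade rule is left on the Mikrotik you end up with double NAT, which breaks the port forwards the original poster asks about, and if the default route does not point at the UTM's side of the /30 the UTM is simply bypassed. The following script is an added example, not code from either poster or from Sophos or Mikrotik. It parses a constructed RouterOS `/export`-style text (the addresses, interface names and rules in it are assumptions) and reports those three misconfigurations.

```python
"""Audit a RouterOS export for the 'router behind UTM' layout.

Assumed design: NAT lives only on the UTM, the Mikrotik reaches it over
a /30 transit link.  The audit reports:
  1. transit interface has no address or not a /30,
  2. default route gateway is not the other host of that /30,
  3. any srcnat rule on the Mikrotik (would double-NAT behind the UTM).
"""
import ipaddress
import re

# Constructed sample export (not from a real device). Interface names and
# addresses are assumptions; the masquerade rule is the mistake to catch.
SAMPLE_EXPORT = """\
/ip address
add address=192.0.2.2/30 interface=ether1 comment="transit to UTM"
add address=192.168.88.1/24 interface=bridge-lan
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
"""


def parse_export(text):
    """Return {menu_path: [ {key: value, ...}, ... ]} from export text.

    Only '/menu' headers and 'add ...' lines are handled; 'set' lines and
    comments are skipped, which is enough for this audit.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("add "):
            continue
        # key=value pairs; values may be quoted strings containing spaces
        pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[len("add "):])
        sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections


def audit(export_text, transit_iface):
    """Return a list of human-readable findings (empty list means clean)."""
    cfg = parse_export(export_text)
    findings = []

    transit = None
    for addr in cfg.get("/ip address", []):
        if addr.get("interface") == transit_iface:
            transit = ipaddress.ip_interface(addr["address"])
    if transit is None:
        findings.append(f"no address on transit interface {transit_iface}")
    elif transit.network.prefixlen != 30:
        findings.append(f"transit address {transit} is not a /30")

    default = [r for r in cfg.get("/ip route", [])
               if r.get("dst-address") == "0.0.0.0/0"]
    if not default:
        findings.append("no default route; traffic will not reach the UTM")
    elif transit is not None:
        gw = ipaddress.ip_address(default[0]["gateway"])
        # in a /30 the only other usable host is the UTM
        peers = set(transit.network.hosts()) - {transit.ip}
        if gw not in peers:
            findings.append(
                f"default gateway {gw} is not the UTM side of {transit.network}")

    for rule in cfg.get("/ip firewall nat", []):
        if rule.get("chain") == "srcnat" and \
                rule.get("action") in ("masquerade", "src-nat"):
            findings.append(
                "srcnat rule on Mikrotik: NAT would happen twice (UTM does NAT)")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, "ether1") or ["clean"]:
        print(f)
```

Run it against a real `/export` by reading the file into `audit()`; removing the masquerade line from the sample yields an empty list, which is the state the reply describes.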

  • First I have to admit that I don't have any experience with Mikrotik, but why would anyone like to manage 2 firewall/utm devices whereas it's also possible to just use 1? Managing 2 devices means having to keep 2 devices up-to-date and thus possibly more downtime. TCO increases when 2 devices have to be managed not to mention the extra hassle there might be when the 2 devices block something the other needs.

    IMHO choose either the Mikrotik OR the Sophos UTM. I'm sure Sophos UTM is more than capable of handling anything you need.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.


  • apijnappels said:

    First I have to admit that I don't have any experience with Mikrotik, but why would anyone like to manage 2 firewall/utm devices whereas it's also possible to just use 1? Managing 2 devices means having to keep 2 devices up-to-date and thus possibly more downtime. TCO increases when 2 devices have to be managed not to mention the extra hassle there might be when the 2 devices block something the other needs.

    IMHO choose either the Mikrotik OR the Sophos UTM. I'm sure Sophos UTM is more than capable of handling anything you need.


    The issue here is the 50 IP limit of the Home edition, a single box solution would mean dropping Sophos and using Mikrotik only; I feel the additional admin (which is minor: I haven't had to touch the UTM config much given it's a very simple setup in this context, 1 WAN and 1 LAN interface and a simple firewall ruleset; I admin a number of other Mikrotik boxes so am current with the solution) is outweighed by the security benefits (UTM clearly provides superior firewall protection, Mikrotik is primarily a router), plus e.g. better/easier VPN setup. (I also have a professional interest here). Using a Mikrotik device behind the firewall is a very effective way of managing the local network/IP count.