
Combine Sophos UTM 9.1 (Free Edition) Firewall with Mikrotik Router at the Perimeter of Private Network

Hi all:

I have implemented a Mikrotik RB2011 series router/firewall that works great with the exception that I have realized the Mikrotik firewall is very lacking compared to the UTM firewall that was on the old Fortinet router/firewall.  I'm thinking of taking a mini PC and installing UTM 9 software firewall on it.  Then using that UTM 9 software firewall computer/device between my Internet connection and my Mikrotik router/firewall which serves DHCP, performs NAS, queuing, etc. (all the stuff the Mikrotik does well).

Have any of you ever attempted such a configuration to combine UTM with a Mikrotik device before?  Should I turn the firewall in the Mikrotik completely off and just use it as the router (dhcp server, qos, etc.) and let the Sophos UTM software firewall do its thing as the sole perimeter firewall? In summary, separate out the firewall from the router.  Which is how we do things on the big complex telecom networks.

In addition to the base needs of a firewall which I'm sure this Sophos software firewall can do well, the reason I want to use the Sophos is to block remote access applications (Teamviewer primarily; it's a threat to my network).  Please don't say that this remote access software policing is a policy issue. For certain reasons, I can't control every computer in our work space.  But I don't want Teamviewer to work behind my firewall on my network (even on my guest network, I don't want remote access software to work).  On the old Fortinet, blocking Teamviewer and a range of applications was a 10 minute configuration task.

I can block websites OK on the Mikrotik router, but even Mikrotik themselves don't seem to have a clue how to block the Teamviewer app (it's been a question on their forum going back probably 10 years without a valid answer.  Amazing).  I've seen the most nonsense I've seen on a topic with regards to trying to get the Mikrotik firewall to successfully block the Teamviewer app. Most of the people on the Mikrotik community board have no idea about proper security. They are just interested in getting retail Internet to as many downstream clients as possible.

If someone who has some knowledge of pairing the Sophos UTM firewall with a standard router appliance at the perimeter of the network could help, it would be appreciated.  Specifically, could they guide me on how I can set up the Sophos software firewall to block Teamviewer?  Also, how would I do the NAT for my internal applications?  Just do NAT on the Sophos software firewall and turn off the NAT on the Mikrotik?

Thanks for your help and time.  Appreciated.

  • I do exactly this, a Mikrotik Hex performing routing and all outbound traffic sent to a Sophos UTM on a /30 subnet, which connects to a PPP DSL link. NAT is done only on the UTM, most firewall rules are set up there too, and I have a couple of VPNs set up there as well. There are a couple of motivations behind doing it this way. In no particular order: I like the way Mikrotik does routing and find it very fast and flexible to set up, e.g. with VLANs; the Home version comes with a 50 IP address restriction and I'm pretty close to falling foul of that, so I have also set up some firewall rules on the Mikrotik e.g. to stop outbound traffic from CCTV cameras; the VPN tunnels were a little resource intensive on the Hex, so I needed to find another solution anyway, and instead of running a standalone VPN server, why not terminate these directly on the UTM; it also adds a layer of protection, which means I can make significant changes to the Mikrotik config without exposing my network to the outside world accidentally.

    One thought, which I haven't tested, which may also work for the internal network if you have enough spare NICs on your box, is to also put the UTM inline/transparently bridged on one of the internal network legs; this could also provide additional application control if you wanted? You'd obviously need 4 NICs minimum: 1x WAN, 1x /30 to the Mikrotik, 2x bridged. Not sure how well this plays with the UTM but I have done something similar in a previous job with Sonicwall units.
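    The Mikrotik side of the layout described in the post above (routing on the Mikrotik, a /30 transit link to the UTM, NAT only on the UTM, and a local filter rule that keeps the CCTV cameras from initiating outbound traffic) as an added RouterOS configuration example. This is not the poster's configuration and not from the thread; the interface names (ether1, bridge-lan, vlan30-cctv), the transit subnet 10.0.0.0/30 (UTM = .1, Mikrotik = .2) and the internal subnets 192.168.10.0/24 and 192.168.30.0/24 are constructed placeholders.

```routeros
# Added example, not from the thread. Interface names and addresses are
# constructed placeholders; adjust them to your own layout.

# CCTV cameras live in their own VLAN on the LAN bridge.
/interface vlan
add name=vlan30-cctv vlan-id=30 interface=bridge-lan

/ip address
add address=10.0.0.2/30 interface=ether1 comment="transit /30 to UTM (UTM is 10.0.0.1)"
add address=192.168.10.1/24 interface=bridge-lan comment="LAN"
add address=192.168.30.1/24 interface=vlan30-cctv comment="CCTV"

# Everything Internet-bound is handed to the UTM, which is the only NAT point.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="default via UTM"

# Deliberately no /ip firewall nat rules here: with no masquerade on the
# Mikrotik, the UTM sees the real internal source addresses in its rules
# and logs.

/ip firewall filter
# Let replies flow without re-evaluating every packet.
add chain=forward connection-state=established,related action=accept
# Cameras may be reached from the LAN but may not start anything towards
# the transit link (and so never reach the UTM or count against its IP limit).
add chain=forward src-address=192.168.30.0/24 out-interface=ether1 action=drop \
    comment="CCTV: no outbound to UTM/Internet"
# Keep the router's own management plane reachable from the LAN only.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=bridge-lan action=accept comment="mgmt from LAN"
add chain=input in-interface=ether1 action=drop comment="no mgmt from transit side"
```

    For this to route both ways, the UTM needs a static route back to the internal networks (here 192.168.10.0/24 and 192.168.30.0/24) via 10.0.0.2, and its own masquerade rule from those networks to the WAN interface; that part is done in the UTM's WebAdmin rather than on the Mikrotik.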

  • Tere Muswellbrook and welcome to the UTM Community!

    I didn't follow your bridge idea, but you will want to be certain that you don't run afoul of #3.1 in Rulz.  Having both a bridged and un-bridged NIC in the same Ethernet segment may cause problems.  Please let us know what happened if you try this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Tere Muswellbrook and welcome to the UTM Community!

    I didn't follow your bridge idea, but you will want to be certain that you don't run afoul of #3.1 in Rulz.  Having both a bridged and un-bridged NIC in the same Ethernet segment may cause problems.  Please let us know what happened if you try this.

    Cheers - Bob

     

    Thanks, useful link to the Rulz! I think the bridge idea still works (not that I've done this here), the bridge and the standalone NICs would be on distinct segments. If I ever get round to doing this, I'll report back.