Sophos

Status
Not open for further replies.

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
I had the live log open when trying to connect, and nothing shows up except a few unrelated things from another device. As I said before, I had this working previously, so I wouldn't be surprised if it had nothing to do with the firewall. I thought it might be because my Plex Server was out of date, but I updated it last night and it's still not working.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
I also have web filtering turned off, so that is not causing the issue. I'm beginning to think it may have something to do with my settings in FreeNAS as the server is run in a jail. Possibly some network settings got messed up which is causing the issue, but I don't know enough about that stuff to know where to begin. Everything works locally, but remote access is impossible. It worked before and now it doesn't. Just like the VPN I had set up. It worked and then it didn't and no settings were ever changed that could have caused the issues.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
What version of Sophos are you running? Are you able to isolate the things you may have changed since the last time it worked, both FreeNAS, Sophos, any other network stuff? Also, to rule out the Sophos system, just pop in a normal router and see what happens and open up a DMZ if you must. This would tell you with certainty if Sophos was the culprit.

Just a thought.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
I would like to ask a question here, because I honestly hate the new Sophos forum...
If anyone can help I would be happy (not really important, though)
So here it goes:
My WAN nic is connected to an ADSL router (bridged mode)
I read that you can go to Interfaces and add an additional address in order to be able to access the modem. Has anyone done this?
Asking because I tried giving an additional address but I see no place to bind it with my ADSL router. No matter what address I enter, it is always up and active and the network can ping it normally.
Makes sense since I guess it creates a virtual address, but how to bind that to the ADSL router, in order to access its interface?
EDIT: OK, till now I was trying to access the additional address using http. I gave it a try using https and it redirected to the VPN user portal...lol...
Something is wrong there... or simply what I want can't be done...
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I didn't have to do anything in order to access my cable modem page. It's a completely different subnet than any of the rest of my network and all I have to do is punch in the IP
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
I suspect that cable modems are not set up as PPPoE, right?
Well I guess I will have to look into my ADSL router again, because when I initially set it up as bridge, I never dealt with it again.
Thanks a lot for the reply, @pirateghost !
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
My cable modem IP address is 192.168.100.1 and is a Surfboard model which works great. I never had to set up Sophos to specifically access the cable modem.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Oh, well... I guess I will have to find some time this weekend to dig that router out of the entertainment center, plug it directly into my laptop and see what the heck I have done with its network settings when I initially set up my Sophos box.
Pro tip: Don't install your whole firewall/router mechanism while having your kids jumping all over you...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
My cable modem IP address is 192.168.100.1

That's actually not quite right. Your cable modem doesn't actually have an address that is accessible to you in the usual sense, they're usually set up as bridges. But the firmware still monitors for that magic IP address and pulls it out of the stream and forwards it over to a virtual interface. That's why you can reach 192.168.100.1 even though the network and netmask on your internal network does not cover 192.168.100.1.

I didn't have to do anything in order to access my cable modem page. It's a completely different subnet than any of the rest of my network and all I have to do is punch in the IP

Right. Same thing as above, most likely.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Has anyone had any luck setting up an ssh multi-hop through Sophos UTM with PuTTY? I can't figure out why the de facto way of configuring a multihop in PuTTY does not work on Sophos.
  • Normally, all one needs to do is set up a remote ssh profile for the WAN facing router, make a copy of the local ssh profile for a device behind the router, and add the appropriate plink command under Connection - Proxy [local] - Telnet Command:
    • plink -v -load SSH.Sophos.Remote -nc %host:%port
When opening the multihop local profile, the event log shows PuTTY hasn't gotten past what version it claims:

2016-04-16 19:43:36 Looking up host "192.168.1.6"
2016-04-16 19:43:36 Starting local proxy command: plink -v -load SSH.Sophos.Remote -nc 192.168.1.6:22
2016-04-16 19:43:36 We claim version: SSH-2.0-PuTTY_Release_0.67
  • Even more baffling, I can issue the plink command above in a PowerShell terminal and have it connect successfully to Sophos; however, wonkiness occurs when attempting to create a second tunnel to 192.168.1.6
Code:
PS C:\windows\system32> plink -v -l root -i D:\Path\To\SSHkeys\Sophos.ppk -P 22 my.ddns..com -nc 192.168.1.6:22
Looking up host "my.ddns..com"
Connecting to xxx.xxx.xxx.xxx port 22
We claim version: SSH-2.0-PuTTY_Release_0.67
Server version: SSH-2.0-OpenSSH_6.2
We believe remote version has SSH-2 channel request bug
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 xx:xx:xx:xx...
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading private key file "D:\Path\To\SSHkeys\Sophos.ppk"
Using username "root".
Offered public key
Offer of public key accepted
Authenticating with public key "Sophos UTM"
Passphrase for key "Sophos UTM":
Sent public key signature
Access granted
Opening connection to 192.168.1.6:22 for main channel
Opened main channel
SSH-2.0-dropbear_2015.71
  Oƒx║╬╒(╕┤├≤ë╜*    mcurve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au   ssh-rsa   aes128-ctr,aes256-ctr   aes128-ctr,aes256-ctr   hmac-sha1,hmac-md5   hmac-sha1,hmac-md5   none   none             ┐Äê║TP
  • Additionally, I can use JuiceSSH on my Nexus 6 to multi-hop through Sophos
PuTTY Manual 3.8.3.14
 
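The raw bytes after the dropbear banner in the pasted output are the inner host's SSH_MSG_KEXINIT, which is what plink -nc hands back to the local PuTTY. As an added example (not code from the post or from PuTTY), this parses a KEXINIT payload per RFC 4253 and flags legacy algorithms; the payload is constructed from the algorithm lists visible in the post, and the cookie bytes and the small WEAK table are assumptions.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in the order RFC 4253 section 7.1 defines them.
KEXINIT_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

# Assumption: a minimal table of algorithms worth flagging on a hop you do not administer.
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit DH group",
    "hmac-md5": "MD5-based MAC",
    "hmac-sha1": "SHA-1-based MAC",
}

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from {field: comma-separated names}; cookie is a placeholder."""
    body = b"\x14" + cookie  # message id 20 followed by the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        value = lists.get(field, "").encode("ascii")
        body += struct.pack(">I", len(value)) + value  # RFC 4251 name-list: uint32 length + bytes
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows = false, reserved = 0

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, lists = 17, {}  # skip message id and cookie
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        lists[field] = payload[off:off + n].decode("ascii").split(",") if n else []
        off += n
    return lists

def weak_offers(lists):
    """Return (field, algorithm, reason) for each legacy algorithm the peer offers."""
    return [(f, a, WEAK[a]) for f in KEXINIT_FIELDS for a in lists[f] if a in WEAK]

# Constructed from the dropbear_2015.71 algorithm lists shown in the plink output above.
DROPBEAR_KEXINIT = build_kexinit({
    "kex": "curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,"
           "diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au",
    "host_key": "ssh-rsa",
    "enc_c2s": "aes128-ctr,aes256-ctr", "enc_s2c": "aes128-ctr,aes256-ctr",
    "mac_c2s": "hmac-sha1,hmac-md5", "mac_s2c": "hmac-sha1,hmac-md5",
    "comp_c2s": "none", "comp_s2c": "none",
})

if __name__ == "__main__":
    for field, alg, why in weak_offers(parse_kexinit(DROPBEAR_KEXINIT)):
        print(f"{field}: {alg} ({why})")
```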

mattyams

Cadet
Joined
Apr 20, 2016
Messages
2
First post! Sophos (SG 125 UTM9) and Meraki user checking in! Glad to see others use Sophos as well. Haven't heard much about Meraki though.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
Damn, and I was just kidding but maybe I'll check this out. It's always nice to get new toys and to learn something new.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Yes, because what we really need is a device that becomes worthless after 3 years if you don't renew the licensing. :-(
That's exactly why I've moved away from Meraki and really started liking Ubiquiti.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Yes, because what we really need is a device that becomes worthless after 3 years if you don't renew the licensing. :-(
I agree, but there has been movement by the *wrt teams on getting wrt loaded on Meraki devices. I am hopeful. But the switch will still function after licensing is up, it just becomes a dumb switch. At least that's what they told us in the Meraki webinar.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I have used DD-WRT for a long time, I still have a pair of DD-WRT's and one, up until my ESXi setup, was hosting my second WAN IP address. The other one is configured as an emergency backup for my main LAN setup just in case my Sophos takes a crap while I'm on travel. DD-WRT is pretty good in my book. I have never tried Open-WRT.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I have used DD-WRT for a long time, I still have a pair of DD-WRT's and one, up until my ESXi setup, was hosting my second WAN IP address. The other one is configured as an emergency backup for my main LAN setup just in case my Sophos takes a crap while I'm on travel. DD-WRT is pretty good in my book. I have never tried Open-WRT.
DD-WRT isn't bad, but OpenWRT is much better if OpenWRT is available for your router. While DD-WRT is customizable to a point, it will never be to the extent that OpenWRT is, as OpenWRT provides hundreds and hundreds of packages that can be searched for and installed, either via cli or the Web Management GUI. Once one tries OpenWRT, they'll almost immediately see the major differences and benefits it has over DD-WRT.

I use OpenWRT on my WRT1900ac and WRT1200ac, with DD-WRT running on my R6300 v1 (unfortunately, while the R6300 v2 has OpenWRT support, the v1 does not). I prefer to build my own OpenWRT images, as you can build all the packages you want into the image (as well as ensuring all your /etc/config files are customized to your environment, as well as any other files, scripts, configs, or certs you want in the image), versus having to manually install them if you utilize the stable or trunk images (trunk is currently on kernel 4.4.7 or 4.4.8 [one can also utilize kernel 4.1.x], with CC stable utilizing 3.2 something IIRC). If you do choose to try OpenWRT, ensure you have a USB-TTL cable in case you brick and need to perform a TFTP flash.
 