> If you don't use the Sophos box for DHCP, IP addresses aren't counted. FYI

@pirateghost Thanks. I'll keep that one in my back pocket.
> Is there a reason you are creating two different subnets?

The amount of IPs I have, or what they're assigned to, isn't relevant... I was asking a very simple question, specifically stating what I did and did not want to do. If I've stated twice that I need two subnets, please take it at face value that I need two subnets and don't question the reasoning, mainly because the reasoning simply isn't relevant to the question being asked.
I was, more or less, going to say the same thing as HardChargin. I understand you have 40 statically assigned IPs, but do you need more than 50? Unless you have tons of VMs taking up all the IPs, what is it that has you needing more than 50?
> While I don't see the reasoning behind this either, if I understand your situation correctly, you need a new masquerading rule from lan1 to lan2.

Please don't post in a thread regarding Sophos UTM with a statement of not understanding why an individual would not wish to have their main DHCP server on Sophos UTM... If you are, it means you either don't use Sophos UTM or haven't researched it, or, if you do, you've missed the fact that you can only have a max of 50 IPs assigned on the UTM appliance... Regardless, the reasoning has nothing to do with the original question I asked for help with.
> If you need 2 subnets that's fine. You just need to figure out the proper routing between those 2 networks. From your explanation, it wasn't clear exactly how it was configured, but I took a stab at it from your description. If my diagram is correct, you will need to create routes on your OpenWRT. I think the devices on your 192.168.100.0/26 network should have a default route to 192.168.100.1 (the internal OpenWRT interface) and your OpenWRT default route should be 192.168.1.2 (the external interface). And Sophos needs a route for 192.168.100.0/26 which should point to 192.168.1.2/25.

Thanks =]
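As an added example (not from the thread or from Sophos/OpenWRT documentation): a small longest-prefix-match model of the routing the quoted post describes, so the three tables can be sanity-checked before touching the boxes. Addresses taken from the thread are 192.168.100.0/26 behind the OpenWRT, the OpenWRT external interface 192.168.1.2, and the Sophos static route for 192.168.100.0/26 via 192.168.1.2. Everything else is assumed: the Sophos LAN address 192.168.1.1 (used as the OpenWRT default gateway, since a default route needs the neighbour's address, not the box's own), a /24 on that segment, a placeholder upstream hop, and the device labels host/openwrt/sophos/isp. The model also runs the two variants that come up later in the thread, the Sophos route missing and the route entered as an interface route instead of a gateway route, to show why only the gateway route delivers return traffic.

```python
"""Route-table model of a two-subnet layout: OpenWRT LAN behind a Sophos LAN."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: IPv4Network
    link: str                          # segment the packet is sent out on
    via: Optional[IPv4Address] = None  # None = on-link ("interface route")


@dataclass
class Device:
    name: str
    addrs: dict                        # link -> this device's address on that link
    routes: list = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match, the way a real forwarding table decides."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build(sophos_routes):
    """Constructed topology; only the Sophos table varies between scenarios."""
    host = Device("host", {"lan2": ip_address("192.168.100.10")}, [
        Route(ip_network("192.168.100.0/26"), "lan2"),
        Route(ip_network("0.0.0.0/0"), "lan2", ip_address("192.168.100.1")),
    ])
    openwrt = Device("openwrt", {"lan2": ip_address("192.168.100.1"),
                                 "lan": ip_address("192.168.1.2")}, [
        Route(ip_network("192.168.100.0/26"), "lan2"),
        Route(ip_network("192.168.1.0/24"), "lan"),              # assumed /24
        Route(ip_network("0.0.0.0/0"), "lan", ip_address("192.168.1.1")),  # assumed Sophos LAN IP
    ])
    sophos = Device("sophos", {"lan": ip_address("192.168.1.1"),
                               "wan": ip_address("203.0.113.2")}, sophos_routes)
    isp = Device("isp", {"wan": ip_address("203.0.113.1")})     # placeholder upstream
    return {d.name: d for d in (host, openwrt, sophos, isp)}


SOPHOS_BASE = [
    Route(ip_network("192.168.1.0/24"), "lan"),
    Route(ip_network("0.0.0.0/0"), "wan", ip_address("203.0.113.1")),
]
# Gateway route from the thread: 192.168.100.0/26 via 192.168.1.2.
GATEWAY_ROUTE = Route(ip_network("192.168.100.0/26"), "lan", ip_address("192.168.1.2"))
# Same prefix as an interface route: Sophos would ARP for 192.168.100.x on its own LAN.
INTERFACE_ROUTE = Route(ip_network("192.168.100.0/26"), "lan")


def trace(devices, start, dst, max_hops=8):
    """Follow one packet hop by hop; returns (outcome, path of device names)."""
    dst = ip_address(dst)
    cur, path = devices[start], [start]
    for _ in range(max_hops):
        if dst in cur.addrs.values():
            return "delivered", path
        if cur.name == "isp":
            # Anything RFC 1918 that reaches the ISP is simply gone.
            return ("leaked_to_wan" if dst.is_private else "forwarded_upstream"), path
        route = cur.lookup(dst)
        if route is None:
            return "no_route", path
        target = route.via or dst                 # gateway, or the host itself when on-link
        nxt = next((d for d in devices.values()
                    if d.addrs.get(route.link) == target), None)
        if nxt is None:                           # nobody answers ARP for target on that link
            return f"no_neighbor_{target}_on_{route.link}", path
        cur, path = nxt, path + [nxt.name]
    return "loop", path


def scenarios():
    """Forward path plus the three return-path variants worth checking."""
    with_gw = build(SOPHOS_BASE + [GATEWAY_ROUTE])
    without = build(SOPHOS_BASE)
    with_if = build(SOPHOS_BASE + [INTERFACE_ROUTE])
    return {
        "host_to_internet": trace(with_gw, "host", "8.8.8.8"),
        "return_with_gateway_route": trace(with_gw, "sophos", "192.168.100.10"),
        "return_without_route": trace(without, "sophos", "192.168.100.10"),
        "return_with_interface_route": trace(with_if, "sophos", "192.168.100.10"),
    }


if __name__ == "__main__":
    for name, (outcome, path) in scenarios().items():
        print(f"{name:30} {outcome:40} {' -> '.join(path)}")
```

The outbound path works even with the Sophos route missing (the OpenWRT default route handles that direction), which is why a broken setup looks like "pings go out but nothing comes back": the reply hits the Sophos default route and leaves via the WAN. The interface-route variant fails one hop earlier, because Sophos looks for the 192.168.100.x host directly on its own LAN segment and no device there owns that address.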
> Please don't post in a thread regarding Sophos UTM with a statement of not understanding why an individual would not wish to have their main DHCP server on Sophos UTM... If you are, it means you either don't use Sophos UTM or haven't researched it, or, if you do, you've missed the fact that you can only have a max of 50 IPs assigned on the UTM appliance... Regardless, the reasoning has nothing to do with the original question I asked for help with.

"Reasoning" was referring to your need for different subnets, not to having the DHCP server on a different machine. (While I was writing the reply, two other posts were made, the continuity was lost and I did not realize it because my reply was posted on a new page, so I understand your confusion.)
Does anyone have a dd-wrt WAP set up and working with Sophos? Mine works, but my 5GHz network is not showing up and I'm guessing I somehow messed up the config. I set it to AP mode and checked/unchecked a number of other settings. The 2.4GHz N network is working but the 5GHz ac is not showing up at all. I'm also not sure how to get access to the dd-wrt web interface after configuration, as Sophos is handling the routing, DHCP, etc.
> Does anyone have a dd-wrt WAP set up and working with Sophos? Mine works, but my 5GHz network is not showing up and I'm guessing I somehow messed up the config. I set it to AP mode and checked/unchecked a number of other settings. The 2.4GHz N network is working but the 5GHz ac is not showing up at all. I'm also not sure how to get access to the dd-wrt web interface after configuration, as Sophos is handling the routing, DHCP, etc.

I am not using DD-WRT, but once I converted my router to AP mode and plugged a LAN port from the wireless router into my Sophos UTM LAN, Sophos DHCP issued my wireless router an IP from which I could access web management from my Sophos LAN. Later I created a Network Definition in Sophos for my wireless router and added its MAC address along with the IP I wanted assigned to it (MAC reservation).
> Something is definitely weird. I don't think it's a hardware issue, as the 5GHz band has worked fine; it only stopped working since I configured it differently to make room for the Sophos box. I had initially assigned it an IP, but when I went to change some things I realized it wasn't showing up and the IP I assigned was given to something else. After reconfiguring I didn't assign it an IP at all, hoping DHCP would give it one. It appears that it did not, as it isn't showing up in the Sophos IP table. It's pretty screwy and annoying that I keep having to reset to the default config and connect via cable to get access.

How do you have your router connected to Sophos, via the WAN or a LAN port? If it was the LAN interface, and your WAN was configured for DHCP, unplug the router for 15 seconds and, prior to plugging it back in, switch the ethernet cable to WAN.
> Thanks =]

I received my SSD drive and had to reinstall Sophos, and after some additional trial and error, I'm not all too sure what settings I changed that caused the issue I was experiencing. I do know eth2 being a part of the bridge was not the issue, as it's currently a part of the bridge and works fine.
Maybe I should have better articulated what I wrote in the original post, as that's exactly how I have it set up :) - with a gateway route under Interfaces & Routing - Static Routes, routing 192.168.100.0/26 to 192.168.1.2. Yours is a far better description.
The issue was caused by Sophos eth2 [WRT1900] being a part of the eth1 - 3 bridge, and once I unbound eth2 from the bridge, everything immediately worked. Prior to posting, in a bit of trial and error, I had configured eth1 - 3 as a bridge after an interface route didn't allow the two subnets to communicate with one another; however, after switching it from an interface route to a gateway route, I didn't realize eth2 then needed unbinding. It occurred to me late this afternoon that I should try unbinding it to rule it out as an issue, which showed it to be the issue =]
There's a very clear warning within the terminal that states support won't be provided by Sophos if end users modify anything via the CLI unless instructed to do so by Sophos tech support... I assume this is for corporate customers purchasing Sophos HA/SA.
> Yes, more than likely, their support folks will be doing the driving when working from the CLI.

A VPN must be chosen based upon what it's going to be used for, as each type of VPN has its own pros and cons (assuming each is on equal footing in regards to security). Generally, SSL VPNs have lower latency and higher throughput than IPsec and HTML5 VPNs (regarding the latter, this comes from threads that are two years old), especially when configured correctly within the server and client config files (i.e. tun-mtu 60000 [possibly 48000], setting sndbuf and rcvbuf, as well as utilizing the fragment and mssfix options, sha512 vs sha256, etc.). I use my SSL VPN for CIFS shares, while IPsec VPNs are usually favored in the business setting due to their ease of implementation on endpoints. I plan on also configuring an HTML5 VPN and was curious what your experience has been with latency and throughput on HTML5 vs SSL.
While I have configured our UTM at work for SSL VPN (primarily for iPad), we also use the HTML5 VPN. It's much easier to set up and for the desktop/laptop end user to use.
The UTM also supports two-factor authentication.
> You could buy a compatible token or just use an authenticator app on a smartphone.

I prefer utilizing self-signed CAs, as the only reason to go with one signed by a third-party paid service is to ensure users accessing a public server know with 100% certainty that what they're accessing hasn't been tampered with... Otherwise a self-signed CA is not only far cheaper, it's just as secure. (This is from my point of view as a home user, and I suspect you, and others managing a business network, will prefer a third-party signed CA/certs due to their advantages in a business environment.)
> I use Comodo PositiveSSL certs for my Sophos box as well as a few other projects I have. $9/year is hard to beat for a good SSL certificate.

That's a good deal =] SSL certs aren't inherently expensive, especially if you shop around (Namecheap is almost always the cheapest, as I bought a 3 or 5 year cert for ~$30). All of my devices are utilized in a home network, which is why I use self-signed CAs and certs; however, if I was running a public-facing server, a third-party signed CA and/or cert would be preferable.
> SSL certificates are mainly "expensive" because of the externalities involved (identifying and validating) and the desire for profit. Issuing the certificates themselves is dirt cheap, which is why places like StartSSL will issue free low-grade certificates but will charge for validating you and your organization. Once validated, you can ask them to issue as many certificates as you like.

I wasn't aware of that =]
Do I have a correct understanding of the reasoning for self-signed vs third-party issuer, in that unless you're running a public-facing server, there's no point in buying a third-party signed cert over a self-signed one?
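As an added example for the self-signed CA discussion in the posts above (not code from the thread, from Sophos, or from any CA): a private root CA is built, a server certificate for the UTM is issued from it, and the same certificate is then checked the way a client would check it, with and without the private root as trust anchor. It drives the openssl command line from Python, so it assumes an openssl binary (1.1 or newer) on PATH; the CA name and the hostname utm.home.lan are made up for the demo. The point the thread is circling is visible in the three results: a client that has imported the private root gets the same chain and hostname checks a public CA would give it, while a client that has not (any device you do not administer) rejects the certificate outright.

```python
"""Private CA versus an untrusting client, driven through the openssl CLI."""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args, check=True):
    """Run one openssl subcommand; output is captured so the demo stays quiet."""
    return subprocess.run(["openssl", *map(str, args)],
                          capture_output=True, text=True, check=check)


def key_and_csr(workdir: Path, name: str, cn: str):
    """Fresh RSA-2048 key plus a CSR for the given common name."""
    key, csr = workdir / f"{name}.key", workdir / f"{name}.csr"
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", f"/CN={cn}", "-keyout", key, "-out", csr)
    return key, csr


def make_ca(workdir: Path, cn: str = "Home Lab Root CA"):
    """Self-signed root with explicit CA extensions (needed for chain building)."""
    key, csr = key_and_csr(workdir, "ca", cn)
    ext = workdir / "ca.ext"
    ext.write_text("basicConstraints=critical,CA:TRUE\n"
                   "keyUsage=critical,keyCertSign,cRLSign\n"
                   "subjectKeyIdentifier=hash\n")
    crt = workdir / "ca.crt"
    openssl("x509", "-req", "-in", csr, "-signkey", key, "-days", "3650",
            "-sha256", "-extfile", ext, "-out", crt)
    return key, crt


def issue_server_cert(workdir: Path, ca_key: Path, ca_crt: Path, hostname: str):
    """Leaf certificate for the appliance; the SAN is what clients match on."""
    key, csr = key_and_csr(workdir, hostname, hostname)
    ext = workdir / f"{hostname}.ext"
    ext.write_text("basicConstraints=CA:FALSE\n"
                   "keyUsage=critical,digitalSignature,keyEncipherment\n"
                   "extendedKeyUsage=serverAuth\n"
                   f"subjectAltName=DNS:{hostname}\n")
    crt = workdir / f"{hostname}.crt"
    openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-days", "825", "-sha256", "-extfile", ext, "-out", crt)
    return key, crt


def client_accepts(cert: Path, hostname: str, trusted_ca: Path = None) -> bool:
    """Emulate a TLS client: chain to a trust anchor and match the hostname.

    With trusted_ca=None only the system store is consulted; it does not hold
    our private root, which is exactly a client nobody installed ca.crt on.
    """
    args = ["verify", "-verify_hostname", hostname]
    if trusted_ca is not None:
        args += ["-CAfile", trusted_ca]
    return openssl(*args, cert, check=False).returncode == 0


def demo() -> dict:
    """Three outcomes a home-lab operator should expect from a private CA."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        ca_key, ca_crt = make_ca(work)
        _, srv_crt = issue_server_cert(work, ca_key, ca_crt, "utm.home.lan")
        return {
            # Client that imported ca.crt: full chain + hostname validation passes.
            "trusted_ca_right_host": client_accepts(srv_crt, "utm.home.lan", ca_crt),
            # Same client, certificate presented under another name: rejected.
            "trusted_ca_wrong_host": client_accepts(srv_crt, "other.home.lan", ca_crt),
            # Client without our anchor, i.e. anyone on the public Internet.
            "untrusted_client": client_accepts(srv_crt, "utm.home.lan"),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} {'accepted' if ok else 'rejected'}")
```

Two operational caveats follow from the third result: the private root is only "just as secure" if ca.crt actually reaches every client that will talk to the UTM and ca.key never leaves the machine that signs, since whoever holds that key can mint a certificate for any name those clients will accept.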