Sophos


ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
While I don't see the reasoning behind this either, if I understand your situation correctly, you need a new masquerading rule from lan1 to lan2.
 

HardChargin

Dabbler
Joined
Jul 19, 2015
Messages
49

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Is there a reason you are creating two different subnets?

I was, more or less, going to say the same thing as HardChargin. I understand you have 40 statically assigned IP's, but do you have need for more than 50? Unless you have tons of VMs taking up all the IPs, what is it that has you needing more than 50?
The number of IPs I have, or what they're assigned to, isn't relevant... I was asking a very simple question, specifically stating what I did and did not want to do. If I've stated twice I need two subnets, please take it at face value that I need two subnets and not question the reasoning - mainly because the reasoning simply isn't relevant to the question being asked.

While I appreciate we all have opinions and may have different ways of doing things, it doesn't help to reply to a simple question with a bunch of questions as to why the individual asked the question (especially when it was stated in each post why I was asking what I was asking).

I was able to solve the issue by unbinding eth2 (OpenWRT) from the Sophos eth1 - 3 bridge, which resulted in both subnets recognizing each other's IPs (as I had already previously configured the routing correctly).
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
While I don't either see the reasoning behind this, if I understand your situation correctly, you need a new masquerading rule from lan1 to lan2.
Please don't post in a thread regarding Sophos UTM with a statement of not understanding why an individual would not wish to have their main DHCP server on Sophos UTM... if you are, it means you either don't use Sophos UTM or haven't researched it or if you do, you've missed the fact you can only have a max of 50 IPs assigned on the UTM appliance.... regardless, the reasoning has nothing to do with the original question I asked for help with.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
If you need 2 subnets that's fine. You just need to figure out the proper routing between those 2 networks. From your explanation, it wasn't clear exactly how it was configured, but I took a stab at it from your description. If my diagram is correct, you will need to create routes on your OpenWRT. I think the devices on your 192.168.100.0/26 network should have a default route to 192.168.100.1 (the internal OpenWRT interface) and your OpenWRT default route should be 192.168.1.2 (the external interface). And Sophos needs a route for 192.168.100.0/26 which should point to 192.168.1.2/25.

[Attached diagram: upload_2015-10-7_21-0-5.png]
 
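The route layout depasseg describes above, walked hop by hop as an added example (this is not code from the thread or from Sophos/OpenWRT). It uses the addresses the thread gives (OpenWRT on 192.168.1.2 and 192.168.100.1, second subnet 192.168.100.0/26) and assumes the rest for illustration: Sophos internal address 192.168.1.1, Sophos LAN 192.168.1.0/25, an upstream gateway 203.0.113.1, and sample hosts .20 and .10. The flag in build_tables toggles the one static route the thread is about, so you can see what happens to traffic for the /26 when Sophos does not have it.

```python
"""Walk a packet hop by hop through the two-router layout depasseg sketched,
using longest-prefix-match lookups, to show which route each box needs.

Added example, not code from the thread. Values the thread gives: OpenWRT owns
192.168.1.2 (external) and 192.168.100.1 (internal); the second subnet is
192.168.100.0/26. Assumed for illustration: the Sophos internal address is
192.168.1.1, the Sophos LAN is 192.168.1.0/25, the upstream gateway is
203.0.113.1 (documentation range), and sample hosts are .20 and .10."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, Optional[str]]  # (prefix, next hop); next hop None = directly connected

# Which node owns which addresses, so a next hop can be resolved to the node it reaches.
OWNERS: Dict[str, List[str]] = {
    "host-lan1": ["192.168.1.20"],                  # assumed client on the Sophos LAN
    "sophos":    ["192.168.1.1"],                   # assumed Sophos internal address
    "openwrt":   ["192.168.1.2", "192.168.100.1"],  # from depasseg's description
    "host-lan2": ["192.168.100.10"],                # assumed client behind OpenWRT
}


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


def build_tables(sophos_has_lan2_route: bool) -> Dict[str, List[Route]]:
    """Routing tables for every node. The flag toggles the one static route
    the thread is about: Sophos -> 192.168.100.0/26 via 192.168.1.2."""
    sophos: List[Route] = [(net("192.168.1.0/25"), None), (net("0.0.0.0/0"), "203.0.113.1")]
    if sophos_has_lan2_route:
        sophos.append((net("192.168.100.0/26"), "192.168.1.2"))
    return {
        "host-lan1": [(net("192.168.1.0/25"), None), (net("0.0.0.0/0"), "192.168.1.1")],
        "sophos": sophos,
        # OpenWRT: both subnets directly connected, default out the external side to Sophos.
        "openwrt": [(net("192.168.1.0/25"), None), (net("192.168.100.0/26"), None),
                    (net("0.0.0.0/0"), "192.168.1.1")],
        # Devices on the /26 default to the internal OpenWRT interface.
        "host-lan2": [(net("192.168.100.0/26"), None), (net("0.0.0.0/0"), "192.168.100.1")],
    }


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix covering dst wins."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def owner_of(addr: str) -> Optional[str]:
    return next((node for node, addrs in OWNERS.items() if addr in addrs), None)


def trace(tables: Dict[str, List[Route]], src: str, dst: str,
          max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow next hops from src until dst is on a directly connected prefix
    ("delivered"), the packet leaves the modelled topology, or no route exists."""
    dst_ip = ipaddress.ip_address(dst)
    path, node = [src], src
    for _ in range(max_hops):
        route = lookup(tables[node], dst_ip)
        if route is None:
            return path, "no route"
        _, next_hop = route
        if next_hop is None:
            return path, "delivered"
        nxt = owner_of(next_hop)
        if nxt is None:
            return path, f"forwarded off-topology via {next_hop}"
        path.append(nxt)
        node = nxt
    return path, "loop"


if __name__ == "__main__":
    with_route, without_route = build_tables(True), build_tables(False)
    print(trace(with_route, "host-lan1", "192.168.100.10"))     # crosses Sophos, then OpenWRT
    print(trace(with_route, "host-lan2", "192.168.1.20"))       # OpenWRT delivers directly
    print(trace(without_route, "host-lan1", "192.168.100.10"))  # Sophos sends it to the WAN
```

Without the Sophos static route, anything from the Sophos LAN (and any reply to a /26 host) for 192.168.100.0/26 follows the default route out the WAN side. The only way it works without that route is if OpenWRT masquerades the /26 behind 192.168.1.2, which is what the earlier masquerade suggestion amounts to, and that hides the /26 so hosts on the Sophos LAN can no longer initiate connections into it. The model is layer 3 only; the bridge membership problem discussed in the thread is a layer 2 issue it does not capture.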

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
If you need 2 subnets that's fine. You just need to figure out the proper routing between those 2 networks. From your explanation, is wasn't clear exactly how it was configured, but I took a stab at it from your description. If my diagram is correct, you will need to create routes on your OpenWRT. I think the devices on your 192.168.100.0/26 network should have a default route to 192.168.100.1 (the internal OpenWRT interface) and your OpenWRT default route should be 192.168.1.2 (the external interface). And Sophos needs a route for 192.168.100.0/26 which should point to 192.168.1.2/25.

Thanks =]

Maybe I should have better articulated what I wrote in the original post, as that's exactly how I have it set up :)- with a gateway route under Interfaces & Routing - Static Routes routing 192.168.100.0/26 to 192.168.1.2. Yours is a far better description :cool:

The issue was caused by Sophos eth2 [WRT1900] being a part of the eth1 - 3 bridge, and once I unbound eth2 from the bridge, everything immediately worked. Prior to posting, in a bit of trial and error, I had configured eth1 - 3 as a bridge after an interface route didn't allow the two subnets to communicate with one another; however, after switching it from an interface route to a gateway route, I didn't realize eth2 then needed unbinding. It occurred to me late this afternoon I should try unbinding it to rule it out as an issue, which showed it to be the issue =]
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Please don't post in a thread regarding Sophos UTM with a statement of not understanding why an individual would not wish to have their main DHCP server on Sophos UTM... if you are, it means you either don't use Sophos UTM or haven't researched it or if you do, you've missed the fact you can only have a max of 50 IPs assigned on the UTM appliance.... regardless, the reasoning has nothing to do with the original question I asked for help with.
"Reasoning" was referring to your need of having different subnets and not dhcp server on different machine. (While I was writing the reply, two other posts were made, the continuity was lost and I did not realize it because my reply was posted in a new page - so I understand your confusion.. )

P.S.: I do use Sophos and I do know about the limitation.. And my answer regarding masquerading was a reply to your original question. (Though, after looking at depasseg's diagram, it seems I had misunderstood your topology, so my answer was not going to solve your problem.)
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Does anyone have a dd-wrt WAP setup and working with Sophos? Mine works, but my 5GHz network is not showing up and I'm guessing I somehow messed up the config. I set it to AP mode and checked/unchecked a number of other settings. The 2.4GHz N network is working but the 5GHz ac is not showing up at all, I'm also not sure how to get access to the dd-wrt web interface after configuration as Sophos is handling the routing, DHCP, etc.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Does anyone have a dd-wrt WAP setup and working with Sophos? Mine works, but my 5GHz network is not showing up and I'm guessing I somehow messed up the config. I set it to AP mode and checked/unchecked a number of other settings. The 2.4GHz N network is working but the 5GHz ac is not showing up at all, I'm also not sure how to get access to the dd-wrt web interface after configuration as Sophos is handling the routing, DHCP, etc.

I use a Cisco AP and a Buffalo AP running openwrt.

For your AP, you assign it an IP address on your local subnet for administration purposes. This has nothing to do with dhcp or routing functions.
 

HardChargin

Dabbler
Joined
Jul 19, 2015
Messages
49
Does anyone have a dd-wrt WAP setup and working with Sophos? Mine works, but my 5GHz network is not showing up and I'm guessing I somehow messed up the config. I set it to AP mode and checked/unchecked a number of other settings. The 2.4GHz N network is working but the 5GHz ac is not showing up at all, I'm also not sure how to get access to the dd-wrt web interface after configuration as Sophos is handling the routing, DHCP, etc.
I am not using DD-WRT, but once I converted my router to AP Mode, and plugged a LAN port from the wireless router into my Sophos UTM LAN, Sophos DHCP issued my wireless router an IP from which I could access web management from my Sophos LAN. Later I created a Network Definition in Sophos for my wireless router, added its MAC address along with the IP I wanted assigned to it (MAC reservation).

Regarding your 5GHz network dropping, it sounds like a DD-WRT setting, software, or wireless router hardware failure as you stated. I'd take a look at all the obvious wireless settings once you gain web management access and take a look at the wireless radio settings as well. I've seen settings there cause WiFi to drop randomly.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Something is definitely weird. I don't think it's a hardware issue as the 5GHz band has worked fine; it only stopped working since I configured it differently to make room for the Sophos box. I had initially assigned it an IP, but when I went to change some things I realized it wasn't showing up and the IP I assigned was given to something else. After re-configuring I didn't assign it an IP at all, hoping the DHCP would give it one. It appears that it did not, as it isn't showing up in the Sophos IP table. It's pretty screwy and annoying that I keep having to reset to default config and connect via cable to get access.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Something is definitely weird. I don't think it's a hardware issue as the 5GHz band has worked fine, it only stopped working since I configured it differently to make room for the Sophos box. I had initially assigned it an IP, but when I went to change some things I realized it wasn't showing up and the IP I assigned was given to something else. After re-configuring I didn't assign it an IP at all hoping the DHCP would give it one. It appears that it did not, as it isn't showing up in Sophos IP table. Its pretty screwy and annoying that I keep having to reset to default config and connect via cable to get access.
How do you have your router connected to Sophos, via WAN or a LAN port? If it was the LAN interface, and your WAN was configured for DHCP, unplug the router for 15 seconds, and prior to plugging it back in, switch the ethernet cable to WAN.

What's occurred is you've assigned whatever interface you have connected to Sophos with a static IP, however either an IP/Subnet Mask was mistyped, or Sophos wasn't configured first for the static IP and therefore doesn't recognize the previously assigned static IP. If you're confident you didn't mistype the IP/Subnet Mask, you can try powering off whatever device has been assigned the same IP via DHCP and see if Sophos routes traffic to DD-WRT. If that doesn't allow access, you'll need to hook the router directly to your device via ethernet, log in to the web interface, and change WAN to DHCP. Once you've applied the changes, unplug the router for 15 seconds prior to plugging it back into Sophos.
  • I'm still in the process of reading the manual, so I could have overlooked this, but my experience thus far with Sophos UTM has been devices connected directly via a LAN cable cannot be set with a static IP until you've selected the option under the current leases section and selected the button to add as a static IP. It didn't matter that I had already added my 3 devices as hosts with their static IP and MAC addresses saved under each host, Sophos would not honor the static IP I chose until after I selected the add the device as a static IP under the leases section. I could very well have been doing something wrong or overlooked something as I've read through the manual, so if I did, let me know =]
If you've already done all that, what router and version of DD-WRT are you running?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Thanks =]

Maybe I should have better articulated what I wrote in the original post, as that's exactly how I have it set up :)- with a gateway route under Interfaces & Routing - Static Routes routing 192.168.100.0/26 to 192.168.1.2. Yours is a far better description :cool:

The issue was caused by Sophos eth2 [WRT1900] being a part of the eth1 - 3 bridge, and once I unbound eth2 from the bridge, everything immediately worked. Prior to posting, in a bit of trial and error, I had configured eth1 - 3 as a bridge after an interface route didn't allow the two subnets to communicate with one another; however, after switching it from an interface route to a gateway route, I didn't realize eth2 then needed unbinding. It occurred to me late this afternoon I should try unbinding it to rule it out as an issue, which showed it to be the issue =]
I received my SSD drive and had to reinstall Sophos, and after some additional trial and error, I'm not all too sure what settings I changed that caused the issue I was experiencing. I do know eth2 being a part of the bridge was not the issue, as it's currently a part of the bridge and works fine.


Recommendations

Configuring Sophos for the First Time

To anyone setting up Sophos for the first time, I recommend going down the configuration categories in chronological order, ensuring everything you've configured up to that point works correctly, and then make a backup of the current configuration prior to moving on to the next category.
  • This ensures if you run into issues, you'll never go back further than one category if you choose to restore the prior saved configuration.
I also recommend configuring the Management section first, then after backing up, connecting your other router prior to starting Definitions and Users. (This is where I went wrong, as I configured most of the sections prior to hooking up my router.) If Sophos is part of a home network, and you have no concerns about outbound traffic from the LAN to WAN, ditch the fine grained default services granular rules and allow all traffic from LAN to pass to WAN.

SSL VPN
Also, if you choose to deploy an SSL VPN, Sophos uses OpenVPN and you can choose to install Sophos's SSL VPN connect application or utilize OpenVPN's directly from them (OpenVPN offers an x64 version, whereas Sophos does not; the Sophos application is simply the rebranded OpenVPN x86 application).

Also, since I couldn't find it anywhere online, the path to the openvpn folder on Sophos is /var/sec/chroot-openvpn/etc/openvpn

  • If you remove [not recommended] or add [recommended for better throughput] any configuration option from the openvpn.conf, you will need to modify the openvpn.conf-default file, as well as the default client conf as well.
  • There's a very clear warning within the terminal that states support won't be provided by Sophos if end users modify anything via cli unless instructed to do so by Sophos tech support... I assume this is for corporate customers purchasing Sophos HA/SA. There's very little an end user can do to customize the OpenVPN config from the WebAdmin, with the only way to do so via cli, which is a bit baffling.
  • You must utilize an actual CA on Sophos and cannot use an Intermediate CA (as I found out after an hour of trying to figure out why I couldn't connect to the SSL VPN :oops: ; doesn't apply if you're not importing a CA, self signed or otherwise).
    • Sophos utilizes a three factor authentication for the SSL VPN: SSL certs, user login, and TLS authentication via the common name of the SSL cert (each user is assigned certificates with their user name as the CN). The problem with an ICA generated VPN cert will be the cert will have the common name of the CA that signed the ICA and TLS authentication will fail.
Once you've verified the VPN functions properly on both the server and client, you must change the protocol from TCP to UDP. TCP is inefficient within an SSL VPN (google for an in depth explanation as to why) and should only be used for verifying everything is configured correctly and for troubleshooting if problems arise.

Xbox Live
If you have an Xbox, Xbox Live will not work unless 2 (if not 3) things are configured:
  1. Firewall Rules for the Xbox(es) host(s) [If all LAN traffic is not given access to WAN]
  2. DNAT rule for [assuming the Xbox is connected via a second managed router/AP behind Sophos]:
    • Any -> Xbox Live -> External WAN Network Destination: Xbox Hosts
      • Where Xbox Live is the group of Xbox Live ports needing port forwarding and Xbox Hosts being either a single Xbox host or a group consisting of multiple Xboxes (either physical units or interfaces - Xbox One's LAN and WiFi interfaces are two separate interfaces, meaning Xbox One's should have their own group consisting of two hosts, 1 for each interface)
  3. Application Control rule for Xbox Live:
    • Applications: Xbox Live & Xbox for Xbox Hosts
      • Where Xbox Live & Xbox are applications selected from the Applications List
An Application Control rule must also be added to allow access to SMTP email, such as Gmail, and must mirror the outgoing SMTP port number (587 for Gmail).
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Yes, more than likely, their support folks will be doing the driving, when working from the CLI.

There's a very clear warning within the terminal that states support won't be provided by Sophos if end users modify anything via cli unless instructed to do so by Sophos tech support... I assume this is for corporate customers purchasing Sophos HA/SA.

While I have configured our UTM at work for SSL VPN (primarily for iPad), we also use the HTML5VPN. It's much easier to setup and for the desktop/laptop end-user to use.

The UTM also supports two-factor authentication. You could buy a compatible token or just use an authenticator app on a smartphone.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Yes, more than likely, their support folks will be doing the driving, when working from the CLI.

While I have configured our UTM at work for SSL VPN (primarily for iPad), we also use the HTML5VPN. It's much easier to setup and for the desktop/laptop end-user to use.

The UTM also supports two-factor authentication.
A VPN must be chosen based upon what it's going to be used for, as each type of VPN has its own pros and cons (assuming each is on equal footing in regards to security). Generally, SSL VPNs have lower latency and higher throughput than IPsec and HTML5 VPNs (regarding the latter, it comes from threads that are two years old), especially when configured correctly within the server and client config files (i.e. tun-mtu 60000 [possibly 48000], setting sndbuf and rcvbuf, as well as utilizing the fragment and mssfix options, sha512 vs sha256, etc.). I use my SSL VPN for CIFS shares, while IPsec VPNs are usually favored in the business setting due to their ease of implementation on endpoints. I plan on also configuring an HTML5 VPN and was curious what your experience has been with latency and throughput on HTML5 vs SSL.

As far as authentication goes, I prefer three factor for my personal SSL VPNs, ensuring even if someone gains access to the certificates and TLS key, they can't connect unless also knowing the password for the .p12 cert (although I prefer the way Sophos has implemented three factor with OpenVPN). One thing I'm not thrilled about is Sophos doesn't seem to natively offer the ability to run more than one OpenVPN server from the WebAdmin GUI, and while I'm going to try and add a second server to the config file, I'm not holding my breath. Granted, I run two OpenVPN servers on OpenWRT for the sole purpose of restricting one of the VPNs to the FreeNAS server only, dropping all other traffic to/from that VPN's subnet; Sophos offers far greater granular control over user access rights from within the same VPN server, which I believe [haven't had a chance to thoroughly read up on it yet] accomplishes the former.

You could buy a compatible token or just use an authenticator app on a smartphone.
I prefer utilizing self signed CAs, as the only reason to go with one signed by a third party paid service is to ensure users accessing a public server know with 100% certainty what they're accessing hasn't been tampered with... otherwise a self signed CA is not only far cheaper, it's just as secure. (This is from my point of view as a home user, and I suspect yourself, and others managing a business network, will prefer a third party signed CA/certs due to their advantages in a business environment)
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I use comodo positivessl certs for my sophos box as well as a few other projects I have. $9/year is hard to beat for a good SSL certificate
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I use comodo positivessl certs for my sophos box as well as a few other projects I have. $9/year is hard to beat for a good SSL certificate
That's a good deal =] SSL certs aren't inherently expensive, especially if you shop around (namecheap is almost always the cheapest, as I bought a 3 or 5 year cert for ~$30). All of my devices are utilized in a home network which is why I use self-signed CAs and certs; however if I was running a public facing server, a third party signed CA, and/or cert, would be preferable.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
SSL certificates are mainly "expensive" because of the externalities involved (identifying and validating) and the desire for profit. Issuing the certificates themselves is dirt cheap which is why places like StartSSL will issue free low-grade certificates, but will charge for validating you and your organization. Once validated, you can ask them to issue as many certificates as you like.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
SSL certificates are mainly "expensive" because of the externalities involved (identifying and validating) and the desire for profit. Issuing the certificates themselves is dirt cheap which is why places like StartSSL will issue free low-grade certificates, but will charge for validating you and your organization. Once validated, you can ask them to issue as many certificates as you like.
I wasn't aware of that =]

Do I have a correct understanding of the reasoning for self-signed vs third party issuer, in that unless you're running a public facing server, there's no point in buying a third party signed over self-signed?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I wasn't aware of that =]

Do I have a correct understanding of the reasoning for self-signed vs third party issuer, in that unless you're running a public facing server, there's no point in buying a third party signed over self-signed?

That's somewhat correct.

You can create a self-signed certificate or even set up a local root CA, which is what we do here, and then issue certs from that.

If you do a self-signed cert, each new client who connects has to "learn" your certificate, and on top of that, there is no good way to know for sure that there isn't a man-in-the-middle spoofing your certificate and decrypting your traffic. However, if you set up a service (let's say OwnCloud) with a self-signed certificate, then have your laptop connect to that service while on your own local network, it "learns" it over a relatively secure channel. You can then take your laptop to somewhere hostile and as long as the client continues to see the service offering that certificate, all is good.

Third-party signed certificates basically bootstrap around that issue, because clients usually have some preconfigured trust relationships ("root CA's"). But often those certs are issued for a limited time, like one or two years, which means a certain amount of busywork constantly keeping certs up to date and tracking when they expire.

A local root CA allows you to install a new root CA on clients under your control; for example, in our company network, we have lots of gear that is remotely managed, and it is important for that to be secured with SSL. However, having to go out and get new certs for hundreds of bits of gear on a yearly basis could be a full time job. We issue our own certificates for a period of five or ten years, and have the local root CA cert installed on all the company computers, laptops, etc. The downside to this is that it is no better than self-signed certificates for external users who do not have our root CA installed.

Also, it is commonly suspected that certain TLA's have extracted wildcard-for-everything certificates from at least one root CA, which means that they can tap in to SSL connections where the client doesn't bother to cache the remote server's certificate.
 
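The self-signed flow jgreco describes above (the client "learns" the certificate on the home LAN and then holds the service to it from hostile networks) is trust-on-first-use pinning. This added example, not code from the thread or from any of the products mentioned, makes that check explicit so a swapped certificate is rejected rather than silently accepted. The certificates are constructed byte strings standing in for the DER leaf certificate a real client would get from ssl.SSLSocket.getpeercert(binary_form=True); the hostnames and the PinStore/PinMismatch names are hypothetical.

```python
"""Trust-on-first-use certificate pinning: learn a service's certificate on the
home LAN, then hold the service to that exact certificate from anywhere else.
This is the "learns it over a relatively secure channel" flow jgreco describes,
made explicit so a swapped certificate is caught instead of silently accepted.

Added example, not code from the thread. Certificates are stand-ins here:
constructed byte strings play the role of the DER leaf certificate that
ssl.SSLSocket.getpeercert(binary_form=True) would return on a real connection."""
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional


class PinMismatch(Exception):
    """Presented certificate differs from the pinned one, or no pin exists and
    we are not on a network we trust enough to learn one."""


class PinStore:
    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    @staticmethod
    def fingerprint(der: bytes) -> str:
        # Pin the SHA-256 of the whole leaf certificate; a CA-signed and a
        # self-signed cert are treated identically, which is the point of TOFU.
        return hashlib.sha256(der).hexdigest()

    def check(self, host: str, der: bytes, trusted_network: bool = False) -> str:
        """Return "learned" or "matched"; raise PinMismatch otherwise.
        A pin is only ever created while trusted_network is True (e.g. at home)."""
        seen = self.fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            if not trusted_network:
                raise PinMismatch(f"{host}: no pin on file and not on a trusted network")
            self.pins[host] = seen
            self._save()
            return "learned"
        if pinned != seen:
            raise PinMismatch(f"{host}: certificate changed "
                              f"(pinned {pinned[:16]}..., saw {seen[:16]}...)")
        return "matched"

    def rotate(self, host: str, old_der: bytes, new_der: bytes) -> None:
        """Planned renewal: accept a new cert only while the old one still matches,
        so an expiring certificate can be replaced without a blind re-learn."""
        if self.pins.get(host) != self.fingerprint(old_der):
            raise PinMismatch(f"{host}: refusing rotation, old certificate does not match pin")
        self.pins[host] = self.fingerprint(new_der)
        self._save()


def demo() -> tuple:
    """Constructed scenario: learn at home, verify from a hostile network, then
    detect a man-in-the-middle presenting a different certificate."""
    owncloud_cert = b"-- constructed stand-in for owncloud.home's DER cert --"
    mitm_cert = b"-- constructed stand-in for an attacker's cert for the same name --"
    store = PinStore()  # in-memory; pass a Path to persist pins across runs
    first = store.check("owncloud.home", owncloud_cert, trusted_network=True)
    later = store.check("owncloud.home", owncloud_cert)  # same cert, untrusted network
    try:
        store.check("owncloud.home", mitm_cert)
        attack = "accepted"
    except PinMismatch:
        attack = "rejected"
    return first, later, attack


if __name__ == "__main__":
    print(demo())
```

On a real connection the call is store.check(host, tls_sock.getpeercert(binary_form=True)) right after the handshake, in addition to (not instead of) normal chain validation when a CA-signed certificate is in use. The cost is the one jgreco mentions for the CA-signed case too: every legitimate renewal changes the pin, which is why rotate() requires the old certificate to still match before accepting the new one rather than simply re-learning on the next mismatch.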