KISS, keep it simple stupid. An old saying I try to keep in mind when working on a solution. My home network hasn’t maintained this zen philosophy.
My most recent setup has been driven by a recent discovery that I can keep my Apple Airport’s built in Guest network, as long as I can connect the Airport’s to something that can pickup VLAN 1003, the VLAN Apple decided to isolate the users on the guest network so they wouldn’t be able to see file or print shares on the main network.
So I decided to build a firewall but the only hardware I had was a bit overkill and didn’t want to dedicate the whole thing to this one task. I started with a used Dell OptiPlex 745 micro tower. This little workhorse has a dual core Intel CPU chugging along at 1.8Ghz, it’s got the virtualization instructions and 64bit capable. The Dell came with a tiny hard drive and a few gig of ram, but I grabbed a spare SATA drive and purchased four sticks of 2GB RAM from an ebay seller. I also picked up an Intel gigabit NIC to compliment the onboard gigabit NIC.
The Dell runs VMware ESXi 5.5 with a free license. I’ve configured the VMware host with four networks.
- External network, connected to the vSwitch that uplinks to the Intel Gigabit NIC
- Internal network, connected to the vSwitch that uplinks to the onboard Gigabit NIC
- Guest network, connected to the same vSwitch that uplinks to the onboard Gigabit NIC, but is on VLAN 1003
- DMZ network, connected to a vSwitch that doesn’t connect to anything physical, I’ll use it for test/dev VMs I create on the host.
I signed up for a free account with Sophos, here so I could download their UTM software. They also provide a generous license for home users that will protect up to 50 IP addresses. It’s almost nearly fully functional and includes managed end point protection for up to ten Windows computers. If I really wanted to go nuts, I could buy some Astaro (now Sophos) wireless access points and have them fully managed from this server but I think the Airport Extremes will work just fine.
Sophos offers a prebuilt appliance you can download and just run out of the box, but I think they let their junior assistant’s intern build it. It has poor performing configuration choices… and really you’re just better off building it from scratch. The .ISO is pretty universal – it’ll handle installing on bare metal, virtual, or being installed on Astaro/Sophos hardware appliances.
So going on information from the forums and documentation:
- OS is based on SLES 11 64bit
- 1 CPU, 2 Core
- 4GB of RAM
- 60GB of Disk, using a SAS controller
- 4 x VMXNET3 vNICs – leave all but the internal vNIC disconnected (Intel E1000 vNICs work, too but will consume more resources than the VMXNET3 paravirtual vNICs)
- USB controller (for USB backups)
- Delete the floppy disk drive, serial, and parallel ports
Boot the VM from the .ISO, and go through a few basic questions. It’ll handle the disk partitioning, volume formatting, and even installs VMware Tools for you because it identifies itself as a VMware VM and goes that extra step. Once you do the install, you’ll have to browse to the server’s IP on port 4444. During this final setup you’ll be prompted to upload the license file Sophos sends you and answer a few questions about the preliminary firewall rules.
I would recommend checking all of the basic firewall rules – Email, DNS, Web, etc. This will make your start a little easier. Leave the rest of the monitoring, filtering, and all that disabled, it’s only going to get in the way.
Now comes the tricky part – matching the physical nics with the virtual networks and vNICs on the Sophos UTM virtual machine. Under Interfaces & Routing, click on Interfaces. You’ll see your Internal interface [UP]. Add a second interface, let’s start with the Guest network.
- Name: Guest
- Type: Ethernet Static
- Hardware: Pick one
- IPv4 Address: choose an IP for this interface and a net mask to set the size. This IP will be the gateway for everything on this network.
- No other settings need to be changed or enabled
Once you save the interface, you’ll see that it’s [down]. Edit your VM, and enable the vNIC connected to the Guest network. If the interface doesn’t go up, edit it and pick a different eth in the hardware menu. Once you hit it, follow through on the other networks until you have all four up and running.
Now, Sophos UTM comes out of the box ready to support an internal LAN and external WAN. Additional network will require some more configuration, read on.
DHCP and DNS needs to be configured for at least the Guest network. You can set it up for DMZ too, if you want. Navigate to Network Services, DNS. In the Global tab, click the folder icon and choose your Guest (Network) and DMZ (Network).
Then switch over to DHCP and click New DHCP Server, and add a new one for the Guest network. The gateway and DNS IP addresses will be the interface IPs you setup earlier, they end in .1.
While you’re here – switch to the NTP network service and allow Guest and DMZ to access the NTP server you’ll configure later.
The one setting that got me stuck was the NAT settings. Switch to Network Protection – NAT. You’ll notice a rule already set for Internal (Network) -> External.
Clone this rule and set it up for DMZ and Guest so they can also connect to the outside world.
Now that I had a functional firewall, I needed to get the Airport Extreme devices configured. I launched the Airport utility from my Mac (you can do the same from any iOS device) and configured the Airports for bridge mode and turned off the password on my Guest network – the UTM will handle authentication now. Everything else works fine – one of my AEs is a print server with two printers, and a Time Machine backup target with a 2TB USB disk attached… all work fine.
Pro tip: once the AE is in “bridged mode” ,
you lose the ability to use the WAN port for anything. Just use the LAN ports for connectivity back to the Sophos UTM or other Airport Extreme APs the WAN port becomes a LAN port in bridged mode (I had a different experience in previous firmwares, so something must have changed). If you use a switch – make sure it can forward VLAN tagged traffic, most SOHO switches will not. If you have multiple Airport Extreme APs, daisy chain the AE APs to ensure VLAN 1003 packets get delivered back to the Sophos UTM and hang the switch off of the other ports to provide more access ports to your internal devices.
Okay, this was the icing on the cake for this deployment. Now that I have my guest network isolated on a dedicated interface and VLAN, I can really do some neat stuff with Sophos UTM.
- In the Wireless Protection section visit Global Settings.
- Enable the Wireless Protection, then add the Guest interface to the allowed interfaces.
- Click Apply.
- Visit the Wireless Networks, Access Points, and clean out any auto-configured networks or access points.
- Then click on Hostspots. Enable the Hotspot feature.
- Switch to the Hotspots tab.
- Add a new one, call it Guest Portal or something easy to identify.
- Add the Guest interface to this hotspot and configure the rest of the options for your unique needs.
Tips: The Password of the Day will not be an easy password. It’ll be something like ogaleseh35 (that was yesterday’s password at my house). This password is good for the day.
You can opt for a Voucher system… which is really powerful. You can limit by time and or consumed bandwidth. I can see myself forcing my kids to use a guest network and only handing out vouchers when stuff is done around the house. You can delegate access to other people so they can log into a user portal on the Sophos UTM and print or PDF additional vouchers.
A few other features I turned on:
- Global IPS, I turned off the IPS for now on my internal network until I can isolate my dumb media devices (smart TVs, etc) and exclude them
- Endpoint Protection (free AV software) – sophos managed end point for Windows (OS X is free, but still not managed yet!)
- Uplink Monitoring – I won’t get emailed when it goes down (duh!) but I’ll get the down and up alert when the UTM can send email again.
- User Portal – for people to get VPN setup and vouchers for guest wifi
- NTP – accurate time isn’t an option any more.
Additional Firewall Rules
Sophos UTM is a true firewall. Nothing gets in or out with an explicit rule. This can be very challenging at home when you have a myriad of different devices. Most devices like Apple TV, Vizio TV apps, and the like catch a ride on port 80 or 443, so if you have web enabled, you’re good to go.
Additional rules are needed to allow stuff like MineCraft, Apple Push Notifications, AT&T Microcell, Mumble, Xbox Live, etc… be prepared to spend some time digging around knowledge bases or Googling to find the appropriate ports. Luckily, it’s real easy to build rules.
Tip: Use groups for rules that you may need to add different ports or services to a single rule. I made one called Games. Now when I run into another game (or service like Steam) that needs another port allowed out – I can create the Network Service, and just add it to the existing Games group.
I have a rule for Apple. Holy crap they have a lot going on. Most you don’t need to allow out or are handled by existing rules.
- iCloud DAV services, iChat, FaceTime, Game Center, yuck… Lots of UDP port ranges, but again these are only allowing these apps OUT – not random internet person reach into your network on these same ports. On the topic of Apple, when watching the firewall logs I forgot they have a Class A IP range… so it may be easiest just to create a Network rule and call it Apple’s Network… then you can use that in each rule for apple.
- Xbox Live has a list of UDP and TCP ports that need out, and a NAT rule to allow UDP/TCP 3074 back in
- AT&T’s Microcell needs to have https, ntp, and some IPSec traffic allowed out to femtocell.wireless.att.com and after watching it fail – another IP, 22.214.171.124, in AT&T’s IP range that wasn’t documented. Once that last IP was added to the rule, bam – solid 5 bars.
One last thing that can help your UTM perform better is to disable logging and reporting if you don’t need it. I turned off all the reports but after reviewing the rules – the logs can be retained for no less than 1 day. So I chose to disable logging. This caused a problem with troubleshooting the firewall – I couldn’t view the live log, it wasn’t being generated!
So I turn it on when I want to troubleshoot something, but I’ll leave it disabled. I’m not sure how the 5th amendment fits in to a firewall keeping logs of your internet traffic for a year… but if you don’t have to save all the data about your network activity – why flog your UTM’s storage when you don’t have to.
On the flip side, if somethings not working – almost every feature has a Live Log view so you can watch the blocked packets fly by. This is exceptionally helpful.