Sophos UTM in front of Unifi USG

I have been running a full Unifi setup at home for some time. This comprised a Unifi USG --> Unifi Switch --> Unifi WAPs. As much as I like the Unifi setup, I felt it was let down by its intrusion detection and prevention capabilities. I trialled pfSense and Sophos UTM as a WAN-facing firewall, both free options, and finally settled on the Sophos UTM. The final configuration looks like this: WAN --> Sophos UTM --> Unifi USG --> Unifi Switch --> Unifi WAPs etc. Simple enough, however with this setup my LAN is double NAT'd, something I didn't want. The instructions below show how I overcame the issue: the Unifi gear continues to work as intended (subnets, VLANs, firewall etc.) but NAT is disabled on the USG. The Sophos UTM can then see the real source IP of every device on my LAN, so I can fine-tune firewall rules and make the most of its more powerful security features.

Unifi USG

Let's start with the Unifi USG. The web controller doesn't allow us to disable NAT, however it can be done through the CLI or by using a config.gateway.json file.

  1. The below needs to be added to the JSON file. The file needs to be called config.gateway.json and saved in the controller's site folder: Ubiquiti UniFi\data\sites\<sitename> (the folder is named after the site ID, not the site's display name). Rule 5999 is numbered below the controller's own masquerade rules (6001 onwards) so it is evaluated first, and eth2 is the USG's WAN2 port (see step 2). If you have more than one LAN subnet, add one rule per subnet.

    {
      "service": {
        "nat": {
          "rule": {
            "5999": {
              "exclude": "''",
              "outbound-interface": "eth2",
              "type": "masquerade",
              "source": {
                "address": "192.168.1.0/24"
              }
            }
          }
        }
      }
    }

  2. For my setup I decided to connect WAN2 on the USG to the UTM. The reason is that if anything happens in the future I can re-enable WAN1, which would bypass the Sophos UTM. I needed to create another subnet between the USG and the UTM; for this I used 192.168.100.0/30. The USG WAN2 port has the IP 192.168.100.1 and the Sophos UTM LAN port has the IP 192.168.100.2.

WAN2 Firewall Rule. We need to create a firewall rule so that the WAN IN ruleset on the USG accepts traffic arriving from the UTM.

For this I created a rule positioned 'after predefined rules':
Type - WAN IN
Action - Accept
IPv4 Protocol - All
Source - IP address - 192.168.100.2 (the UTM LAN port)
Destination - Address/Port Group - ALL Internal SUBNETs (create an address group containing all your LAN subnets)
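Editing config.gateway.json by hand is fragile: a single curly quote pasted in from a word processor is enough for the controller to reject the file as invalid JSON, and with several VLAN subnets you need one exclude rule each. The following is an added Python example, not part of the original post or of Ubiquiti's tooling, that generates the NAT-exclude rules for a list of LAN subnets and validates the result before you copy it to the site folder. It assumes eth2 is the USG's WAN2 port and that the controller's own masquerade rules are numbered from 6001 upwards, so custom rules must use lower numbers.

```python
"""Build and sanity-check a UniFi config.gateway.json that stops the USG from
NATing LAN subnets out of WAN2 (eth2).

Added example, not from the original post.  Assumptions: eth2 is WAN2 on the
3-port USG, and UniFi's generated masquerade rules start at 6001, so custom
rules must sort below that to be evaluated first.
"""
import ipaddress
import json

CONTROLLER_RULE_START = 6001   # assumption: controller-generated NAT rules start here
WAN2_INTERFACE = "eth2"        # assumption: USG WAN2 port


def nat_exclude_rules(subnets, outbound_interface=WAN2_INTERFACE, first_rule=5990):
    """Return the EdgeOS 'rule' dict with one masquerade-exclude rule per subnet.

    The literal "''" for 'exclude' is how a valueless EdgeOS node is written in
    config.gateway.json; it must stay exactly like that.
    """
    rules = {}
    for offset, subnet in enumerate(subnets):
        net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits and typos
        if net.version != 4:
            raise ValueError(f"only IPv4 subnets are masqueraded by these rules: {subnet}")
        number = first_rule + offset
        if number >= CONTROLLER_RULE_START:
            raise ValueError(f"rule {number} would sort after the controller's own NAT rules")
        rules[str(number)] = {
            "exclude": "''",
            "outbound-interface": outbound_interface,
            "type": "masquerade",
            "source": {"address": str(net)},
        }
    return rules


def build_gateway_config(subnets, **kw):
    """Wrap the rules in the service/nat tree the USG expects."""
    return {"service": {"nat": {"rule": nat_exclude_rules(subnets, **kw)}}}


def render(config):
    """Serialise as strict, ASCII-only JSON so no typographic quote can sneak in."""
    text = json.dumps(config, indent=2, ensure_ascii=True)
    json.loads(text)  # round-trip: the controller only accepts strict JSON
    return text


def validate_file_text(text):
    """Check the body of an existing config.gateway.json before provisioning."""
    try:
        json.loads(text)
    except json.JSONDecodeError as e:
        return False, f"invalid JSON at line {e.lineno} col {e.colno}: {e.msg}"
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        return False, "contains typographic quotes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the post's LAN plus two more VLAN subnets.
    cfg = build_gateway_config(["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"])
    print(render(cfg))
```

Redirect the output into config.gateway.json in the site folder, then force-provision the USG as described at the end of this post. If you already have a config.gateway.json with other settings, merge the "nat" subtree into it rather than overwriting the file.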

The Rest of the Configuration is done on the Sophos UTM.

Sophos UTM

I won't explain how to install the UTM in this guide. This presumes you have it installed and running already.

  1. Let's create the Interfaces.

Interfaces & Routing > Interfaces

Create a new interface for our LAN port (connects to the USG WAN2 port)

Name - Interface-LAN
Type - Ethernet
Hardware - **whatever NIC you are using**
IPv4 address - 192.168.100.2
IPv4 Netmask - 255.255.255.252 (/30)

Create a second Interface

Name - Interface-WAN
Type - PPPoE (this is for my type of internet connection)
Hardware - **whatever NIC you are using**
IPv4 Default Gateway - YES

Next a static route needs to be created to point all the LAN subnets back to the USG.

Interfaces & Routing > Static Routes

Create a new Static Route

Route Type - Gateway Route
Network - Create a new network group which includes all your LAN subnets
Gateway - USG WAN2 port (192.168.100.1)

We need to allow the LAN Subnets to use the UTM as a DNS resolver.

Network Services > DNS

Allowed Networks - Add the group which contains all the LAN subnets.

Next we need to create some basic firewall rules; these can be fine-tuned later. The rule below allows everything in every direction, which effectively turns the firewall off. Use it only for troubleshooting/testing, and disable or delete it once your real rules are in place, otherwise the UTM adds no protection at all.

Network Protection > Firewall

New Rule
Position - Top
Sources - Any
Services - Any
Destination - Any
Action - Allow
Comment - Firewall OFF

Next we need to create the NAT rules. First create a Masquerading rule:

Network - Any **or, better, the group of all LAN subnets**
Interface - Interface-WAN

This should give a basic working setup. Plug all the cables in: Sophos UTM WAN to modem, Sophos UTM LAN to USG WAN2, USG LAN to switches etc.

To get the USG config to work I needed to do a Force Provision. The first time I did this all LAN devices weren't able to connect to the internet. A reboot of the USG fixed this.

Razer Blade 15 Mic Issues


Razer Blade 15 microphone isn't working or doesn't pick up any sound? Don't worry, it's a simple fix; follow the steps below. The Razer Blade 15 comes with a Realtek microphone installed near the camera in the bezel. The issue arises from the Realtek software that comes pre-installed on the Razer Blade 15.

Head to the Realtek Audio Console and open the microphone section.

Turning off Microphone Effects 'All Off' fixed the issue. The microphone started working correctly again.

Razer Blade Auto Brightness Issue


The Razer Blade 15, along with some other performance laptops, suffers from a strange issue: when going from a dark image to a light one the laptop decides to dim or brighten the screen.

The fix for this is to change "Enable adaptive brightness" to Off, for both On battery and Plugged in.

The setting is found in Control Panel > Power Options > Change advanced power settings > Display


Turn both options to Off.

If that doesn't work another option is to turn off "Display power saving technology".

This setting can be found in the Intel UHD Graphics Control Panel > Power


Change it for both "On Battery" and "Plugged In"

Sonos & Windows 10 Firewall


Recently I had been having issues with my Sonos controller talking to my local music library. Both are installed on the same machine, which is in VLAN 1, whereas my speakers are on VLAN 2. I was receiving errors such as Error 1002, unable to connect to..., can't find media etc.

I narrowed the issue down to Windows firewall blocking something even though I had already created "Allow" rules.

Turning off Windows Firewall fixed the issue and my Sonos speakers could stream my local media library. However I'm not happy turning off a firewall, so I started digging deeper.

I checked each individual firewall rule which had automatically been created when installing and running the Sonos controller on the PC.

Bingo - under the Scope tab I found that the Sonos Library and Sonos Controller firewall rules had a remote address restriction that only allowed connections from devices on the local subnet, blocking anything from a remote IP/subnet. Allowing all remote IPs or remote subnets fixed the issue, but rather than leaving it open like this I added my 'remote subnet', VLAN 2, to the list. This fixed my issue and kept the firewall rule relevant.


To add further security I changed the "remote IP/subnet address" from my whole VLAN 2 subnet to just the IP addresses of my Sonos speakers on VLAN 2. Now the only devices able to access my Sonos local library are the Sonos speakers.

Let's Encrypt and Wildcard Certs


Let's Encrypt now supports wildcard certificates.

What this means is that rather than having to list all your subdomains in the certificate, you can add *.mydomain.com. It also means that if you add another subdomain you won't have to apply for a new certificate. Two caveats: a wildcard only covers one label, so *.mydomain.com matches www.mydomain.com but not mydomain.com itself or a.b.mydomain.com (add the apex as a second name if you need it), and wildcard names can only be validated with the DNS-01 challenge, which is why the steps below use DNS.

So how does it work?

For this guide I will use LE64.exe, the Windows build of the Crypt::LE client. It's a command line app which fetches the cert for us; we just need to plug in some options to get what we need.

This setup presumes you have access to wherever your domain's DNS is hosted (your registrar or, as here, Cloudflare) and that you know how to add DNS records, in this case a TXT record.

1. Download LE64 from - https://github.com/do-know/Crypt-LE/releases

2. Extract the zip to a working directory, e.g. C:\LE64, and you should see le64.exe.

3. Create a bat file in the same folder, call it le64.bat

4. In the bat file we need to add the command below. Replace the email address and the domain with your own.

le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --export-pfx mypfxpassword --domains "*.mymedia.cf" --generate-missing --handle-as dns --api 2 --unlink

This command will create the account key, the CSR, the private key and the CRT, and export a PFX protected with the password given to --export-pfx (change mypfxpassword to your own). --api 2 selects the ACME v2 API, which is required for wildcards, and --handle-as dns selects the DNS-01 challenge.

Save the BAT file.

5. Run le64.bat. Without --live it talks to the Let's Encrypt staging environment, so this is a test run. A command window will open and after a few lines of text it will stop and ask you to add a DNS TXT record with your DNS provider to verify you own the domain name.


6. Head over to your DNS provider. For this guide I will be using Cloudflare. Log in and head to DNS or DNS records.


7. Add a TXT record named _acme-challenge.<yourdomain> with the text string from the command line window. It should look something like the below when entered.


8. You now have to wait a few minutes for the record to propagate across the internet. This can be up to 30 minutes or more in some cases.

To test the propagation, open a CMD prompt and enter the following:

nslookup -q=txt _acme-challenge.mymedia.cf

Press enter and if the propagation was successful it should return the TXT value you entered. If it fails to find it, wait a little longer and try again. If the TXT value doesn't match, re-enter it with your DNS provider. Appending a public resolver to the command (e.g. nslookup -q=txt _acme-challenge.mymedia.cf 1.1.1.1) avoids being misled by a stale answer cached by your local resolver.

9. If the TXT record matched, hit enter in the le64.bat window to continue fetching the certificates. You should now have FAKE Let's Encrypt certs; the reason they are fake is that this was a staging/test run. If all worked ok, repeat from step 4 above, adding --live to the end of the command in the BAT file, like below:

le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --export-pfx mypfxpassword --domains "*.mymedia.cf" --generate-missing --handle-as dns --api 2 --unlink --live

You will need to change the DNS TXT record as the value will be different this time. Once the above has completed and you have the certs, you can delete the TXT record at your DNS provider.
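Where the text string LE64 asks you to publish comes from, and a way of checking several public resolvers for it before you hit enter, as an added Python example that is not part of the original post or of Crypt::LE. The challenge value is derived as RFC 8555 specifies (key authorization, dns-01) using the RFC 7638 JWK thumbprint; the account key, token and resolver answers used in the sample are constructed, and the live check assumes an nslookup binary on the path.

```python
"""Derive the DNS-01 TXT value an ACME client asks you to publish, and check
that public resolvers have picked it up before telling the client to continue.

Added example, not from the original post or from Crypt::LE.  Follows
RFC 8555 §8.1 (key authorization) and §8.4 (dns-01) and RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import json
import subprocess


def b64url(data):
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members, lexicographically
    ordered, serialised with no whitespace (RSA uses e, kty, n)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, account_jwk):
    """TXT content for _acme-challenge.<domain>:
    base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain):
    """A wildcard *.example.com is validated at _acme-challenge.example.com."""
    host = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + host.rstrip(".")


def nslookup_txt(name, server):
    """Query one resolver with the same tool the post uses and pull out the
    quoted strings (best-effort parse of nslookup's text output)."""
    out = subprocess.run(["nslookup", "-q=txt", name, server],
                         capture_output=True, text=True).stdout
    return [line.split('"', 1)[1].rsplit('"', 1)[0] for line in out.splitlines() if '"' in line]


def propagated(name, expected, resolvers, lookup=nslookup_txt):
    """Return (all_ok, per-resolver report).  A resolver that still only serves
    an old value (e.g. the staging run's record) is reported as 'stale'."""
    report = {}
    for server in resolvers:
        values = lookup(name, server)
        report[server] = "ok" if expected in values else ("stale" if values else "missing")
    return all(v == "ok" for v in report.values()), report


if __name__ == "__main__":
    # Constructed sample key and token; real ones come from the ACME client.
    sample_key = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
    name = challenge_name("*.mymedia.cf")
    value = dns01_txt_value("tokenFromTheAcmeServer", sample_key)
    print(name, "TXT", value)
    print(propagated(name, value, ["1.1.1.1", "8.8.8.8"]))
```

The "stale" result is the one to watch for on the --live run: the staging record from the test run is still in DNS until you replace it, and a resolver that has cached it will happily return the old value while the authoritative servers already serve the new one.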

N.B.

Previously, with the DNS verification used above, come renewal time you would have to re-verify your DNS. However I have tested it with le64 and, as long as the CSR and CSR key are kept in the same folder and you renew your certificate with at least 30 days still left on it, you won't have to do the DNS verification again.