Sophos UTM infront of Unifi USG

I have been running a Full Unifi setup at home for some time. This comprised of a Unifi USG --> Unifi Switch --> Unifi WAPs. As much as I like the Unifi setup I felt like it was let down by its Intrusion Detection and Prevention capabilities. I trialled pfsense and Sophos UTM as a WAN facing Firewall both free options. I finally settling on the Sophos UTM. The final configuration looks like this WAN  Sophos UTM  Unifi USG  Unifi Switch  Unifi WAPs etc. Simple enough however with this setup my LAN is double NAT’d, something I didn’t want. The instructions below shows how I over came the issue that allowed my Unifi gear to continue to work as intended, Subnets, VLANs, firewall etc, however the disabling the NAT on the USG. The Sophos UTM can see all the devices on my LAN, I can fine tune firewall rules and also make the most of more powerful security features.

Unifi USG Lets Start with the Unifi USG. The Web controller doesn’t allow us to disable NAT, however it can be done through the SLI or by using a json file.

  1. The below needs to be added to the json file. The file needs to be called config.gateway.json and it needs to be saved to the Controllers folder Ubiquiti UniFi\data\sites*sitename*

    { "service": { "nat": { "rule": { "5999": { "exclude": "''", "outbound-interface": "eth2", "type": "masquerade", “source": { "address": "192.168.1.0/24" } }
    } } } }

  2. For my setup I decided to configure WAN2 on the USG to connect to the UTM. The reason for this is because if anything happens in the future I can re-enable WAN1 which would bypass the Sophos UTM. I needed to create another subnet between the USG and the UTM. For this I used 192.168.100.0/30 The USG WAN2 port has the IP 192.168.100.1 The Sophos UTM LAN port has the IP 192.168.100.2

WAN2 Firewall Rule. We need to create a firewall rule so that the WAN IN on the USG accepts the traffic from the USG.

For this I created a Rule ‘after predefined rules’ 
Type – WAN IN
Action – Accept
IPv4 Protocol – All
Source – IP address – 192.168.100.2  (The UTM LAN Port)
Destination – Address/Port Group – ALL Internal SUBNETs (Create a group with all your subnets in)

The Rest of the Configuration is done on the Sophos UTM.

Sophos UTM

I wont explain how to install the UTM in this guide. This presumes you have it installed and running already.

  1. Let's create the Interfaces.

Interfaces & Routing > Interfaces

Create a new Interface for our LAN port (connects to USG WAN)

Name - Interface-LAN
Type - Ethernet
Hardware - **what ever LAN card you are using**
IPv4 address - 192.168.100.2
IPv4 Netmask - 255.255.255.252 (/30)

Create a second Interface

Name - Interface-WAN
Type - PPPOE (this is for my type of internet connection)
Hardware - **what ever LAN card you are using**
IPv4 Default Gateway - YES

Next a Static Route needs to be create to point all the LAN Subnets back to the USG.

Interfaces & Routing > Static Routes

Create a new Static Route

Route Type - Gateway Route
Network - Create a new Group which includes all your LAN Subnets
Gateway - USG WAN Port (10.0.0.1)

We need to allow the LAN Subnets to use the UTM as a DNS resolver.

Network Services > DNS

Allowed Netowrk - Add the Group which contains all the LAN Subnets.

Next we need to create some basic firewall rules, these can be fine tuned at a later date. This rule will turn off all the rules only used for troubleshooting/testing.

Network Protection > Firewall

New Rule
Position - Top
Sources - Any
Services - Any
Destination - Any
Action - Allow
Comment - Firewall OFF

Next we need to create the NAT rules. Firstly create a Masquerading Rule

Network - Any ** or all LAN Subnets**
Interface - Interface-WAN

This should give a basic working setup. Plug all the cables in, Sophos UTM WAN to moden, Sophos UTM LAN to USG WAN2, USG LAN to Switches etc.

To get te USG config to work i needed to do a Force Provision. The first time I did this all LAN devices werent able to connect to the internet. A reboot of the USG fixed this.