Sophos UTM infront of Unifi USG

I have been running a Full Unifi setup at home for some time. This comprised of a Unifi USG --> Unifi Switch --> Unifi WAPs. As much as I like the Unifi setup I felt like it was let down by its Intrusion Detection and Prevention capabilities. I trialled pfsense and Sophos UTM as a WAN facing Firewall both free options. I finally settling on the Sophos UTM. The final configuration looks like this WAN  Sophos UTM  Unifi USG  Unifi Switch  Unifi WAPs etc. Simple enough however with this setup my LAN is double NAT’d, something I didn’t want. The instructions below shows how I over came the issue that allowed my Unifi gear to continue to work as intended, Subnets, VLANs, firewall etc, however the disabling the NAT on the USG. The Sophos UTM can see all the devices on my LAN, I can fine tune firewall rules and also make the most of more powerful security features.

Unifi USG Lets Start with the Unifi USG. The Web controller doesn’t allow us to disable NAT, however it can be done through the SLI or by using a json file.

  1. The below needs to be added to the json file. The file needs to be called config.gateway.json and it needs to be saved to the Controllers folder Ubiquiti UniFi\data\sites*sitename*

    { "service": { "nat": { "rule": { "5999": { "exclude": "''", "outbound-interface": "eth2", "type": "masquerade", “source": { "address": "" } }
    } } } }

  2. For my setup I decided to configure WAN2 on the USG to connect to the UTM. The reason for this is because if anything happens in the future I can re-enable WAN1 which would bypass the Sophos UTM. I needed to create another subnet between the USG and the UTM. For this I used The USG WAN2 port has the IP The Sophos UTM LAN port has the IP

WAN2 Firewall Rule. We need to create a firewall rule so that the WAN IN on the USG accepts the traffic from the USG.

For this I created a Rule ‘after predefined rules’ 
Type – WAN IN
Action – Accept
IPv4 Protocol – All
Source – IP address –  (The UTM LAN Port)
Destination – Address/Port Group – ALL Internal SUBNETs (Create a group with all your subnets in)

The Rest of the Configuration is done on the Sophos UTM.

Sophos UTM

I wont explain how to install the UTM in this guide. This presumes you have it installed and running already.

  1. Let's create the Interfaces.

Interfaces & Routing > Interfaces

Create a new Interface for our LAN port (connects to USG WAN)

Name - Interface-LAN
Type - Ethernet
Hardware - **what ever LAN card you are using**
IPv4 address -
IPv4 Netmask - (/30)

Create a second Interface

Name - Interface-WAN
Type - PPPOE (this is for my type of internet connection)
Hardware - **what ever LAN card you are using**
IPv4 Default Gateway - YES

Next a Static Route needs to be create to point all the LAN Subnets back to the USG.

Interfaces & Routing > Static Routes

Create a new Static Route

Route Type - Gateway Route
Network - Create a new Group which includes all your LAN Subnets
Gateway - USG WAN Port (

We need to allow the LAN Subnets to use the UTM as a DNS resolver.

Network Services > DNS

Allowed Netowrk - Add the Group which contains all the LAN Subnets.

Next we need to create some basic firewall rules, these can be fine tuned at a later date. This rule will turn off all the rules only used for troubleshooting/testing.

Network Protection > Firewall

New Rule
Position - Top
Sources - Any
Services - Any
Destination - Any
Action - Allow
Comment - Firewall OFF

Next we need to create the NAT rules. Firstly create a Masquerading Rule

Network - Any ** or all LAN Subnets**
Interface - Interface-WAN

This should give a basic working setup. Plug all the cables in, Sophos UTM WAN to moden, Sophos UTM LAN to USG WAN2, USG LAN to Switches etc.

To get te USG config to work i needed to do a Force Provision. The first time I did this all LAN devices werent able to connect to the internet. A reboot of the USG fixed this.

Sonos & Windows 10 Firewall

enter image description here

Recently I had been having issues with my Sonos controller talking to my Local music library. Both of them installed on the same machine which is in VLAN 1, where as my speakers are on VLAN 2. I was receiving errors such as Error 1002, unable to connect to...., Cant find media etc.

I narrowed the issue down to Windows firewall blocking something even though I had already created "Allow" rules.

Turning off Windows Firewall fixed the issue and my Sonos Speakers could stream my local media library. However I'm not happy turning off a firewall, so started digging deeper.

I checked each individual Firewall which had automatically been created when installing and running the Sonos controller on the PC.

Bingo - I found under the Scope option that the Sonos Library and Sonos Controller firewall rule had an exemption that would only allow connections from devices on a local subnet and blocking anything from a remote IP /Subnet. Allowing all remote IP's or remote subnets fixed the issue but rather than leaving it open like this, I defined my 'remote subnet' of VLAN 2 in the list. This fixed my issue but also kept my firewall rule relevant.

enter image description here

To add further security I changed the "remote IP / Subnet address" from my VLAN 2 subnet to just the IP addresses of my Sonos Speakers on VLAN 2. Now the only devices able to access my Sonos local library are the Sonos Speakers.

Sonos, Unifi, VLAN and Firewalls.

enter image description here

Carrying on from a previous post - Unifi & Sonos VLANs. If you are like me and you have your Sonos Devices segregated on an IoT VLAN and the Sonos Controllers (iPhone etc) on a different VLAN then you will probably need to do some firewalling.

A little Background

VLANs are used for many reasons, segregating networks, preventing multicast packets traversing networks, security amongst other reasons. In this case I wanted all my IoT devices on its own network (VLAN) as there are many security risks with IoT devices and the a separate VLAN for my main LAN. With this I wanted to block all communication from IoT_VLAN to Main_VLAN, however I wanted my Main_VLAN to still be able to communicate with some devices on the IoT_VLAN i.e. Sonos Speakers.

So following on from the previous post where we setup the VLANs and IGMP-Proxying, we will now look at the Unifi Firewalls.

Firewalls work on rules and the rules work in descending order, i.e. if data hits the firewall it will check the rules from the top downwards until it finds a matching rule.


In Unifi there are various Rule headings, WAN, LAN and Guest and each has a IN, OUT and LOCAL. For this guide we will be working with LAN IN - the data is coming from the LAN INTO the USG.

Lets create some rules, these will be in order Top to Bottom.

The first rule is created because when the Controller on Main_VLAN creates a connection with the Speaker on IoT_VLAN we want the speaker to be able to talk back to the controller, hence we create a rule to allow established connections but do not allow it to open new connections.

Name - Allow Established
Enabled - On
Rule Applied - Before pre-defined rules
Action - Accept
IPv4 Protocol - All
States - Established and Related
Source - Address group - Any
Destination - Address group - Any

Next Rule is to allow Sonos Speakers to contact Main_VLAN

Name - SONOS_To_Main_VLAN
Enabled - On
Rule Applied - Before predefined rules
Action - Accept
IPv4 Protocol - All
Address Group - Create a group with all the Sonos Speaker IP addresses
Destination - Network - Main_VLAN

Final rule is to block all other data from IoT_VLAN to Main_VLAN

Name - Block IoT_VLAN to Main_VLAN
Enabled - On
Rule Applied - Before predefined rules
Action - Drop
IPv4 protocol - All
Source - Network - IoT_VLAN
Destination - Network - Main_VLAN

And that's it. With these rules devices on IoT_VLAN shouldnt be able to contact devices on Main_VLAN, however Main_VLAN can still contact the Sonos Speakers.

This is what the Rule Page looks like

firewall rule

Unifi Firewall Logging with syslog

enter image description here

How to Enable syslogging of Unifi Firewall.

It's fairly easy to enable syslog in Unifi Controller, however to log blocked or dropped traffic at the firewall needs a few extra steps. By default anything blocked by the firewall isnt logged.

Unifi config.json.

The Unifi USG comes with pre-defined firewall rules. We need to edit these rules which can be done on the USG using command line and then also needs a json file to persist after a reboot or re-provision. We also need to create some new rules and enable syslog server.

First we need to find a syslog server. For this example I will use kiwi syslog which is free.

enter image description here

Download here

Install to an easy to find location and run the console, we will come back to configure it later.

Login to your Unifi controller and go to settings and enable remote logging and enter the IP of where the kiwi syslog server is and normally the default port is 514.

enter image description here

Now go to Routing and Firewall and select firewall.

We need to create 2 new rules, both identical, 1 in WAN_LOCAL and the other in WAN_IN

New Rule

Name - LAST - default drop and log
Enabled - ON
After pre-defined rules
Advanced - Enable Logging
Tick New, Established, Relate, Invalid
Dont match on ipsec
Leave rest default

enter image description here

So we should have something like this

enter image description here

enter image description here

Next we need to change the pre-defined firewall rules on the USG.

SSH onto your USG and login

set firewall name WAN_LOCAL rule 3002 log enable
set firewall name WAN_IN rule 3002 log enable

Next we need to configure Kiwi to capture the logs.

More to come soon

The next part is optional. The syslog logs in kiwi contain alot of information but this doesnt really mean much to us. I recommend using something like sumologic to collect parse and visualize the data.

Below is a screenshot of my dashboard. It displays the number of blocked connections by their geo-location. A list of top 10 blocked IPs, the total number of blocked requests over 24 hours and finally a graph of the number of blocked connections in 30 min increments. These numbers come from the firewall rule [WAN_LOCAL-4000-D].

enter image description here

Head over to the next Guide "Syslog to SumoLogic" to setup the visualization of the logs.

Install Sophos UTM from USB

enter image description here

Sophos UTM

Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.

Sound good? Head over to Sophos UTM Home

Click on Get Started, fill in your details and download the Software UTM iso.

Once you have the UTM.iso we will need a program to create a bootable usb. For this we use Rufus.

  • Download Rufus from
  • For this I used a 4GB usb pen
  • Run Rufus,
  • Partition scheme - MBR for BIOS or UEFI
  • File System - FAT32
  • Cluster - 4096 bytes
  • New Volume label - anything
  • Quick Formet - yes
  • Create a bootable disk using iso - choose the UTM.iso
  • Click Start

enter image description here

Once the USB drive is ready we can attempt to start the build.

When installing the UTM software it runs in RAM, to get it to work we need to mount it. We need to use the console interface to do this.

Insert the USB into a port, and boot to USB. You should then see this

enter image description here

Once its booted and you see the screen below press ALT + F2, this will bring up the console screen.

enter image description here

We now need to mount the USB Drive by using the command

mount /dev/sdb1 /install

Press ALT + F1 to switch back to the installer windows and continue with the installation.

If you see the error below enter image description here It means the USB drive is located at a different device ID rather than sdb1.

Go back to console using ALT + F2 and type

fdisk -l


sfdisk -l

Its a small L

This will list the Device ID, then type

mount /dev/**Deivce ID** /install

When the install is finished you will be able to connect to the UTM software using a web browser by navigating to https://IP-ADDRESS:4444

The rest of the config is then configured through the web browser.

To be continued....