Sophos UTM infront of Unifi USG

I have been running a full Unifi setup at home for some time, consisting of a Unifi USG --> Unifi Switch --> Unifi WAPs. As much as I like the Unifi setup, I felt it was let down by its intrusion detection and prevention capabilities. I trialled pfSense and Sophos UTM as a WAN-facing firewall, both free options, and finally settled on the Sophos UTM. The final configuration looks like this: WAN --> Sophos UTM --> Unifi USG --> Unifi Switch --> Unifi WAPs etc. Simple enough, however with this setup my LAN is double NAT'd, something I didn't want. The instructions below show how I overcame the issue by disabling NAT on the USG, which allowed my Unifi gear to continue to work as intended (subnets, VLANs, firewall etc.). The Sophos UTM can now see all the devices on my LAN, so I can fine-tune firewall rules and make the most of its more powerful security features.

Unifi USG

Let's start with the Unifi USG. The web controller doesn't allow us to disable NAT, however it can be done through the CLI or by using a json file.

  1. The below needs to be added to a json file called config.gateway.json, saved in the controller's site folder: Ubiquiti UniFi\data\sites\<sitename>. It adds NAT rule 5999, which excludes the 192.168.1.0/24 LAN from masquerading on eth2 (the USG's WAN2 port used below); change the subnet to match your own LAN.

    { "service": { "nat": { "rule": { "5999": {
        "exclude": "''", "outbound-interface": "eth2", "type": "masquerade",
        "source": { "address": "192.168.1.0/24" }
    } } } } }

  2. For my setup I decided to configure WAN2 on the USG to connect to the UTM. The reason is that if anything happens in the future I can re-enable WAN1, which would bypass the Sophos UTM. I needed to create another subnet between the USG and the UTM; for this I used 192.168.100.0/30. The USG WAN2 port has the IP 192.168.100.1 and the Sophos UTM LAN port has the IP 192.168.100.2.

WAN2 Firewall Rule. We need to create a firewall rule so that WAN IN on the USG accepts the traffic from the UTM.

For this I created a rule ‘after predefined rules’:
Type – WAN IN
Action – Accept
IPv4 Protocol – All
Source – IP address – 192.168.100.2  (The UTM LAN Port)
Destination – Address/Port Group – ALL Internal SUBNETs (Create a group with all your subnets in)

The Rest of the Configuration is done on the Sophos UTM.

Sophos UTM

I won't explain how to install the UTM in this guide. This presumes you have it installed and running already.

  1. Let's create the Interfaces.

Interfaces & Routing > Interfaces

Create a new Interface for our LAN port (connects to USG WAN)

Name - Interface-LAN
Type - Ethernet
Hardware - **whatever LAN card you are using**
IPv4 address - 192.168.100.2
IPv4 Netmask - 255.255.255.252 (/30)

Create a second Interface

Name - Interface-WAN
Type - PPPoE (this is for my type of internet connection)
Hardware - **whatever LAN card you are using**
IPv4 Default Gateway - YES

Next a Static Route needs to be created to point all the LAN Subnets back to the USG.

Interfaces & Routing > Static Routes

Create a new Static Route

Route Type - Gateway Route
Network - Create a new Group which includes all your LAN Subnets
Gateway - USG WAN Port (10.0.0.1)

We need to allow the LAN Subnets to use the UTM as a DNS resolver.

Network Services > DNS

Allowed Network - Add the Group which contains all the LAN Subnets.

Next we need to create some basic firewall rules; these can be fine-tuned at a later date. This first rule effectively turns the firewall off and should only be used for troubleshooting/testing.

Network Protection > Firewall

New Rule
Position - Top
Sources - Any
Services - Any
Destination - Any
Action - Allow
Comment - Firewall OFF

Next we need to create the NAT rules. Firstly create a Masquerading Rule

Network - Any ** or all LAN Subnets**
Interface - Interface-WAN

This should give a basic working setup. Plug all the cables in: Sophos UTM WAN to modem, Sophos UTM LAN to USG WAN2, USG LAN to switches etc.

To get the USG config to work I needed to do a Force Provision. The first time I did this, all LAN devices weren't able to connect to the internet. A reboot of the USG fixed this.
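As an added check on the configuration above (example code, not from the original post), the following Python generates the USG NAT-exclusion rules for several LAN subnets at once and verifies that the UTM static-route gateway actually sits inside the 192.168.100.0/30 transit link. The extra VLAN subnets, the rule numbering (counting down from the author's 5999) and the use of 192.168.100.1 as the gateway are assumptions taken from the addressing above.

```python
import ipaddress
import json

# Constructed inputs mirroring the post's addressing (not read from a live controller).
TRANSIT_UTM_LAN = "192.168.100.2/30"  # Sophos UTM Interface-LAN address
TRANSIT_USG_WAN2 = "192.168.100.1"    # USG WAN2 address, gateway of the UTM static route
USG_WAN2_IFACE = "eth2"               # interface named in the author's rule 5999
LAN_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"]  # LAN + VLANs (assumed)


def build_nat_exclusions(subnets, outbound_iface, first_rule=5999):
    """Return a config.gateway.json structure with one NAT-exclusion rule per LAN subnet."""
    # Rule numbers count down from the author's 5999, assumed to sort before the USG's
    # own masquerade rules. "exclude": "''" is the valueless-node form the author's rule uses.
    rules = {}
    for offset, subnet in enumerate(subnets):
        net = ipaddress.ip_network(subnet)  # strict by default: rejects host bits in a prefix
        rules[str(first_rule - offset)] = {
            "exclude": "''",
            "outbound-interface": outbound_iface,
            "type": "masquerade",
            "source": {"address": str(net)},
        }
    return {"service": {"nat": {"rule": rules}}}


def check_transit(utm_lan_cidr, usg_gateway, subnets):
    """Sanity-check the UTM<->USG transit link; returns a list of problems (empty = consistent)."""
    problems = []
    utm_if = ipaddress.ip_interface(utm_lan_cidr)
    gw = ipaddress.ip_address(usg_gateway)
    if gw not in utm_if.network:
        problems.append(f"static-route gateway {gw} is not inside transit {utm_if.network}")
    elif gw == utm_if.ip:
        problems.append(f"gateway {gw} is the UTM's own address")
    lans = [ipaddress.ip_network(s) for s in subnets]
    for i, lan in enumerate(lans):
        if lan.overlaps(utm_if.network):
            problems.append(f"LAN {lan} overlaps the transit network {utm_if.network}")
        for other in lans[i + 1:]:
            if lan.overlaps(other):
                problems.append(f"LAN subnets {lan} and {other} overlap")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_nat_exclusions(LAN_SUBNETS, USG_WAN2_IFACE), indent=2))
    print(check_transit(TRANSIT_UTM_LAN, TRANSIT_USG_WAN2, LAN_SUBNETS) or "transit addressing OK")
```

Run it before Force Provisioning: a non-empty problem list means the static route on the UTM or the NAT exclusion on the USG would not match the transit addressing.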

Smartthings RGBW Controller


Technology is progressing at a rapid rate. Home automation appeared out of nowhere but has created its own foothold in the industry. Smartthings by Samsung is a modular home automation system which produces its own products but also allows third party products to be used within its ecosystem.

RGBW lighting is big at the moment, and most RGBW controllers are fairly expensive and a little hit and miss with Smartthings.

In comes the cheap H801 wifi RGBW controller.


This little device doesn't work straight out of the box; it needs re-flashing with custom firmware using an FTDI USB to TTL serial board.

FTDI USB TO TTL

This post will explain how to get this to work within Smartthings.

What you need.

  1. H801 controller
  2. FTDI USB to TTL Serial board
  3. Mini USB to USB 2.0 cable
  4. Jumper Wires (4x Female to Male and 1x Male to Male)
  5. ESPeasy Flashing Software
  6. Custom Firmware
  7. Smartthings custom device handlers and smart app.

Some images taken from Smartthings Forums, also help and support available here - https://community.smartthings.com/t/release-smartlife-h801-rgbw-led-strip-wifi-controller-bulb/51182/360

Here is the hardware needed.

Hardware needed

Flashing the Controller

  1. Unscrew the 4 screws on the H801 Controller and remove the board from the casing.

  2. When flashing the board it's recommended to use the FTDI to power the H801; for this we need to change the jumper on the FTDI board from 5v to 3.3v.

  3. Using the 4x female to male jumpers, connect the FTDI to the H801:

H801 Rx to FTDI pin 2 Rx
H801 Tx to FTDI pin 3 Tx
H801 3.3v to FTDI pin 4 VCC (**have the FTDI power the H801 to minimize communication issues!**)
H801 Gnd to FTDI pin 6 Gnd

Also use the male to male jumper to enable flash mode on the H801 (blue cable in picture below)

wiring

  4. Connect the USB cable from the FTDI to a laptop/PC. The board lights might flash temporarily and go off; this is normal.

  5. Download and extract ESPeasy_R120. I extracted it to C:\ESPeasy_R120

  6. Download the custom firmware and place it in the ESPeasy_R120 folder.

  7. Find the COM port that the FTDI is using, in my case COM5. To find the COM port, right-click My Computer > Device Manager > USB Devices. It's normally called USB to Serial adapter/interface.

  8. Open a command prompt. Click Start > Run > CMD

  9. Change directory to where you extracted ESPeasy_R120 to. In my case CD C:\ESPeasy_R120

  10. Enter the following command, changing COM5 to your COM port.

    esptool.exe -vv -cd nodemcu -cb 115200 -cp COM5 -ca 0x00000 -cf SmartLifeRGBWController.ino.generic.bin

If successful, the command prompt window should populate with a load of text and then show the upload progress. Once finished, your device should be flashed with the custom firmware.

Configuring H801.

The H801 should now be flashed with custom firmware, however it still needs to be configured.

  1. The H801 should now be broadcasting its own Wifi; connect to it with the password 'configme'.

  2. You should now get a menu where you can configure the H801 to connect to your own Wifi. If this doesn't show automatically, open up a web browser and go to 192.168.4.1.

  3. Once it is connected to your Wifi we need to head over to Smartthings to add the custom device handler and smart app.

Adding the H801 to Smartthings

  1. Head to the Smartthings IDE - https://graph-eu01-euwest1.api.smartthings.com/

  2. Click on 'My Device Handlers', then Settings, and add a Repo:

Owner = erocm123
Git Repo = SmartThingsPublic
Branch = master

Look for the below in the right-hand section:

erocm123/SmartThingsPublic/blob/master/devicetypes/erocm123/smartlife-rgbw-controller.src/smartlife-rgbw-controller.groovy

erocm123/SmartThingsPublic/blob/master/devicetypes/erocm123/smartlife-rgbw-virtual-switch.src/smartlife-rgbw-virtual-switch.groovy

Tick them and then tick Publish before clicking Save.

  3. Now click on 'My Smart Apps'. This time click on 'Update from Repo'. In the drop-down box, choose SmartThingsPublic (master).

Again on the right-hand side look for:

erocm123/SmartThingsPublic/blob/master/smartapps/erocm123/smartlife-rgbw-light-connect.src/smartlife-rgbw-light-connect.groovy

Tick the box and tick the Publish box before saving.

SmartThings Mobile App

Now we need to head over to the Smartthings mobile app.

  1. Open the app and head to Automation tab then SmartApps

  2. Scroll to the bottom and + Add a SmartApp

  3. Scroll to the bottom and click 'My Apps'

  4. Choose SmartLife RGBW Light (Connect)

The two places below can help with installing and any support required.

help video - https://www.youtube.com/watch?time_continue=268&v=3Kg_-bmBErM

help forum - https://community.smartthings.com/t/release-smartlife-h801-rgbw-led-strip-wifi-controller-bulb/51182/360

Install Sophos UTM from USB


Sophos UTM

Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.

Sound good? Head over to Sophos UTM Home

Click on Get Started, fill in your details and download the Software UTM iso.

Once you have the UTM.iso we will need a program to create a bootable usb. For this we use Rufus.

  • Download Rufus from Rufus.akeo.ie
  • For this I used a 4GB usb pen
  • Run Rufus
  • Partition scheme - MBR for BIOS or UEFI
  • File System - FAT32
  • Cluster - 4096 bytes
  • New Volume label - anything
  • Quick Format - yes
  • Create a bootable disk using iso - choose the UTM.iso
  • Click Start


Once the USB drive is ready we can attempt to start the build.

The UTM installer runs in RAM, so the USB drive has to be mounted manually for the installation to proceed. We need to use the console interface to do this.

Insert the USB into a port and boot from USB. Once it has booted and the installer screen is showing, press ALT + F2; this will bring up the console screen.

We now need to mount the USB Drive by using the command

mount /dev/sdb1 /install

Press ALT + F1 to switch back to the installer windows and continue with the installation.

If you see a mount error at this point, it means the USB drive is located at a different device ID rather than sdb1.

Go back to console using ALT + F2 and type

fdisk -l

or

sfdisk -l

(That is a lowercase L.)

This will list the Device ID, then type

mount /dev/<device ID> /install

When the install is finished you will be able to connect to the UTM software using a web browser by navigating to https://IP-ADDRESS:4444

The rest of the configuration is then done through the web browser.

To be continued....