Sophos


zoomzoom (Guru)
@zoomzoom I just checked out your signature and noticed a case I've never heard of before; the In Win Chopin. What a beautiful case! It looks fantastic for a Sophos mini-ITX box. What do you think of it?
That's what I use it for =]

In Win makes cases that are pieces of art, such as their $2,500 transformer H-Tower case.
 

diedrichg (Wizard)
So I'm currently watching YouTube videos and learning how to install ESXi so that I can run Sophos and an Arch VM (to act as a host for an nZEDb installation) and I tell you what, it's like watching Inception - it's just layer upon layer upon virtual layer. And it's all being controlled virtually from a physical client. Agggh! Seriously, I don't know how any sysadmins could ever take any drugs, this is taking my full attention and brain power just to keep straight what's going on!

Which does bring up one question: How can the chicken come before the egg? How will I get Sophos set up so that it's now the DHCP manager for ESXi? Because, um, isn't ESXi acting as the host for Sophos? Seriously, my head is spinning.

Oh. And will I want Bridged mode or Gateway for Sophos if I want it as the first point of contact after my modem?
 

joeschmuck (Old Man, Moderator)
When you set up ESXi your best bet is to set a static IP address so you always know where to go. It's like Sophos, you will set a static IP for it as well. I would recommend starting your DHCP server at IP .20 and saving everything below it for static IPs, or something similar.

Sophos can make every IP address a static IP but it all resides within Sophos. It sees the MAC and then assigns the IP. There is a screen where you can make it static. I do this for all my devices except visitors, those are DHCP. Having the devices listed like this also helps with the Sophos Reports, it will list the device name vice the IP/MAC address and that makes things so much easier to read. Think about it, "Daughters Laptop" is much better than "192.168.1.66" or a MAC address "0C:12:FE:00:00:BA".

So just install ESXi, put it on your LAN and start configuring it. Once it's up and running, you are ready to install Sophos. The only rub to having your firewall on your ESXi machine is updating the ESXi software. You need to do it the hard way. It's not that terrible but the easy way is vastly easier. It's so easy that I actually reconnect my router and stop Sophos, then update ESXi over the internet. So easy and fast. I like painless.
 

ChriZ (Patron)
Heh...
Drugs are the best resort sometimes...
Assuming you use ADSL, you want your modem in bridged mode.
Set up two vSwitches on ESXi, each one with its own real NIC.
One will be the WAN side, one will be the LAN side.
In Sophos settings add one NIC from WAN, one from LAN.
Connect an Ethernet cable from your modem to the WAN real NIC.
While on Sophos initial configuration, if your modem is ADSL (like in my case), choose PPPoE for the WAN interface and fill in the necessary credentials.

P.S.: As an alternative you could pass through the real NIC to Sophos.
P.P.S.: I personally prefer Sophos (my internet gateway in general) as a standalone machine. Messing with ESXi won't cause internet interruptions.

If your modem is a cable modem, I will let others comment about modem configuration, as I don't know
I hope I haven't confused you more..

Edit: @joeschmuck beat me (by far) to it (writing on mobile is not my best of skills)
 

diedrichg (Wizard)
So just install ESXi, put it on your LAN and start configuring it. Once it's up and running, you are ready to install Sophos. The only rub to having your firewall on your ESXi machine is updating the ESXi software. You need to do it the hard way. It's not that terrible but the easy way is vastly easier. It's so easy that I actually reconnect my router and stop Sophos, then update ESXi over the internet. So easy and fast. I like painless.
Okay, so it's not as complicated as I was making it to be. I just couldn't wrap my head around who is getting the IPs from whom - the vm host or the firewall running within a vm of the host!
 

joeschmuck (Old Man, Moderator)
I personally prefer Sophos (my internet gateway in general) as a standalone machine.
I completely agree with that statement. My Sophos machine would be on bare metal if Sophos would run on it, but it doesn't. But ESXi does and so this is a roundabout way to get this done.

I missed the question about Gateway or Bridged. The difference is: Gateway means your router will perform as a firewall, an added unneeded level of protection while running Sophos; however, it will all still work fine if you leave it this way. Bridge mode means you are passing the WAN IP directly through your router and into your ESXi machine. This is where things get tricky. My advice is to leave your system in Gateway mode for now, until you have Sophos up and running and all is good in the world.

How many LAN ports are on your machine? You need at least 2 ports. One for the WAN, one for the LAN. The WAN port will be on its own vSwitch and Sophos will connect to it through the vSwitch, and that is only Sophos, nothing else. The LAN vSwitch will connect everything else together. While the router is in Gateway mode, if you do connect something to the WAN vSwitch, it will work, but once you switch over to Bridge mode, if your ISP only gives you one IP, that is all you will have. I have two IPs for my WAN which makes it nice for testing because I can pretend to call in from a remote location.

I'd better stop here or I will confuse you.

Just set up ESXi first and get used to it. I had years to play with VMware Workstation which is almost identical to how ESXi works. Take your time. Leave your router in Gateway mode for now, it's easy to move a cable and have your internet back online this way.
 

diedrichg (Wizard)
Assuming you use ADSL, you want your modem in bridged mode
I have the Arris SB6141 DOCSIS cable modem which is a straight-up modem. I'll have my ASUS and Linksys NATs set as APs.
Setup two vswitches on esxi each one with its own real NIC
One will be the WAN side, one will be the LAN side.
In Sophos settings add one NIC from WAN, one from LAN
Connect an Ethernet cable from your modem to the WAN real NIC
That's what I've learned so far today from watching videos and how I was understanding it from what joeschmuck has passed along as well.
While on Sophos initial configuration, if your modem is ADSL (like in my case), choose PPPOE for the WAN interface and fill necessary credentials

If your modem is a cable modem, I will let others comment about modem configuration, as I don't know
But from watching the YouTube videos on Sophos XG, it gets to a point in the setup process where it asks if you want to set up Sophos XG as a bridge or gateway. What would be the correct answer with it being immediately behind the modem and before my LAN managing all the DHCP, firewall and other things?
 

joeschmuck (Old Man, Moderator)
I have the Arris SB6141 DOCSIS cable modem which is a straight-up modem.
Then you have a straight shot to the WAN IP, just plug the modem Ethernet cable into your computer motherboard WAN port. You need to establish which port will be your WAN.

Leave your main router that you use now alone, save it for when you get tired of goofing around with Sophos and it irritates you. It will.
 

ChriZ (Patron)
But from watching the YouTube videos on Sophos XG, it gets to a point in the setup process where it asks if you want to set up Sophos XG as a bridge or gateway. What would be the correct answer with it being immediately behind the modem and before my LAN managing all the DHCP, firewall and other things?

Gateway mode
 

diedrichg (Wizard)
haha no, no I get the modem to esxi/sophos thing. My question is about this setup screen in Sophos XG
4eou0dl.png
 

joeschmuck (Old Man, Moderator)
Ah, I understand now, yup, Gateway.
 

diedrichg (Wizard)
I'm not sure how to ask Google this question so I'll ask you all. Why do you only see LAN addresses set as 192.168.x.x, 172.x.x.x, 10.x.x.x? Can't I make it what I want? Maybe I like the number 15 and want an address range of 15.150.150.1. Are there restrictions to what you can and can't do for DHCP? Are there security issues with using good ole 192.168.1.1?
 

Ericloewe (Server Wrangler, Moderator)
You can only use address ranges reserved for private networks, otherwise, you'll have a bad day.

Can't I make it what I want, maybe I like the number 15 and want an address range of 15.150.150.1
You could if you bought that address range. Which is going to be somewhere between "massively expensive" and "impossible". And your ISP will tell you to bugger off, so you'll need a more expensive ISP, too.

Are there restrictions to what you can and can't do for DHCP?
DHCP has nothing to do with this, it's an IPv4 problem.

Are there security issues with using good ole 192.168.1.1?
The address range you use has just about zero impact on security.
 

zoomzoom (Guru)
Why do you only see LAN addresses set as 192.168.x.x, 172.x.x.x, 10.x.x.x? Can't I make it what I want?
  • Those are internationally known private subnet ranges set forth by IANA [Internet Assigned Numbers Authority] via RFC1918. These 3 subnet blocks can only be used on private LAN subnets and can never be used on WAN subnets.
Are there restrictions to what you can and can't do for DHCP?
  • Yes, but not in regards to your question
Are there security issues with using good ole 192.168.1.1?
  • As @Ericloewe said, no, however many choose not to use the aforementioned because it's the default subnet block on almost all consumer routers.
 
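The addressing advice in the posts above (RFC 1918 range only, a DHCP pool starting at .20 with everything below it held for MAC-bound static addresses) as a small plan checker. This is an added example, not code from any poster or from Sophos; the plan values and device MACs are constructed, and `is_rfc1918` and `check_plan` are hypothetical names.

```python
import ipaddress
import re

# The three RFC 1918 blocks the thread refers to (10/8, 172.16/12, 192.168/16).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_rfc1918(cidr):
    """True if the whole prefix lies inside one of the private blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return isinstance(net, ipaddress.IPv4Network) and any(
        net.subnet_of(block) for block in RFC1918)


def check_plan(lan_cidr, dhcp_start, reservations):
    """Return a list of problems; an empty list means the plan is consistent.

    reservations: (device name, MAC, IP) triples, i.e. the MAC-bound static
    addresses Sophos hands out.  Following joeschmuck's convention, every
    reservation must sit below the first address of the dynamic pool.
    """
    if not is_rfc1918(lan_cidr):
        return [f"{lan_cidr} is not an RFC 1918 private range"]
    problems = []
    net = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(dhcp_start)
    if start not in net:
        problems.append(f"DHCP pool start {start} is outside {net}")
    seen_ip, seen_mac = set(), set()
    for name, mac, ip in reservations:
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac!r}")
            continue
        mac = mac.upper()            # normalise so 0c:.. and 0C:.. collide
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is the network/broadcast address")
        elif addr >= start:
            problems.append(f"{name}: {addr} overlaps the DHCP pool (starts at {start})")
        if addr in seen_ip:
            problems.append(f"{name}: {addr} is reserved twice")
        if mac in seen_mac:
            problems.append(f"{name}: MAC {mac} is reserved twice")
        seen_ip.add(addr)
        seen_mac.add(mac)
    return problems


# Constructed sample plan: a /24 with the pool starting at .20 as suggested above.
SAMPLE_PLAN = {
    "lan_cidr": "192.168.1.0/24",
    "dhcp_start": "192.168.1.20",
    "reservations": [
        ("Daughters Laptop", "0C:12:FE:00:00:BA", "192.168.1.10"),
        ("ESXi host", "0C:12:FE:00:00:01", "192.168.1.2"),
        ("Sophos LAN", "0C:12:FE:00:00:02", "192.168.1.1"),
    ],
}

if __name__ == "__main__":
    print(check_plan(**SAMPLE_PLAN) or "plan OK")
```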

zoomzoom (Guru)
...As an alternative you could pass through the real NIC to Sophos. I personally prefer Sophos (my internet gateway in general) as a standalone machine. Messing with esxi won't cause internet interruptions
It's not recommended to pass the real NIC directly to Sophos, else one can run into ESXi & WAN access issues when the VM is rebooted (if using a cable modem), since ESXi will want to assign the physical NIC's MAC to Sophos when the Sophos VM was created with a virtual MAC for WAN.
  • Cable Modems expect the router's WAN MAC to be static, and in the above example, the modem will have the Virtual MAC set in memory, with the only way of clearing that memory being to unplug the modem for ~5min.
  • This goes in the opposite direction as well, as Sophos expects the Cable Modem MAC to be static, tying that MAC to WAN IP and when the Cable Modem's memory is cleared from being unplugged for ~5min, it also requests a new WAN IP, thereby resulting with Sophos having to be rebooted.

...Leave your main router that you use now alone, save it for when you get tired of goofing around with Sophos and it irritates you. it will.
The only way Sophos will irritate a home user is if they enable Web Filtering, as Web Filtering requires serious time to configure all the regex allowances (easily 10+ hrs of researching and reading through forums/HowTos), which is why if one doesn't require Web Filtering, it should remain disabled.

The only other way I could see Sophos irritating a home user is if they're not creating Network groups and using those groups in the Firewall.
  • All Ethernet and WiFi MACs for network devices on the network should be added as a network definition (both as a Host and as a DNS Host) with a static IP. Provided one does this, then adds applicable devices to applicable network groups, and finally uses those network groups in the firewall, a user should have no issues.

What I always suggest to all running Sophos is to alter the OpenVPN server config via SSH, otherwise you lose the ability to properly tune throughput and other options.
  • /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf-default
    Code:
    #

    ##::[[---  Sophos OpenVPN Config  ---]]::##

    ####################################################
                 ##----- VPN Server -----##
    ####################################################

    # Protocol #
    #---------------------------------------------------
    dev                     tun
    topology                subnet
    mark                    4458
    tun-ipv6
    [<LISTEN>]


    # Routes #
    #---------------------------------------------------
    server                  [<SERVER_POOL>]
    multihome
    [<SERVER6_POOL>]


    # Client Config #
    #---------------------------------------------------
    client-config-dir       /etc/openvpn/conf.d
    ifconfig-pool-persist   /var/run/ipp.txt


    # Encryption #
    #---------------------------------------------------
    # Login:
    username-as-common-name

    # Diffie-Hellman:
    dh                      /etc/openvpn/[<DH_FILE>]

    # Certificates:
    capath                  /etc/openvpn/ca.d
    cert                    /etc/openvpn/server.crt
    key                     /etc/openvpn/server.key
    # Server uses key direction 0; every client must use direction 1.
    tls-auth                /etc/openvpn/tls-auth.key 0

    # SSL:
    cipher                  [<CIPHER>]
    auth                    [<AUTH>]

    # TLS:
    tls-version-min         1.2
    tls-cipher              TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA


    # Logging #
    #---------------------------------------------------
    status                  /var/run/openvpn-status.log
    log                     /var/run/openvpn.log

    verb                    4

    down-pre
    daemon

    # Original:
    # verb                  [<DEBUG_LEVEL>]


    # Connection Options #
    #---------------------------------------------------
    keepalive               10 120
    comp-lzo                [<DISABLE_COMP>]


    # Connection Reliability #
    #---------------------------------------------------
    persist-key
    persist-tun
    reneg-sec               [<RENEG_SEC>]


    # Connection Speed #
    #---------------------------------------------------
    sndbuf                  393216
    rcvbuf                  393216
    fragment                0
    mssfix                  0
    tun-mtu                 48000


    # Pushed Buffers #
    #---------------------------------------------------
    # push takes a single quoted argument
    push                    "sndbuf 393216"
    push                    "rcvbuf 393216"


    # Permissions #
    #---------------------------------------------------
    management              /var/run/openvpn_mgmt unix
    management-client-user  root
    management-client-group root


    # Sophos UTM Specific #
    #---------------------------------------------------
    plugin                  /usr/lib/openvpn/plugins/openvpn-plugin-utm.so

    [<OPTIONS>]



    • /etc/openvpn/tls-auth.key must be manually added to the directory /var/sec/chroot-openvpn/etc/openvpn
      • Generate with: openvpn --genkey --secret /var/sec/chroot-openvpn/etc/openvpn/tls-auth.key
        • This PSK [Pre-Shared Key] must be shared with all clients, so either scp the file, or vim /var/sec/chroot-openvpn/etc/openvpn/tls-auth.key, select the text, copy it, then paste it into a text file named tls-auth.key. This can either be referenced in the client config, or it can be pasted inline in the client config file.

    • The two blank lines following [<OPTIONS>] should remain, followed by the EOF blank line, or three in total.
      • ConfD will append an additional two options to the end of /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf when OpenVPN is enabled in WebAdmin.

    • The single # at the beginning of the file is for vim, else it won't apply syntax coloring in config files.
 
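The inline alternative from the tls-auth note above, as an added example (not zoomzoom's or Sophos's code): build a client profile that embeds the static key in a `<tls-auth>` block with `key-direction 1`, the complement of the server's `tls-auth ... 0`. The key and client config are constructed stand-ins, and `extract_static_key` and `build_client_profile` are hypothetical names.

```python
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

# Constructed stand-in for the server's tls-auth.key: same layout as the output
# of `openvpn --genkey --secret` (16 lines of 32 hex chars), but not a real key.
SAMPLE_TLS_AUTH_KEY = "\n".join(
    ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    + [("%02x" % i) * 16 for i in range(16)]
    + [END, ""])

# Constructed client config that still references the key as a separate file.
SAMPLE_CLIENT_CONF = """client
dev tun
proto udp
remote vpn.example.invalid 1194
tls-auth tls-auth.key 1
"""


def extract_static_key(text):
    """Return the key block (markers included), refusing anything malformed."""
    lines = [l.strip() for l in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("no OpenVPN static key markers found")
    i, j = lines.index(BEGIN), lines.index(END)
    body = lines[i + 1:j]
    if len(body) != 16 or not all(re.fullmatch(r"[0-9a-fA-F]{32}", l) for l in body):
        raise ValueError("key body must be 16 lines of 32 hex characters")
    return "\n".join(lines[i:j + 1])


def build_client_profile(client_conf, key_text):
    """Embed the tls-auth key inline and pin the client to key-direction 1.

    The server config above uses `tls-auth ... 0`, so clients must use
    direction 1; any file-based tls-auth or stale key-direction line is dropped.
    """
    key = extract_static_key(key_text)
    kept = [line for line in client_conf.splitlines()
            if not line.strip().startswith(("tls-auth ", "key-direction "))]
    kept += ["key-direction 1", "<tls-auth>", key, "</tls-auth>", ""]
    return "\n".join(kept)


if __name__ == "__main__":
    print(build_client_profile(SAMPLE_CLIENT_CONF, SAMPLE_TLS_AUTH_KEY))
```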

joeschmuck (Old Man, Moderator)
The only way Sophos will irritate a home user is if they enable Web Filtering, as Web Filtering requires serious time to configure all the regex allowances (easily 10+ hrs of researching and reading through forums/HowTos), which is why if one doesn't require Web Filtering, it should remain disabled.
Agree and disagree. I agree that Web Filtering is what causes the issues. I disagree that home users shouldn't use it. This is one of the major features of Sophos and assists in protecting your computers. I do place most devices where the web filtering is bypassed such as my DirecTV and Roku and Smart TV (you get the point), however any computer will go through Web Filtering. I have a father and wife who love to keep me employed cleaning up computer messes and ever since I started using Sophos, I have basically stopped fixing problems that they created. Now that doesn't help for everything, my dad and wife can mess up a computer still, but it has been so seriously reduced and I think they see the Sophos warning message more often warning them. This makes sense for a family that has people who are not mindful of what they are doing. If it were just me on the internet at my house I'd be running the built-in firewall in my router and not use Sophos. I also use Norton Internet Security, I feel that is one of the best products out there. Is this overkill? Not to me. I hate trying to fix a corrupt computer and there are times I just have to load a backup and it is maybe 6 months old for my dad. He's not happy, makes me unhappy too.
 

zoomzoom (Guru)
@joeschmuck As I mentioned the other day, you're conflating IPS and Web Filtering... Web Filtering is a content filter, not a malware/antivirus/intrusion protection feature. Its sole purpose is to allow/disallow access to specific types of content on the internet.

You can see exactly what its purpose is by going to Web Protection >> Filtering Options >> Categories. Its purpose is to restrict access to content - no more, no less. The only use case for a home user would be to employ content filtering on what children in the home can and cannot view/have access to.
  • To also provide a bit of context as to the difficulty and time-consuming nature of configuring Web Filter, I've attached three screenshots showing the required regex rules for Netflix, Trillian, Wii, & YouTube.
Additionally, Web Filtering will slow all traffic going through it to a maximum allowed speed of ~30Mbit/s... there is no way to get around this due to the way in which packets have to be processed (there are in-depth explanations on this in the Sophos forum if you'd like to understand why).
 

Attachments: Screenshot (1).png, Screenshot (2).png, Screenshot (3).png

diedrichg (Wizard)
What I always suggest to all running Sophos is to alter the OpenVPN server config via SSH, otherwise you lose the ability to properly tune throughput and other options.
Thanks for this! OpenVPN will be one of the first services I enable. I have it on my ASUS router and couldn't do without it with my job the way it is, I've GOT to have access to my home network when I'm traveling.
 