UTM

Setup

MTU

MTU is an issue with Metrocast: their DHCP server assigns an MTU of 576 while 1500 is actually needed. To fix that you need to do the following:

In /var/chroot-dhcpc/etc there is a file named: default.conf

default.conf

interface "[<INTERFACE>]" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
        routers, domain-name, domain-name-servers, host-name,
        domain-search, nis-domain, nis-servers,
        ntp-servers, interface-mtu;
    [<HOSTNAME>]
}

"interface-mtu": if you remove that option from the request list (but NOT the semicolon that follows it!), then take your interface down and up again, the MTU becomes editable by hand in the GUI again.

AND ... it will use the number you give it, not the dumb MTU value your ISP left in their equipment because they did not bother to change it.
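The edit described above, as an added shell example (not Sophos' own tooling): it strips interface-mtu from the dhclient request list while keeping the trailing semicolon, then checks the result before you trust it. The path you pass in is an assumption; it runs on a constructed copy of the default.conf shown above, not on /var/chroot-dhcpc/etc/default.conf.

```shell
#!/bin/sh
# Added example: drop "interface-mtu" from a dhclient request list so the
# ISP's DHCP-offered MTU (576 in the note above) is no longer applied.

# Strip interface-mtu in place, keeping a .bak copy. Handles the option
# mid-list ("interface-mtu, ntp-servers") and at the end of the list
# ("ntp-servers, interface-mtu;"). An option alone on its own line after a
# trailing comma is NOT handled; verify_request_list catches that case.
strip_interface_mtu() {
    conf="$1"
    cp "$conf" "$conf.bak"                       # backup for rollback
    sed -e 's/interface-mtu,[[:space:]]*//' \
        -e 's/,[[:space:]]*interface-mtu[[:space:]]*;/;/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only when the file is sane: no interface-mtu left, a request
# statement still terminated by ";" and no dangling "," right before it.
verify_request_list() {
    conf="$1"
    grep -q 'interface-mtu' "$conf" && return 1
    req=$(tr '\n' ' ' < "$conf" | sed -n 's/.*\(request[^;]*;\).*/\1/p')
    [ -n "$req" ] || return 1
    case "$req" in *", ;"|*",;") return 1 ;; esac
    return 0
}

# Write a constructed copy of the default.conf from the note to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
interface "[<INTERFACE>]" {
    timeout 20;
    retry 60;
    script "/usr/sbin/dhcp_updown.plx";
    request subnet-mask, broadcast-address, time-offset,
        routers, domain-name, domain-name-servers, host-name,
        domain-search, nis-domain, nis-servers,
        ntp-servers, interface-mtu;
    [<HOSTNAME>]
}
EOF
}

# Stand-alone demo on a temp copy: edit, verify, roll back on failure.
tmpdir=$(mktemp -d); f="$tmpdir/default.conf"
write_sample_conf "$f"
strip_interface_mtu "$f"
if verify_request_list "$f"; then echo "request list OK:"; cat "$f"
else echo "edit failed, restoring backup"; mv "$f.bak" "$f"; fi
rm -rf "$tmpdir"
```

After applying it to the real file, bring the interface down and up as the note says and set the MTU in the GUI; the .bak copy lets you roll back if dhclient rejects the file.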

Licensing

If you do not provide a home license at install, you will need to modify the system to add it later. Within the first 30 days you can do this via SSH; after 30 days you will need to boot an alternate OS so you can interact with the file system. Just remove /etc/asg.

Auth

I was stupid; the install was easy and the auth server was straightforward. There is no need for SSO configuration.

Add the login group under WebAdmin Settings. If you need help: https://community.sophos.com/kb/en-us/120348

HTML5 remote access

Allow the user portal

  • Configure the User Portal.

From Management > User Portal > Global, click on the folder beside ‘Allowed networks’ then drag ‘Any’ into the box. You may want to restrict this more, but it’s likely you will have people both inside and outside your firewall who will want to access the User Portal.

  • https://community.sophos.com/kb/en-us/115305

The portal was easy to set up, you need to use NLA auth for RDP and set a login. I defined portals by user instead of group because of this.

  • https://community.sophos.com/kb/en-us/117470

  • https://community.sophos.com/kb/en-us/115157

HTML5 sites

Again, simple. Ports are under the Advanced tab. Don't forget to run the cert finder, the last box in the addition menu.

SSL VPN

This is nifty as hell; it is just an implementation of OpenVPN.

  • https://www.sophos.com/en-us/medialibrary/PDFs/documentation/utm90_Remote_Access_Via_SSL_geng.pdf

The configs are generated and served on the remote access site.

Passthrough

It is a bitch.

https://pve.proxmox.com/wiki/Pci_passthrough

https://forum.proxmox.com/threads/dell-poweredge-r710-ethernet-passthrough-issues.44097/

Bridge

I ended up bridging across a new NIC using the default Intel card. I cloned the MAC of the TP-Link and rebooted the modem to get an IP; I am not sure if those are necessary.

I reinstalled the OS to properly go through the internet setup dialogue. I set the admin network on .254 of the LAN NIC.

During setup I changed the IP to 10.1 and everything worked fine, on the LAN. Running through the TP link fucked shit up.

DNS

To allow UTM to resolve host names I needed to add Sora as a forwarder, and set internal network to use it. Those are the first and second tabs of DNS under Network Services.

Use "DNS Request Route" to forward "domain.local" to the AD DNS server.

https://community.sophos.com/products/xg-firewall/f/network-and-routing/74728/internal-dns-not-resolving-local-dns-names

DynDNS

https://community.sophos.com/kb/en-us/127039