Sophos UTM

Yes! I have been looking forward to this one. In the following weeks I intend to publish a series of informative guides on Sophos UTM. My experience with XG is limited, but I have over five years of everyday configuration of the UTM.

My latest buy for the lab is a Sophos SG 330, which I plan to get working with a Home License. Let's see how it goes.

To be continued…

I have attached the brochures for anyone to see here; great read.

Sophos SG Rev. 1

Sophos SG Rev. 2

Sophos SG Rev. 3

Sophos XG Rev. 3

Using the UniFi line as wlan controller part two

As I started to use the new setup, I realized more and more that I needed access to my lab (beyond plain RDP), especially from my laptop and phone. I tried several ways to solve this. Without any knowledge of the USG, I had to go through some trial and error before I found a reasonable solution.

The best option would be a site-to-site IPsec tunnel, to make use of all my old rules, but I could not get that working whatever I did. The USG still routed the traffic to the lab through WAN and not through the tunnel. Next up was plain static routes, which was somewhat successful.

But, and this is a big one: since the UniFi Controller does not expose any NAT rules in the UI, there is no way (yes there is) to disable masquerading whenever a packet leaves the WAN interface. I have read by now that there are ways to add rules manually, but I feel that is for next time.

I read up on this article about how the firewall in the USG works (IN/OUT/LOCAL), made all the necessary rules and finished with a deny rule for the rest. At the lab end there is simply an allow rule from the USG's address. I found posts from Ubnt officials from back in 2017 saying NAT will be exposed in the Controller any time now. We'll see. For now this is OK.

Please feel free to tell me if there is anything I should do differently about this setup (or anything else).

Install Nginx Proxy Manager (npm)

As I struggled with this myself, I shall help others.

Nginx Proxy Manager is a genius and powerful GUI to manage Nginx. It helps you create proxy hosts, redirects and certificates, and control these options very smoothly.

I started with a plain install of Ubuntu Server 18.04 LTS and selected Docker during the install. The following commands will bring all the software up to date and clean up afterwards.

sudo -s
apt update
apt upgrade
reboot
sudo -s
apt autoremove

Then it is time for NPM.

sudo -s
mkdir npm
cd npm

At this point I know you can clone/pull from Git, but I was eager to run this tool with the knowledge I had in the fastest possible way. With that, I used the example files and got going.

touch config.json
touch docker-compose.yml

Your npm-folder should look like this.

root@docker:~/npm# ls
config.json docker-compose.yml

Edit these settings to your liking (or don't) and paste them in accordingly. The database password in config.json must match MYSQL_PASSWORD in docker-compose.yml; the value "npm" below is only the upstream example default.

config.json

{
  "database": {
    "engine": "mysql",
    "host": "db",
    "name": "npm",
    "user": "npm",
    "password": "npm",
    "port": 3306
  }
}

docker-compose.yml

version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    restart: always
    ports:
      - 80:80
      - 81:81      # admin UI; do not expose this one towards the WAN
      - 443:443
    volumes:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    environment:
      # if you want pretty colors in your docker logs:
      - FORCE_COLOR=1
  db:
    image: mariadb:latest
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "npm"   # change these; MYSQL_PASSWORD must match config.json
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      MYSQL_PASSWORD: "npm"
    volumes:
      - ./data/mysql:/var/lib/mysql

While still in the directory, run docker-compose to download the images and start the containers.

docker-compose up -d

After a minute or two you should have a fully working manager for Nginx. Find your login at http://ip.or.name:81.

The default admin account, which you should change at first login, is
un: admin@example.com
pw: changeme
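The example files above carry the literal password "npm" for both the application user and the MariaDB root account, use floating image tags and publish the admin UI on every interface. The script below is an added example written for this post; it is not part of Nginx Proxy Manager or of the original files. It generates random credentials, writes a matching config.json and docker-compose.yml in the same layout as above, and lints a compose file for those three weak settings. The LAN address in ADMIN_BIND and the image tags passed to render_compose are assumptions you must replace with your own.

```python
"""Added example, not from the original post or from Nginx Proxy Manager:
generate the NPM config.json / docker-compose.yml pair with random database
credentials and lint a compose file for the weak quick-start settings."""
import json
import re
import secrets
from typing import List

# Assumption: the LAN address of the Docker host. Binding :81 to it keeps the
# admin UI off the WAN side without a separate firewall rule.
ADMIN_BIND = "192.168.1.10"


def new_secret(nbytes: int = 24) -> str:
    """URL-safe random string from the OS CSPRNG; 24 bytes gives 32 characters."""
    return secrets.token_urlsafe(nbytes)


def render_config(db_password: str) -> str:
    """config.json as mounted into the app container at /app/config/production.json."""
    cfg = {"database": {"engine": "mysql", "host": "db", "name": "npm",
                        "user": "npm", "password": db_password, "port": 3306}}
    return json.dumps(cfg, indent=2) + "\n"


def render_compose(db_password: str, root_password: str,
                   app_tag: str = "latest", db_tag: str = "latest") -> str:
    """docker-compose.yml carrying the same DB password as config.json.
    Tags default to 'latest' like the post; pass pinned tags in practice."""
    return f"""version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:{app_tag}
    restart: always
    ports:
      - 80:80
      - 443:443
      - {ADMIN_BIND}:81:81
    volumes:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    environment:
      - FORCE_COLOR=1
  db:
    image: mariadb:{db_tag}
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "{root_password}"
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      MYSQL_PASSWORD: "{db_password}"
    volumes:
      - ./data/mysql:/var/lib/mysql
"""


def lint_compose(text: str) -> List[str]:
    """Findings a reviewer would raise before exposing this stack."""
    findings = []
    if re.search(r'PASSWORD:\s*"?npm"?\s*$', text, re.M):
        findings.append("database password is the quick-start default 'npm'")
    for image in re.findall(r"image:\s*(\S+)", text):
        if image.endswith(":latest") or ":" not in image:
            findings.append(f"unpinned image tag: {image}")
    if re.search(r'^\s*-\s*"?81:81"?\s*$', text, re.M):
        findings.append("admin UI on :81 is bound to all interfaces")
    return findings


if __name__ == "__main__":
    db_pw, root_pw = new_secret(), new_secret()
    compose = render_compose(db_pw, root_pw)
    with open("config.json", "w") as fh:
        fh.write(render_config(db_pw))
    with open("docker-compose.yml", "w") as fh:
        fh.write(compose)
    for finding in lint_compose(compose):
        print("WARN:", finding)
```

Run it inside the npm folder before `docker-compose up -d`; the generated files replace the two pasted above. The warnings it prints for the `latest` tags are deliberate: pick a release tag of each image and pass it in, so that an `up -d` on a later day does not silently pull a different build of the reverse proxy that fronts your services.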

Please go read more at the developers site – https://github.com/jc21/nginx-proxy-manager – all credit goes to him.

Using the UniFi line as wlan controller

Ever since IoT started to be a thing, it has eaten up my IPs from the free 50 of the Sophos UTM Home license. Since I am currently somewhat invested in its features, going away from the UTM is not an option at this time.

After some back and forth I decided to use an old trick: NAT. Simply put a new firewall behind a dedicated NIC on the UTM. Very few or none of my devices actually need to talk to my lab, so all that traffic is then routed to WAN.

What I bought:

  • USG-PRO-4
  • UAP-NANOHD

The UniFi controller is deployed on an Ubuntu 16.04 VM with this install script. The reason for 16.04 LTS is that it is the last version SCVMM 2012 R2 will recognize. I have successfully deployed 18.04 too, but it is not known to the VMM.

To be continued.

Landscape 18.03 on Ubuntu 16.04 LTS

Install on-prem and add clients

install landscape-server

Before installing anything, check /etc/hosts and set your FQDN to whatever you want it to answer to. Use lower case only, or Landscape may give errors.

sudo add-apt-repository ppa:landscape/18.03
sudo apt-get update
sudo apt-get install landscape-server-quickstart

install landscape-clients

sudo apt-get update
sudo apt-get install landscape-client

install cert

To enrol other computers, they need to trust the server's certificate. Copy the CA certificate over SSH (so the copy itself is authenticated) and point the client at it.

sudo scp user@landscape:/etc/ssl/certs/landscape_server_ca.crt /etc/landscape/server.pem

sudo nano /etc/landscape/client.conf

Under the [client] section, add:

ssl_public_key = /etc/landscape/server.pem

register client

The following command will guide you through the registration.

sudo landscape-config --computer-title "webserver" --account-name standalone --url https://landscape.agurk.net/message-system --ping-url http://landscape.agurk.net/ping

The last step is to accept the pending registrations in https://landscape
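Before registering clients it is worth confirming that the certificate you copied is really the one the Landscape endpoint chains to, and noting its fingerprint so later clients can be compared against it. The script below is an added example written for this post, not part of Landscape or of the original steps. It assumes the host name landscape.agurk.net and the path /etc/landscape/server.pem from the commands above, and that the quickstart installed a self-signed CA.

```python
"""Added example, not from the original post or from Landscape: print the
SHA-256 fingerprint of the copied CA file and verify that the Landscape
endpoint's TLS chain validates against that file alone."""
import base64
import hashlib
import socket
import ssl

CAFILE = "/etc/landscape/server.pem"   # path used in the post
HOST = "landscape.agurk.net"           # host name used in the post


def pem_fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER body of a single-certificate PEM file, formatted
    the way 'openssl x509 -noout -fingerprint -sha256' prints it (AA:BB:...)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def server_validates_against(host: str, cafile: str, port: int = 443) -> bool:
    """True only if the server's certificate chains to the CA in cafile.
    Passing cafile means the system trust store is NOT loaded, which mirrors
    what ssl_public_key does for landscape-client."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    with open(CAFILE) as fh:
        print("CA SHA256:", pem_fingerprint_sha256(fh.read()))
    print("chain validates:", server_validates_against(HOST, CAFILE))
```

Run it on the client after the scp step; a False from server_validates_against means the file you copied is not the CA that signed the server certificate (wrong file, or the server was re-keyed), and landscape-config would fail for the same reason.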

https://help.landscape.canonical.com/
https://help.landscape.canonical.com/LDS/QuickstartDeployment18.03

Altibox – Using your own router

Like many others with Altibox, I was curious whether it is possible to bypass the home gateway (hjemmesentral). I was issued a Zyxel P2812ac home gateway and a HET-3012 media converter. To avoid sources of error I wanted to remove the home gateway, which was in bridge mode anyway.

Depending on where your media converter (fiber to Ethernet) is located, you need at least one switch with VLAN support. The idea is to create a trunk port that receives the Altibox VLANs and distributes them correctly inside the house. I use a Netgear GS724T in the storeroom and a GS716T in the living room, and the setup works very well.

Altibox uses the following VLANs:

  • IPTV – 101
  • Internet – 102

There is most likely a management VLAN as well, used to manage the home gateways, but I have not been able to find out which one.

As firewall and router I use Sophos UTM. It is comparable to pfSense and other firewall distributions. The reason I went for Sophos UTM some years ago was that it works with objects the same way as, for example, Cisco ASA, which I find a very tidy and clear way to present access rules. And not least, you get a full-blown enterprise solution for free for up to 50 IP addresses, which is quite a lot, even for an extensive home network.

On the firewall I created a new interface that receives tagged VLAN 102. I also had to set the virtual MAC address to the same one printed on my home gateway. After that it went by itself: the firewall got the correct static IP from DHCP and the packets started flowing.

altibox vlan 102

As for TV, it was just a matter of forwarding tagged 101 to the living room and then setting VLAN 101 untagged on the port the TV box is connected to.

The setup is thus as follows:
GS724T

  • Port 13 – T 101 and T 102 – from the media converter.
  • Port 15 – T 102 – to the firewall.
  • Port 24 – T 101 – to the living room.

GS716T

  • Port 16 – T 101 – from the storeroom.
  • Port 15 – U 101 – to the TV.

How you want to set up the LAN you have perhaps already figured out.

Two-factor Authentication with Duo Security

Duo Security two-factor authentication is a breeze to set up, and deserves a look from everyone who wants to make their appliances or other logins more secure, whether it is for Microsoft RDP or WordPress, to name two. As an example you can see how the two-factor authentication works for RDP in the image below.

two-factor-rdp-network-diagram

My search for a way to use two-factor authentication began when I decided to open my remote desktop sessions to any IP. As always, I used Google to come up with several options. But Duo seems to be the best and most flexible out there. It has tons of options, great documentation, and even a free plan for personal use. What I will miss most when the trial runs out is the option for whitelisting IP addresses, so that when I am at home or at any of my site-to-site locations I can log straight in.

The account creation may be a bit more than you are used to from other sites. You are asked to set up the application on your phone and verify a few things before you are let in. After creating your account, the rest is mostly self-explanatory. I followed two guides. One to set up RDP and one for WordPress just to get me started.

When signing in to those places now, you will get a notification on your phone asking for access. If this is you, simply hit the green button and you are logged in. The process is painless and is literally over in a matter of seconds. If you are outside cellular data coverage, you also have the option to use the codes that are pre-loaded in the application on your phone.

Configure VLAN on Netgear switches

As I had to google this one myself, I thought there could be one more article about configuring VLANs on Netgear switches. Multiple VLANs solve the problem of carrying two or more separate networks to another room in your house over a single Ethernet cable. This could be LAN and WLAN, or in my case those two and TV over IP. The procedure is mostly the same on any switch with a graphical user interface, but as I only own switches from Netgear, the pictures will be from them.

First, define your VLAN identifiers. For my own documentation, I will use the ones I use. You can basically use any number between 1 and 4093. For your consideration, I would use either 10, 11, 12 or 100, 101, 102 next time. To make things easy and not risk losing connectivity, keep VLAN 1 and configure LAN on this ID.

  • VLAN 1 – LAN
  • VLAN 4 – WLAN
  • VLAN 5 – TV

The identifier travels in the 802.1Q tag of each frame, so for a given VLAN a port is either tagged (frames keep the tag) or untagged (the tag is stripped on the way out). If we tag one port with more than one VLAN, it is called a trunk port. That is what we want between the storeroom and the living room.

Keep in mind: an untagged port can only be a member of one VLAN. Generally speaking, untagged ports are used to connect computers, and tagged ports are used to connect switches and devices that also use tagged VLANs.

Log in to your first switch and select Switching, VLAN. Insert new VLAN ID and new VLAN Name and hit Add. If there is a choice, select Static as VLAN Type.

Netgear vlan

When this is repeated for all the wanted VLANs on both switches, we are ready to move on to the tagging.

In the same menu, click on Advanced and VLAN Membership.

Netgear vlanmember

For reference, my VLAN 1 looks like this. As you can see, ports 10 and 24 are used as trunk ports, where port 10 is the uplink to the firewall and port 24 goes to the other switch in the living room. All the untagged ports behave just like normal ports.

The other rules I have set are:

  • VLAN 4 – Port 10 T, Port 24 T
  • VLAN 5 – Port 23 U, Port 24 T

This means my WLAN subnet comes in tagged, in parallel with LAN, from the firewall and is carried straight through to the living room where my access point is. The TV signal comes in untagged on port 23 and is tagged on the way to the living room together with the other networks.

If you are using a router without VLAN support, just plug it into any untagged port and use only tagged ports between the two switches.

On a side note: it is not always necessary, but the PVID (Port VLAN ID) in Port PVID Configuration decides which VLAN untagged frames arriving on a port are placed in. Untagging a port in a VLAN only affects the outbound direction, so I had to set the PVID on port 23 to 5 before the TV box's own traffic ended up in VLAN 5 and the TV worked.

When the first switch is done. Log in to your other switch and open the same menu.

Netgear vlanlivingmember

Tag the port from the other switch and untag all the others you want as LAN. The ports that have no T or U here are assigned to WLAN, and port 15 to TV, all untagged for that purpose. Here too I had to use the PVID Configuration to put VLAN 4 and 5 on those ports.

You should now have a working set of VLANs.
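The two membership tables on this page, the Altibox one (GS724T/GS716T with VLAN 101 and 102) and the home one above (VLAN 1, 4 and 5), both hinge on the same rules: an untagged port belongs to one VLAN, its PVID must point at that VLAN, and both ends of a trunk must tag the same set. The script below is an added example written for this post, not a tool from Netgear or from the original text. It models a switch's VLAN membership page as data, checks those rules, and reports exactly the mistake described above (port 23 untagged in VLAN 5 while its PVID is still 1). Port numbers and VLAN IDs in the sample are taken from the post; the default PVID of 1 for unconfigured ports is an assumption that matches the switches' factory state.

```python
"""Added example, not from the original post or from Netgear: validate a
VLAN membership table (T/U per port, PVID per port) and compare the tagged
set on both ends of an inter-switch trunk."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Switch:
    name: str
    # vlan id -> (tagged ports, untagged ports), as on the VLAN Membership page
    members: Dict[int, Tuple[Set[int], Set[int]]] = field(default_factory=dict)
    pvid: Dict[int, int] = field(default_factory=dict)  # Port PVID Configuration

    def add(self, vlan: int, tagged=(), untagged=()) -> "Switch":
        t, u = self.members.setdefault(vlan, (set(), set()))
        t.update(tagged)
        u.update(untagged)
        return self

    def port_pvid(self, port: int) -> int:
        return self.pvid.get(port, 1)  # assumption: factory PVID is 1


def validate(sw: Switch) -> List[str]:
    """Rules from the text: one untagged VLAN per port, PVID must match it,
    and a PVID must name a VLAN the port is actually a member of."""
    problems: List[str] = []
    untagged_in: Dict[int, List[int]] = {}
    for vlan, (t, u) in sw.members.items():
        for p in t & u:
            problems.append(f"{sw.name}: port {p} is both T and U in VLAN {vlan}")
        for p in u:
            untagged_in.setdefault(p, []).append(vlan)
    for p, vlans in untagged_in.items():
        if len(vlans) > 1:
            problems.append(f"{sw.name}: port {p} untagged in several VLANs {sorted(vlans)}")
        elif sw.port_pvid(p) != vlans[0]:
            problems.append(f"{sw.name}: port {p} untagged in VLAN {vlans[0]} "
                            f"but PVID is {sw.port_pvid(p)}; its untagged ingress "
                            f"frames land in VLAN {sw.port_pvid(p)}")
    for p, v in sw.pvid.items():
        if v not in sw.members or p not in (sw.members[v][0] | sw.members[v][1]):
            problems.append(f"{sw.name}: port {p} has PVID {v} but is not in VLAN {v}")
    return problems


def trunk_mismatch(a: Switch, port_a: int, b: Switch, port_b: int) -> Set[int]:
    """VLANs tagged on only one end of the link a:port_a <-> b:port_b;
    frames for those are dropped at the end that lacks the membership."""
    tagged_a = {v for v, (t, _) in a.members.items() if port_a in t}
    tagged_b = {v for v, (t, _) in b.members.items() if port_b in t}
    return tagged_a ^ tagged_b


def storeroom_switch() -> Switch:
    """The home table from this post: VLAN 1 LAN, 4 WLAN, 5 TV; 10 and 24 are trunks."""
    lan_ports = set(range(1, 10)) | set(range(11, 23))
    return (Switch("storeroom")
            .add(1, tagged={10, 24}, untagged=lan_ports)
            .add(4, tagged={10, 24})
            .add(5, tagged={24}, untagged={23}))


if __name__ == "__main__":
    sw = storeroom_switch()
    print(validate(sw))          # reports port 23 with PVID 1
    sw.pvid[23] = 5              # the fix described in the text
    print(validate(sw))          # []
```

The Altibox table fits the same model: GS724T with 101 tagged on 13 and 24 and 102 tagged on 13 and 15, GS716T with 101 tagged on 16 and untagged on 15 (PVID 101); trunk_mismatch on the 24-to-16 link then returns an empty set, while pairing port 13 with port 16 reveals that 102 is not carried to the living room.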

Please give me feedback if something is unclear.