Sophos XG inline after Ubiquiti USG Pro

Hi Everyone, 

First time posting, so hoping I can get some clear direction on what to do based on others' experience. I know there are two possible ways to skin this cat.

We moved into a new office space, subleasing, and along with that comes a free internet connection (awesome!). However, the main tenant has all their stuff set up with a UniFi USG Pro. Essentially NTD > their USG Pro > their switch > Our Sophos XG > Our Switch.

We need to have separated networks. We aren't hosting anything local on our end; it's just for our protection/network segmentation/test environment stuff.

Obviously we have a double NAT here, so should I turn off NAT on the USG end or on the XG end? I'd rather do it on the XG end as I don't want to touch their Ubiquiti gear.

Currently the XG gets a DHCP lease from the USG pro. 

If anyone can point me in the right direction or set up guide, that would be much appreciated!



This thread was automatically locked due to age.
  • FormerMember

    Hi George, Thanks for reaching out to Sophos Community.

    If you're planning to keep NAT (MASQ) disabled on XG then you'll have to add reverse routes on USG to reach your internal (locally) segmented networks. This will be required as the traffic from these different networks behind XG will be going un-NATed and USG won't be able to route the reply packets. Also, in the future, if any other tenant joins with the same local network behind the USG then it'll create problems.

    More feasible would be to let XG NAT (MASQ) with the leased DHCP IP from USG, just like it would if there was an ISP connected, and no more routing hassle on USG.

    Hope this helps :)

  • Hello!

    I guess this will have to do, thank you for responding!

  • Hey Devesh and Team,

    I have a similar setup, but the USGP is mine. So I have Fiber -> USGP -> switches/APs currently. I have set up my XG 106 as a bridge and plan to put it after the USGP to make my topology: Fiber -> USGP -> XG -> switch -> UAPs, etc.

    I have my XG currently just connected to a switch via the WAN and then connected a computer to one of the bridged LAN ports on XG. I am able to access the XG from my network, but nothing when connected to its bridged LAN port. What I expect is that the XG would pass on an IP from the USGP and then this computer would be routing all traffic to the XG -> USGP and then internet. But my computer is not getting an IP and thus no connectivity.

    This setup is just to get things working before I put the XG in its place.

    Any thoughts on what is needed? I did a clean flash of the XG v18 using the wizard for bridging.

    If the protocol is to create a new thread I will do so, just let me know.

    Thanks,

    Gary

  • I have been doing some more digging around and figured out the issue. For reference, the page below indicates the 2 DHCP rules that need to be added.

    support.sophos.com/.../KB-000035606