Beginner help on bridge mode setup and guest authentication

I am pretty new to Sophos firewalls so this may seem a basic question. I want to set up an XG firewall at home with the possibility to remove it as simply as possible in case of issues. What I think will work is this:

 

WAN - VDSL to ISP
ISP Modem Router
    LAN address 192.168.0.1 static
          |
WAN - Ethernet Port 2 - Bridge mode
Sophos XG, bridge mode on Lenovo PC, IP address for maintenance 192.168.0.2 static, no DHCP
LAN - Ethernet Port 1 - Bridge mode
          |
WAN address - 192.168.0.3 static
ASUS DSL-AC52U Modem Router in Ethernet WAN mode (VDSL not used), used as DHCP server
    Gateway address 192.168.0.1, DNS Server 192.168.0.1, 8.8.8.8, 8.8.8.4
LAN address - 192.168.1.1 static
          |                        |         \
24-port switch        Main PC    ASUS WiFi to other devices
          |
Other network devices including other WiFi access points

 

So my questions:

- For the 192.168.0.x subnet, is the ISP modem at 192.168.0.1 the correct gateway and DNS? Does the SOPHOS XG look "transparent" in bridge mode if no firewall rules are set to block?

- If I simply set up the SOPHOS XG with a firewall rule to allow all traffic, then will it pass all traffic without any users having to be identified? I.e. does it just allow unfiltered internet connections out of the box?

- Under this arrangement, should I be able to simply remove the SOPHOS XG by disconnecting it and plugging in a new cable straight from my ASUS WAN port to ISP modem LAN port? No further configuration changes required?

- For configuration and maintenance, can I access the SOPHOS XG from its WAN port if I unplug the LAN port and go straight from ASUS to ISP Modem/Router with another cable? This way I can fix stuff and play with settings while the Internet is working, then just plug the SOPHOS XG back in the line.

- I have a third network port on the SOPHOS XG. Can I configure this to a 192.168.1.x address and plug it into an ASUS LAN port to always have access to the SOPHOS XG for configuration?

- Can DHCP be retained in the ASUS router? If I do fixed IP allocation to certain MAC addresses in the ASUS router then will this allow me to do IP based rules in the SOPHOS XG?

- Once all setup, what is the simplest way to provide guest access to mobile phones (iPhone, Android mostly)? Most guests will be teenagers and I want to give them each maybe 2 hours of quota per day.



  • Hey Dean,

    Here are my answers:

    - For the 192.168.0.x subnet, is the ISP modem at 192.168.0.1 the correct gateway and DNS? Does the SOPHOS XG look "transparent" in bridge mode if no firewall rules are set to block?

    Yes, 192.168.0.1 has to be the gateway for the ASUS router and the DNS if you want to use it as a DNS.

    - If I simply set up the SOPHOS XG with a firewall rule to allow all traffic then will it pass all traffic without any users having to be identified? ie. Does it just allow unfiltered internet connections out of the box?

    You will have to create firewall rules LAN to WAN and WAN to LAN to allow traffic; by default, if there are no firewall rules, the traffic will be dropped.

    - Under this arrangement, should I be able to simply remove the SOPHOS XG by disconnecting it and plugging in a new cable straight from my ASUS WAN port to ISP modem LAN port? No further configuration changes required?

    Yes, you will be able to do that.

    - For configuration and maintenance, can I access the SOPHOS XG from its WAN port if I unplug the LAN port and go straight from ASUS to ISP Modem/Router with another cable? This way I can fix stuff and play with settings while the Internet is working, then just plug the SOPHOS XG back in the line.

    Actually, when you set an IP on a bridged interface, the IP is accessible from both the LAN and WAN side, if you have enabled access in the "Device Access" settings.

    - I have a third network port on the SOPHOS XG. Can I configure this to a 192.168.1.x address and plug it into an ASUS LAN port to always have access to the SOPHOS XG for configuration?

    It has to be confirmed, but I think you will be able to access the XG from the 192.168.1.x anyway with the IP 192.168.0.3. But you can do what you ask, in that case you need to configure the bridge not using the wizard, but from the Network interfaces menu or you will not be able to use a third interface.

    - Can DHCP be retained in the ASUS router? If I do fixed IP allocation to certain MAC addresses in the ASUS router then will this allow me to do IP based rules in the SOPHOS XG?

    You have to use the DHCP server from the ASUS since it will act as a gateway router. If you want to use IP based rules, you will have to disable NAT on the ASUS and you will have to add a static route on the XG to the 192.168.1.X network.

    - Once all setup, what is the simplest way to provide guest access to mobile phones (iPhone, Android mostly)? Most guests will be teenagers and I want to give them each maybe 2 hours of quota per day.

    I think that the simplest way to do this is to activate the guest access by default on the LAN interface; you will find this option in the Wireless -> Hotspots menu. You can manage vouchers for your guests. Since the "hotspot" will be activated by default on the LAN, by default any machine will have to authenticate through the user portal, so if you want some machines to not have to authenticate, you will have to add firewall rules on top to allow their IP without authentication. This will work only if you have disabled the source NAT on the ASUS router.

  • Yes, 192.168.0.1 has to be the gateway for the ASUS router and the DNS if you want to use it as a DNS.

    Thanks - worked OK

    - Under this arrangement, should I be able to simply remove the SOPHOS XG by disconnecting it and plugging in a new cable straight from my ASUS WAN port to ISP modem LAN port? No further configuration changes required?

    Yes, you will be able to do that.

    Tested this and works fine.

    Actually, when you set an IP on a bridged interface, the IP is accessible from both the LAN and WAN side, if you have enabled access in the "Device Access" settings.

    Works once Device Access settings are adjusted but gives a warning about being an insecure setup, which I can understand.

    It has to be confirmed, but I think you will be able to access the XG from the 192.168.1.x anyway with the IP 192.168.0.3. But you can do what you ask, in that case you need to configure the bridge not using the wizard, but from the Network interfaces menu or you will not be able to use a third interface.

    Still to be tested.

    You have to use the DHCP server from the ASUS since it will act as a gateway router. If you want to use IP based rules, you will have to disable NAT on the ASUS and you will have to add a static route on the XG to the 192.168.1.X network.

    This one I might have to play with a bit more. I really want to be able to pull out the SOPHOS XG with a simple cable swap (which I can do now, no configuration changes) but that relies on the ASUS being in charge of DHCP, etc. So if I understand correctly, because the SOPHOS XG is in bridge mode, I would need to set static routes to 192.168.1.x on both the SOPHOS XG and the modem router connected to the Internet? 

    Also, for DHCP, could I make my Internet modem a DHCP server which would work with the SOPHOS XG removed from the network? Then, with the SOPHOS XG in place and a firewall rule to block DHCP traffic to the WAN, the SOPHOS XG (once connected) could become the DHCP server and the modem would never get DHCP requests. DHCP would be turned off in the ASUS router but everything would work with the SOPHOS XG removed (with maybe some hiccups at changeover).

    I think that the simplest way to do this is to activate the guest access by default on the LAN interface, you will find this option in Wireless -> Hotspots menu. You can manage vouchers for your guests. Since the "hotspot" will be activated by default on the LAN, by default, any machine will have to authenticate thru the user portal, so if you want some machines to not have to authenticate, you will have to add firewall rules on top to allow their IP without authentication. This will work only if you have disabled the source NAT on the ASUS router.

    This will definitely be stage 2 for me, I need to walk before I can run.

     

  • This one I might have to play with a bit more. I really want to be able to pull out the SOPHOS XG with a simple cable swap (which I can do now, no configuration changes) but that relies on the ASUS being in charge of DHCP, etc. So if I understand correctly, because the SOPHOS XG is in bridge mode, I would need to set static routes to 192.168.1.x on both the SOPHOS XG and the modem router connected to the Internet? 

    You need to disable source NATting on the ASUS router. By default, your router will replace the source IP of a packet with its own IP. Example: you have a PC with IP 192.168.1.5, and it sends a ping to 8.8.8.8. The packet will look like this: [SRC IP 192.168.1.5, DST IP 8.8.8.8, ICMP]. This is sent to the gateway of the PC, i.e. the ASUS router; then the ASUS router will send it to its own gateway, i.e. the ISP modem at 192.168.0.1, but it will replace the source IP with its own IP so the ISP modem will be able to answer back. The packet will look like this when reaching the ISP modem: [SRC IP 192.168.0.3, DST IP 8.8.8.8, ICMP]. As you can see, this is a problem for the XG Firewall, because it will not see the source IP of the PC, but the source IP of the ASUS router.

    If you disable the source natting on the ASUS router, when reaching the ISP modem (and the XG in bridge) the packet will look like this [SRC IP 192.168.1.5, DST IP 8.8.8.8, ICMP]. In that case, the ISP modem will have to know the route to the 192.168.1.X network to be able to answer back, this is why you have to create a static route on it.

     

    Also, for DHCP, could I make my Internet modem a DHCP server which would work with the SOPHOS XG removed from the network? Then, with the SOPHOS XG in place and a firewall rule to block DHCP traffic to the WAN, the SOPHOS XG (once connected) could become the DHCP server and the modem would never get DHCP requests. DHCP would be turned off in the ASUS router but everything would work with the SOPHOS XG removed (with maybe some hiccups at changeover).

    On the 192.168.1.X network, it has to be the ASUS router which does the DHCP. The DHCP server must be on the same physical network as your PCs; this is the way it works. But this is not a problem at all.

    If you want :

    • WiFi on your ASUS router
    • IP based firewall rule on the XG
    • be able to remove the XG anytime

    I really think that the best solution is just to disable SNAT on the ASUS router and create a static route on the ISP modem to the 192.168.1.X network.
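The packet path described in the reply above, as an added example that is not from the original thread or from Sophos: a small Python simulation of the ASUS router with and without source NAT, the XG as a transparent bridge holding an IP-based rule for the PC's real address, and the ISP modem with and without a static route back to 192.168.1.0/24. The private addresses are the ones from the thread; the ISP modem's public address 203.0.113.10 and the "isp-uplink" hop are constructed for the example.

```python
"""Packet-path simulation of the SNAT explanation above (added example).

Constructed topology: PC 192.168.1.5 -> ASUS router (LAN 192.168.1.1,
WAN 192.168.0.3) -> Sophos XG in bridge mode -> ISP modem 192.168.0.1
(public side 203.0.113.10, a made-up documentation address) -> 8.8.8.8.
"""
import ipaddress
from dataclasses import dataclass, replace

UPLINK = "isp-uplink"  # the ISP modem's default next hop (the internet)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ICMP"


class Router:
    """Longest-prefix routing plus optional source NAT for one inside prefix."""

    def __init__(self, name, routes, inside=None, snat_ip=None):
        self.name = name
        # (prefix, next_hop); next_hop None means the prefix is directly attached
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.inside = ipaddress.ip_network(inside) if inside else None
        self.snat_ip = snat_ip           # None = source NAT disabled
        self.nat_table = {}              # (remote, translated_src) -> real src

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if addr in n]
        if not matches:
            return None
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return dst if nh is None else nh

    def forward(self, pkt):
        """Return (next_hop, packet as it leaves), or (None, pkt) if unroutable."""
        # A reply addressed to our translated address: undo the translation first
        real = self.nat_table.get((pkt.src, pkt.dst))
        if real:
            pkt = replace(pkt, dst=real)
        nh = self.next_hop(pkt.dst)
        if nh is None:
            return None, pkt
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        leaving = self.inside is not None and src in self.inside and dst not in self.inside
        if self.snat_ip and leaving:     # rewrite the inside source to our WAN IP
            self.nat_table[(pkt.dst, self.snat_ip)] = pkt.src
            pkt = replace(pkt, src=self.snat_ip)
        return nh, pkt


class BridgeFirewall:
    """Transparent bridge: passes packets unchanged, matches on the IP header."""

    def __init__(self, allowed_sources):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.seen = []                   # source IPs observed on the LAN -> WAN path

    def matches(self, pkt):
        self.seen.append(pkt.src)
        return any(ipaddress.ip_address(pkt.src) in n for n in self.allowed)


def trace(snat_on_asus, isp_route_to_lan):
    """Run one ping and its reply through the chain; report what each hop did."""
    asus = Router("ASUS", [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.0.1")],
                  inside="192.168.1.0/24",
                  snat_ip="192.168.0.3" if snat_on_asus else None)
    isp_routes = [("192.168.0.0/24", None), ("0.0.0.0/0", UPLINK)]
    if isp_route_to_lan:                 # the static route the reply talks about
        isp_routes.append(("192.168.1.0/24", "192.168.0.3"))
    isp = Router("ISP", isp_routes, inside="192.168.0.0/16", snat_ip="203.0.113.10")
    xg = BridgeFirewall(allowed_sources=["192.168.1.5/32"])  # rule on the PC's real IP

    _, pkt = asus.forward(Packet("192.168.1.5", "8.8.8.8"))
    rule_hit = xg.matches(pkt)           # what the bridged XG sees and decides
    _, pkt = isp.forward(pkt)            # NAT to the public IP, out the uplink
    reply = Packet(pkt.dst, pkt.src)     # 8.8.8.8 answers the source it saw
    isp_nh, pkt = isp.forward(reply)     # undo NAT, then route the reply back
    delivered = False
    if isp_nh == "192.168.0.3":          # reply reached the ASUS
        asus_nh, pkt = asus.forward(pkt)
        delivered = asus_nh == "192.168.1.5"
    return {"xg_saw_src": xg.seen[0], "xg_rule_matched": rule_hit,
            "isp_sent_reply_to": isp_nh, "reply_delivered": delivered}


if __name__ == "__main__":
    for snat, route in [(True, False), (False, False), (False, True)]:
        print(f"SNAT on ASUS={snat!s:5} ISP route to LAN={route!s:5} ->",
              trace(snat, route))
```

Running it prints the three cases: with SNAT on, the XG only ever sees 192.168.0.3 and a rule written for 192.168.1.5 never matches; with SNAT off and no static route on the ISP modem, the reply is handed to the default route towards the uplink and never comes home; with the static route added, the rule matches and the reply is delivered. The bridge in the simulation never rewrites or routes anything, which is exactly why the address it sees depends entirely on what the ASUS does to the packet.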

     

  • I am thinking of doing this another way:

     

    - Set the XG in bridge mode to be firewall and DHCP server.

    - Configure ASUS router as access point only (WAN bypass or whatever term they use).

    - Configure ISP modem/router to be DHCP but will only ever get DHCP requests if the XG is removed.

    - Now all IP addresses are issued by the XG, and the ISP modem/router is the only NAT device, so no double NAT.

    - XG does all firewall and other functions.

     

    One question, can XG have NAT disabled? If so then I think this would work.