This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Home license exceeded by > 200

Hello.

I'm running Sophos UTM9 Home Edition on a small dedicated virtual machine where as the host (VMware ESXi) is connected to two physical network cards, offering 4 virtual ones to Sophos (green, orange, dyn, red):

green:    eth0, 192.168.123.0/24 (no dhcp)
orange:  eth1: 192.168.124.0/24 (no dhcp)
red:       eth2: public IP (gateway to ISP)

The 'dyn' network is a static route which leads to a legacy pfSense gateway server running a DHCP for dynamic clients, ip range is 192.168.125.0/24.

Within the green network, I got 6 machines, IP addresses statically assigned. Within the dmz I currently got nothing and in the dyn network, there are currently 10 devices (phones, laptops), but since they use the pfSense as a gateway, I don't think Sophos can actually see them?

Here's my problem:

Today I received an email from the Sophos UTM that my license for Home use has been exceeded by over 200 machines. Along with the email, there was a list of IP addresses which have been blocked:

192.168.124.1
192.168.124.2
192.168.124.3
192.168.124.4
192.168.124.5
192.168.124.6
...

The thing is: There are no devices having those IP addresses, no devices in that network (dmz) anyway and definitely not more than 20 devices using Sophos as their gateway. Where do these IP devices come from? What exactly did Sophos detect here?

When I run an ip scan, I also get weird results:

(ip scan on range 192.168.123.1 - 192.168.125.255, from green to dyn)

192.168.123.1
192.168.123.2
192.168.123.5
192.168.123.10
192.168.123.11
192.168.123.35
192.168.124.1
192.168.124.2
192.168.124.3
192.168.124.4
192.168.124.5
...

I can clearly see only my available devices within the green network, but as soon as it hits the dmz, my ip scanner reports that every IP address in that range is online.

What the hell could cause this?

This thread was automatically locked due to age.

0 RiRueschel over 9 years ago

Alright, I've managed to reset the license count using cc, however if a mistake in the configuration or over at pfSense is causing this, it will probably be re-populated with fake entries soon. Does anybody know in what interval the scans occur?
Cancel
Vote Up 0 Vote Down

Cancel
0 zaphod over 9 years ago

as far as i know ip scans are bad for the utm with home license.
the cc command to clear license helps not long... every day there runs a script that counts ip-adresses from internal logging last 7 days...

the main problem with the ip addresses being seen and there are now devices with these adresses is not fixed...

i got the same problem at my home utm... dont know how to fix... (dont want to make backup / reinstall../ import backup..) i know that will fix it..

greets

zaphod
___________________________________________

Home: Zotac CI321 (8GB RAM / 120GB SSD) with latest Sophos UTM
Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...
Cancel
Vote Up 0 Vote Down

Cancel
0 StephaneGROBETY over 9 years ago

This is a known problem with the way UTM manages licenses: it will count as a "protected IP" any address it sees that has either the source or the destination set to a subnet it knows of (i.e. any packet that isn't routed to the default gateway).

This cause your licenses to get "used" even if there is no device at the target address in the following cases:
- A packet has source IP that is actually internal, even if the packet is spoofed (that includes martian packets coming from your external interface).
- A packet has a destination IP that is in any of the local subnets. For instance, if you scan one subnet from another local one.
- Any public IP that, for any reason, gets routed to a local subnet (through routing or NAT).

The above is valid for IPv4. I'm not sure how UTM handles IPv6 addresses and routing.
Cancel
Vote Up 0 Vote Down

Cancel