Firewall

Gatekeeper and single point of entry

Firewall vm creation

Make sure to download the Sophos UTM installer ISO, version 9.6 or higher. Create a Proxmox VM with 4 GB RAM, 2 CPU cores and a 30 GB SSD-backed disk. Configure an Intel E1000 network adapter (eth0) connected to the external bridge, vmbr0; this is the connection to the outside world. After the hardware wizard is complete, add a second network adapter (eth1) of the same type connected to vmbr1, which acts as the LAN switch. Keep WAN and LAN on separate bridges so that the firewall VM is the only path between them.

Note that the installation is roughly the same if you opt to use pfSense instead of Sophos UTM: one external interface and one internal.

The console tab of the Proxmox VM acts as the display; it is a VNC-based view of the VM.

Sophos UTM Installer

Select eth1 (the adapter on vmbr1, the LAN side) as the WebAdmin interface.

Configure the LAN ip for the firewall:

Address: 10.0.5.1
Netmask: 255.255.255.0
Gateway: [blank]

Select the 64-bit kernel and "install all capabilities", then start the partitioning process. When the installer is ready to reboot, unmount the ISO in Proxmox so the VM boots from disk, and proceed.

After the reboot, set up a temporary VM with default settings and attach its network interface to vmbr1 (our LAN switch). The firewall expects a machine on the LAN side to complete the configuration, so this temporary machine serves that purpose. Mount an Ubuntu live CD (for example), boot into the live environment and give the LAN interface a manual IP in the same range as the one set during the Sophos installation (for example 10.0.5.10/24 with gateway 10.0.5.1).

Once the network configuration is complete it should be possible to open the WebAdmin interface of the firewall in Firefox over HTTPS on port 4444 (expect a certificate warning on first connect, since the UTM starts with a self-signed certificate):

https://10.0.5.1:4444

Set up the WAN interface of the firewall with your external IP address (NOT the same as the external IP of the Proxmox host).

Complete the configuration and allow HTTP/HTTPS traffic, terminal services, etc. Every service allowed here is reachable from any LAN client, so only open what the LAN actually needs. Enable the DHCP server with a range of, for example, 10.0.5.100 to 10.0.5.200.

Skip the license file upload for now: you have 30 days to register an account with Sophos for the free home-use license (max 50 IP addresses). This is one of those registrations that is actually worth the effort.

After the configuration is completed it can take a few minutes and/or a reboot before the Ubuntu VM is able to access the internet.
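The Proxmox side of the procedure above (firewall VM with the WAN adapter, second LAN adapter added afterwards, ISO detached when the installer wants to reboot, temporary LAN-only live VM) as CLI commands, added here as an example and not taken from the original guide or from Sophos. The VM IDs, the storage name and both ISO file names are assumptions; adjust them to your node. Each function prints the commands for one stage so they can be reviewed before being piped to the shell.

```shell
#!/bin/sh
# Added example, not from the original guide: the Proxmox CLI equivalent of the
# VM steps above, run as root on the Proxmox host. VM IDs, the storage name and
# both ISO file names are assumptions; change them to match your node.
FW_VMID="${FW_VMID:-100}"                                   # assumed VM ID
TMP_VMID="${TMP_VMID:-101}"                                 # assumed VM ID
PVE_STORAGE="${PVE_STORAGE:-local-lvm}"                     # assumed storage name
UTM_ISO="${UTM_ISO:-local:iso/asg-9.6-amd64.iso}"           # assumed ISO file name
UBUNTU_ISO="${UBUNTU_ISO:-local:iso/ubuntu-live.iso}"       # assumed ISO file name

# Firewall VM: 4 GB RAM, 2 cores, 30 GB disk, E1000 NICs. net0 (eth0 inside the
# guest) goes on vmbr0 = WAN; net1 (eth1) is added in a second step on
# vmbr1 = LAN, mirroring "add a second adapter after the wizard".
firewall_vm_cmds() {
    cat <<EOF
qm create $FW_VMID --name fw-utm --memory 4096 --cores 2 --ostype l26 \\
    --scsihw virtio-scsi-pci --scsi0 $PVE_STORAGE:30 \\
    --net0 e1000,bridge=vmbr0 --cdrom $UTM_ISO --boot 'order=ide2;scsi0'
qm set $FW_VMID --net1 e1000,bridge=vmbr1
qm start $FW_VMID
EOF
}

# When the installer asks to reboot: detach the ISO so the VM boots from disk.
firewall_eject_cmds() {
    cat <<EOF
qm set $FW_VMID --ide2 none,media=cdrom
EOF
}

# Temporary LAN-side machine: a disk-less live VM attached to vmbr1 only, never
# to vmbr0, so its only way out is through the firewall.
lan_tmp_vm_cmds() {
    cat <<EOF
qm create $TMP_VMID --name lan-tmp --memory 2048 --cores 1 --ostype l26 \\
    --net0 e1000,bridge=vmbr1 --cdrom $UBUNTU_ISO
qm start $TMP_VMID
EOF
}

# Usage: print a stage to review it, then pipe it to the shell to apply it:
#   sh proxmox-fw.sh firewall | sh -e     (create and start the firewall VM)
#   sh proxmox-fw.sh eject    | sh -e     (when the installer wants to reboot)
#   sh proxmox-fw.sh lan-tmp  | sh -e     (temporary LAN-only live VM)
case "${1:-}" in
    firewall) firewall_vm_cmds ;;
    eject)    firewall_eject_cmds ;;
    lan-tmp)  lan_tmp_vm_cmds ;;
esac
```

The two NICs are deliberately created in two steps and on two different bridges; if both ended up on vmbr0 the "single point of entry" would be bypassed before the firewall was even installed.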

Sophos UTM LDAP Login

After the FreeIPA server has been setup it can be used for authentication on the firewall, including for incoming VPN connections.

Add a low-privilege account to use as the bind user. An account named "binduser" with no group memberships should suffice. Set the login shell of the user to /usr/sbin/nologin to ensure it cannot be used for interactive login; the account can still bind to LDAP, which is all it needs.

On the Sophos UTM interface go to Definitions & Users->Authentication Service->Servers->New Authentication Server

Select the LDAP backend. Add the FreeIPA server without SSL and leave port 389. Note that plain LDAP sends the binduser password and every user's login credentials across the LAN unencrypted; FreeIPA also serves LDAPS on port 636 with its own CA (certificate at /etc/ipa/ca.crt on the IPA server), so tick SSL and use 636 if you trust that CA on the UTM. Set Bind DN to:

uid=binduser,cn=users,cn=accounts,dc=lan,dc=example,dc=com

Enter the password for the binduser.

Set User attribute to UID and Base DN to:

cn=users,cn=accounts,dc=lan,dc=example,dc=com

To create a Sophos group based on FreeIPA group membership, go to Definitions & Users->Users & Groups->Groups->New Group

Group name: firewallusers
Group type: Backend membership
Backend: LDAP
Check an LDAP attribute (x)
Attribute: memberOf
Value: cn=firewallusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com

Test authentication with a known-good user from FreeIPA before relying on the group for VPN access.
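The DNs and the memberOf value above are easy to get wrong by one component, and Sophos only reports a generic failure. The script below, added as an example and not part of the original guide, builds the same DNs from a base DN, prints the FreeIPA commands for the bind account, and checks with ldapsearch (as binduser, from the same base) that a known-good user really carries the memberOf value the Sophos group will match on. The IPA host name ipa.lan.example.com, the base DN and the password-file path are assumptions; the LDIF sample at the end is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the FreeIPA DNs and the
# memberOf value before typing them into Sophos. Assumptions: IPA server
# ipa.lan.example.com, base DN dc=lan,dc=example,dc=com, an OpenLDAP
# ldapsearch client where this runs, and the binduser password in the file
# named by BIND_PW_FILE (-y keeps it out of the process list, unlike -w).
IPA_BASE_DN="${IPA_BASE_DN:-dc=lan,dc=example,dc=com}"
IPA_HOST="${IPA_HOST:-ipa.lan.example.com}"
BIND_PW_FILE="${BIND_PW_FILE:-/root/binduser.pw}"

# FreeIPA's tree: users live under cn=users,cn=accounts, groups under
# cn=groups,cn=accounts, and each user entry carries memberOf for its groups.
users_base() { printf 'cn=users,cn=accounts,%s\n' "$IPA_BASE_DN"; }
user_dn()    { printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$IPA_BASE_DN"; }
group_dn()   { printf 'cn=%s,cn=groups,cn=accounts,%s\n' "$1" "$IPA_BASE_DN"; }

# Commands to run on the IPA server as admin to create the bind account.
# FreeIPA marks an admin-set password as expired, so the last line changes it
# once as the user (kinit prompts for a new one); until then the LDAP bind
# from Sophos is refused.
bind_user_cmds() {
    cat <<EOF
ipa user-add binduser --first=Bind --last=User --shell=/usr/sbin/nologin
ipa passwd binduser
kinit binduser
EOF
}

# ldapsearch folds long attribute lines at 76 columns with a leading space on
# the continuation; join them back before matching.
ldif_unwrap() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { print "" }'
}

# Pure helper: does the LDIF on stdin contain exactly the given memberOf value?
ldif_has_memberof() {   # $1 = group DN
    ldif_unwrap | grep -i -x -F -q "memberOf: $1"
}

# Live check: bind with the same DN and search base as the Sophos server
# definition and fetch memberOf for one user. For LDAPS use -H ldaps://...
# with LDAPTLS_CACERT=/etc/ipa/ca.crt exported.
ipa_memberof_ldif() {   # $1 = uid to look up
    ldapsearch -x -LLL -H "ldap://$IPA_HOST" \
        -D "$(user_dn binduser)" -y "$BIND_PW_FILE" \
        -b "$(users_base)" "(uid=$1)" memberOf
}

check_user_in_group() {   # $1 = uid, $2 = IPA group name
    if ipa_memberof_ldif "$1" | ldif_has_memberof "$(group_dn "$2")"; then
        echo "$1 is in $2: the Sophos group for $(group_dn "$2") will match"
    else
        echo "$1 is NOT in $2 (or the bind as binduser failed)" >&2
        return 1
    fi
}

# Constructed sample of what ldapsearch returns for a user in two groups
# (not captured from a real server); used to exercise the parser offline.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=lan,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
memberOf: cn=firewallusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
'

# Usage: sh ipa-check.sh bind-user            (print the IPA commands)
#        sh ipa-check.sh check alice firewallusers
case "${1:-}" in
    bind-user) bind_user_cmds ;;
    check)     check_user_in_group "${2:?uid}" "${3:-firewallusers}" ;;
esac
```

If the check passes here but the Sophos test still fails, the difference is almost always the server definition itself (wrong port, SSL ticked without the CA, or a Bind DN typed into the Base DN field).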

VPN user for gaming (for example)

Remote Access->SSL->Settings

Change the port from 443 to 1443.

Remote Access->SSL->Profile->New Remote Access Profile

Name: Gaming
Users and Groups: firewallusers
Local Networks: Internal (network)
Automatic Firewall Rules: (x)

Definitions & Users->Users & Groups->Users

New User -> Username: [LDAP user in the relevant group], Authentication: Remote -> Save

Tick the new remote user, open the "Action" dropdown above the list and select "Download SSL VPN Packages". Select the package for the non-Windows OS type, which contains the plain configuration file rather than an installer. Extract the archive and save the .ovpn file.
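Two things in the exported profile are worth checking before handing it to a user: that it points at the SSL VPN port changed above (1443, not the default 443), and that it prompts for the user's credentials (auth-user-pass) rather than relying on the certificate alone or on a password stored in a file. The script below is an added example, not part of the original guide or a Sophos tool; the sample profile in it is constructed for illustration and the host name fw.example.com is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide: check an extracted .ovpn against
# the settings chosen above before handing it out. The sample profile below is
# constructed for illustration, not a real Sophos export; fw.example.com is an
# assumed host name.
SAMPLE_OVPN='client
dev tun
proto tcp
remote fw.example.com 1443
auth-user-pass
'

# Port from the first "remote host [port] [proto]" line; OpenVPN's default is 1194.
ovpn_remote_port() {   # .ovpn on stdin
    awk '$1 == "remote" { print ($3 == "" ? 1194 : $3); exit }'
}

# Exit 0 if the directive is present (comment lines never match as $1).
ovpn_has_directive() {   # $1 = directive name; .ovpn on stdin
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }'
}

# The profile must use the changed SSL VPN port and must prompt for the LDAP
# credentials. "auth-user-pass FILE" would keep the password on disk, so flag it.
ovpn_check() {   # $1 = path to .ovpn, $2 = expected port
    port=$(ovpn_remote_port < "$1")
    [ "$port" = "$2" ] \
        || { echo "$1: remote port is $port, expected $2" >&2; return 1; }
    ovpn_has_directive auth-user-pass < "$1" \
        || { echo "$1: auth-user-pass missing, LDAP login will not be prompted" >&2; return 1; }
    if awk '$1 == "auth-user-pass" && $2 != "" { bad = 1 } END { exit !bad }' < "$1"; then
        echo "$1: auth-user-pass references a file, password would be stored on disk" >&2
        return 1
    fi
    echo "$1: port $port, user/password prompt enabled"
}

# Usage: sh ovpn-check.sh check ~/Downloads/gaming.ovpn 1443
case "${1:-}" in
    check) ovpn_check "${2:?path to .ovpn}" "${3:-1443}" ;;
esac
```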