How To: Proxmox Host with Sophos UTM Install

Why Do This

I've recently decided to upgrade my home IT infrastructure and one of the main goals was going from a normal consumer grade router to something with more power, features, and flexibility. A lot of people use PfSense for this but I wanted something that could do even more. This search led me to Sophos UTM. Once known as the Astaro Security Gateway, this amazingly capable product is a perfect fit and is totally free for home use (with under 50 IP addresses.) It includes a very configurable firewall, web filtering, anti-virus, advanced threat protection, IPS, a VPN server, and many other awesome features.

I didn't just want to run a dedicated piece of hardware for Sophos however, I figured I might as well pick up another hypervisor compatible server since I'm already quite heavily utilizing my ESXi box. For this, I chose a Lenovo TS140 which cost only $200 in base core i3 CPU configuration, and leaves me with plenty of CPU room for more lightweight VMs (note one tradeoff of this configuration though is that, unlike the the Xeon version, the core i3 does not support VT-D for device passthrough.) As a bonus, this server is also dead quiet and uses very little power, both ideal for my situation.

For the hypervisor I decided this time to use Proxmox instead of ESXi. Since I don't primarily use Windows, having to boot a VM to manage my ESXi host was getting really annoying. Proxmox uses a platform agnostic web-based admin page and additionally comes with lots of extra features ESXi doesn't let you have in their free license. Proxmox also lets your run OpenVZ container OS's, ideal for the lower-spec processor.

The "Proxmox host with home router VM" setup I wanted to achieve is a question that seems to be asked a lot, but I struggled to find a definitive answer when I Googled it. Once I understood how Proxmox worked though, it was very easy. Therefore, this article will be my documentation on exactly how to do it. Hopefully this saves someone the time I wasted trying to figure it out. In order to accomplish this, here is what you must do.

Technical Setup

First you must be familiar with the Proxmox networking model and know that each physical NIC on your host server will need to be attached to a virtual switch created in proxmox, these switches get named vmbrX where X is a number just like the eth0/eth1 interfaces. When you install Proxmox, it will force you to set up a static IP for your first virtual switch (vmbr0 using eth0), leaving you with eth0, eth1, and vmbr0 configured at the end of setup. The easiest thing to do here is go through setup and make the static IP you use during configuration the IP you want to manage proxmox at on your internal LAN. After setup is complete and you login to the Proxmox admin page successfully, the next step you will need to take is to create a second virtual switch, vmbr1. Since this is created 2nd, assign it to eth1, and these two (eth1/vmbr1) interfaces will become the WAN side for your network. Reboot Proxmox to complete the new interface setup. It should now show whatever your internal LAN settings are on the vmbr0 line only.

This next part is the crucial piece that threw me off for a while until I figured out the correct setup - since a consumer ISP is very likely to only offer you one IP via DHCP, you must ensure that only the virtual NIC used in Sophos as the WAN link gets this IP. This means you CANNOT assign an IP to vmbr1 in Proxmox. However, unless you go into /etc/network/interfaces and set vmbr1 to "manual" instead of static, Sophos will not boot since vmbr1 will show as inactive in Proxmox. In order to boot a VM, all switches the VM's virtual NICs are connected to must be "active" in Proxmox's network tab (see pic below), and the only way to do this is to set vmbr1 to manual mode in the interfaces file. In addition, it is important to realize that any virtual switch with an IP will allow Proxmox to be administered on that IP, therefore, this setup also ensures that strangers from the internet cannot connect to your Proxmox management webpage.

Go ahead and make a VM for Sophos with 2 virtual NICs now and install as normal paying attention to what interfaces are hooked up to what virtual switch. From here on out, you can follow the normal Sophos install processes like it is running on a normal dedicated PC. Be aware that once you are done installing Sophos, it defaults to serving the management page to all interfaces, you must manually turn this off so Sophos cannot be managed from the WAN side.

After Sophos install, your interfaces should logically be arranged something like this going from WAN to LAN:
Modem -> proxmox eth1 (no IP) -> vmbr1 (no IP) -> sophos eth1 (DHCP IP from your ISP) -> Sophos UTM -> Sophos eth0 (internal Sophos IP) -> vmbr0 (Proxmox Management page IP) -> eth1 (no IP)-> Internal LAN link to switch.

For reference, here is the /etc/network/interfaces file that makes this work and how my network tab looks in the Proxmox admin page once this is all done.

auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.46.134
    netmask 255.255.255.0
    gateway 192.168.46.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

At this point, hopefully you have a working Sophos install, and just to be extra careful, you should double check that neither your Sophos or Proxmox management page are available on the WAN side. Good luck!

Other random notes from using Sophos that you might find useful:
  • The web filtering functionality at default settings initially broke Netflix and HBO Go until I made rules for it or turned it off.
  • iMessages and FaceTime calls will also not work until you make a firewall rule for those ports since Sophos does not have built in rules for these ports. FaceTime / iMessage port reference