Don W

To pfSense, or not to pfSense, that is the question...but in this thread the answer is Sophos!

417 posts in this topic

Yeah, they do but it's rubbish.

 

And I am fed up with overpriced off-the-shelf routers, which was why I switched to a separate modem and a purpose-built firewall on a VM.

 

People have been asking Untangle to support IGMP/Multicast since before 2014 - they show no inclination to do so.

 

Anyway, I hopefully have it sorted now. Just can't figure out how to get Symantec Protection Engine installed on OPNsense!

OK then, what I am saying is hang the router off Untangle in a DMZ on its own network to serve the STBs and keep Untangle in place. No need to switch products.


To be honest, I've just been grappling with OPNsense for the last few hours and trying to get my head around it.

 

I've made some headway now - in particular, my Plex port forward (I never use UPnP) worked externally but I couldn't access it via a web interface internally.

 

Transpires it was a NAT reflection issue - this is the stuff that keeps the grey cells young!

 

If I can get AV working and IPS then I have no need of Untangle and save a fiver a month.

 

I'm not wedded to any particular product and the beauty of VMs is that I can switch between them at will :-)


OK then, what I am saying is hang the router off Untangle in a DMZ on its own network to serve the STBs and keep Untangle in place. No need to switch products.

 

Ok, this may sound daft but I can't picture in my head how I do this - or what the configuration gives me?

 

I can't get OPNsense to work with IGMP either, but I am not sure if it is because I am running it on ESXi.


Well I got the IGMP working - however there appears to be an issue with the way VMware deals with IGMP traffic on standard switches, and when I watch an IPTV channel, it floods my network and no other network activity is possible!

 

VMware distributed vswitches support IGMP snooping but they are Enterprise Plus only.

 

So.. I've decided to move away from VMware for my firewall, and bought a MikroTik RouterBoard RB2011UiAS-IN.

 

I'm probably opening myself up to a whole new world of hurt...


Ok, this may sound daft but I can't picture in my head how I do this - or what the configuration gives me?

 

I can't get OPNsense to work with IGMP either, but I am not sure if it is because I am running it on ESXi.

Have a look at this post on setting up a DMZ. It is a bit old but should give you the idea: https://forums.untangle.com/networking/27625-simple-dmz-configuration-but-not-able-get-right.html

 

Also have a look at this https://wiki.untangle.com/index.php/Network_Configuration#DMZ_Bridge

Edited by itGeeks

Last night my Sophos UTM box got hit with a portscan from research.nmap.org. Source IP 71.6.152.72.

 

Tried to research this and it appears to be a known tool. But what would prompt this? Resulted in 100 individual emails as ports were scanned.

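The post above describes a UTM box sending one notification per scanned port, 100 mails for a single scan. The usual fix on the defender's side is to aggregate drop events per source within a time window and raise one summary alert instead. The following is an added example, not part of the thread and not Sophos UTM's own notification logic; the log line format is constructed for the example (it is not the real UTM syslog layout), and the sample source address is the one quoted in the post.

```python
"""Collapse per-port firewall drop events into one port-scan alert per source.

Added example for the discussion above. The line format below is constructed
for this script and is not the Sophos UTM syslog format; adapt LINE_RE to the
real export if you reuse it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines: ISO timestamp, action, src, dst, proto, dport.
# 71.6.152.72 is the scanner quoted in the post; the other addresses are
# documentation ranges.
SAMPLE_LOG = """\
2017-03-14T02:14:01 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=22
2017-03-14T02:14:01 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=23
2017-03-14T02:14:02 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=80
2017-03-14T02:14:02 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=443
2017-03-14T02:14:03 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=3389
2017-03-14T02:14:03 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=8080
2017-03-14T02:14:05 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=445
2017-03-14T02:20:00 DROP src=71.6.152.72 dst=203.0.113.10 proto=tcp dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class ScanAlert:
    src: str
    dst: str
    first_seen: datetime
    last_seen: datetime
    ports: list          # sorted distinct destination ports in the burst
    event_count: int     # raw drop records folded into this one alert


def parse_events(text):
    """Parse DROP records; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["src"],
                            m["dst"], int(m["dport"])))
    return events


def _close_burst(src, dst, burst, min_ports):
    """Turn a burst of events into an alert if it touched enough ports."""
    ports = sorted({e.dport for e in burst})
    if len(ports) < min_ports:
        return []
    return [ScanAlert(src, dst, burst[0].ts, burst[-1].ts, ports, len(burst))]


def summarize_portscans(text, window_seconds=60, min_ports=5):
    """One alert per (src, dst) burst: events within window_seconds of the
    first event of the burst are folded together; a burst only becomes an
    alert when it hit at least min_ports distinct ports."""
    by_pair = defaultdict(list)
    for ev in parse_events(text):
        by_pair[(ev.src, ev.dst)].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        burst = []
        for ev in evs:
            if burst and ev.ts - burst[0].ts > window:
                alerts.extend(_close_burst(src, dst, burst, min_ports))
                burst = []
            burst.append(ev)
        alerts.extend(_close_burst(src, dst, burst, min_ports))
    alerts.sort(key=lambda a: a.first_seen)
    return alerts


def format_alert(alert):
    """Single-line summary suitable for one notification mail."""
    return (f"Port scan from {alert.src} against {alert.dst}: "
            f"{len(alert.ports)} distinct ports in {alert.event_count} dropped "
            f"connections between {alert.first_seen:%H:%M:%S} and "
            f"{alert.last_seen:%H:%M:%S}: {', '.join(map(str, alert.ports))}")


if __name__ == "__main__":
    for a in summarize_portscans(SAMPLE_LOG):
        print(format_alert(a))
```

With the defaults the eight constructed drop records produce a single alert for 71.6.152.72 (six ports in two seconds); the lone hit from 198.51.100.7 and the isolated retry six minutes later stay below the threshold. Widening the window folds the retry into the same alert, which is the knob to turn when a slow scanner spreads probes out over minutes.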

So I'm still on OPNsense, basic reliability has been exactly as I had hoped - I prefer no drama related to the router. And I am very pleased with how well OpenVPN is working from my Android phone.

 

On the down side, Suricata (intrusion detection) frequently dies and the latest update did not fix that.

Edited by nrf


How are folks doing with the Sophos 'XG' product? I see they have a document showing how to load UTM onto an XG instance, but not the reverse....

Are they making enough progress that some of us should revisit / try it again?


How are folks doing with the Sophos 'XG' product? I see they have a document showing how to load UTM onto an XG instance, but not the reverse....

Are they making enough progress that some of us should revisit / try it again?

It's not. The push is from UTM to XG Firewall, and not the other way around. 

 

Sophos acquired CyberRoam and wants everyone on that. Some of the features "work better" out of box (arguable), and it's slicker. 

 

It's a huge step back, and I think it's shitting on their userbase.


Wow. Guess I won't be exploring that option anytime soon. No wonder people might want to load UTM over it!

Thanks.

A good post. 

https://community.sophos.com/products/xg-firewall/f/46/t/74160

 

 

But basically, XG Firewall isn't ready.  Won't be for probably more than a year (IMO).  They bought CyberRoam and are porting their features into it. 

 

 

 

Honestly, I'd rather see them build multithreaded snort/squid support, and other improvements to UTM. But I'm glad that they plan on supporting UTM for a long while.


Cool, I fail to see why they headed down this other path - if Cyberoam had something great, why not put it into UTM instead of putting so many UTM abilities into Cyberoam?

Edited by nrf


Cool, I fail to see why they headed down this other path - if Cyberoam had something great, why not put it into UTM instead of putting so many UTM abilities into Cyberoam?

As I understand it, Cyberoam has a better foundation for building, so that's why they have decided to port the better parts over from UTM. If they did it the other way around it would be a complete rewrite from the ground up.


As I understand it, Cyberoam has a better foundation for building, so that's why they have decided to port the better parts over from UTM. If they did it the other way around it would be a complete rewrite from the ground up.

That would be my guess, as well.

 

The problem is that the base is too undeveloped, and has a long while to catch up.  For instance, web filtering, my disaster with something as simple as port forwarding, etc. 

 

I think that when they get there (in 2-3 years), it will be a fantastic product.  But that it will take 2-3 years to be a viable product. 


I've played around with Sophos and don't have too many issues with it but at the end of the day my home network is going through pfSense.  So far it's just been reliable (running on an ESXi VM) and I don't need to touch it at all.  I am going to spin up an opnsense VM to check it out since this thread has made me interested in seeing it on my network.


Just to update things, I've tried out XG again and it looks NICE, but in the limited amount of time I had I could not get it running; more than likely that was due to me rushing it and I plan to revisit it again. I have moved from pfSense to OPNsense, which overall I like better. As a relative noob to firewalls it seems a bit less cluttered and the forums are more responsive. Anyway, I ended up splitting off OPNsense from my main ESXi server (just too many complaints whenever the box had to be rebooted and brought down the network) onto its own dedicated hardware. Just a Dell Optiplex 7010 which I was able to install ESXi 6.5.0a onto without any issues. So for now it's running on that PC as a server.

 

Currently playing around with Nethserver and ClearOS and some more bare solutions like FireHOL and Alpinewall.
