RESET Forums (homeservershow.com)

Home firewall options?


nguyendot

Recommended Posts

I just wanted to say hello to everyone. I've been lurking and reading the forums, you guys definitely have a breadth of experience on here. I like how people mix enterprise with "hey it's good enough for home" - pretty much my style.

 

I dabble a bit in networking and servers, but at home it's more of a "what's best for here?".

 

Anyways, we are going to be hosting a workstation at home in addition to the home stuff. 

 

My question is what do you guys do for really fast WAN, firewall-wise? I just got AT&T GigaPower installed with symmetrical 1gbps (it's more like 900ish, but whatever) and I also have Cox 150/10mbps cable. Up until now it's just been the cable service, but the upload is really limiting our hosting and Plex capabilities. The network equipment is as follows:

 

WAN: AT&T GigaPower 1gbps fiber + Cox 150/10mbps cable. 

Firewall: SonicWALL NSA 2400

Switch: Dell PowerConnect 5524

Wireless: Ruckus ZoneDirector 1125, ZoneFlex R500, 7363, H500. Also AeroHive AP130 and Aruba IAP103. All PoE injected - a switch upgrade is coming.

VM Host: PowerEdge R710 16gb/2x300gb(15k)/4x3TB running web host

Plex: i5 750 16gb 4x3TB FreeNAS - 2x1gb LAG to switch.

There are 4 PCs and will be 1 monster workstation crunching numbers later. 

Lots of ipads/laptops/phones/ps4/etc

 

So - I've hit the IPS limit on speed with the NSA2400. It hits a hard limit at 200mbps up/down no matter if IPS is on or off, no matter if we use SPI or DPI. It maxes out the dual core CPU and then it stops at 200mbps on speed tests. 

I'm looking at Sophos Home but haven't decided on the hardware yet. Many forums say use a dual-core i3 with very high MHz since Snort is notoriously single-threaded.

My architects at work tell me to just use Sophos home on mediocre hardware and just deal with multiple streams (multiple people will be fine). 

I kind of want to see a speed test with 900+mbps just for my own ego, but also understand that IPS at that level can be very expensive.

I like to use hardware we work with at work to keep my skills honed. I've also read a lot about pfSense and Untangle. Depending on the learning curve I'm willing to try them out too. I need decent NAT and firewall + IPS. I also like to utilize older hardware (hence the NSA 2400, which was an old unit we decommissioned).

 

I've been scouring eBay and saw several UTM525s and 320s that I think you can use the home license on as a software appliance. I can also piece together something if need be - there are so many options. I don't want it super loud, the R710 is about the limit of noise I want. 

 

I'm going to try out a Check Point 3200 NGTX but it can't be permanent (demo only), and have used a Palo Alto PA-3020 (too damn loud, also a demo). 

 

I appreciate any advice you have, and will continue to read the threads down the line!

 

Nguyendot

 

 

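The NSA 2400 "maxing out the dual core CPU" at 200mbps, and the forum wisdom that Snort is single-threaded, both reduce to one diagnostic question: is one core pinned while the others sit idle (an inspection-engine thread limit), or is the whole CPU gone (an undersized box)? The two cases call for different hardware choices, so it is worth checking before buying. The script below is an added example, not code from the thread or from any vendor; it assumes a Linux-based firewall host you have shell access to, reads /proc/stat twice, and classifies the load pattern. The two snapshots are constructed to mimic an engine saturating one core of a dual-core CPU, and the 90% "hot" and 50% "cool" thresholds are assumptions you can tune.

```python
"""Spot a single-threaded IPS engine pinning one core, from two /proc/stat snapshots.

Added example (not from the thread). Assumes a Linux-based firewall host whose
/proc/stat can be read twice, about a second apart; the snapshots below are
constructed, not captured from any real box.
"""
from statistics import median
from typing import Dict, List

# Constructed snapshots ~100 jiffies (one second at HZ=100) apart.
# Columns after the name: user nice system idle iowait irq softirq steal guest guest_nice
SNAPSHOT_T0 = """\
cpu  1200 0 600 17200 200 0 50 0 0 0
cpu0 1000 0 500 8000 100 0 50 0 0 0
cpu1 200 0 100 9200 100 0 0 0 0 0
intr 4242 0 0
ctxt 99
"""
SNAPSHOT_T1 = """\
cpu  1215 0 643 17293 201 0 98 0 0 0
cpu0 1010 0 540 8003 100 0 97 0 0 0
cpu1 205 0 103 9290 101 0 1 0 0 0
intr 4300 0 0
ctxt 150
"""


def parse_proc_stat(text: str) -> Dict[str, List[int]]:
    """Return {'cpu': [...], 'cpu0': [...], ...}; non-cpu lines are ignored."""
    counters: Dict[str, List[int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("cpu"):
            counters[fields[0]] = [int(v) for v in fields[1:]]
    return counters


def busy_percent(t0: Dict[str, List[int]], t1: Dict[str, List[int]]) -> Dict[str, float]:
    """Busy share per counter set between the snapshots.

    idle and iowait count as not busy; everything else, including softirq
    (where packet processing lands), counts as busy.
    """
    result: Dict[str, float] = {}
    for name, later in t1.items():
        earlier = t0.get(name)
        if earlier is None:
            continue
        delta = [b - a for a, b in zip(earlier, later)]
        total = sum(delta)
        if total <= 0:
            continue
        not_busy = delta[3] + delta[4]
        result[name] = 100.0 * (total - not_busy) / total
    return result


def diagnose(busy: Dict[str, float], hot: float = 90.0, cool: float = 50.0) -> str:
    """Classify the load pattern. 'cpu' is the aggregate; 'cpu0', 'cpu1', ... are cores."""
    cores = {k: v for k, v in busy.items() if k != "cpu"}
    if not cores:
        return "no per-core data"
    if all(v >= hot for v in cores.values()):
        return "all cores saturated: the box is simply out of CPU"
    hottest = max(cores, key=cores.get)
    others = [v for k, v in cores.items() if k != hottest]
    # The tell-tale pattern: one core pegged while the aggregate figure looks healthy.
    if cores[hottest] >= hot and (not others or median(others) < cool):
        return (f"single-core saturation: {hottest} at {cores[hottest]:.0f}% "
                f"while the aggregate shows {busy.get('cpu', 0.0):.0f}%")
    return "not CPU-bound: the bottleneck is elsewhere"


def run(snapshot_t0: str = SNAPSHOT_T0, snapshot_t1: str = SNAPSHOT_T1) -> str:
    """Parse both snapshots and return the verdict."""
    return diagnose(busy_percent(parse_proc_stat(snapshot_t0), parse_proc_stat(snapshot_t1)))


if __name__ == "__main__":
    print(run())
```

On a real box, replace the constructed strings with `open("/proc/stat").read()` taken twice while a speed test is running. A verdict of single-core saturation means a faster clock per core (the "high MHz i3" advice) or an engine that spreads flows across cores is what helps; a saturated aggregate means more cores.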

I use a WatchGuard T30, which works very nicely, and is very quiet. The T50 would also be an option, or if you wish to save money, you could look for a used XTM-33.

 

This is if you plan to use true subscription-based UTM though. If you really want to save money, I'd get a small dual-NIC PC and run Sophos UTM on it, which is free for home use. Limitations are that it supports two processor cores (which is not a limitation for home) and a maximum amount of RAM if I recall correctly, but other than that, it's just like the business product. I'd probably put together a "high-end" Penryn Core 2 Duo (like an E8400) with 8GB of DDR3 and two Intel NICs and go that route.


With the Sophos UTM options, keep in mind ... well this:

https://community.sophos.com/products/unified-threat-management/f/51/t/22870

 

 

As for hardware, Sophos UTM Home doesn't limit you on the number of cores, as far as I'm aware. My quad-core Celeron J1900 is quite happy running the home license. In fact, Sophos recommends quad core with 2GB of RAM.

 

The XG Firewall Home edition *does* limit the hardware though. 



 

Was there a limit on RAM then? I believed there was some form of hardware limitation. Maybe I'm out of date.


The limit for UTM is 50 IPs. The limit on cores and RAM (6GB) is with the XG home line I believe. I mainly know this from reading here, lol. That and we are a Sophos partner.

 

Will those solutions mentioned hit a full gig on a single stream with IPS turned on? I'm going with something free or really cheap - older SonicWALLs (no need for a subscription to have DPI turned on), or Sophos Home. The older Sophos hardware is super cheap and compatible with the home ISO. I wish they would unlock units that are EOL for use with a home license so all the stuff like the LCD would work.

 

I think the T30 and T50 aren't rated to hit 1gbps with IPS, or even rated that just for firewall. I'm going to have 1gbps + 150mbps in a load balanced scenario (forgot to mention the load balancing earlier). My NSA 2400 is rated at 775 throughput and 275mbps IPS, which would put it on par with the T30. 

 

I'm out of town right now but when I get home I have a Sophos UTM on the R710 I'm going to try, but am thinking of a pizza box to run dedicated on whatever I find or you guys recommend. A SonicWALL E7500 slipped through my hands for $129 the other day, that would have handled my speeds and probably the rest of the neighborhood too. 

 

Lots to think about :/

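"Will it hit a full gig on a single stream with IPS turned on?" is answered by measuring, not by datasheet ratings, and the advice from the architects to "just deal with multiple streams" only holds if aggregate throughput really does scale with parallel connections on the box in question. The usual tool is iperf3; the script below is an added example (not from the thread, and not an iperf implementation) that does the same single-stream versus parallel-stream comparison with plain TCP sockets, so it runs anywhere Python does. It assumes you run the listener on a host behind the firewall and the sender on the far side of it; here both sides are on 127.0.0.1 so the script runs offline, and those loopback numbers only validate the method, not your WAN.

```python
"""Single-stream vs parallel-stream TCP throughput, iperf3 style.

Added example (not from the thread). Assumes a listener host behind the firewall
and a sender on the other side; both run on localhost here so it works offline.
"""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Dict

CHUNK = b"\x00" * 65536  # payload block; the bytes themselves are irrelevant to a raw TCP test


def serve(listener: socket.socket, expected_conns: int) -> None:
    """Accept expected_conns connections and drain whatever each sender writes (like `iperf3 -s`)."""
    def drain(conn: socket.socket) -> None:
        with conn:
            while conn.recv(1 << 20):
                pass

    threads = []
    for _ in range(expected_conns):
        conn, _ = listener.accept()
        t = threading.Thread(target=drain, args=(conn,), daemon=True)
        t.start()
        threads.append(t)
    for t in threads:
        t.join()


def send_bytes(host: str, port: int, nbytes: int) -> int:
    """Push nbytes over one TCP connection; return the bytes actually sent."""
    sent = 0
    with socket.create_connection((host, port)) as s:
        while sent < nbytes:
            chunk = CHUNK[: nbytes - sent]
            s.sendall(chunk)
            sent += len(chunk)
        s.shutdown(socket.SHUT_WR)  # tells the receiver this stream is finished
    return sent


def measure(streams: int, nbytes_per_stream: int, host: str = "127.0.0.1") -> Dict[str, float]:
    """Run `streams` senders in parallel against a fresh listener; report aggregate Mbit/s."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # ephemeral port, so repeated runs never collide
    listener.listen(streams)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve, args=(listener, streams), daemon=True)
    server.start()

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=streams) as pool:
        sent = sum(pool.map(lambda _: send_bytes(host, port, nbytes_per_stream), range(streams)))
    elapsed = time.perf_counter() - start
    server.join()
    listener.close()
    return {"streams": float(streams), "bytes": float(sent), "seconds": elapsed,
            "mbps": sent * 8 / elapsed / 1e6}


def compare(nbytes_per_stream: int = 32 * 1024 * 1024, parallel: int = 4) -> Dict[str, Dict[str, float]]:
    """The thread's question: does one stream reach line rate, or only several together?"""
    return {"single": measure(1, nbytes_per_stream),
            "parallel": measure(parallel, nbytes_per_stream)}


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:8s} {int(r['streams'])} stream(s): {r['mbps']:8.0f} Mbit/s over {r['seconds']:.2f}s")
```

To use it across a firewall, split `measure` in two: run `serve` on the inside host with a fixed port and point `send_bytes` at that host from outside. If the single-stream figure sits well below the parallel one while the firewall's CPU is not saturated, per-flow inspection is the limit; if both figures plateau at the same number, the box as a whole is.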

UTM has no hardware limits, XG Firewall does. 

 

Specifically: 

 


Yeah, I'm not a fan of XG in terms of configuration. Doing a loopback is so confusing now. Makes it a pain for internal ActiveSync users.


Not just that, but even something as simple as setting up NAT is obscenely difficult. There is no way to exclude sites (e.g. fix) in the web filter. Etc.

 

It's literally a step back, IMO.

 

But then again, when you buy out a competitor and use their software instead of yours.... it's a really bad move, IMO. 

(They bought out CyberROAM, and that LITERALLY is what XG Firewall is)


I was wondering where they got the software from. Makes sense now. If they would port the technology over and keep the old interface I would be okay with that.


Honestly, I kind of like the CyberROAM interface. I just wish they'd hybridize it with the UTM stuff. Some nice combination of both, that worked MUCH better than CyberRoam.
