RESET Forums (homeservershow.com)

Home firewall options?


nguyendot

I just wanted to say hello to everyone. I've been lurking and reading the forums, you guys definitely have a breadth of experience on here. I like how people mix enterprise with "hey it's good enough for home" - pretty much my style.

 

I dabble a bit in networking and servers, but at home it's more of a "what's best for here?".

 

Anyways, we are going to be hosting a workstation at home in addition to the home stuff. 

 

My question is: what do you guys do, firewall-wise, for a really fast WAN? I just got AT&T GigaPower installed with symmetrical 1 Gbps (it's more like 900ish, but whatever) and I also have Cox 150/10 Mbps cable. Up until now it's just been the cable service, but the upload is really limiting our hosting and Plex capabilities. The network equipment is as follows:

 

WAN: AT&T GigaPower 1gbps fiber + Cox 150/10mbps cable. 

Firewall: SonicWALL NSA 2400

Switch: Dell PowerConnect 5524

Wireless: Ruckus ZoneDirector 1125, ZoneFlex R500, 7363, H500. Also AeroHive AP130 and Aruba IAP103. All PoE injected; a switch upgrade is coming.

VM Host: PowerEdge R710 16gb/2x300gb(15k)/4x3TB running web host

Plex: i5 750 16gb 4x3TB FreeNAS - 2x1gb LAG to switch.

There are 4 PCs and will be 1 monster workstation crunching numbers later. 

Lots of ipads/laptops/phones/ps4/etc

 

So - I've hit the IPS limit on speed with the NSA2400. It hits a hard limit at 200mbps up/down no matter if IPS is on or off, no matter if we use SPI or DPI. It maxes out the dual core CPU and then it stops at 200mbps on speed tests. 

I'm looking at Sophos Home but haven't decided on the hardware yet. Many forums say use a dual core i3 with very high MHz since Snort is notoriously single threaded.

My architects at work tell me to just use Sophos home on mediocre hardware and just deal with multiple streams (multiple people will be fine). 

I kind of want to see a speed test with 900+mbps just for my own ego, but also understand that IPS at that level can be very expensive.

I like to use hardware we work with at work to keep my skills honed. I've also read a lot about pfsense and untangle. Depending on the learning curve I'm willing to try them out too. I need decent NAT and firewall + IPS. I also like to utilize older hardware (hence the NSA 2400, was an old unit we decommissioned). 

 

I've been scouring eBay and saw several UTM525s and 320s that I think you can use the home license on as a software appliance. I can also piece together something if need be - there are so many options. I don't want it super loud, the R710 is about the limit of noise I want. 

 

I'm going to try out a Check Point 3200 NGTX but it can't be permanent (demo only), and have used a Palo Alto PA-3020 (too damn loud, also a demo). 

 

I appreciate any advice you have, and will continue to read the threads down the line!

 

Nguyendot

 

 

LoneWolf

I use a Watchguard T30, which works very nicely, and is very quiet.  The T50 would also be an option, or if you wish to save money, you could look for a used XTM-33.

 

This is if you plan to use true subscription-based UTM though.  If you really want to save money, I'd get a small dual-NIC PC and run Sophos UTM on it which is free for home use.  Limitations are that it supports two processor cores (which is not a limitation for home) and a maximum amount of RAM if I recall correctly, but other than that, it's just like the business product.  I'd probably put together a "high-end" Penryn Core 2 Duo (like an E8400) with 8GB of DDR3 and two Intel NICs and go that route.

Drashna Jaelre

With the Sophos UTM options, keep in mind ... well this:

https://community.sophos.com/products/unified-threat-management/f/51/t/22870

 

 

As for hardware, Sophos UTM Home doesn't limit you on the number of cores, as far as I'm aware. My quad core Celeron J1900 is just happy running the home license. In fact, Sophos recommends quad core with 2 GB of RAM.

 

The XG Firewall Home edition *does* limit the hardware though. 

LoneWolf

> With the Sophos UTM options, keep in mind ... well this:
>
> https://community.sophos.com/products/unified-threat-management/f/51/t/22870
>
> As for hardware, Sophos UTM Home doesn't limit you on the number of cores, as far as I'm aware. My quad core Celeron J1900 is just happy running the home license. In fact, Sophos recommends quad core with 2 GB of RAM.
>
> The XG Firewall Home edition *does* limit the hardware though.

 

Was there a limit on RAM then?  I believed there was some form of hardware limitation.  Maybe I'm out of date.

nguyendot

The limit for UTM is 50 IPs. The limit on cores and RAM (6 GB) is with the XG home line I believe. I mainly know this from reading here, lol. That and we are a Sophos partner.

 

Will those solutions mentioned hit a full gig on a single stream with IPS turned on? I'm going with something free or really cheap - older SonicWALLs (no need for subscription to have DPI turned on), or Sophos home. The older Sophos hardware is super cheap and compatible with the home ISO. I wish they would unlock units that are EOL for using a home license so all the stuff like the LCD would work. 

 

I think the T30 and T50 aren't rated to hit 1 Gbps with IPS, or even rated for that just for firewall. I'm going to have 1 Gbps + 150 Mbps in a load balanced scenario (forgot to mention the load balancing earlier). My NSA 2400 is rated at 775 Mbps throughput and 275 Mbps IPS, which would put it on par with the T30.

 

I'm out of town right now but when I get home I have a Sophos UTM on the R710 I'm going to try, but am thinking of a pizza box to run dedicated on whatever I find or you guys recommend. A SonicWALL E7500 slipped through my hands for $129 the other day, that would have handled my speeds and probably the rest of the neighborhood too. 

 

Lots to think about :/

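One check worth running before buying anything is whether the 200 Mbps ceiling is per flow (what single-threaded inspection looks like, and what "deal with multiple streams" gets around) or a ceiling for the whole box (what the CPU pegging suggests). The script below is an added example for this thread, not code from any post here or from iperf3 itself. It compares a single-stream `iperf3 -c <server> -J` report with a parallel `-P N` report. It assumes iperf3's JSON layout: an `end` object with a `streams` list (one entry per stream, each carrying `receiver.bits_per_second`) and a `sum_received` summary. The two reports it runs on are constructed sample data, not measurements from this network.

```python
"""Tell a per-flow inspection cap from a whole-box cap using iperf3 JSON reports.

Added example for this thread; it is not code from any post here or from iperf3.
It assumes iperf3's JSON output layout (`iperf3 -c <server> -J`, plus `-P N` for
N parallel streams): the top-level "end" object holds a "streams" list with one
entry per stream (each carrying "receiver": {"bits_per_second": ...}) and a
"sum_received" summary. The reports built below are constructed, not measured.
"""
import json


def make_report(stream_rates_mbps):
    """Build a minimal iperf3-shaped report from per-stream rates (constructed data)."""
    streams = [{"receiver": {"bits_per_second": r * 1e6}} for r in stream_rates_mbps]
    total = sum(stream_rates_mbps) * 1e6
    return {"end": {"streams": streams, "sum_received": {"bits_per_second": total}}}


def load_report(text):
    """Parse raw `iperf3 -J` stdout into a report dict."""
    return json.loads(text)


def aggregate_mbps(report):
    """Total received rate across all streams, in Mbps."""
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def per_stream_mbps(report):
    """Received rate of each individual stream, in Mbps."""
    return [s["receiver"]["bits_per_second"] / 1e6 for s in report["end"]["streams"]]


def classify_cap(single, parallel, link_mbps, tolerance=0.15):
    """Compare a 1-stream run with an N-stream run against the nominal link rate.

    Returns:
      "link"      - one stream already fills the link; the firewall is not the limit
      "per_flow"  - adding streams raises the total, so the ceiling is per flow
                    (single-threaded inspection behaves like this)
      "aggregate" - adding streams does not help; the box as a whole is saturated
    """
    s1 = aggregate_mbps(single)
    sp = aggregate_mbps(parallel)
    if s1 >= link_mbps * (1 - tolerance):
        return "link"
    if sp >= s1 * (1 + tolerance):
        return "per_flow"
    return "aggregate"


if __name__ == "__main__":
    # Constructed results for a ~900 Mbps link behind a box that tops out near 200 Mbps.
    single = make_report([200])
    # Case A: four streams each still get ~195 Mbps -> the ceiling is per flow.
    four_scaling = make_report([195, 198, 192, 196])
    # Case B: four streams share ~205 Mbps between them -> the whole box is the ceiling.
    four_flat = make_report([52, 51, 50, 52])
    print("per-stream (A):", per_stream_mbps(four_scaling))
    print("verdict (A):", classify_cap(single, four_scaling, 900))
    print("verdict (B):", classify_cap(single, four_flat, 900))
```

In practice you would save `iperf3 -c <server> -J > single.json` and `iperf3 -c <server> -J -P 4 > parallel.json` through the firewall, feed both files to `load_report`, and pass the results to `classify_cap`. If the verdict is "per_flow", a multi-core box with more streams in flight will get you closer to line rate; if it is "aggregate", only a faster appliance will.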
Drashna Jaelre

UTM has no hardware limits, XG Firewall does. 

 

Specifically: 

 

nguyendot

Yeah, I'm not a fan of XG in terms of configuration. Doing a loopback is so confusing now. Makes it a pain for internal ActiveSync users.

Drashna Jaelre

> Yeah, I'm not a fan of XG in terms of configuration. Doing a loopback is so confusing now. Makes it a pain for internal ActiveSync users.

Not just that, but even something as simple as setting up NAT is obscenely difficult. There is no way to exclude sites (e.g. fix) in the web filter. Etc.

 

It's literally a step back, IMO.  

 

But then again, when you buy out a competitor and use their software instead of yours.... it's a really bad move, IMO. 

(They bought out CyberROAM, and that LITERALLY is what XG Firewall is)

nguyendot

I was wondering where they got the software from. Makes sense now. If they would port the technology over and keep the old interface I would be okay with that.

Drashna Jaelre

Honestly, I kind of like the CyberROAM interface.  I just wish they'd hybridize it with the UTM stuff. Some nice combination of both, that worked MUCH better than CyberRoam. 
