RESET Forums (homeservershow.com)
nguyendot

Home firewall options?

Recommended Posts

nguyendot

I need to go get certified in Sophos UTM and Sophos XG, maybe then I won't think XG is so weird.

Share this post


Link to post
Share on other sites
itGeeks

Was there a limit on RAM then?  I believed there was some form of hardware limitation.  Maybe I'm out of date.

The limit for Sophos XG is 4 cores/6 GB of RAM

pcdoc

I just wanted to say hello to everyone. I've been lurking and reading the forums, you guys definitely have a breadth of experience on here. I like how people mix enterprise with "hey it's good enough for home" - pretty much my style.

I dabble a bit in networking and servers, but at home it's more of a "what's best for here?".

Anyways, we are going to be hosting a workstation at home in addition to the home stuff.

My question is what do you guys do for really fast WAN, firewall-wise? I just got AT&T GigaPower installed with symmetrical 1 Gbps (it's more like 900ish, but whatever) and I also have Cox 150/10 Mbps cable. Up until now it's just been the cable service, but the upload is really limiting our hosting and Plex capabilities. The network equipment is as follows:

WAN: AT&T GigaPower 1 Gbps fiber + Cox 150/10 Mbps cable.
Firewall: SonicWALL NSA 2400
Switch: Dell PowerConnect 5524
Wireless: Ruckus ZoneDirector 1125, ZoneFlex R500, 7363, H500. Also AeroHive AP130 and Aruba IAP103. All PoE injected - a switch upgrade is coming.
VM Host: PowerEdge R710, 16 GB / 2x300 GB (15k) / 4x3 TB, running web host
Plex: i5 750, 16 GB, 4x3 TB, FreeNAS - 2x1 Gb LAG to switch.
There are 4 PCs and there will be 1 monster workstation crunching numbers later.
Lots of iPads/laptops/phones/PS4/etc.

So - I've hit the IPS limit on speed with the NSA 2400. It hits a hard limit at 200 Mbps up/down whether IPS is on or off, and whether we use SPI or DPI. It maxes out the dual-core CPU and then it stops at 200 Mbps on speed tests.

I'm looking at Sophos Home but haven't decided on the hardware yet. Many forums say use a dual-core i3 with very high MHz, since Snort is notoriously single-threaded.

My architects at work tell me to just use Sophos Home on mediocre hardware and just deal with multiple streams (multiple people will be fine).

I kind of want to see a speed test with 900+ Mbps just for my own ego, but I also understand that IPS at that level can be very expensive.

I like to use hardware we work with at work to keep my skills honed. I've also read a lot about pfSense and Untangle. Depending on the learning curve I'm willing to try them out too. I need decent NAT and firewall + IPS. I also like to utilize older hardware (hence the NSA 2400, which was an old unit we decommissioned).

I've been scouring eBay and saw several UTM 525s and 320s that I think you can use the home license on as a software appliance. I can also piece together something if need be - there are so many options. I don't want it super loud; the R710 is about the limit of noise I want.

I'm going to try out a Check Point 3200 NGTX but it can't be permanent (demo only), and I have used a Palo Alto PA-3020 (too damn loud, also a demo).

I appreciate any advice you have, and will continue to read the threads down the line!

Nguyendot

 

 

I have been running XG on an i5-4570S low-power version with max RAM (8 GB physical, but it only uses 6), 54 IP addresses, and I routinely max out my 300 meg connection (I am envious of your fiber). My CPU rarely gets above 2%, and memory runs 20-25% with heavy web filtering, application filtering, and AV. I am sure that I could run lower-end hardware and not have a problem. The only thing I saw make a small difference in performance was trying to log everything under the sun.

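The 200 Mbps ceiling described above (dual-core CPU maxed, same limit with IPS on or off) is the classic signature of a single-threaded inspection engine: one core pinned while the machine-wide average still looks moderate. The following script is an added example, not code from this thread or from any of the firewall vendors discussed; it compares two constructed snapshots in /proc/stat format and reports per-core busy time, so the question it answers is "is any one core saturated?" rather than "is the average high?". The snapshot contents are made up for the demonstration.

```python
"""Spot a single-thread bottleneck from two /proc/stat snapshots.

A firewall whose IPS engine is single-threaded shows up as one core pinned
near 100% while the machine-wide average still looks comfortable. This
compares two snapshots of /proc/stat and reports per-core busy time.
"""
from typing import Dict, List

# Constructed sample snapshots, one second apart, in /proc/stat format.
# Columns after the label: user nice system idle iowait irq softirq steal
SNAP_T0 = """\
cpu  1000 0 500 8000 100 0 50 0
cpu0 500 0 250 4000 50 0 25 0
cpu1 500 0 250 4000 50 0 25 0
intr 12345
"""
SNAP_T1 = """\
cpu  1060 0 590 8100 102 0 90 0
cpu0 555 0 335 4002 50 0 60 0
cpu1 505 0 255 4098 52 0 30 0
intr 12999
"""


def parse_stat(text: str) -> Dict[str, List[int]]:
    """Return {label: [tick counters]} for every 'cpu*' line."""
    counters = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("cpu"):
            counters[fields[0]] = [int(f) for f in fields[1:]]
    return counters


def busy_percent(before: List[int], after: List[int]) -> float:
    """Busy share of the interval; idle and iowait both count as idle."""
    delta = [a - b for a, b in zip(after, before)]
    total = sum(delta)
    if total <= 0:
        return 0.0
    idle = delta[3] + delta[4]
    return round(100.0 * (total - idle) / total, 2)


def per_core_busy(snap_before: str, snap_after: str) -> Dict[str, float]:
    """Busy percentage per core, excluding the aggregate 'cpu' line."""
    b, a = parse_stat(snap_before), parse_stat(snap_after)
    return {core: busy_percent(b[core], a[core])
            for core in b if core != "cpu" and core in a}


def diagnose(snap_before: str, snap_after: str,
             core_threshold: float = 90.0) -> Dict[str, object]:
    """Flag a single-thread-bound box: a saturated core behind a modest average."""
    cores = per_core_busy(snap_before, snap_after)
    hottest = max(cores, key=cores.get)
    average = round(sum(cores.values()) / len(cores), 2)
    return {
        "per_core": cores,
        "hottest_core": hottest,
        "hottest_busy": cores[hottest],
        "average_busy": average,
        "single_thread_bound": cores[hottest] >= core_threshold
                               and average < core_threshold,
    }


if __name__ == "__main__":
    report = diagnose(SNAP_T0, SNAP_T1)
    for core, pct in report["per_core"].items():
        print(f"{core}: {pct:5.1f}% busy")
    verdict = "single-thread bound" if report["single_thread_bound"] else "not core-bound"
    print(f"average {report['average_busy']}%, hottest {report['hottest_core']} "
          f"at {report['hottest_busy']}% -> {verdict}")
```

On a real box, replace the two constructed strings with two reads of /proc/stat a second apart; a saturated core with a modest average points at the engine, not at the link or the NIC, which is why adding cores or RAM does not move the ceiling.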
itGeeks


First, let me welcome you to the forums!

You have a 1 GB pipe into your home? Boy, I am jealous. I have a 150/150 FiOS line and I thought I had bragging rights :) It does seem like you have done your homework, because you are spot on with most of your findings, such as Snort only being a single-threaded application as of now, and that's a big problem. It is 2016 and, as demanding and popular as Snort is, I don't for the life of me understand why Snort is still only a single-threaded application, though from what I understand that will change soon, thank god.

I respect LoneWolf & Drashna very much, as we have all been members of the HSS forums for a long time, but I am going to take a different approach with Q&A and recommendations for you.

First, let me ask: have you been able to get your 1 GB speeds by plugging a computer directly into the AT&T equipment? That would be the first test, as there are many things that could affect your internet speed.

Second, I have used all of the routers you are considering and I will give you my findings and thoughts below:

pfSense = a train wreck for administration

Sophos, both UTM9 and XG = Will wreak havoc on a home network, blocking streaming services to mobile devices as well as stopping some updates to devices such as printers, builds for anyone on the Windows Insider program, gaming consoles and many other things such as digital picture frames, Nest thermostats, etc. Sophos UTM9 will allow you to create regex rules that will let you fix most of this stuff, but those same regex rules will not work with Sophos XG. Plain and simple, Sophos is not home network friendly and Sophos is proud of it. Yes, they offer a home license, but they have clearly stated that they are not a home product, so be warned. Unless you're willing to deal with the heavy footsteps coming down the hall screaming "this won't work and that won't work", and you're willing to bypass several devices from the powerful protection that Sophos offers, then stay clear of it.

The new Untangle v12 is your friend for home networks. It now provides a very nice dashboard that is customizable with real-time reports, great gateway protection, and it won't break your network. Unlike Sophos, Untangle is very interested in the home user, and unlike Sophos they will provide you support via phone with their new home licensing offer of 50.00 a year for all you can eat. I am very happy with the performance and protection I am getting with Untangle on my home network. I must tell you I am very anal (aka OCD) about my home network's performance and protection, so I would not recommend Untangle if it did not deliver in all areas.

As for hardware to run any of these 3 packages, many folks are running these on hardware with a J1900 CPU and they claim they run great for a home network. One such device that has the J1900 CPU, which I was going to purchase and install Untangle on if I had not decided to put Untangle on a VM, was this: https://www.amazon.com/dp/B019Z8T9J0/ref=wl_it_dp_o_pd_nS_ttl?_encoding=UTF8&colid=1N6867G1O15RY&coliid=I15QGDT41IE5EU Max this out with 8 GB of RAM and put a Samsung SSD Pro on it and call it a day. It has four Intel NICs; that's the best for these routers, Broadcom would be 2nd, and Realtek = crap.

Untangle also has a brand new u25 router for home/small business, but the RAM is only 2 GB, so if you're wanting to use IPS I would stay away from it. If you're not going to use IPS it's a great device if you want plug & play, though I think it's still overpriced. https://www.untangle.com/shop/u25-appliance/

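The post above recommends regex exceptions so that streaming boxes, thermostats and consoles get past the web filter. The way those exceptions are written decides whether they are a narrow carve-out or a hole in the filter: a pattern that merely has to appear somewhere in the hostname matches look-alike names too. The script below is an added example, not code from this thread and not Sophos's exception syntax; it uses plain Python `re`, matches against the request hostname, and compares the loose form people tend to write with an anchored form. The exception lists and sample URLs are constructed for the demonstration.

```python
"""Why filtering exceptions need anchored, escaped patterns.

Compares a loose exception list (unescaped dot, no anchors) with a strict
one, both applied to the hostname of each request. Plain Python re; this
is not any vendor's rule syntax.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed exception lists for two services named in the thread.
LOOSE_EXCEPTIONS = [r"netflix.com", r"nest.com"]          # unescaped, unanchored
STRICT_EXCEPTIONS = [r"^(?:[a-z0-9-]+\.)*netflix\.com$",  # the domain or its subdomains only
                     r"^(?:[a-z0-9-]+\.)*nest\.com$"]

# Constructed requests: two legitimate, three look-alikes, one unrelated.
SAMPLE_URLS = [
    "https://www.netflix.com/browse",
    "https://home.nest.com/",
    "https://netflix.com.evil.example/login",   # real name used as a prefix
    "https://evil-netflix.com/",                # different registrable domain
    "https://netflixxcom.example/",             # unescaped '.' acts as a wildcard
    "https://www.example.com/",
]


def hostname(url: str) -> str:
    """Lower-cased host part of the URL (port stripped), or '' if absent."""
    return (urlsplit(url).hostname or "").lower()


def is_excepted(url: str, patterns: List[str]) -> bool:
    """True if any exception pattern matches the request's hostname."""
    host = hostname(url)
    return any(re.search(p, host) for p in patterns)


def compare(urls: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each URL: (loose list excepts it, strict list excepts it)."""
    return {u: (is_excepted(u, LOOSE_EXCEPTIONS),
                is_excepted(u, STRICT_EXCEPTIONS)) for u in urls}


def bypasses(urls: List[str]) -> List[str]:
    """URLs the loose list waves through that the strict list still filters."""
    return [u for u, (loose, strict) in compare(urls).items()
            if loose and not strict]


if __name__ == "__main__":
    for url, (loose, strict) in compare(SAMPLE_URLS).items():
        print(f"{hostname(url):28} loose={str(loose):5} strict={strict}")
    print("slip through the loose list only:", bypasses(SAMPLE_URLS))
```

Matching the hostname rather than the whole URL also keeps a path like `/netflix.com/` from triggering the exception, and the `(?:[a-z0-9-]+\.)*` prefix allows any depth of subdomain without accepting a name that only contains the service's domain somewhere inside it.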
nguyendot

Is that with IPS on? I've found that to be one of the biggest CPU hogs

Drashna Jaelre

Yeah, the "Decrypt and Scan" option of Sophos UTM can break streaming.

Though I've been having weird buffering issues with YouTube, with and without web filtering enabled.... So ... yay...

As for hardware to run any of these 3 packages, many folks are running these on hardware with a J1900 CPU and they claim they run great for a home network. One such device that has the J1900 CPU, which I was going to purchase and install Untangle on if I had not decided to put Untangle on a VM, was this: https://www.amazon.com/dp/B019Z8T9J0/ref=wl_it_dp_o_pd_nS_ttl?_encoding=UTF8&colid=1N6867G1O15RY&coliid=I15QGDT41IE5EU Max this out with 8 GB of RAM and put a Samsung SSD Pro on it and call it a day. It has four Intel NICs; that's the best for these routers, Broadcom would be 2nd, and Realtek = crap.

As for that box, nice and neat, but it sure isn't rack mountable. :P

nguyendot

Whoops, sorry, I was responding to pcdoc initially, but you got your post in first!

Anyways, yes, I get about 900 Mbps +/- 10% so far. It's load balanced with my 150/10 Mbps Cox line. I tested direct connected.

I'm pretty familiar with Sophos in almost every area except gig throughput. Even now with the NSA SonicWALL it blocks quite a few things. The Palo Alto is far worse than SW and Sophos.

I'm going to try the Check Point 3200 and see too. It's newish to me and I've got an extended trial period with it. Did you have any experience with that? I'm still open to trying Untangle too. I'll get a pizza box if and when it comes time to try it.

itGeeks

Is that with IPS on? I've found that to be one of the biggest CPU hogs

IPS with any of these three packages will use a lot of CPU, because they all use Snort and, as we all know or should know, Snort is still a single-threaded application, though from what I understand this will be changing in the near future.

Yeah, the "Decrypt and Scan" option of Sophos UTM can break streaming.

Though I've been having weird buffering issues with YouTube, with and without web filtering enabled.... So ... yay...

As for that box, nice and neat, but it sure isn't rack mountable. :P

That is what they make drills and Dremels for :D

itGeeks


Try Untangle on my recommended hardware, or install it on a VM, and see what you think. I am very happy with Untangle as a router and protecting my network without breaking everything under the sun. You've got many options from us; please let us know how you make out and what you ended up using. OMG, that Check Point 3200 is thousands of dollars. You don't need that for a home network no matter what you're running. Just install Untangle and call it a day. You will have a great performing router with great protection at a cost of 50.00 a year and feel good about it.

nguyendot

I'll give it a try and see if it will hit gigabit. That's one of my goals. Check Point just partnered with the company I work for and they gave me some gear to try out. The 3200 is just a trial, but they will give a huge discount or maybe a hookup if I like it enough. Sophos is like a 60 or 70% discount. Their older UTMs can be had super cheap, like the 525, which will run just about anything.

I do have the R710 with ESXi 6.x that I will try Untangle on too.
