RESET Forums (homeservershow.com)
nguyendot

Home firewall options?


itGeeks

Certainly do not want to open this thread up to the much debated topic of Untangle vs Sophos, however I must disagree with your comment. I have 4 people in the house (two are in their early 20s) and have not had a single issue once I got it set up. The only complaint I got was their inability to get to sites I wanted blocked. Yes, it took some initial tweaking, but most solutions do take a bit of tweaking, and it has been months with no issues and I have a lot of filtering, IPS, and AV running. Not disagreeing that Untangle is a good solution for the home as well, but I think we need to keep it in perspective. Every maintenance release (now 3) has improved the product and it continues to get better.

Sorry I woke up the tiger and I think I created a monster with you :D All kidding aside. For those that don't know, I was once a Sophos fanboy and I helped pcdoc get set up with Sophos XG to help him reduce the learning curve. I am going to try and keep this as short as possible. The reason I was once a fanboy of Sophos was because not only was it great 5-star protection but it was totally free for home use, so I put up with the shortfalls and workarounds that needed to be done to fix all the trouble it caused me on my home network. Sophos UTM 9.x was easier to fix what did not work with the help of drashna's great guide on Regex found below. Unfortunately none of drashna's hard work works with Sophos XG, so you're left with things like Netflix and other streaming services not working unless you bypass scanning on those non-Windows devices, and that's only the beginning of the trouble you will have to overcome: Sophos XG broke my Epson printer automatic updates, Windows Insider builds would not install unless I bypassed the computer, and the list goes on. Yes, I settled on Sophos, but that was only because Untangle charged a small fortune for any real protection. Now, with the great home licensing model they have of 50.00 a year, and the fact it does not break anything on my network and offers great protection, it's a no-brainer for people with home networks.

 

I am not saying Sophos is bad, I am only saying it's not the perfect solution for home networks, as there are other options that also give us support if needed. The Sophos home license has no such support, so how do we get something fixed from Sophos for things like Netflix if we can't put in a support ticket? And that's only the beginning. They are not going to fix things like Netflix unless several business users complain about it, and let's face it, I don't know any business that would complain about Netflix because people get paid to work, not watch movies. Untangle does not break these things, and if something did not work for us they would be more willing to fix it because, unlike Sophos, they are very interested in the home segment.

 

Let me be clear, I am not saying Untangle is perfect because it's not. One example is that IPS in Untangle by default does not block anything, it only flags, so it's up to the admin to go through the huge list and check off what you want blocked. Is this a good thing or a bad thing? I guess it depends who you ask. But even at that I feel Untangle is the best thing for home networks now, till something better comes along like the new Luma device that promises great enterprise protection for the home. Only time will tell and I can't wait to get my 4 Lumas that I pre-ordered.

 

Drashna's great guide on Sophos UTM: https://drashna.net/blog/2015/03/an-exercise-in-frustration-fine-tuning-the-web-filter-in-sophos-utm/

That's a pretty fair summary, but it's worth pointing out that by design, Sophos blocks all outgoing and it's up to the admin to open access.

Untangle (and XG I believe) is the reverse - everything is allowed out unless blocked.

This makes it easier to set up Untangle for home etc., at the cost of being less secure.

I'm running UTM9 at the moment as I prefer the locked down approach, but when I get a moment, I am planning on spinning up an Untangle VM again, but blocking everything from the outset and seeing what happens...

You are correct, Untangle & Sophos XG allow everything out by default.
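The two egress postures compared above (block everything outbound unless explicitly allowed, versus allow everything outbound unless explicitly blocked) as an added example that is not from any of the posters or from either product: a small Python policy evaluator runs the same constructed flows under both defaults and reports which flows only the open posture lets out. The rule sets, destination addresses and the console port number are assumptions invented for the illustration.

```python
"""Default-deny vs default-allow egress policy, evaluated against the same
constructed traffic.  All rules, addresses and ports are made-up samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "block"
    proto: str     # "tcp", "udp" or "any"
    dst_net: str   # CIDR the destination address must fall inside
    ports: range   # destination port range, half-open like Python ranges

    def matches(self, proto, dst_ip, dst_port):
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and dst_port in self.ports)


def evaluate(rules, default, proto, dst_ip, dst_port):
    """First matching rule wins; if nothing matches, the posture's default applies."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return default


# Locked-down posture (the "blocks all outgoing" style): only listed traffic leaves.
LOCKED_DOWN = [
    Rule("allow", "tcp", "0.0.0.0/0", range(443, 444)),   # HTTPS to anywhere
    Rule("allow", "udp", "0.0.0.0/0", range(53, 54)),     # DNS to anywhere
]

# Open posture (the "allowed out unless blocked" style): only listed traffic is stopped.
OPEN = [
    Rule("block", "tcp", "0.0.0.0/0", range(23, 24)),           # telnet anywhere
    Rule("block", "any", "198.51.100.0/24", range(0, 65536)),   # one blocked site (sample net)
]

# Constructed sample flows.  The console port is a placeholder, not a real requirement.
FLOWS = [
    ("phone-https",  "tcp", "203.0.113.10", 443),
    ("console-game", "udp", "203.0.113.20", 3074),
    ("telnet-out",   "tcp", "203.0.113.30", 23),
    ("blocked-site", "tcp", "198.51.100.5", 443),
]


def compare(flows=FLOWS):
    """Return {flow name: (locked-down verdict, open verdict)} for every flow."""
    return {name: (evaluate(LOCKED_DOWN, "block", proto, ip, port),
                   evaluate(OPEN, "allow", proto, ip, port))
            for name, proto, ip, port in flows}


def unlisted_but_allowed(flows=FLOWS):
    """Flows the open posture lets out that the locked-down one stops: the traffic an
    admin of a default-deny box has to unblock one service at a time."""
    return [name for name, (locked, opened) in compare(flows).items()
            if locked == "block" and opened == "allow"]


if __name__ == "__main__":
    for name, (locked, opened) in compare().items():
        print(f"{name:13s} locked-down={locked:5s} open={opened}")
    print("only the open posture permits:", unlisted_but_allowed())
```

Note that the "blocked-site" flow is still allowed by the locked-down port rules: a default-deny firewall controls which ports leave, and filtering by destination site is a separate layer (the web filter the thread keeps returning to).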

Drashna Jaelre

I didn't see the $5/month or $50/year for untangle. That's not a bad deal, actually. 

 

And for somebody that just wants to "set and forget", that may be a better solution for a router.  And I'd readily recommend it. 

 

But for me... Sophos UTM all the way. 

 

And f**k XG Firewall. As PCDoc mentioned, my hatred for XG Firewall is pretty obvious.

And like itGeeks has mentioned, the ONLY solution to fix things is to disable the web filter for that device. Which LITERALLY defeats the purpose. I'm sad that they've gone this way, and I'd rather that they import the CyberROAM software into UTM, rather than the other way around... as UTM is a more stable and well-developed product.

itGeeks


Actually Chris, one of their updates before I shut it off fixed web filtering with Netflix, but you still had to disable HTTP & HTTPS scanning. I personally don't think they meant to fix Netflix, but whatever change they made to fix whatever else was going on happened to fix Netflix working with the web filter on. I still feel strongly about everything I said though. Yes, 5.00 a month / 50 a year for all you can eat is great and one reason I switched back to Untangle. The new v12 is awesome; it has a new dashboard similar to Sophos XG with real-time reporting. You should check it out when you have free time.

Jason

Like Drashna I am happily running Sophos UTM 9. Still no reason to switch. Works perfectly and requires little modification at this point. Though I've been curious whether they still intend to release an upgrade path from UTM 9 to XG with a web config migration tool. That was their plan.

nguyendot

Let me be clear on my original request. I basically want a decent firewall with the fastest single stream IPS solution.

I like free, but it doesn't have to be.

It needs to be decently secure. I'm used to the totally locked down approach. I deploy Sophos UTMs regularly, as well as SonicWALLs. Not a single one of them on anything faster than 150 Mbps, however.

I'm new to Untangle, pfSense, and Check Point. The last one is a new partner so I'll probably deploy it on a separate WAN IP to play with it.

I don't mind trying new things. As soon as I get home I'll fire up Sophos Home, XG, Untangle... etc. I was just wondering what others in my similar situation have done. Up until now my NSA 2400 has worked admirably, and yes, I had to unblock tons of stuff to get PS Network and Xbox Live to work. The wife only gets on Facebook on her iPhone, so that naturally works with 443 outbound.

Also a decent load balance would be nice; dual WAN needs to be utilized, otherwise it kind of just sits there.

itGeeks


It seems Untangle will handle those speeds with a fast enough CPU and good (Intel) NICs: https://forums.untangle.com/hardware/35728-gigabit-internet-here.html

 

The moral of the story from the link I provided above is

"As for hardware to support gigabit, I agree. You need a dual core i3 or better CPU and 2gb of RAM to keep up with gigabit at a minimum. That means u150 or greater equivalent hardware."

 

I would personally do nothing less than 8GB of RAM. Can I ask why you feel you want WAN load balancing with a fat 1GB pipe coming into your house? I only have a 150/150 connection and have never had any noticeable trouble. Just for the record, I had a lot of devices on my network all accessing the internet at the same time, as well as doing offsite backups to and from my house.

nrf

I'd sure like to see some performance tables on the various router options; clearly it depends on the hardware, but I think it could be very useful for someone looking for a solution. As to the dual WAN, if you have two pipes it seems to me one would at least want failover. I would like to hear the answer as it could prove thought-provoking.

itGeeks


Using the 2nd, less expensive pipe for fail-over would make more sense to me. ;)

pcdoc

It appears I did revive the debate, but I am glad not everyone thinks the same. That's what makes this forum a great place.

 

 


XG does lock down by default as well.  Just a different approach is used on how to allow things to go through.

 

 

 

 


 

You are correct and for that I thank you.  You inspired me to use XG after being on Untangle for years and I appreciate your help when I was converting.  When I switched, Untangle was hosing me more than $60/month for basic protection (AV and filtering) and I still found it harder to start with an open system and lock it down.  In my opinion, lock down first is easier and safer though a bit more stressful in the first few days tuning things up.  Remember I came from getting breached to wanting something that offered the family protection without the heavy cost.  I guess now I have taken the place of the forum's XG fanboy and even went as far as to have it deployed in two of my facilities along with the end point protection all because of my experience with it at home.  So in reality, Sophos owes you a commission.

 

 

 


 

I respect your consistency (though I was shocked to hear you did not like it :) ), as you have tried to like it from day one but it never offered the granularity and control you are looking for. Along with itGeeks, your articles helped me get started. Maybe the new V16 will win you over with its new "ease of use" features and its improved rules...

nguyendot

Yes, failover is one duty of the second WAN. The other usage is that I have it in spillover mode: if ingress is more than 90% of the primary WAN capability, it will send the next requests to the secondary WAN. Failover is inherent in that setup.
