RESET Forums (homeservershow.com)

Sophos UTM is getting a new version and guess what? No more 50 IP Limit.


itGeeks

Exactly why I chose to run an i3-4170 in my box.

So now what do I do? Your setup on bare metal, or what I am thinking of doing, an Intel Xeon E3-1231V3 Haswell 3.4 GHz 8MB L3 Cache under Hyper-V?

Taffeys

So now what do I do? Your setup on bare metal, or what I am thinking of doing, an Intel Xeon E3-1231V3 Haswell 3.4 GHz 8MB L3 Cache under Hyper-V?

Sorry, I can't help you with that decision. I don't run any hardware virtualization setups so I have nothing to compare my bare-metal install to.

mattb75

Hi

I've currently got Sophos 9.3 installed on an ESXi 6.0 hypervisor running on a TS140 with a Xeon E3-1226v3 processor. I've allocated 2 cores and 3GB of memory and it rarely goes above 50% RAM usage; CPU seldom goes over 10%.

I've got IPS switched on, an external webserver filtered and 40 clients connecting (mainly IoT and iDevices, with occasional use by desktop and laptop PCs). My internet connection is still ADSL (no fibre to the cabinet or cable providers available where I live currently), so download speed is less than 15 Mbps and upload around 1.5 Mbps, so there's not much traffic traversing the WAN link via UTM.

I suspect if my internet connection was better (and therefore the household used more internet than 4G connections, the advantage of an unlimited data connection!) then I'd see more pressure on the modest limits of my VM instance and need to increase it a bit.

LoneWolf

So now what do I do? Your setup on bare metal, or what I am thinking of doing, an Intel Xeon E3-1231V3 Haswell 3.4 GHz 8MB L3 Cache under Hyper-V?

I am someone who would much prefer to run a router/firewall on a separate box when possible. There will be times when you want to reboot the whole Hyper-V box and sometimes you don't want to drop your Internet at the same time. This may be especially true if you sometimes VPN in to your network.

I'm sure it will work okay as a Hyper-V setup; it's just my network design philosophy, and I would rather also dedicate NICs to a firewall/router than share them with other VMs. I'd build a low-power mITX box with a J1900 CPU, 4GB RAM and a small amount of flash memory to boot and run the OS/UTM. Add a 2-port low-profile Intel PCIe NIC, maybe run it off a PicoPSU, and go that route if I was doing Sophos (I have a Watchguard box). Alternately, perhaps a barebones mITX if there's one out there that allows you the NIC options you need.

itGeeks

Here is an interesting box to use with Sophos, and it has 2 Intel NICs on-board. Just wish it had the Intel Celeron J1900, but it still looks good. May have to get one and try it myself.

http://www.amazon.com/dp/B014S3EIIE/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=1N6867G1O15RY&coliid=I2RT5LVZM55E1P

Let me know what you all think about this box.

itGeeks

I am someone who would much prefer to run a router/firewall on a separate box when possible. There will be times when you want to reboot the whole Hyper-V box and sometimes you don't want to drop your Internet at the same time. This may be especially true if you sometimes VPN in to your network.

I'm sure it will work okay as a Hyper-V setup; it's just my network design philosophy, and I would rather also dedicate NICs to a firewall/router than share them with other VMs. I'd build a low-power mITX box with a J1900 CPU, 4GB RAM and a small amount of flash memory to boot and run the OS/UTM. Add a 2-port low-profile Intel PCIe NIC, maybe run it off a PicoPSU, and go that route if I was doing Sophos (I have a Watchguard box). Alternately, perhaps a barebones mITX if there's one out there that allows you the NIC options you need.

In most cases I have to agree with you. I thought long and hard about whether I really wanted to run Sophos in a VM. After careful thought I said what the heck, I have the brand new hardware already doing nothing, and I wanted to take my very first stab at running a VM and see what the possibilities would be, and I must say I am blown away with how well this runs. I get my full 150/150 internet speed according to speed tests (I did not get this on the Atom D525), and that's with IPS enabled. I can now shut down two boxes in favor of running the VM, saving a bit of electricity and heat, and that's always a good thing. I am looking for a very small stand-alone box such as this one http://www.amazon.com/dp/B014S3EIIE/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=1N6867G1O15RY&coliid=I2RT5LVZM55E1P to do a stand-alone install of Sophos for my daughter's house, so we will see how that goes.

azcoyote

Here is an interesting box to use with Sophos, and it has 2 Intel NICs on-board. Just wish it had the Intel Celeron J1900, but it still looks good. May have to get one and try it myself.

http://www.amazon.com/dp/B014S3EIIE/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=1N6867G1O15RY&coliid=I2RT5LVZM55E1P

Let me know what you all think about this box.

I just installed to a J1900 board with i210 Intel NICs. It is a SuperMicro X10SBA with 4GB RAM and a 64GB mSATA SSD.

Took me a bit to get basic routing the way I wanted last night, but I see about 33% usage of memory and the rest is at 10% or less.

That is with Web protection and IDS only. Any suggestions on what you want tested and how?


Thanks,

W

itGeeks

I just installed to a J1900 board with i210 Intel NICs. It is a SuperMicro X10SBA with 4GB RAM and a 64GB mSATA SSD.

Took me a bit to get basic routing the way I wanted last night, but I see about 33% usage of memory and the rest is at 10% or less.

That is with Web protection and IDS only. Any suggestions on what you want tested and how?


Thanks,

W

Thanks for taking the time to post. That looks like a great board. What case are you using with it? What version of Sophos are you using? I also think you may be better served by increasing the RAM to 8GB (6GB usable) if using the new Sophos "Copernicus", now in beta with a home license. What is your internet speed, both up & down, and are you getting those speeds when running a speed test? By IDS did you mean IPS?

azcoyote

It is installed in an Antec ISK110 which appears to work great.

I am using Sophos UTM 9.3. My RAM won't be upgraded at this point since 4 GB seems sufficient.

My network should come in well under the 50 IP range.  


There will be 5 PCs, my VOIP Phone for work, My VOIP Server for personal use, 10 mobile devices, and 5 media consumption devices.

IPS/IDS... Meh. Detection/Prevention I guess is ALMOST the same. :) I have web filtering on and basically configured allow all outbound.

I have not had time to refine my rules yet for inbound. Creating an appropriate DNAT for my Plex server is my first task. Still a bit confused on that.


My Cisco phone uses STUN so with the allow all out rule, it appears to be happy as a clam.


I don't have the rules for my FreePBX in place yet but it is also on the list of things to do this weekend.

Any places you can point me to curb the learning curve? I have used everything from the dreaded ISA to Cisco PIX to SonicWall and so on...

However, it is not my normal thing to do and I am pretty out of practice on network stuff...

My internet speed is 40 Meg down and 5 Meg up. I am getting 43 down and 5 up when testing via Speedtest.net.

ShieldsUp shows as a dark hole, so that is nice...


Incidentally I have a J1900 equipped Gigabyte Brix for my FreePBX and it also works wonderfully.  


It will scale far beyond what I will ever need it to do but I expect it could run a small office phones with a simple IVR and basic VM.

azcoyote

I also turned on Web Filtering and Advanced Threat Protection. Still just idling along. No AES on these J1900s, so VPN is said to require more CPU with them, but as a straight-up UTM I am loving it so far.

Any chance you can tell me the correct way to make Plex available outside? I have the Service defined. Is it a DNAT from Outside ANY to Plex Service at HOST?

Then what is the rule on Firewall? I am in a NAT environment.
