RESET Forums (homeservershow.com)
itGeeks

Sophos UTM is getting a new version and guess what? No more 50 IP Limit.


LoneWolf

In most cases I have to agree with you, I thought long and hard if I really wanted to run Sophos in a VM. After careful thought I said what the heck, I have the brand new hardware already doing nothing and I wanted to take my very first stab at running a VM and see what the possibilities would be, and I must say I am blown away with how well this runs. I get my full 150/150 internet speed according to speed tests (I did not get this on the Atom D525) and that's with IPS enabled. I can now shut down two boxes in favor of running the VM, saving a bit of electric and heat, and that's always a good thing. I am looking for a very small stand alone box such as this one http://www.amazon.com/dp/B014S3EIIE/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=1N6867G1O15RY&coliid=I2RT5LVZM55E1P

to do a stand alone install of Sophos for my daughter's house, so we will see how that goes.

 

The Atom D525 is getting long in the tooth.  Sure, it's dual-core with Hyperthreading, but it's in-order execution.  The current J1900 supports out-of-order execution and is an order or two of magnitude faster.  This one change makes a significant difference in performance.  That, and the J1900 is four real cores, as opposed to two cores, two threads.  Also, the D525 supports only single-channel memory, the J1900 supports dual-channel.  Finally, the J1900 has far better PCIe throughput, meaning you get to truly take advantage of that Intel PCIe dual-NIC card.

itGeeks

It is installed in an Antec ISK110 which appears to work great.

 

I am using Sophos UTM 9.3  My RAM won't be upgraded at this point since 4 GB seems sufficient.

My network should come in well under the 50 IP range.  

 

There will be 5 PCs, my VOIP Phone for work, My VOIP Server for personal use, 10 mobile devices, and 5 media consumption devices.

 

IPS/IDS... Meh.  Detection/Prevention I guess is ALMOST the same.   :)    I have web filtering on and basically configured allow all outbound.

 

I have not had time to refine my rules yet for inbound.  Creating an appropriate DNAT for my Plex server is my first task.  Still a bit confused on that.

 

My Cisco phone uses STUN so with the allow all out rule, it appears to be happy as a clam.

 

I don't have the rules for my FreePBX in place yet but it is also on the list of things to do this weekend.

 

Any places you can point me to curb the learning curve?  I have used everything from the dreaded ISA to Cisco PIX to SonicWall and so on...

However, it is not my normal thing to do and I am pretty out of practice on network stuff...

 

My internet speed is 40Meg down and 5Meg up.  I am getting 43 down and 5 up when testing via Speedtest.net.

ShieldsUp shows as a dark hole so that is nice... 

Incidentally I have a J1900 equipped Gigabyte Brix for my FreePBX and it also works wonderfully.  

 

It will scale far beyond what I will ever need it to do, but I expect it could run a small office's phones with a simple IVR and basic VM.

Thanks for the info, the case looks great. Why did you do mSata SSD vs a regular SSD? What make and model did you get? As for great guides on Sophos, see the link below:

https://web.archive.org/web/20150317070814/https://drashna.net/blog/category/networking/

Chris does an awesome job on his guides.

itGeeks

The Atom D525 is getting long in the tooth.  Sure, it's dual-core with Hyperthreading, but it's in-order execution.  The current J1900 supports out-of-order execution and is an order or two of magnitude faster.  This one change makes a significant difference in performance.  That, and the J1900 is four real cores, as opposed to two cores, two threads.  Also, the D525 supports only single-channel memory, the J1900 supports dual-channel.  Finally, the J1900 has far better PCIe throughput, meaning you get to truly take advantage of that Intel PCIe dual-NIC card.

Thanks for the great explanation on the two CPUs. I really want to set up Sophos for my daughter's house using something like a J1900 as long as it performs well, but I also need an elegant looking small case because this will be installed in her living room.

I also turned on Web Filtering and Advanced Threat Protection.  Still just idling along.  No AES on these J1900 so VPN is said to require more CPU with them but as straight up UTM I am loving it so far.

 

Any chance you can tell me the correct way to make Plex available outside?  I have the Service defined.  Is it a DNAT from Outside ANY to Plex Service at HOST?

 

Then what is the rule on the Firewall?  I am in a NAT environment.

Have a look at this guide for how to port forward https://web.archive.org/web/20150317070959/https://drashna.net/blog/2014/03/port-forwarding-with-sophos/
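The question above (a DNAT from Outside ANY to the Plex service at HOST, then "what is the rule on the Firewall?") usually trips people up because of rule order: on a Linux/netfilter-style firewall the DNAT rewrite happens before the forwarding filter, so the allow rule has to match the internal host and service port, not the public address. The following is an added example that models that ordering; it is not code from the thread, from Chris's guide, or from Sophos UTM itself, and it assumes Sophos UTM evaluates NAT before filtering the same way netfilter does. All addresses are constructed, and 32400 is Plex's default TCP port (assumed unchanged).

```python
# Added example (not from the thread and not Sophos UTM's own code): a small
# model of how a port-forward is evaluated on a Linux/netfilter-style firewall,
# where the DNAT (PREROUTING) rewrite happens *before* the FORWARD chain filters
# the packet. Sophos UTM is assumed to behave the same way under the hood; all
# addresses below are constructed.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.10"      # constructed public address (RFC 5737 documentation range)
PLEX_HOST = "192.168.1.50"   # constructed internal host running Plex
PLEX_PORT = 32400            # Plex Media Server's default TCP port (assumed unchanged)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """'From ANY to <WAN address>, service X, change destination to HOST'."""
    match_dst: str
    proto: str
    match_dport: Optional[int]  # None means "any port": forwards the whole host
    to_host: str
    to_port: Optional[int]      # None keeps the original port

    def apply(self, pkt: Packet) -> Packet:
        if pkt.dst != self.match_dst or pkt.proto != self.proto:
            return pkt
        if self.match_dport is not None and pkt.dport != self.match_dport:
            return pkt
        new_port = self.to_port if self.to_port is not None else pkt.dport
        return replace(pkt, dst=self.to_host, dport=new_port)


@dataclass(frozen=True)
class FilterRule:
    """An allow/deny rule; 'any' (or None for the port) matches every value."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    action: str  # "ACCEPT" or "DROP"

    def matches(self, pkt: Packet) -> bool:
        return ((self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def forward(pkt: Packet, dnat_rules: List[DnatRule],
            filter_rules: List[FilterRule], default: str = "DROP") -> Tuple[str, Packet]:
    """Run NAT first, then filtering, in the order netfilter applies them."""
    for rule in dnat_rules:          # PREROUTING: destination is rewritten here
        pkt = rule.apply(pkt)
    for rule in filter_rules:        # FORWARD: sees the *translated* packet
        if rule.matches(pkt):
            return rule.action, pkt
    return default, pkt              # deny by default when nothing matches


def is_scoped(rule: DnatRule) -> bool:
    """Least-privilege check: a forward should name one service, not every port."""
    return rule.match_dport is not None and rule.proto != "any"


PLEX_DNAT = DnatRule(WAN_IP, "tcp", PLEX_PORT, PLEX_HOST, PLEX_PORT)
# Correct companion rule: allow traffic to the internal host and service.
ALLOW_PLEX = FilterRule("any", PLEX_HOST, "tcp", PLEX_PORT, "ACCEPT")
# Common mistake: an allow rule written against the public address, which the
# packet no longer carries by the time filtering runs.
ALLOW_WRONG = FilterRule("any", WAN_IP, "tcp", PLEX_PORT, "ACCEPT")

if __name__ == "__main__":
    inbound = Packet("198.51.100.7", WAN_IP, "tcp", PLEX_PORT)
    print(forward(inbound, [PLEX_DNAT], [ALLOW_PLEX]))   # ACCEPT, dst rewritten to PLEX_HOST
    print(forward(inbound, [PLEX_DNAT], [ALLOW_WRONG]))  # DROP: rule never matches
```

Running it shows the same inbound connection accepted with the host-scoped rule and dropped with the WAN-scoped one; any other port at the public address falls through to the default deny because no DNAT touched it and no filter rule allows it.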

azcoyote

Thank you for the links.  I opted for the mSata so I could use the onboard port and leave my standard Sata ports available if I chose to make this an Amahi box instead.

Basically, there was no downside to using it.  Fast interface with SSD at a cheap price.  Both the 2.5 drive spaces in my case still available.  If I decide to reuse the box I have options.

 

Thank you for the links!!!

GotNoTime

I opted for the mSata so I could use the onboard port and leave my standard Sata ports available if I chose to make this an Amahi box instead.

Your Supermicro board routes the 2nd SATA port on the Intel chipset to either the standard socket or the mSATA socket. It is also SATA II 3Gbps only.

itGeeks

Your Supermicro board routes the 2nd SATA port on the Intel chipset to either the standard socket or the mSATA socket. It is also SATA II 3Gbps only.

Thanks for the info, I would not want SATA II for my OS drive when SATA III 6Gbps is available.

Thank you for the links.  I opted for the mSata so I could use the onboard port and leave my standard Sata ports available if I chose to make this an Amahi box instead.

Basically, there was no downside to using it.  Fast interface with SSD at a cheap price.  Both the 2.5 drive spaces in my case still available.  If I decide to reuse the box I have options.

 

Thank you for the links!!!

Thanks for the info, and you're welcome.

nrf

sata 2 -vs- 3 mostly matters for ssds unless you have a high rpm spinner such as a velociraptor.

azcoyote

If this were an OS drive of a gaming machine or a video editing station I would agree.

It is still plenty fast.  The latency improvements of SSD over mechanical are felt regardless.

 

That said, the remaining ports on the board at 6Gbps from Marvell are still available.

Here is how it shakes out...

  • 4x SATA3 (6Gbps) ports
  • 2x SATA2 (3Gbps) ports --mSata SSD

I wasn't certain I was gonna use it for a firewall or Amahi.  This gave me options when I was testing.

So, this is a pretty academic discussion.  In execution, it works just fine.  To each their own I guess...

 

I am more concerned with wear leveling at this point than anything else.  Should that become an issue, I would switch out to a platter drive anyway.

itGeeks

If this were an OS drive of a gaming machine or a video editing station I would agree.

It is still plenty fast.  The latency improvements of SSD over mechanical are felt regardless.

 

That said, the remaining ports on the board at 6Gbps from Marvell are still available.

Here is how it shakes out...

  • 4x SATA3 (6Gbps) ports
  • 2x SATA2 (3Gbps) ports --mSata SSD

I wasn't certain I was gonna use it for a firewall or Amahi.  This gave me options when I was testing.

So, this is a pretty academic discussion.  In execution, it works just fine.  To each their own I guess...

 

I am more concerned with wear leveling at this point than anything else.  Should that become an issue, I would switch out to a platter drive anyway.

I am not sure about the wear leveling for the mSata, but I can tell you I had been running my firewall/router on a Samsung 840 Pro SSD for about 2+ years with no signs of any trouble. For my new VM build I am running a new Samsung 850 Pro, so I guess if the mSata does not hold up you could always use the drives I am using if you want to stay SSD.

Edited by itGeeks

LoneWolf

I am not sure about the wear leveling for the mSata, but I can tell you I had been running my firewall/router on a Samsung 840 Pro SSD for about 2+ years with no signs of any trouble. For my new VM build I am running a new Samsung 850 Pro, so I guess if the mSata does not hold up you could always use the drives I am using if you want to stay SSD.

 

Wear-leveling is dependent on controller chip algorithms and such on the SSD, not the interface of the SSD.

 

And for reference, I've had the same mSATA SSD in my laptop for several years now.  Nothing fancy, regular MLC flash with a Phison controller chip, and it has been just fine.

 

Also note --once you set up an SSD on a firewall, you probably won't be doing a ton of writes to it.  They will mainly be to do updates (unless the OS has a swap file, and even that probably won't be a lot of writing).  Reads aren't going to be a big deal, so it should last a long time.

 

Finally, SATA2 vs. SATA3 isn't likely to matter much in this particular use case.  Having an SSD vs. having a platter-based drive --now that matters.  Go with an SSD that's inexpensive, but go with a brand that has a reasonable reliability rate.

Edited by LoneWolf
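The point made above, that a firewall box writes very little to its SSD once installed, so wear is a non-issue for this use, is easy to verify on the box itself rather than assume. The following is an added example, not code from the thread: it takes two /proc/diskstats snapshots (constructed here, 24 hours apart), converts the sectors-written delta into a daily write volume, and divides an endurance rating into it. The 150 TBW figure is a placeholder, not a rating quoted for any drive named in the thread, and the write amplification factor is assumed to be 1.0 when the controller's real figure is unknown.

```python
# Added example (not from the thread): estimate how hard a firewall box is
# actually working its SSD from two /proc/diskstats snapshots. The snapshot
# lines and the 150 TBW rating are constructed placeholders; the field layout
# follows the kernel's Documentation/admin-guide/iostats.rst.
SECTOR_BYTES = 512  # /proc/diskstats always counts 512-byte sectors

# Constructed snapshots of the same device taken 24 hours apart.
SNAPSHOT_T0 = "   8       0 sda 1200 30 96000 800 500 20 40000 600 0 900 1400"
SNAPSHOT_T1 = "   8       0 sda 1300 32 104000 850 2900 90 1302400 4200 0 3800 5100"


def sectors_written(line: str, dev: str = "sda") -> int:
    """Field 10 (index 9 after splitting) is the cumulative sectors-written counter."""
    fields = line.split()
    if len(fields) < 10 or fields[2] != dev:
        raise ValueError(f"no diskstats entry for {dev}")
    return int(fields[9])


def bytes_per_day(t0: str, t1: str, hours_between: float, dev: str = "sda") -> float:
    """Host writes between the two snapshots, scaled to a 24 h rate."""
    delta = sectors_written(t1, dev) - sectors_written(t0, dev)
    if delta < 0:
        raise ValueError("counter went backwards (reboot between snapshots?)")
    return delta * SECTOR_BYTES * (24.0 / hours_between)


def years_until_tbw(daily_bytes: float, tbw_terabytes: float,
                    write_amplification: float = 1.0) -> float:
    """Rough life estimate: rated total bytes written divided by yearly host
    writes, inflated by the controller's write amplification (assumed 1.0
    when the real figure is unknown)."""
    rated = tbw_terabytes * 1e12
    return rated / (daily_bytes * write_amplification * 365.0)


if __name__ == "__main__":
    daily = bytes_per_day(SNAPSHOT_T0, SNAPSHOT_T1, hours_between=24)
    print(f"{daily / 1e6:.0f} MB/day written")        # constructed sample: 646 MB/day
    print(f"~{years_until_tbw(daily, 150):.0f} years to a 150 TBW rating")
```

On a real box, take the two snapshots with `cat /proc/diskstats` a day apart and pass the matching lines in; a write volume in the hundreds of megabytes per day, as in the constructed sample, puts the rated endurance centuries away, which is the practical reason SATA II versus SATA III and mSATA versus 2.5" make no difference to longevity here.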
