Home Network Control

Churchill

Admiral
Jan 6, 2016
793
185
43
Thanks @markarr. Follow-up question: how do I have one server, and only one server, use the VPN connection while the rest of the systems go out the primary gateway?

I guess I could set up a different gateway for all traffic on that one server. How does the routing work on Sophos compared to pfSense? Just as good?

I love the look of Sophos compared to pfSense. Yes, pfSense is robust, but when I get home I want to K.I.S.S. and just do what I need to do without headache.
 

markarr

Active Member
Oct 31, 2013
410
110
43
When you create your VPN you can scope it to a single IP. Sophos will let you put a single host in; in pfSense I believe you would just put the IP with a /32 subnet.

I like all the built-in logs, the reverse proxy, etc. that are just there in Sophos. You give up some of the deep dive of pfSense for a better-looking GUI. One thing though: by default Sophos is deny-all outbound and pfSense is not; in a home environment that can cause some quirks.
 

Churchill

Admiral
Jan 6, 2016
793
185
43
Looking like I'm going to install Sophos on my old pfSense server and give it a whirl further. Already testing Sophos in a VM and it's been super easy to work with.
 

tby

Active Member
Aug 22, 2013
206
91
28
Snellville, GA
set-inform.com
In the past week I did a 10GbE fiber run between the house and detached garage / home office, replaced all of my ancient N300 APs with ASUS RT-AC56Rs, upgraded my cable modem to an SB6190, had Comcast bump me up to Extreme 250, and put the 1037U in place running Sophos XG.

The 1037U is definitely more than powerful enough to handle everything Sophos XG offers... but I'm not sure I'd recommend XG right now. Took me hours to figure out how to make an inbound port mapping work, I can't get SSL interception to use my own CA -- I seem to have it all configured right but it keeps using the self-generated CA, I see weirdness with the graphing where shorter time period graphs show higher max values than longer time periods, and the scheduled FTP backup has failed every single night. It all feels very v1.0.
 

wildchild

Active Member
Feb 4, 2014
394
57
28
Maybe a dumb idea, but has anyone considered a DNS-based solution like OpenDNS here?
Use the firewall to block machines from using any other DNS server, block the categories you wouldn't want the kids to see, and you're done.
Stable, safe and made up by a ton of people exploring the dark parts of the web.
For those who would want to explore those dark places after the kids (or wife ;) ) go to bed, make a simple rule exception.
Also works great for keeping malware/botnet domains out.
 

Nnyan

Active Member
Mar 5, 2012
124
32
28
1. I am more familiar with UTM 8/9 and less so with XG, but I wanted to learn pfSense.
2. I have this set up on the network side, that's what I meant.
3. B/C I like to play with gadgets and you never know if something comes out that is better than what you are using.
4. I was a long-time LastPass user but overall I just liked the usability of Dashlane much better (not that it doesn't still have some pain points).
5. LOL. I think the latest versions are MUCH better (bloat-wise) than the older versions. Like I said, I'm testing Sophos Home but my main issue is that I would need it for more than 10 devices. I've had paid subs for Bitdefender and Webroot and while fine software both have let me down, while the PCs that had Norton were protected (I typically run multiple subs since I need more than 20 devices protected; last year I just got 10-device subs from three different products).
6/7. Pretty much the same as #3, I like to constantly test new products (to me) and see how they stack up with what I'm currently using. I also don't mind some redundancy so I get layered protection. I like the reporting from GlassWire more than anything else I've seen.
 

Nnyan

Active Member
Mar 5, 2012
124
32
28
> Maybe a dumb idea, but has anyone considered a DNS-based solution like OpenDNS here?
> Use the firewall to block machines from using any other DNS server, block the categories you wouldn't want the kids to see, and you're done.
> Stable, safe and made up by a ton of people exploring the dark parts of the web.
> For those who would want to explore those dark places after the kids (or wife ;) ) go to bed, make a simple rule exception.
> Also works great for keeping malware/botnet domains out.

I use OpenDNS for any guest and kids' PCs. The DNS is also consistently very fast, so that is another bonus.
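The policy wildchild describes and Nnyan uses (force every LAN host to a chosen resolver, deny DNS anywhere else, with a rule exception for one host at night) is modelled in this added example; it is not code from the thread or from Sophos or pfSense. It assumes the OpenDNS public resolver addresses shown, constructed LAN addresses and a constructed log format, and it also treats DNS-over-TLS on port 853 as DNS so that port cannot be used to slip past the filter.

```python
# Added example (not code from the thread): a model of the DNS policy wildchild
# describes, with the kind of rule exception the post mentions.
from datetime import datetime, time
import ipaddress

# OpenDNS public resolver addresses (assumed here; confirm them in your OpenDNS account).
ALLOWED_RESOLVERS = {ipaddress.ip_address("208.67.222.222"),
                     ipaddress.ip_address("208.67.220.220")}
# Plain DNS and DNS-over-TLS; leaving 853 open would let a host bypass the filter.
DNS_PORTS = {53, 853}
# Hosts exempt from the restriction during a nightly window (constructed values).
EXEMPTIONS = {ipaddress.ip_address("192.168.1.10"): (time(22, 0), time(6, 0))}


def in_window(t, start, end):
    """True if t is within [start, end); the window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def decide(src, dst, dport, when):
    """Return 'allow' or 'deny' for one outbound connection under the policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport not in DNS_PORTS:
        return "allow"            # the policy only constrains DNS traffic
    if dst_ip in ALLOWED_RESOLVERS:
        return "allow"
    window = EXEMPTIONS.get(src_ip)
    if window and in_window(when.time(), *window):
        return "allow"            # the "after bedtime" exception
    return "deny"


def audit(log_lines):
    """Parse 'timestamp src dst dport' lines; return (src, dst) pairs the policy would deny."""
    denied = []
    for line in log_lines:
        ts, src, dst, dport = line.split()
        if decide(src, dst, int(dport), datetime.fromisoformat(ts)) == "deny":
            denied.append((src, dst))
    return denied


# Constructed sample log: a kid's PC trying Google DNS, then OpenDNS; the exempt
# host after bedtime on port 53 and before bedtime on port 853 (DNS-over-TLS).
SAMPLE_LOG = [
    "2016-01-27T19:05:00 192.168.1.23 8.8.8.8 53",
    "2016-01-27T19:05:01 192.168.1.23 208.67.222.222 53",
    "2016-01-27T23:10:00 192.168.1.10 8.8.4.4 53",
    "2016-01-27T19:10:00 192.168.1.10 8.8.4.4 853",
]
```

Running `audit(SAMPLE_LOG)` flags the kid's PC talking to 8.8.8.8 and the exempt host using DNS-over-TLS outside its window; the same lines can be fed from the firewall's own log to find hosts that have a hard-coded resolver.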

tby

Active Member
Aug 22, 2013
206
91
28
Snellville, GA
set-inform.com
> ?? Seriously?
Yeah, the only limitations with the free Sophos XG are that it won't use more than 4 cores and 6GB RAM. I'm running on 2 cores and 4GB so that hardly seems a limitation at all.

I stand by what I posted a few weeks ago about it feeling very v1.0, but... 18 days into this month I got the dreaded email from Comcast about exceeding my 300GB quota, and XG's reporting made it very easy to hunt down the offender and show them how much data they were consuming with various services.

Also had a PC fall victim to some drive-by malwarevertising. XG failed to block DNS Locker from getting downloaded, but it did block some other nasties and a connection attempt to a C&C server. And had the logging I need to quickly trace back WTF had happened.

All in all, I'm liking it, even if some things don't seem to work and many things are more confusing to implement than they ought to be.
 

capn_pineapple

Active Member
Aug 28, 2013
356
80
28
> Yeah, the only limitations with the free Sophos XG are that it won't use more than 4 cores and 6GB RAM. I'm running on 2 cores and 4GB so that hardly seems a limitation at all.

Our business Sophos is running on an i3 with 12GB RAM. HOWEVER! RAM utilisation has never gone above 25% including 15 VPN (SSL, no quickassist) users and another 45 internal staff maxing out a 100/100 fibre link.

The free XG limits might possibly be hit if you had perhaps 200 staff using it with 50 on VPN at any one point in time. Seriously, the Sophos stuff is just fantastic. That said, I am interested in how pfSense changes with the new version.

Oh, and did I mention that XG has been re-written to be up to 250% more efficient in some tasks than UTM 9? (Though Sophos' testing methods may be suspect.)
 

xbliss

Member
Sep 26, 2015
68
0
6
43
> Yeah, the only limitations with the free Sophos XG are that it won't use more than 4 cores and 6GB RAM. I'm running on 2 cores and 4GB so that hardly seems a limitation at all.
>
> I stand by what I posted a few weeks ago about it feeling very v1.0, but... 18 days into this month I got the dreaded email from Comcast about exceeding my 300GB quota, and XG's reporting made it very easy to hunt down the offender and show them how much data they were consuming with various services.
>
> Also had a PC fall victim to some drive-by malwarevertising. XG failed to block DNS Locker from getting downloaded, but it did block some other nasties and a connection attempt to a C&C server. And had the logging I need to quickly trace back WTF had happened.
>
> All in all, I'm liking it, even if some things don't seem to work and many things are more confusing to implement than they ought to be.

Interesting catch.
 

spyrule

Active Member
From everything I've read though, it seems as though XG Home is nowhere near as powerful, nor as easy to actually set up, as UTM 9. I'm gonna play around with XG Home in the next few weeks in a VM to see it personally, but a whole bunch of people have complained about XG being terrible (whole features don't work, the security concept is completely flawed, some whole other features are simply not there).

I'm interested to see what people who have used both say...

Now, I did however just come across Sophos Home, and if it ties into XG Home, then it might make it more interesting.

As for hardware, I bought a SuperMicro A1SRi-2558f mobo, 8GB of ram, and installed my OS on a spare 60GB SSD. The thing simply rocks. I use pretty much all features of Sophos UTM 9 (Home), and the thing doesn't blink an eye at it. On average, 9-12% cpu, 20% ram, and 1-3% hdd/cache/log space.
 

xbliss

Member
Sep 26, 2015
68
0
6
43
> SuperMicro A1SRi-2558f mobo, 8GB of ram, and installed my OS on a spare 60GB SSD. The thing simply rocks. I use pretty much all features of Sophos UTM 9 (Home), and the thing doesn't blink an eye at it. On average, 9-12% cpu, 20% ram, and 1-3% hdd/cache/log space.

How old of an Atom is that? What gen/ year is it?
Supermicro | Products | Motherboards | Atom Boards | A1SRi-2558F
A1SRi-2558F: Rangeley, Low Power, Communication, Intel® QuickAssist Technology
Key Features:
1. Intel® Atom processor C2558, SoC, FCBGA 1283, 15W 4-Core
2. Up to 64GB DDR3 1600MHz ECC SO-DIMM in 4 DIMM sockets
3. Quad GbE LAN ports
4. IPMI with dedicated LAN
5. 2x SATA3 and 4x SATA2 ports
6. 1x PCI-E 2.0 x8 slot
7. 4x USB 3.0 (2 rear, 1 via header, 1 Type A), 2x USB 2.0 ports (rear)
8. 12V DC or ATX Power input
9. Operating Temperature: 0°C - 60°C
10. 7-Year product life
 

mad1993max

New Member
Jan 27, 2016
17
0
1
30
I am currently on UTM 9 but I had to disable web filtering and virus scanning because the throughput was never over 1mbs. How is the proxy throughput with XG? The CPU usage is never higher than 30% with my UTM; has anybody a fix for that problem?
 

spyrule

Active Member
> How old of an Atom is that? What gen/year is it?
> Supermicro | Products | Motherboards | Atom Boards | A1SRi-2558F

I bought mine ~2 years ago now (give or take). I paid quite a bit for it (it was hard to find in stock at the time). The only pitfall I ran into is that it ONLY works with ECC memory. It will not get past its POST without ECC. Sadly, I had ordered RAM twice (that was listed as ECC both times), when in fact it wasn't. It delayed my project almost 4 weeks, but it was worth it in the end. This thing is fast, quiet, and rock stable. I'm actually looking at getting a second one for a friend.
 

capn_pineapple

Active Member
Aug 28, 2013
356
80
28
I have had a play with XG; I prefer UTM 9 over it though.

As for Sophos@home, it's a per-device AV/firewall solution, not a network solution. Think of it as a thin proxy of sorts. It's worked well for me at my parents' place: standard router/modem device from the ISP, then Sophos@home for their actual computers. Made my life so much easier and I can monitor/manage it from the net without any issues.