Need some advice

[Cxpher]

Hi all,

I need some advice on a setup i intend to do.

I currently have a R7000 (Nighthawk).

My Internet line is (1 Gbps Fiber).

The current connection is

Fiber Termination Point ---> ISP ONT ---> R7000 ---> (LAN to PC - Wired)

What i intend to do is

Fiber Termination Point ---> ISP ONT ---> Sophos UTM Home Edition running on a PC ---> (PC connected directly on one NIC port) ---> R7000 on another NIC port (in AP mode for wireless only)

Note that my ISP ONT gives me a static IP address via DHCP.

I intend to get the following hardware for the Sophos UTM Home Edition that i'll be going for.

OS : Sophos UTM Home Edition
Case : SilverStone RAVEN Series RVZ01B
CPU : http://ark.intel.com/products/78927/Intel-Core-i5-4460T-Processor-6M-Cache-up-to-2_70-GHz
Motherboard : Not decided yet - Mini-ITX form factor
NIC : Intel Quad Port Server NIC Model E1G44ET2BLK

My concerns are whether the hardware is adequate (I'm concerned about the WAN throughput performance (with IDS/FW turned on only and nothing else) as well as WAN to LAN throughput performance (will i be able to minimize loss here with this setup?)

Also, does anyone know if the throughput of the Sophos UTM Home Edition is good enough to deliver near good speeds?

The fastest i've gotten on the R7000 is about 900+ Mbps but this slows down considerably over time (for some reason, the R7000 firmware ages and the only way to fix this is a factory reset, reboots don't help PS : QoS is off along with pretty much everything else. Router just does DHCP and Wifi)

Need your expert advice.

 

[AcostaJA]

About the R7000, try latest KONG DD-WRT, her personal Branch is vastly Improved, STD version comez with zabbix, BT version instead with Transmission.

http://www.desipro.de/ddwrt/K3-AC-Arm/

I dont know which specific feature on Sohps firewall you need, but consider fpsense IMHO much better option, you can deploy it with an mini-itx board with dual LAN is enough (also some nano itx at aliexpress seems designed for fpsense) about memory 1gb is enough for heavy load.

 

[azazel1024]

I can't speak to Spohos, but to the processor, that is likely massive overkill. You could probably get away with a good Haswell celeron processor. What is more important is a good NIC with good offload features. I'd look at the latest Intel NICs if you can.

 

[Cxpher]

One of my concerns is hardware acceleration (or what Broadcom calls CTF). From my understanding, KONG DD-WRT does not have a working implementation of this.

This is because i need strong WAN to LAN throughput or i lose a lot of bandwidth which i have (my WAN speed is 1 Gbps)

The reason why i'm considering a stronger processor is because i've got this impression that IDS/IPS is quite CPU intensive.

You guys have any further thoughts on my points mentioned?

 

[AcostaJA]

One of my concerns is hardware acceleration (or what Broadcom calls CTF). From my understanding, KONG DD-WRT does not have a working implementation of this.

This is because i need strong WAN to LAN throughput or i lose a lot of bandwidth which i have (my WAN speed is 1 Gbps)

The reason why i'm considering a stronger processor is because i've got this impression that IDS/IPS is quite CPU intensive.

You guys have any further thoughts on my points mentioned?

Already Kong is testing CTF (renamed as DD-WRT Turbo Boost) on R7000 having impressive result, maybe available very soon. Ddwrt has a bright future.

 

[Cxpher]

Already Kong is testing CTF (renamed as DD-WRT Turbo Boost) on R7000 having impressive result, maybe available very soon. Ddwrt has a bright future.

If CTF works well on Kong, i'm going straight to that.