pfSense/Sophos vs ASUSWRT/RMerlin - Is there any reason to change?

[dunkin]

Look at the sophos forums and read about all the users who have migrated from utm to XG. A lot of complaints of either missing functionality or wierd gui based issues. I'd advise to stay away from it for now tbh.

Sent from my D6603 using Tapatalk

If you are a new Sophos user, I don't think it is a good decision to pick up the old UTM 9 as it will eventually be replaced by the new version. Then you will have to migrate from UTM to XG and face the new "wired" GUI again.

 

[dunkin]

What or Why should one choose XG over UTM? I don't care about the GUI - I am ONLY interested in the network security part so to speak....?

For IPS, both versions use snort and a same set of policies defined by Sophos. I realized that XG 15 used snort_inline which had worse performance than the version used in UTM. However the issue has been solved in XG 16 that snort is used to replace snort_inline.

 

[zoomee]

I'll take stability over 'looks' any day bud. I believe Sophos are still developing the UTM to XG migration tool and havn't yet released it- its all still too new to jump into. They also state clearly that they will continue to develop and update the UTM version - I'd much rather have a stable well tested product.

FAQ's: https://blogs.sophos.com/2015/11/09/xg-firewall-faq/

https://community.sophos.com/produc...ll-and-xg-utm-and-how-does-it-compare-to-utm9

and lastly a good ol reddit thread for impartiality:
https://www.reddit.com/r/homelab/comments/41vcpd/sophos_utm_vs_sophos_xg/

and a blog from March 2016 highlighting the exact differences:
http://www.internalit.ca/blog/post/sf-os

 

[Bamsefar]

Anyone have any good h/w recommendation for sophos? I seem to need 4-5 ethernet ports...

 

[zoomee]

Something like one of these bud: https://www.amazon.com/dp/B01MEGSMRZ/?tag=snbforums-20

J1900 cpu should be more than capable and 4 x intel nic's are great. Low power useage and tiny to boot

 

[Nullity]

Got proof against any current build? Or is is this just locker room chat?

pfSense, like any firewall, might have vulns,... but every platform does...

Unless ports are forwarded/open, I bet ANY firewall, consumer or otherwise, is more than secure enough. Has there ever been a remotely exploitable vuln in iptables or pf?

Once services are added and ports are open, the administrator now has most of the responsibility for securing the network, though, the OS needs to have safe, sane defaults...

https://xkcd.com/293/

 

[Bamsefar]

I'm a bit of a nerd so I thought I might test the 8 core Intel C2758 series Rangeley based board. Any comments on this one:
http://www.supermicro.com/products/motherboard/atom/x10/a1sri-2758f.cfm
http://www.supermicro.com/products/motherboard/atom/x10/a1sri-2758f.cfm
Yea it is most likly way to many cores and all that, but will it do?

 

[zoomee]

Just be warey of them nic's on that board bud - ensure linux drivers are available. Intel ones are usually the ones to go for, with realtek next in line I'd say (but even them can be dodgy I read somewhere!)

 

[Bamsefar]

Hmmm just noted that Sophos seems to miss OpenVPN - not shure I like that....

...so anyone who could correct me, and tell me I need not to worry?

 

[Henk59]

Interesting topic!
I received yesterday my Braswell mini PC.
That was 2-3 weeks sooner as espected.

So I wonder what to install pfsense/sophos but every time it looks that pfsense have a little bit more.
But I would configurate as OpenVPN and disable it in Merlin,
But I don't know if I ran in trouble to do so, because the 'routing' is,
LAN - switches - Merlin - pfsense - Modem - ISP (and not the other way back).

 

[RMerlin]

Hmmm just noted that Sophos seems to miss OpenVPN - not shure I like that....

...so anyone who could correct me, and tell me I need not to worry?

They call it "SSL VPN" AFAIK.

 

[slidermike]

They call it "SSL VPN" AFAIK.

Hmmm just noted that Sophos seems to miss OpenVPN - not shure I like that....

...so anyone who could correct me, and tell me I need not to worry?

I ran an old pc with Sophos UTM 9.x on it for over a year as my home FW.
Awesome product with nearly all features enabled. Some of the more business oriented such as managing Sophos anti-virus clients are disabled on the free ver & its important to know the free home version is limited to 50 active clients. That means 50 separate MAC addressed devices using the WAN.
I never ran into that limit but keep in mind, roku's, smart TV's, any internet connected device counts.
That's an active limit for the free UTM. Not the first 50 MACs it learns. Just 50 active clients simultaneously.

The ONLY reason I turned my router back on as the primary device is because Sophos UTM does not support OpenVPN right through the gui. There is some command line or other work around but in the end after 1 year I just wanted a simple vpn client to connected to Nord which Merlins fork does excellently.

Last two items I want to mention about Sophos UTM.
Its IPS is excellent. It actually alerted me twice in that year to an internal pc that was attempting to reach out and perform suspicious activity on the web. As in contact a command and control server (think botnet). That was very impressive to have it alert & stop that traffic. I was then able to clean the infected device after the fact. No home router has that ability I am aware of.
The learning curve of a true FW like Sophos is not nearly as simple as say a home router or pfSense.

Good luck with whatever you choose.

 

[sfx2000]

Just be warey of them nic's on that board bud - ensure linux drivers are available. Intel ones are usually the ones to go for, with realtek next in line I'd say (but even them can be dodgy I read somewhere!)

The Intel NIC's are very well supported on the board for pfSense...

 

[seanr22a]

I'm running a Netgate SG-2440 pfSense box only addition is snort. Replaced a RT-AC88U because Asus dual-wan don't work .. period. Now I'm running with three WANs with load balancing and failover. Running flawlessly for a couple of months now. This is in Thailand there uptime is bad among the ISPs so that is why 3 WAN.
My home in Sweden have a RT-AC88U with a single WAN and also works flawlessly for my needs. ISP uptime is no issue there.

 

[zoomee]

My 'braswell' mini-pc has been working great with Sophos so far. Must say its far more impressive than what I initially thought allowing FULL control over my network and devices connecting to it.
Once it was all configured I've had no need to return back to it other than to disable content filtering every so often when the kids 'roblox' games need to update on their PC's.

Hasn't skipped a beat for the past couple of months - weekly summary reports are emailed to me and the best bit is that the 'web protection' reverse proxy has well and truely secured my NAS - havn't had a single attack since moving over to Sophos lol!

 

[pilotboy72]

I'm a bit of a nerd so I thought I might test the 8 core Intel C2758 series Rangeley based board. Any comments on this one:
http://www.supermicro.com/products/motherboard/atom/x10/a1sri-2758f.cfm
Yea it is most likly way to many cores and all that, but will it do?

I'm running pfSense on this motherboard. Runs very well. IPMI does not work with Mac though.

 

[pilotboy72]

I read on the Sophos web site that it will only protect up to 50 IP addresses. What does this mean -- are those externally-facing IP addresses, or can you only have 50 IP addresses on your internal network?

 

[Veldkornet]

I read on the Sophos web site that it will only protect up to 50 IP addresses. What does this mean -- are those externally-facing IP addresses, or can you only have 50 IP addresses on your internal network?

Internal. Annoying if you use IPv6 as well internally.

But that limit has been removed with the upgrade to Sophos XG. With XG, the limit is only on the resourcing (CPU, memory etc.).

Sent from my iPhone using Tapatalk

 

[pilotboy72]

My 'braswell' mini-pc has been working great with Sophos so far. Must say its far more impressive than what I initially thought allowing FULL control over my network and devices connecting to it.
Once it was all configured I've had no need to return back to it other than to disable content filtering every so often when the kids 'roblox' games need to update on their PC's.

Hasn't skipped a beat for the past couple of months - weekly summary reports are emailed to me and the best bit is that the 'web protection' reverse proxy has well and truely secured my NAS - havn't had a single attack since moving over to Sophos lol!

What kind of connection do you have? I'm curious to know if it can keep up on a 1GB down connection. My current pfSense firewall is fine with my hardware but this seems to add a lot of additional controls so I'm not sure if I will see any impact at those speeds.

 

[Veldkornet]

The ONLY reason I turned my router back on as the primary device is because Sophos UTM does not support OpenVPN right through the gui. There is some command line or other work around but in the end after 1 year I just wanted a simple vpn client to connected to Nord which Merlins fork does excellently.

Yes it does. It's called SSL VPN. Once configured, you just login with your user account to the user portal from your phone or what ever and download the .ovpn file.

Couldn't be easier.



Sent from my iPhone using Tapatalk