Hey there, GZers!
I'm setting up a new home lab. As the title says, which would you choose? Sophos' UTM or pfSense's... well, pfSense
Hi! I'm TheoM, but you know that already. I run Linux mirrors in NZ together with 2degrees. Like a mirror added? PM me!
https://theom.co.nz | https://theom.nz | https://mirrorlist.mirrors.theom.nz | Providing Free Mirrors Since Ages Ago™
chevrolux: Depends what you want to lab I suppose.
Personally for me, my work lab is for phones, pbx's, ATA's etc.
So a decent router is all that is required (mikrotik in my case... because... well they are just the best).
If you wanted to screw around with proxying or complex DNS servers or something, then pfSense for the pure 'hackability' of it.
I should probably mention this will all be virtualised in ESXi (on an OVH box, so it's an out-of-home home lab), so no RouterOS for me.
In any case, it does need to support being virtualised, or I'd be using my USG all day long
I use Sophos at home and have just been toying with the HA setup on a couple of servers, and it works great. I have also tried Sophos in a virtual environment and it works; a friend of mine has virtualised both UTM9 and XG and has used them for a year or two now.
Edit: Forum bit was wrong, removed it.
Are you doing this to have a home router where you have to configure each feature yourself and understand/learn what you're doing to make it work?
Or do you want something that's just set-and-forget and just works never-have-to-touch-it?
If you want something to really tinker with, pfSense. It has addon packages and all sorts of interesting nooks and crannies to go poking in.
Sophos, not so much. Most of the hard decisions are abstracted behind a nice click GUI.
It's a bit like do you want a Linux system or a nice Mac System that "just works"?
If you really want to get your hands dirty, look at Vyos. It's a CLI router
Note: I use pfSense and have not ever tried Sophos, so please keep my bias into account! pfSense works great virtualised (both vmware and kvm), in fact I have not used it on baremetal yet :)
Sounds like pfSense is what you want.
For what it's worth, RouterOS has an x86 build which works really well virtualised - it is paid though.
Edit: Also, why ESXi? Is that all the VPS service lets you use?
VMware is really cool when you have vSphere and all the fancy (expensive) stuff set up, but for basic virtualisation it's a bit meh. Have a look at Proxmox - debian based, qemu virtualisation, virtio driver support, nice pretty web GUI etc.
What is the goal of the firewall in this home lab?
vulcannz:
What is the goal of the firewall in this home lab?
To be a full UTM. I'm now also considering pfSense and Microsoft Forefront TMG paired together. pfSense can do it on its own, but then you run into the fact it's using ClamAV for scanning, whereas Sophos UTM uses... well, Sophos.
chevrolux:
Sounds like pfSense is what you want.
For what it's worth, RouterOS has an x86 build which works really well virtualised - it is paid though.
Edit: Also, why ESXi? Is that all the VPS service lets you use?
VMware is really cool when you have vSphere and all the fancy (expensive) stuff set up, but for basic virtualisation it's a bit meh. Have a look at Proxmox - debian based, qemu virtualisation, virtio driver support, nice pretty web GUI etc.
I prefer ESXi for the point and click nature of creating a dummy network interface for an internal network. If I could do that with KVM I'd drop ESXi completely and go back to RHEL7.
muppet:
Edit: Forum bit was wrong, removed it.
Are you doing this to have a home router where you have to configure each feature yourself and understand/learn what you're doing to make it work?
Or do you want something that's just set-and-forget and just works never-have-to-touch-it?
If you want something to really tinker with, pfSense. It has addon packages and all sorts of interesting nooks and crannies to go poking in.
Sophos, not so much. Most of the hard decisions are abstracted behind a nice click GUI.
It's a bit like do you want a Linux system or a nice Mac System that "just works"?
If you really want to get your hands dirty, look at Vyos. It's a CLI router
Note: I use pfSense and have not ever tried Sophos, so please keep my bias into account! pfSense works great virtualised (both vmware and kvm), in fact I have not used it on baremetal yet :)
I'm doing it to protect the VMs that will be exposed on the OVH hypervisor. So in that sense, I'd be using it as a UTM. I bit the bullet and installed Sophos UTM and woke up today with 30 emails from the firewall, so I might just go back to pf. I love pfSense, same as you. I've also had pf running on baremetal and it runs exceptionally well with Realtek cards.
TheoM:
To be a full UTM. I'm now also considering pfSense and Microsoft Forefront TMG paired together. pfSense can do it on its own, but then you run into the fact it's using ClamAV for scanning, whereas Sophos UTM uses... well, Sophos.
Forefront TMG is end of life...
I've used Sophos UTM9 and XG, and am currently using XG. You can change the AV engine to use Sophos or Avira.
Just to muddy the waters, what about Untangle? I haven't tried running it virtualised but it is supported:
https://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware
I run it at home, have done for several years. Rock solid and feature rich. Can be free or paid (for better anti-virus, etc.)
Just be aware that performance for UTM on either will be a bit CPU hungry. Most good UTM boxes will use an ASIC or custom CPU to attain good UTM performance.
I have always found pfSense a bit of a mishmash of plugins - that often impacts the performance and the security of a product (you never see them submitted to major testing places like NSS Labs).
I'm not a Sophos fan, but that is the way I'd probably go between the two (FWIW, firewalls are what I live and breathe).
timbosan:
Just to muddy the waters, what about Untangle? I haven't tried running it virtualised but it is supported:
https://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware
I run it at home, have done for several years. Rock solid and feature rich. Can be free or paid (for better anti-virus, etc.)
Better AV? How so?
vulcannz:
Just be aware that performance for UTM on either will be a bit CPU hungry. Most good UTM boxes will use an ASIC or custom CPU to attain good UTM performance.
I have always found pfSense a bit of a mishmash of plugins - that often impacts the performance and the security of a product (you never see them submitted to major testing places like NSS Labs).
I'm not a Sophos fan, but that is the way I'd probably go between the two (FWIW, firewalls are what I live and breathe).
It shouldn't matter too much. E7 CPUs ftw!
TheoM:
Better AV? How so?
timbosan:
TheoM:
Better AV? How so?
Sorry, I wasn't clear. I meant that the paid Untangle AV is better than the free Untangle AV, not better than other products.
Free = ClamAV. https://wiki.untangle.com/index.php/Virus_Blocker_Lite
Paid = Untangle threat intelligence database + Bitdefender's signature database + heuristic scan + dynamic analysis. https://wiki.untangle.com/index.php/Virus_Blocker
Untangle Support says Bitdefender is in the top 10 - https://support.untangle.com/hc/en-us/articles/201766697-How-does-Virus-Blocker-compare-to-brand-name-virus-blockers-
Moot point tbh. SSL Decryptor for Untangle "starts" at US$10 per month (I think this is a standard feature on Sophos). I also don't see what the restrictions on file size and concurrent-session scan limits are (which are always there for proxy-based engines), and I do not see any sandbox technology in their AV layer (I think you pay for that on Sophos, but at least you have the option).
No SSL decrypt and no sandbox = your firewall AV is meh.
UTM is great and a lot more user friendly for long term home lab usage.
I have been running a UTM VM as my gigabit UFB router for a year and a half now, and it works great and is very reliable.