Geekzone: technology news, blogs, forums


67 posts

Master Geek
+1 received by user: 5


Topic # 232233 5-Apr-2018 22:56
Hey there, GZers!

I'm setting up a new home lab. As the title says, which would you choose? Sophos' UTM or pfSense's... well, pfSense


3558 posts

Uber Geek
+1 received by user: 1304

Subscriber

  Reply # 1989111 5-Apr-2018 23:01
One person supports this post

Depends what you want to lab I suppose.

Personally for me, my work lab is for phones, pbx's, ATA's etc.
So a decent router is all that is required (mikrotik in my case... because... well they are just the best).

If you wanted to screw around with proxy'ing or complex dns servers or something, then pfSense for the pure 'hackability' of it.



67 posts

Master Geek
+1 received by user: 5


  Reply # 1989113 5-Apr-2018 23:07

chevrolux: Depends what you want to lab I suppose.

Personally for me, my work lab is for phones, pbx's, ATA's etc.
So a decent router is all that is required (mikrotik in my case... because... well they are just the best).

If you wanted to screw around with proxy'ing or complex dns servers or something, then pfSense for the pure 'hackability' of it.

I should probably mention this will all be virtualised in ESXi (on an OVH box, so it's an out-of-home home lab), so no routerOS for me :(

In any case, it does need to support being virtualised, or I'd be using my USG all day long


219 posts

Master Geek
+1 received by user: 50


  Reply # 1989163 6-Apr-2018 06:21

I use Sophos at home and have just been toying with the HA setup on a couple of servers and it works great. I have also tried Sophos in a virtual environment and it works; a friend of mine has virtualised both UTM9 and XG and has used them for a year or 2 now.


1991 posts

Uber Geek
+1 received by user: 751

Trusted

  Reply # 1989165 6-Apr-2018 06:37

Edit: Forum bit was wrong, removed it.

Are you doing this to have a home router where you have to configure each feature yourself and understand/learn what you're doing to make it work?

Or do you want something that's just set-and-forget and just works never-have-to-touch-it?

If you want something to really tinker with, pfSense. It has addon packages and all sorts of interesting nooks and crannies to go poking in.

Sophos, not so much. Most of the hard decisions are abstracted behind a nice click GUI.

It's a bit like do you want a Linux system or a nice Mac System that "just works"?

If you really want to get your hands dirty, look at Vyos. It's a CLI router

Note: I use pfSense and have not ever tried Sophos, so please take my bias into account! pfSense works great virtualised (both vmware and kvm), in fact I have not used it on baremetal yet :)


3558 posts

Uber Geek
+1 received by user: 1304

Subscriber

  Reply # 1989172 6-Apr-2018 07:17

Sounds like pfSense is what you want.

For what it's worth, RouterOS has an x86 build which works really well virtualised - it is paid though.

Edit: Also, why ESXi? Is that all the VPS service lets you use?
VMware is really cool when you have vSphere and all the fancy (expensive) stuff set up, but for basic virtualisation it's a bit meh. Have a look at Proxmox - Debian based, qemu virtualisation, virtio driver support, nice pretty web GUI etc.


309 posts

Ultimate Geek
+1 received by user: 69


  Reply # 1989189 6-Apr-2018 08:07

What is the goal of the firewall in this home lab?




67 posts

Master Geek
+1 received by user: 5


  Reply # 1989276 6-Apr-2018 10:19

vulcannz: What is the goal of the firewall in this home lab?

To be a full UTM. I'm now also considering pfSense and Microsoft Forefront TMG paired together. pfSense can do it on its own, but then you run into the fact it's using ClamAV for scanning, whereas Sophos UTM uses... well, Sophos

chevrolux: Sounds like pfSense is what you want.

For what it's worth, RouterOS has an x86 build which works really well virtualised - it is paid though.

Edit: Also, why ESXi? Is that all the VPS service lets you use?
VMware is really cool when you have vSphere and all the fancy (expensive) stuff set up, but for basic virtualisation it's a bit meh. Have a look at Proxmox - Debian based, qemu virtualisation, virtio driver support, nice pretty web GUI etc.

I prefer ESXi for the point and click nature of creating a dummy network interface for an internal network. If I could do that with KVM I'd drop ESXi completely and go back to RHEL7.

muppet: Edit: Forum bit was wrong, removed it.

Are you doing this to have a home router where you have to configure each feature yourself and understand/learn what you're doing to make it work?

Or do you want something that's just set-and-forget and just works never-have-to-touch-it?

If you want something to really tinker with, pfSense. It has addon packages and all sorts of interesting nooks and crannies to go poking in.

Sophos, not so much. Most of the hard decisions are abstracted behind a nice click GUI.

It's a bit like do you want a Linux system or a nice Mac System that "just works"?

If you really want to get your hands dirty, look at Vyos. It's a CLI router

Note: I use pfSense and have not ever tried Sophos, so please take my bias into account! pfSense works great virtualised (both vmware and kvm), in fact I have not used it on baremetal yet :)

I'm doing it to protect the VMs that will be exposed on the OVH hypervisor. So in that sense, I'd be using it as a UTM. I bit the bullet and installed Sophos UTM and woke up today with 30 emails from the firewall, so I might just go back to pf. I love pfSense, same as you. I've also had pf running on baremetal and it runs exceptionally well with Realtek cards.


83 posts

Master Geek
+1 received by user: 8


  Reply # 1989277 6-Apr-2018 10:20

TheoM: To be a full UTM. I'm now also considering pfSense and Microsoft Forefront TMG paired together. pfSense can do it on its own, but then you run into the fact it's using ClamAV for scanning, whereas Sophos UTM uses... well, Sophos

Forefront TMG is end of life...

I've used Sophos UTM9 and XG, currently using XG. You can change the AV engine to use Sophos or Avira.

 

 


1454 posts

Uber Geek
+1 received by user: 140

Subscriber

  Reply # 1989334 6-Apr-2018 11:02

Just to muddy the waters, what about Untangle?  I haven't tried running it virtualised but it is supported:

https://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware

I run it at home, have done for several years.  Rock solid and feature rich.  Can be free or paid (for better anti-virus, etc.)


309 posts

Ultimate Geek
+1 received by user: 69


  Reply # 1989337 6-Apr-2018 11:14

Just be aware that performance for UTM on either will be a bit CPU hungry. Most good UTM boxes will use an ASIC or custom CPU to attain good UTM performance.

I have always found pfSense a bit of a mishmash of plugins - that often impacts on performance and the security of a product (you never see them submitted into major testing places like NSS Labs).

I'm not a Sophos fan, but that is the way I'd probably go between the two (fwiw firewalls are what I live and breathe).




67 posts

Master Geek
+1 received by user: 5


  Reply # 1989366 6-Apr-2018 11:20

timbosan: Just to muddy the waters, what about Untangle?  I haven't tried running it virtualised but it is supported:

https://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware

I run it at home, have done for several years.  Rock solid and feature rich.  Can be free or paid (for better anti-virus, etc.)

Better AV? How so?

vulcannz: Just be aware that performance for UTM on either will be a bit CPU hungry. Most good UTM boxes will use an ASIC or custom CPU to attain good UTM performance.

I have always found pfSense a bit of a mishmash of plugins - that often impacts on performance and the security of a product (you never see them submitted into major testing places like NSS Labs).

I'm not a Sophos fan, but that is the way I'd probably go between the two (fwiw firewalls are what I live and breathe).

It shouldn't matter too much. E7 CPUs ftw!


1454 posts

Uber Geek
+1 received by user: 140

Subscriber

  Reply # 1989399 6-Apr-2018 11:33

TheoM: Better AV? How so?

Sorry, I wasn't clear, I meant that the paid Untangle AV is better than the free Untangle AV.  Not better than other products.

Free = ClamAV. https://wiki.untangle.com/index.php/Virus_Blocker_Lite 
Paid = Untangle threat intelligence database + Bitdefender's signature database + heuristic scan + dynamic analysis. https://wiki.untangle.com/index.php/Virus_Blocker 

Untangle Support says Bitdefender is in the top 10 - https://support.untangle.com/hc/en-us/articles/201766697-How-does-Virus-Blocker-compare-to-brand-name-virus-blockers- 


309 posts

Ultimate Geek
+1 received by user: 69


  Reply # 1989410 6-Apr-2018 11:56

timbosan: TheoM: Better AV? How so?

Sorry, I wasn't clear, I meant that the paid Untangle AV is better than the free Untangle AV.  Not better than other products.

Free = ClamAV. https://wiki.untangle.com/index.php/Virus_Blocker_Lite
Paid = Untangle threat intelligence database + Bitdefender's signature database + heuristic scan + dynamic analysis. https://wiki.untangle.com/index.php/Virus_Blocker

Untangle Support says Bitdefender is in the top 10 - https://support.untangle.com/hc/en-us/articles/201766697-How-does-Virus-Blocker-compare-to-brand-name-virus-blockers-

Moot point tbh, SSL Decryptor for Untangle "starts" at $10us per month (I think this is a standard feature on Sophos). I also don't see what the restrictions for file size and concurrent session scan limits are (which are always there for proxy based engines), and I do not see any sandbox technology in their AV layer (think you pay for that on Sophos, but at least you have the option).

No SSL decrypt and no sandbox = your firewall AV is meh.


2095 posts

Uber Geek
+1 received by user: 509


  Reply # 1989411 6-Apr-2018 11:56

UTM is great and a lot more user friendly for long term home lab usage.

I have been running a UTM VM as my gigabit UFB router for a year and a half now and it works great and is very reliable.


1454 posts

Uber Geek
+1 received by user: 140

Subscriber

  Reply # 1989417 6-Apr-2018 12:02

Moot point tbh, SSL Decryptor for Untangle "starts" at $10us per month (I think this is a standard feature on Sophos). I also don't see what the restrictions for file size and concurrent session scan limits are (which are always there for proxy based engines), and I do not see any sandbox technology in their AV layer (think you pay for that on Sophos, but at least you have the option).

No SSL decrypt and no sandbox = your firewall AV is meh.

Interesting stuff!  I see XG is available free, and runs similar to Untangle (on a dedicated PC with dual NICs), I will have to look into this more.

