Geekzone: technology news, blogs, forums
Topic # 232233 5-Apr-2018 22:56

Hey there, GZers!

I'm setting up a new home lab. As the title says, which would you choose? Sophos' UTM or pfSense's... well, pfSense


  Reply # 1989111 5-Apr-2018 23:01

Depends what you want to lab I suppose.

Personally for me, my work lab is for phones, PBXs, ATAs etc.
So a decent router is all that is required (MikroTik in my case... because... well they are just the best).

If you wanted to screw around with proxying or complex DNS servers or something, then pfSense for the pure 'hackability' of it.



  Reply # 1989113 5-Apr-2018 23:07

chevrolux: Depends what you want to lab I suppose.
Personally for me, my work lab is for phones, PBXs, ATAs etc.
So a decent router is all that is required (MikroTik in my case... because... well they are just the best).
If you wanted to screw around with proxying or complex DNS servers or something, then pfSense for the pure 'hackability' of it.

I should probably mention this will all be virtualised in ESXi (on an OVH box, so it's an out-of-home home lab), so no RouterOS for me :(

In any case, it does need to support being virtualised, or I'd be using my USG all day long.

  Reply # 1989163 6-Apr-2018 06:21

I use Sophos at home and have just been toying with the HA setup on a couple of servers, and it works great. I have also tried Sophos in a virtual environment and it works. A friend of mine has virtualised both UTM9 and XG and has used them for a year or two now.


  Reply # 1989165 6-Apr-2018 06:37

Edit: Forum bit was wrong, removed it.

Are you doing this to have a home router where you have to configure each feature yourself and understand/learn what you're doing to make it work?

Or do you want something that's just set-and-forget and just works, never-have-to-touch-it?

If you want something to really tinker with, pfSense. It has add-on packages and all sorts of interesting nooks and crannies to go poking in.

Sophos, not so much. Most of the hard decisions are abstracted behind a nice click GUI.

It's a bit like: do you want a Linux system or a nice Mac system that "just works"?

If you really want to get your hands dirty, look at VyOS. It's a CLI router.

Note: I use pfSense and have not ever tried Sophos, so please take my bias into account! pfSense works great virtualised (both VMware and KVM); in fact I have not used it on bare metal yet :)


  Reply # 1989172 6-Apr-2018 07:17

Sounds like pfSense is what you want.

For what it's worth, RouterOS has an x86 build which works really well virtualised - it is paid though.

Edit: Also, why ESXi? Is that all the VPS service lets you use?
VMware is really cool when you have vSphere and all the fancy (expensive) stuff set up, but for basic virtualisation it's a bit meh. Have a look at Proxmox - Debian based, QEMU virtualisation, virtio driver support, nice pretty web GUI etc.


  Reply # 1989189 6-Apr-2018 08:07

What is the goal of the firewall in this home lab?

  Reply # 1989276 6-Apr-2018 10:19

vulcannz: What is the goal of the firewall in this home lab?

To be a full UTM. I'm now also considering pfSense and Microsoft Forefront TMG paired together. pfSense can do it on its own, but then you run into the fact it's using ClamAV for scanning, whereas Sophos UTM uses... well, Sophos.

chevrolux: Sounds like pfSense is what you want.
For what it's worth, RouterOS has an x86 build which works really well virtualised - it is paid though.
Edit: Also, why ESXi? Is that all the VPS service lets you use?
VMware is really cool when you have vSphere and all the fancy (expensive) stuff set up, but for basic virtualisation it's a bit meh. Have a look at Proxmox - Debian based, QEMU virtualisation, virtio driver support, nice pretty web GUI etc.

I prefer ESXi for the point-and-click nature of creating a dummy network interface for an internal network. If I could do that with KVM I'd drop ESXi completely and go back to RHEL7.

muppet: Edit: Forum bit was wrong, removed it.
Are you doing this to have a home router where you have to configure each feature yourself and understand/learn what you're doing to make it work?
Or do you want something that's just set-and-forget and just works, never-have-to-touch-it?
If you want something to really tinker with, pfSense. It has add-on packages and all sorts of interesting nooks and crannies to go poking in.
Sophos, not so much. Most of the hard decisions are abstracted behind a nice click GUI.
It's a bit like: do you want a Linux system or a nice Mac system that "just works"?
If you really want to get your hands dirty, look at VyOS. It's a CLI router.
Note: I use pfSense and have not ever tried Sophos, so please take my bias into account! pfSense works great virtualised (both VMware and KVM); in fact I have not used it on bare metal yet :)

I'm doing it to protect the VMs that will be exposed on the OVH hypervisor. So in that sense, I'd be using it as a UTM. I bit the bullet and installed Sophos UTM and woke up today with 30 emails from the firewall, so I might just go back to pf. I love pfSense, same as you. I've also had pf running on bare metal and it runs exceptionally well with Realtek cards.


  Reply # 1989277 6-Apr-2018 10:20

TheoM: To be a full UTM. I'm now also considering pfSense and Microsoft Forefront TMG paired together. pfSense can do it on its own, but then you run into the fact it's using ClamAV for scanning, whereas Sophos UTM uses... well, Sophos.

Forefront TMG is end of life...

I've used Sophos UTM9 and XG, currently using XG. You can change the AV engine to use Sophos or Avira.

  Reply # 1989334 6-Apr-2018 11:02

Just to muddy the waters, what about Untangle?  I haven't tried running it virtualised but it is supported:

https://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware

I run it at home, have done for several years.  Rock solid and feature rich.  Can be free or paid (for better anti-virus, etc.)


  Reply # 1989337 6-Apr-2018 11:14

Just be aware that performance for UTM on either will be a bit CPU hungry. Most good UTM boxes will use an ASIC or custom CPU to attain good UTM performance.

I have always found pfSense a bit of a mishmash of plugins - that often impacts on performance and the security of a product (you never see them submitted into major testing places like NSS Labs).

I'm not a Sophos fan, but that is the way I'd probably go between the two (fwiw firewalls are what I live and breathe).

  Reply # 1989366 6-Apr-2018 11:20

timbosan: Just to muddy the waters, what about Untangle? I haven't tried running it virtualised but it is supported:
https://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware
I run it at home, have done for several years. Rock solid and feature rich. Can be free or paid (for better anti-virus, etc.)

Better AV? How so?

vulcannz: Just be aware that performance for UTM on either will be a bit CPU hungry. Most good UTM boxes will use an ASIC or custom CPU to attain good UTM performance.
I have always found pfSense a bit of a mishmash of plugins - that often impacts on performance and the security of a product (you never see them submitted into major testing places like NSS Labs).
I'm not a Sophos fan, but that is the way I'd probably go between the two (fwiw firewalls are what I live and breathe).

It shouldn't matter too much. E7 CPUs ftw!


  Reply # 1989399 6-Apr-2018 11:33

TheoM: Better AV? How so?

Sorry, I wasn't clear, I meant that the paid Untangle AV is better than the free Untangle AV. Not better than other products.

Free = ClamAV. https://wiki.untangle.com/index.php/Virus_Blocker_Lite
Paid = Untangle threat intelligence database + Bitdefender's signature database + heuristic scan + dynamic analysis. https://wiki.untangle.com/index.php/Virus_Blocker

Untangle Support says Bitdefender is in the top 10 - https://support.untangle.com/hc/en-us/articles/201766697-How-does-Virus-Blocker-compare-to-brand-name-virus-blockers-


  Reply # 1989410 6-Apr-2018 11:56

timbosan:
TheoM: Better AV? How so?
Sorry, I wasn't clear, I meant that the paid Untangle AV is better than the free Untangle AV. Not better than other products.
Free = ClamAV. https://wiki.untangle.com/index.php/Virus_Blocker_Lite
Paid = Untangle threat intelligence database + Bitdefender's signature database + heuristic scan + dynamic analysis. https://wiki.untangle.com/index.php/Virus_Blocker
Untangle Support says Bitdefender is in the top 10 - https://support.untangle.com/hc/en-us/articles/201766697-How-does-Virus-Blocker-compare-to-brand-name-virus-blockers-

Moot point tbh, SSL Decryptor for Untangle "starts" at US$10 per month (I think this is a standard feature on Sophos). I also don't see what the restrictions for file size and concurrent session scan limits are (which are always there for proxy-based engines), and I do not see any sandbox technology in their AV layer (I think you pay for that on Sophos, but at least you have the option).

No SSL decrypt and no sandbox = your firewall AV is meh.


  Reply # 1989411 6-Apr-2018 11:56

UTM is great and a lot more user friendly for long term home lab usage.

I have been running a UTM VM as my gigabit UFB router for a year and a half now and it works great and is very reliable.


  Reply # 1989417 6-Apr-2018 12:02

vulcannz: Moot point tbh, SSL Decryptor for Untangle "starts" at US$10 per month (I think this is a standard feature on Sophos). I also don't see what the restrictions for file size and concurrent session scan limits are (which are always there for proxy-based engines), and I do not see any sandbox technology in their AV layer (I think you pay for that on Sophos, but at least you have the option).
No SSL decrypt and no sandbox = your firewall AV is meh.

Interesting stuff! I see XG is available free, and runs similar to Untangle (on a dedicated PC with dual NICs), I will have to look into this more.

