XG Firewall Home better h/w: UTM 110/120 Rev5 or XG 115 Rev2 ?

Hey guys, I'm fairly new to Sophos and I'm trying to get a home router in place with a decent firewall, L2TP over IPsec VPN without 3rd-party clients, and something around 100 Mbit down and 10 Mbit up in performance.

Right now I'm using a generic Asus home wireless router, and I will be changing that to be an access point only, and I'm either considering Sophos or something else that's fairly easy to set up, for example, a ubnt EdgeRouter.

So my question is, without spending a bunch of money, I can get some used UTM 110/120 rev5 (still the newest, I think?) or an XG 115 rev2 (one model older than the refreshed rev3), and I will be trying to install XG Firewall Home on it, and I was just wondering which of these hardware boxes (or maybe something different?) would be a better fit?

Edit: From the specs pages, it looks like the XG 115 r2 can do 350 Mbit VPN compared to 180 Mbit for the UTM 110/120 r5, so it seems the XG is the better unit even though they look virtually the same?

I'd like it to be stable, of course; I don't need wireless, and I'm alright with opening the box up, replacing the SSD, etc. It also has to be fanless because it will be sitting next to my PC :)

Any suggestions?

Thanks in advance!



  • Hi,

    to be honest, you will most likely achieve more performance with some "home made" XG Home.

    You can use up to 4 cores and 6 GB RAM with the Home License. The UTM120 and XG115 do not have such hardware.

    Check out the other guys with home-built XGs.

    https://community.sophos.com/products/xg-firewall/f/hardware

    Or ask Ian ;)

  • True, but if I can spend $150 on a used UTM or XG, I would not be able to build one for that :)

    And I think the performance that I'm looking for should be easily achievable by the above 2 units: 100 Mbit down (full-time firewalled), and 10 Mbit up (for when the VPN is running for remote access).

  • Hi,

    the question for you is how many devices will be on your network and what will they be doing? How much experimentation will you be doing with the XG to tweak its performance?

    Yes, you would be very hard pressed to make a home unit for $150, but from other discussions, modifying existing Sophos hardware is a bit risky because they're not straight PCs.

    Ian

  • I'm not worried about experimenting a little, and this would be a home router anyway, but I just wanted to make sure ...

    1) XG 115 rev2 is faster than the UTM 110/120 rev5.

    2) I can load SW-17.1.3_MR-3-250 XG Home on an XG with a swapped SSD.

    3) It will do at least 100 Mbit L2TP/IPsec VPN.

  • Hi,

    they both will do what you want. The reason I ask about the experimentation is the speed of the updates to the configuration.

    Ian

  • Can you elaborate on that last statement?

    Do you mean there are often new updates and they might not work, or cannot upgrade existing configurations?

  • Hi,

    I built a low-power (10 W) device using a commercial box with a J1900 (quad-core Celeron), 6 GB RAM, 4 Intel NICs and an SSD, and found the XG GUI quite slow when updating rules etc.; that is what that comment is about. The box was very responsive to user web-surfing requests.

    Ian

  • Interesting, I wonder how well the "official" XG 115 units run then ...

    The new one uses an Intel Atom E3940 @ 1.60GHz, almost identical to the J1900.

  • I am still struggling with the fact of an "eBay appliance".

    XG is shipped in the commercial version with a Base License until year 2999. The Base license has VPN (IPsec/SSL remote access, site-to-site) included. But you cannot use any other module like Web filter, IPS etc. They are bound to either subscriptions or XG Home.

    So you could run this with the bought version in your scenario. But I do not know what you will get from the eBay vendor. I cannot comment on the source of this device.

    Home is bound to Software Appliances only, so you would have to "reinstall" the hardware appliance with the XG Software ISO. Otherwise the hardware image will decline the Home License / SN.

  • Correct, I was thinking about re-installing the XG Home from an ISO and running that way.

    This should give me all the new features, and VPN access, etc.

  • Hi Martin,

    correct, you might need to search the XG forums for advice if your replacement disk does not install correctly.

    The newer chip, while slower, should perform better because some of the newer security features are built in.

    Please update us on how you go.

    Ian

  • Ok, I will play around with the XG on a VM and go from there.

    Can the XG hardware host the UTM 9.1 Home Firewall as well?

    Just wondering, I’m guessing the interface would be more responsive ...

  • Hi Martin,

    I believe so.

    Both firewalls work well on a VM. I have in the past run both on a VM, but to reduce the heat and power I went for a lower power box which works well. 

    Ian

  • I don't want to steer off topic here, but I'm just testing UTM9 on a VM, and how can this firewall rule possibly allow L2TP over IPsec from outside on WAN?

    Any to Any is set to Drop ...

  • Hi Martin,

    are you saying it is allowing it? What does the VPN tab show? If you configured it during the installation as default, the rules will be hidden and have a higher priority than 1.

    A minor thing: rule 6 should be internal any any drop/reject.

    Ian

  • Maybe I'm not understanding the firewall and it works differently than on other systems ... :)

    I created an L2TP server on the UTM, and I'm running it virtually with 2 NICs bridged. The other options such as reply to pings, etc., all seem to work, although after playing with it for a brief period only, I could not get the pings set up in a way where it would not respond to pings from WAN, but would respond to pings from LAN interfaces. (Of course I could set up firewall rules for that ..)

    But what's happening is that under firewall, I select Show all rules, there are only the automatically set-up ones, and I disabled all of them and left any-any-drop, and I can connect to my WAN interface L2TP server just fine ...

    EDIT: After I enable spoof protection it blocks access ...

    I'm assuming things don't work properly because it's running on a VM and I'm testing from that same system that the VM is running on ...

    I see ... it's using my aliased .10.x instead of .12.x to connect to .12.70 (UTM):

    Spoofed packet UDP 192.168.10.75 : 500 → 192.168.12.70 : 500
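
The spoof-protection drop in the log line above comes down to a source address that belongs to a different interface's network than the one the packet arrived on. The following is an added example (not Sophos code) of that check in Python; the interface table is an assumption (eth1 = 192.168.12.0/24 external, eth0 = 192.168.10.0/24 internal), and the log format is the one quoted in the post:

```python
import ipaddress
import re

# Constructed interface table for the bridged-VM setup described above.
# The subnets are assumptions: the thread only shows the UTM at 192.168.12.70
# and the host also carrying a 192.168.10.x alias.
INTERFACES = {
    "eth1": ipaddress.ip_network("192.168.12.0/24"),  # assumed external (WAN) leg
    "eth0": ipaddress.ip_network("192.168.10.0/24"),  # assumed internal (LAN) leg
}

# Matches the packet-filter log line quoted in the post, e.g.
# "Spoofed packet UDP 192.168.10.75 : 500 → 192.168.12.70 : 500"
LOG_RE = re.compile(
    r"Spoofed packet (?P<proto>\w+) (?P<src>[\d.]+) : (?P<sport>\d+) "
    r"(?:→|->) (?P<dst>[\d.]+) : (?P<dport>\d+)"
)


def parse_spoof_log(line):
    """Return the fields of a 'Spoofed packet' log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_spoofed(ingress, src, interfaces=INTERFACES):
    """Spoof-protection check: a packet is spoofed when its source address
    belongs to the network of some interface other than the one it arrived on."""
    src = ipaddress.ip_address(src)
    return any(src in net for name, net in interfaces.items() if name != ingress)


def explain(line, ingress, interfaces=INTERFACES):
    """Parse a log line and report whether it is spoofed for the given ingress
    interface and which interface's network the source address belongs to."""
    pkt = parse_spoof_log(line)
    if pkt is None:
        return None
    owner = next((n for n, net in interfaces.items() if pkt["src"] in net), None)
    return {"spoofed": is_spoofed(ingress, pkt["src"], interfaces), "belongs_to": owner}
```

For the quoted line arriving on the external leg, the source 192.168.10.75 belongs to the internal network, which is exactly why the aliased address is rejected until the client binds to its .12.x address.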

  • So far so good, I was able to purchase a Sophos XG 115 rev 2 from ebay.com for about $130 USD shipped, which I think was an excellent deal :) It was apparently first purchased in 2017.

    Once I receive it I’ll see what to do; right now it runs 17.1.1 MR-1.

  • Ok, I was playing around with my "new" XG115 and it came with 17.1.1 MR-1 with an expired license (no surprise there).

    So I downloaded 4 ISOs, XG HW, XG SW, UTM HW, UTM SW, and here are my findings ...

    XG HW - works and restores the appliance to factory firmware; won't work because the license is expired, and the home license doesn't work.

    XG SW - works great, you install the Home serial and it will expire in year 2999, so a good choice, maybe the best out of all 4?

    UTM HW - works as well, you just need to remove /etc/asg and register with the UTM Home license. Install fix same as below.

    UTM SW - works great, use the Home license, will expire in 3 years. Use the "mount /dev/sdb1 /install" fix when installing from USB.

    No surprise both UTM ISOs work as they are virtually identical in contents, but what is surprising is that the XG SW knows it's running on a real appliance and will configure itself for it.

  • I believe the answer to this question is:

    UTM 110/120 Rev5 is slower (hardware-wise) than an XG 115 Rev2.