Multi-Gig XG Hardware

Hi All, and thanks in advance for your help. I've been using Sophos XG for about 2 years now and I've absolutely loved it. I just moved into a brand new house and have ATT symmetrical 5Gbps fiber at the same price as my old Xfinity cable internet! 

I have a Zyxel XS1930-12HP and WAX650S already, so all I need is a firewall setup capable of pushing that 5Gbps connection. My current Qotom i3 box had no trouble with 1Gbps lopsided cable at all, but it only has 1Gbe NICs. 

After 2 weeks without a firewall and since heavy reading... I still can't figure out what I should get. Is anyone using "multi-gig" NICs? Preferably the NICs would be able to negotiate 1000/2500/5000 like my other equipment. I know I need Intel, but what chipset?

Does anyone have a mini PC recommendation with 2 NICs minimum and perhaps a newer i5 so I can push those speeds with IPS?

Very grateful for any help, thank you!



  • Hello!

    I recommend that you (if possible) use 10G NICs.

    The Linux Kernel on XG isn't "new", so there's a chance that those 2.5G/5G Multi-Gig NICs won't be detected correctly. (Or won't be detected at all.)

    "Does anyone have a mini PC recommendation with 2 NICs minimum and perhaps a newer i5 so I can push those speeds with IPS?"

    For 5Gbit/s get the fastest 4-core processor you can - doing 5Gbit/s of only IPS will be relatively easy, the main issue there will be if you want to decrypt the TLS Traffic.

    I don't have recommendations on mini-PCs, but if you want to be sure get something like an AMD Ryzen 3300x or i3-10100. (Or if you can find one, get a mini-PC that has an i3-8100.)

    After all that, there are some tweaks you need to do later (after you get your box), such as switching to hyperscan on the IPS engine.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Thanks, Prism! Is there anywhere I can find which 10Gbe NIC chipsets/cards will work? I have seen some threads about people saying for instance the i219 does not work. How about the x550-T2? That seems like a simple and cheap enough 10Gbe RJ45.

  • The current Intel drivers that are supported are: (That I know of)

    • e1000e
    • igb
    • ixgbe

    The x550-T2 uses ixgbe driver which is supported by the Firewall.

    Here's a list of controllers that are used by the ixgbe driver, all of them are at least 10Gbit/s, you can use this to find a network adapter for you. (But I'm not sure if all of them will work, from my experience the X520 and X540 controllers work just fine.)

    • Intel® Ethernet Controller 82598
    • Intel® Ethernet Controller 82599
    • Intel® Ethernet Controller X520
    • Intel® Ethernet Controller X540
    • Intel® Ethernet Controller x550

    And yes, the i219 chipset doesn't work.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.
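A way to check a candidate box against the driver list in the post above before installing the firewall, as an added example that is not part of the original thread. It assumes the machine is booted into a generic Linux live environment with the NIC installed; the function names and the optional sysfs-path argument are hypothetical.

```shell
#!/bin/sh
# Driver names taken from the forum post: the Intel drivers the poster
# reports as supported by the firewall.
SUPPORTED_DRIVERS="e1000e igb ixgbe"

# classify_driver NAME
# Prints "listed" when NAME is on the post's list, otherwise "not-listed".
# "listed" only means the driver family is on the list; the thread notes
# the firewall's older kernel may still fail to detect a given chipset.
classify_driver() {
    for d in $SUPPORTED_DRIVERS; do
        if [ "$1" = "$d" ]; then
            echo listed
            return 0
        fi
    done
    echo not-listed
}

# nic_report [SYSFS_NET_DIR]
# Prints one line per hardware-backed interface: "<iface> <driver> <status>".
# Interfaces without a device/driver link (loopback, bridges, VLANs) are skipped.
nic_report() {
    net_dir="${1:-/sys/class/net}"
    for path in "$net_dir"/*; do
        [ -e "$path/device/driver" ] || continue
        iface=$(basename "$path")
        # The driver link points at the bound kernel driver's directory;
        # its last path component is the driver name.
        driver=$(basename "$(readlink "$path/device/driver")")
        status=$(classify_driver "$driver")
        echo "$iface $driver $status"
    done
}

# Report on the machine this script runs on.
nic_report
```
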

  • Excellent, thank you so much for your help.

  • I don't know if you can find them, but the x520 are usually much cheaper.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • It looks like the gateway NIC only supports 1/2.5/5Gbe, not 10Gbe, so I think I will have to use the x550 since supposedly it can negotiate 5Gbe

  • For anyone interested in what I ended up building...

    My PC needs an upgrade anyways, so I decided to scrap those parts into my Sophos XG along with some additional equipment. Here will be the final specs of the device. I should know by Sunday night if everything is working, and will update this thread.

    CPU: Core i3-9100

    Motherboard: ASRock Z390M-ITX/AC

    RAM: 2x8GB Corsair Vengeance LPX DDR4 3200MHz C16 (CMK16GX4M2B3200C16)

    Power Supply: Corsair SF600 - 600 Watt Fully Modular 80+ Gold

    Case: Silverstone SST-ML06B-E

    NIC: Vogzone for Intel X550-T2 10Gb NIC / Dual RJ45 PCI-E 3.0 x4 (I'm pretty sure this will work fine in my x16 slot)

    This will be connecting to an ATT BGW320 gateway's 5Gbe port, which will be in IP Passthrough mode.

    The other port will be a trunk port into my Zyxel XS1930-12HP.

    Coming from the Switch:

    A POE++ port on its own VLAN will connect into a Zyxel WAX650S for WiFi. This will feed phones, Amazon fire sticks, etc. Then I'll have 2 more VLANs, one for my work computer and one for my wife's work computer+printer.

    A 3rd VLAN for my gaming PC.

    A 4th VLAN for the TV in the Living Room since it will be right next to the switch, no reason to put it on WiFi.

    A 5th VLAN with all my mini-PC servers running various infrastructure services for the rest of the devices.

    I plan for IPS inspection between each VLAN... let's see if this thing can handle it all and push that 5Gbe on a speedtest!  Once we're there, I'll start seeing how well it can handle SSL decryption.

  • Looks good, but a reminder the Home Edition can use only 6GB of RAM, so it will be a waste to have 16GB on the box.

    And don't forget to enable legacy bios (CSM) on the motherboard, since the Firewall doesn't support UEFI only motherboards.

    Lastly, after installing the Firewall, SSH into it and go to the console (Option 4), then use "set ips search-method hyperscan". *

    * On the Home Edition it defaults to a much slower regex engine.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Ahh, I forgot the RAM limitation. That's just the RAM already in that motherboard. I suppose I could pull one stick... do you think I would get better performance being oversupplied though just due to the dual channel?

    When I search the command I see:

    Set the search method to be used for IPS signature pattern matching.

    ac-bnfa (low memory usage, high performance)

    ac-q (high memory usage, best performance)

    hyperscan (low memory usage, best-performance)

    Is there a good document or easy explanation as to what these different methods are? Am I losing out on deeper inspection with hyperscan? Is ac-q better?

  • I fired up a spare machine with v18.5.1 and 2 INTEL i210s and two INTEL X540s

    The drivers installed for the X540. It does not connect at 10gb from setup and does not get an address. If I put it through a switch it gets an IPv6 link-local address; that is after I set ifconfig Port3 up.

    Next trick will be to configure the GUI and see what happens.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
