This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sigh, okay I am trying XG again...

I have it installed, and I *think* I have some things configured correctly.  I have been running this only a couple of days, and that is longer than any time before.  ;)  So, there is some hope still of me keeping this (long time UTM user - old dog, new tricks issues).

I do have some questions and concerns about XG:

- Why are we not allowed to edit the Exceptions lists that are built-in?  Microsoft Updates are disabled by default in exceptions, and Office Updates are being blocked by default.  That's a bit concerning to me.

- Rules and Policies are still an absolute mess to me, but the Assistant does help a little bit (a lot) with this.  Thank you for that tool built-in.

- I do a lot of gaming and I am used to having to open ports to make things work.  I have yet to open a gaming port after being on XG - how is that possible?  And, adding a custom port to open (HomeAssistant) was painful to get right.  Does XG 'just know' what to block here?  This is my big concern with this: A rogue PC/device/etc on the local LAN transmitting out to a site.  It seems pretty solid for anything incoming, but outgoing I question.  Perhaps I don't understand the behavior of XG in how it handles outbound traffic, but at first look it feels like everything is open and you have to close everything up, completely contradictory to what it's always been.

- I have an extremely large list of web ad URLs.  It appears that the only thing I can use to add this for filtering is creating categories and applying them to be blocked in my policy.  The issue I have with this is that I am only allowed 2,000 entries per category, so this isn't an effective method of blocking ads.  I had to create seven categories and add them to a policy to filter out some ads (aside from any other filtering going on).  I could have just set this up completely wrong, but was the only thing I saw where I could import text files.

- Is there going to be any kind of allowed modifications to change the display such as the connection list?  I have a 4k monitor with a 3840 resolution.  Everything I have to scroll through to be able to see everything even with this large of a resolution because these lists don't adapt to screen sizes.

I have more, but I can make another post or reply later on.  I'm sure   will hate me being here (ha!) as I am pretty critical of this software and keeping them on their toes.  I really do want to like it and use it but I have no time for boxing matches with software, and if it's not for me then so be it.  I'll give it a fair try this time (I've only been able to stomach this software in the past for only about four hours before I went back to UTM).



This thread was automatically locked due to age.

Top Replies

  • First of all - SFOS (and UTM) was never build to be used in a Home Network. That is the reason, some of those points are not applying to most customers (at all). The reason is: Home networks uses weird approaches to certain technologies, as most vendors of software expect to have "internet access". For example, if you look into most IoT hardware and how they work, you see weird implementations of connection technologies. 

    - Why are we not allowed to edit the Exceptions lists that are built-in? Microsoft Updates are disabled by default in exceptions, and Office Updates are being blocked by default. That's a bit concerning to me.

    You should look into TLS / SSL decryption instead. There is a "managed TLS exclusion List, which includes Exceptions as well. The "Exception List" you are talking about, is the "old world of standard proxy". 

    - Rules and Policies are still an absolute mess to me, but the Assistant does help a little bit (a lot) with this.  Thank you for that tool built-in.

    Use a LAN to WAN Policy and work your way up to a more filtered way. It is actually easy to do it compared to UTM, where you have to do the same stuff 4-5 times. Think about it like: "Allowed Networks in UTM is the firewall rule in SFOS". 

    - I do a lot of gaming and I am used to having to open ports to make things work. I have yet to open a gaming port after being on XG - how is that possible? And, adding a custom port to open (HomeAssistant) was painful to get right. Does XG 'just know' what to block here? This is my big concern with this: A rogue PC/device/etc on the local LAN transmitting out to a site. It seems pretty solid for anything incoming, but outgoing I question. Perhaps I don't understand the behavior of XG in how it handles outbound traffic, but at first look it feels like everything is open and you have to close everything up, completely contradictory to what it's always been.

    It is 100% the same like UTM. As long as you are not doing TLS Decryption, you can get a firewall rule, LAN to WAN, open the ports, you had on UTM and you are in the same world. But if you start to inspect the traffic with TLS decryption, most of those apps will break, due the fact above. I personally gave up on this matter, it is not possible to workaround home apps, as they are moving with firmware updates, they build weird ways to interact with servers etc. 
    But the foundation of stateful firewalls are 100% the same. Create a firewall rule, include the ports and you have the app running. 

    - I have an extremely large list of web ad URLs.  It appears that the only thing I can use to add this for filtering is creating categories and applying them to be blocked in my policy.  The issue I have with this is that I am only allowed 2,000 entries per category, so this isn't an effective method of blocking ads.  I had to create seven categories and add them to a policy to filter out some ads (aside from any other filtering going on).  I could have just set this up completely wrong, but was the only thing I saw where I could import text files.

    Again the same answer like above - This is something, only home users are following up. Using Web categories is a way to do this, yes - But i am doing it client based (on the client itself) and not on a firewall. 

    - Is there going to be any kind of allowed modifications to change the display such as the connection list?  I have a 4k monitor with a 3840 resolution.  Everything I have to scroll through to be able to see everything even with this large of a resolution because these lists don't adapt to screen sizes.

    This is currently under review to rebuild the webadmin.

    And to be honest, if you are a home user only, the question is, why sticking with UTM/SFOS in the first place? Other products on the market offers you a set of technologies for the home network only. You properly know the vendor namens, but it is about the use case. UTM / SFOS home is a successful tool, as people can play with the technology they are using, but it does not include modern "requirements" of the home users, which come up quite frequently. It is not the targeted market for both technologies. Just talking about stuff like builtin ADblock, Pihole integration, Wildcard LE Support, and other technologies are more frequently implemented by other sharedware. 

    Jump to answer
Parents
  • Hi Amodin,

    easy bit first, the GUI display is an ongoing issue and usually get raised during each EAP.

    Next, the block advertisement using web and application policies does block most ads at least  on my system, What you can't block are the inbuilt ads to a web page, but when you click on them they are then blocked. To use the web and application policies fully you need to enable IPS rules eg LAN to WAN or one of the less strict default versions. Enable Applications even if just allow all at this stage and the same with the WEB policy. I do suggest you use the web proxy until you are more comfortable with the XG behaviour. SSL/TLS does not scan UDP in the current version of XG.

    The XG allows ports that you have enabled for your rules then opens other ports as requested by the connection, this is a function of stateful inspection design firewalls, these are closed at the end of the connection.

    The MS exception list is a bit out of date and you can add to some of the existing policies by cloning a copy and add your extras.

    Mo firewall will stop a rogue device from transmitting to the internet, but how much and where it connects to are dependent on how tight your firewall rules are. Most games will require some open rules with no scanning.

    Please feel free to ask if I have missed much.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • Hi Amodin,

    easy bit first, the GUI display is an ongoing issue and usually get raised during each EAP.

    Next, the block advertisement using web and application policies does block most ads at least  on my system, What you can't block are the inbuilt ads to a web page, but when you click on them they are then blocked. To use the web and application policies fully you need to enable IPS rules eg LAN to WAN or one of the less strict default versions. Enable Applications even if just allow all at this stage and the same with the WEB policy. I do suggest you use the web proxy until you are more comfortable with the XG behaviour. SSL/TLS does not scan UDP in the current version of XG.

    The XG allows ports that you have enabled for your rules then opens other ports as requested by the connection, this is a function of stateful inspection design firewalls, these are closed at the end of the connection.

    The MS exception list is a bit out of date and you can add to some of the existing policies by cloning a copy and add your extras.

    Mo firewall will stop a rogue device from transmitting to the internet, but how much and where it connects to are dependent on how tight your firewall rules are. Most games will require some open rules with no scanning.

    Please feel free to ask if I have missed much.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Children
No Data