(possible) new user questions

I'm currently using pfSense for a "home" router/firewall and am considering reformatting that machine and using XG Firewall instead.  To that end, I have many questions that I haven't been able to find satisfactory answers to, and I'm hoping that this community forum can help me.

I'd be using the "home" installation of XG Firewall, as I simply can't possibly afford the incredibly high licensing fees charged by Sophos.  I had considered the Sophos UTM product, but the 50 address limitation wouldn't work due to IPv6 addresses being considered additional addresses.  (With IPv6 and IoT devices, I'd be at around 60.)

My hardware is (and would be) an Intel Atom C2558 board (Supermicro A1SRi-2558F) with 16 GB of RAM.  (I realize that only 6 GB would be used by XG.)  I'd be using a 120 or 250 GB SSD.  The board has 4 Intel gigabit NICs onboard (I354) that I configure as 1 for WAN and 2 as a LACP LAG to my switch.  I like to keep the extra NIC configured (but unplugged) in case something Bad Happens to my switch and I need to get to the router without LACP.  The LAG connection to the switch should support at least 4 VLANs.

Under pfSense, while running Snort IDS, a NAT firewall with many rules, and some other random things, I easily can get over 500 megabits of throughput over the WAN port from an internal VLAN.  Would an XG Firewall configured with IDS, NAT, etc. also be able to handle that with this hardware?  (The Sophos documentation only seems to indicate what Sophos appliances would do, but without knowing what h/w is inside the appliance, it's impossible to know how my hardware compares.)

Can XG Firewall do selective routing between VLANs?  For example, I need to be able to access VLAN "A" from VLAN "B", but VLAN "C" should be ALMOST completely isolated.  (The exception being that VLAN C needs a route to one machine on another VLAN for DNS.)

Does XG firewall support DHCP relay?

Does XG Firewall support UPnP?  If so, is it possible to use rules of some kind to limit which devices can and can't make use of it?

What about mDNS / avahi?  IGMP proxy?

Considering that I'm probably considered an "advanced" home user, if I decide to change over, should I load the v15 s/w, or would I be better off just getting the v16 beta and starting there?

I've read that the current version of XG Firewall doesn't handle IPv6 DHCPv6 Prefix Delegation.  Is this something expected to be implemented fairly soon, or not?  Is the DHCPv6 client software at least pulling a /64 from the ISP and pooling from there, or is it only getting a /128, meaning that any devices attached to the LAN side of the firewall are left with no globally addressable IPv6 options at all?

Is there a way in XG Firewall to add triggered scripts of any kind?  For example, given that their dynamic DNS implementation only has a very small handful of providers, and no way to add a custom provider, can some kind of trigger be added that I can use to call ddclient (or wget or curl) manually to register my dynamic address?

Jumping back to IPv6 - How is the reporting in relation to IPv6?  In particular, is the router software smart enough to use NDP and ARP to combine multiple IPv6 and IPv4 addresses into a single "host" for the purpose of reporting?  For example, my desktop machine currently has a SLAAC generated global IPv6 address, one or more temporary "privacy extension" IPv6 addresses (also global), and a DHCP assigned IPv4 address.  Internet traffic can come from any of those addresses.  In the reporting tools, will the traffic for all those addresses be consolidated into a single entry, or do the reports scatter that data all over the place under all the different IP addresses?  (Which becomes useless in 24 hours when the temporary IPv6 addresses are re-generated.)

One more:  When initially installing XG Firewall, does XG allow me to choose which of the available NICs will be the WAN port, or does it grab one automatically?  If it grabs one, does it always grab the lowest one?  (For example, a default Linux boot might show my 4 NICs as "eth0 - eth3".)  Installation might become rocky if I'm left guessing which of the 4 ports it might have assigned as WAN...

I appreciate any answers to my many questions...

Take care

Gary
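The IPv6 reporting question above (collapsing a host's SLAAC, privacy-extension and IPv4 addresses into one entry) is a generic join between the neighbour table and the flow log, so here is an added example of that join. It is not code from the original post and not XG Firewall's reporting logic; it assumes an `ip neigh`-style neighbour table and a list of (source address, bytes) flow records, both constructed inline as sample data. The point it makes is that the ARP/NDP join has to happen at collection time, while the temporary addresses are still in the neighbour cache, because once they expire the flow log alone cannot tell you which host they belonged to.

```python
import ipaddress
from collections import defaultdict

# Constructed sample neighbour table in `ip neigh` output format (hypothetical; not XG output).
# One desktop (3c:97:0e:12:34:56) with an IPv4 lease, a stable SLAAC global address,
# a temporary privacy-extension global address and its link-local address;
# a second host (b8:27:eb:aa:bb:cc) with IPv4 only.
NEIGH_TABLE = """\
192.168.10.23 dev lan lladdr 3c:97:0e:12:34:56 REACHABLE
2001:db8:1:10:1a2b:3c4d:5e6f:7081 dev lan lladdr 3c:97:0e:12:34:56 STALE
2001:db8:1:10:9c1e:aa20:77b0:1f33 dev lan lladdr 3c:97:0e:12:34:56 REACHABLE
fe80::1a2b:3c4d:5e6f:7081 dev lan lladdr 3c:97:0e:12:34:56 REACHABLE
192.168.10.50 dev lan lladdr b8:27:eb:aa:bb:cc REACHABLE
192.168.10.77 dev lan FAILED
"""

# Constructed sample flow records: (source address, bytes sent). The last entry has
# no neighbour-table match, e.g. an address whose cache entry already expired.
FLOWS = [
    ("192.168.10.23", 1200),
    ("2001:db8:1:10:9c1e:aa20:77b0:1f33", 88000),
    ("2001:db8:1:10:1a2b:3c4d:5e6f:7081", 5000),
    ("192.168.10.50", 700),
    ("192.168.10.99", 300),
]


def parse_neigh(table):
    """Map every IPv4/IPv6 address in an `ip neigh` dump to the MAC it resolved to.

    Entries without an lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped.
    """
    addr_to_mac = {}
    for line in table.splitlines():
        parts = line.split()
        if "lladdr" not in parts:
            continue
        addr = parts[0]
        mac = parts[parts.index("lladdr") + 1].lower()
        try:
            ipaddress.ip_address(addr)  # reject anything that is not a literal address
        except ValueError:
            continue
        addr_to_mac[addr] = mac
    return addr_to_mac


def aggregate_by_host(flows, addr_to_mac):
    """Sum flow bytes per host, using the MAC from the neighbour table as the host key.

    Addresses with no neighbour entry cannot be attributed to a host and are kept
    under the address itself, so the report shows them as unresolved rather than
    silently merging or dropping them.
    Returns (bytes_per_host, addresses_per_host).
    """
    totals = defaultdict(int)
    addrs = defaultdict(set)
    for addr, nbytes in flows:
        key = addr_to_mac.get(addr, addr)
        totals[key] += nbytes
        addrs[key].add(addr)
    return dict(totals), {k: sorted(v) for k, v in addrs.items()}


def host_report(table=NEIGH_TABLE, flows=FLOWS):
    """Run the join over the sample data and return (bytes_per_host, addresses_per_host)."""
    return aggregate_by_host(flows, parse_neigh(table))


if __name__ == "__main__":
    totals, addrs = host_report()
    for host, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{host:20} {nbytes:>8} B  {', '.join(addrs[host])}")
```

Two caveats a practitioner would want: keying on MAC only works for hosts on a directly attached segment (traffic from behind another router resolves to that router's MAC), and the join is only as good as the neighbour cache, so a reporter that stores raw addresses and tries to reconcile them a day later will have lost the temporary addresses exactly as the post describes.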



This thread was automatically locked due to age.
  • Many, many questions which can be answered if you go and investigate some time by yourself by looking at the Sophos XG demo environment https://demo.sophos.com/ (user demo, pw demo).

    Let me point out one of your questions: your hardware setup seems to be similar to an XG 135, which uses an Atom Rangeley C2558, 2.4 GHz, quad core, and 6 GB memory as well.

    According to the sizing guide, this appliance does:

    • 1750 Mbit IPS max throughput (measured with 1518-byte standardized packets and a minimal ruleset)
    • 232 Mbit IPS real-world throughput (measured at 50% CPU usage, with various packet sizes)

    So I guess your 500 Mbit should be somewhere in the middle, and should be realistic with Sophos XG as well. This depends heavily on how you configure your IPS policy.
