After taking down my Sophos rig due to the Heartbleed issue (and some trouble reinstalling), I wanted a new toy (I guess) so I picked up an EdgeRouter Lite. I've had it running for about a month and it's great and all (it's plenty fast, uses no power, totally silent), but it has some shortcomings and after literally years of running UTMs I feel a bit lacking.
I'm thinking about putting a UTM in place again, but now I have the ERL and I'm past the return period. So, I'm thinking about leaving it in place and running the UTM behind the router--either running a very low power dedicated box, or finally breaking down and building an ESXi box (I don't really want to have a virtual machine on the perimeter, even if it's silly). Additionally, I've added a new AP/guest VLAN, and everything is (mostly) running peachy, and it would be nice to mostly drop in the UTM and be back in business.
Is this just a poor plan, should I scrap the ERL altogether, or is it doable? I'm not necessarily looking to have a transparent device, but I also don't want to deal with dual-NAT and the like. For the UTM, I would probably like to use these features (from what I can remember):
- IPS/AV/filtering
- Email relay (relays server mails through Comcast service thanks to their port blocking)
- Full usage reporting would be nice, along with daily executive report emails
- DNS (because it's not fully ready on the ERL other than forwarding)
- Maybe firewall (though I have mine well set on the ERL)
- VPN endpoint (OpenVPN)
- Maybe an HTTP reverse proxy, but that's up in the air
I think that's most of what I am using. Network layout will of course be a challenge, but being that it would be behind the router, it would also take some load off the UTM device.
Currently the VLANs are "untagged" for the regular network, and a tagged VLAN for the guest wireless. It seems I read Sophos doesn't necessarily support the untagged VLAN. Will that have to change?