This discussion has been locked.

Qotom/ProtectLI FW2B appliance? (Fitlet2 J3455 purchased)

Curious if anyone has used one of these for Sophos?

https://protectli.com/product/fw2b/

  • Intel Celeron® J3060 Dual Core at 1.6 GHz (Turbo 2.48 GHz)
  • 2 Intel® Gigabit i211-AT Ethernet NIC ports
  • AES-NI

I'd think it could handle gigabit speeds, with IPS/Snort disabled, that is.

Thoughts?

 

...am looking for a replacement for my Realtek NIC failing Zotac...but my requirements remain the same. Fanless, small form factor. I don't want a server or anything like that, so keep landing on these Qotom-style appliances. I did however find a Fitlet2 that has a J3455 CPU that is also probably an option.



  • For anyone in same boat...what I've learned has pointed me more to the Celeron J3455, though the E3950 is also a capable one.

    Pretty close to buying the Fitlet2 with the J3455 with the i211 Intel NICs. The pfSense/OPNsense crowd have used these successfully, so I figure it can handle Sophos as well. I plan on restoring my prior configuration to see how it goes.

  • I have a FW2B, chosen specifically for its mostly generic Intel hardware.

    When you install XG1 on it, the NICs are selected "backwards" - the WAN is LAN and vice versa. This will cause no end of confusion until you realize this.

    I've also been trying to sort out a USB keyboard oddity (Protectli case number 12073) where the keyboard works just fine during the installation process, but isn't recognized after the first boot. The console login is displayed, but there's no keyboard response, and typing into the login prompt produces no response at all.

    Console login and the NIC reversal issues aside, the FW2B and XG1 Home (17.5.1 MR1) seem to work just fine. Traffic flows, and I can manage it from the web UI or SSH console. I've only had it online for a few days, so I can't comment on its stability yet. I mounted it to the back of my main monitor using the supplied VESA monitor mount, and it doesn't generate a whole lot of heat.

    The ProtectLi support folks are good and straightforward, and are sending me a new box to test.

    I'll repost here when I know more.

    Sophos XG1 (SFOS 17.5.9 MR-9) on ProtectLi FW2B

  • Thanks for your reply.

    At this time I have already made the decision to move forward with the Fitlet2 from fitpc.com (US local reseller so didn't have import duties or VAT). The Fitlet2 is an Israeli product, not Chinese.  I purchased the J3455 Celeron, barebones version.  I've now had it up and running for awhile and can report I have had no issues related to it.  The SSD installation was a bit unclear, mostly due to the instructions, but once figured out it made sense and wasn't difficult.  It is a slick little appliance, and I recommend it.

    The fins do get a little warm, but that is to be expected, and it's nothing out of the ordinary for a fanless appliance.

    The Fitlet2 J3455 I found to be the most cost effective appliance/CPU option available. I looked long and hard at all the ProtectLi, Qotom, Shuttle, etc., and it just seemed to be a notch above the rest in my analysis. The J3455 is a relatively newer, more powerful Celeron than what I found on other appliances, and is currently handling my 300Mbps fiber connection w/o problems. Some have reported it can handle a 1Gbps connection, and based on what I'm seeing I would think it could.

    So......I did not install my prior UTM configuration on it. I wanted to try to get Intrusion Detection going without throughput being impacted materially, and as most know that is not possible with UTM (Snort). I am under the impression XG uses Snort as well. So, I decided to try something new...OPNsense. I'm not going to get into much else as this is a Sophos forum. I had few gripes about the UTM product, used it for a few years with success, and have recommended/installed their appliances to small businesses; I just wanted to try something else at home for a while. I'm confident the Fitlet2 would handle either UTM or XG with little to no issue.

  • Oh...one last note that might help some...

    If you have noticed a marked decrease in your throughput using ATT Fiber with their Pace gateway using your Firewall in the DMZ PinHole IP Passthrough configuration...and, like I did, thought it was your RealTek NICs failing, check out the ATT forums.

    They pushed a firmware update a while ago that impacted throughput in that configuration, and everyone's dropped to around 50Mbps. It took a long time to figure that out, but it wasn't my Zotac. Unfortunately I figured that out after I had purchased the Fitlet2 and got it up and running, when throughput through the Pace was still 50Mbps. Frustration!

    I was able to get a new NVG599 modem from ATT, put the Fitlet2 in its IP Passthrough, and it all works fine now.

    The Zotac has been re-purposed for Pi-Hole and my Plex server.

  • Good notes, indeed!

    Unfortunately, I'm stuck in rural DSL-land, and barely see 12Mb/S on a bonded pair, so I seriously doubt that I'll push the performance limits of either the hardware or the XG software.
    My replacement arrives today (weather allowing), so perhaps I'll have better news to report...

    Sophos XG1 (SFOS 17.5.9 MR-9) on ProtectLi FW2B

  • Yeah, your system won't get taxed with those speeds.

    Check out Pi-hole, it's a DNS sinkhole. It should help a little with your throughput as it blocks all sorts of ads at the DNS level.

    pi-hole.net

  • Thanks - I may just do that.

    I also found in the process of troubleshooting my migration to XG that the DHCP options don't translate.
    You have to re-enter any custom settings you've defined manually via CLI or admin console.

    Sophos XG1 (SFOS 17.5.9 MR-9) on ProtectLi FW2B

  • I'd recommend using Pi-hole also for DHCP...

  • Does Pi-hole support DNS registration (not DynDNS)?
    That's one of my gripes in UTM & XG...

    Sophos XG1 (SFOS 17.5.9 MR-9) on ProtectLi FW2B

  • No, I don't believe so.

    It is a DNS sinkhole that you can also have run your DHCP server on your network.