This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Recommendation Hardware / CPU for Home Use

Hello,

i recently discovered the free offerings from Sophos for home users.

I find them quite appealing. I downloaded Sophos XG and installed it in a VM on my Notebook. I messed around with it quite some time and I am blown away of the features and capabilities. Now I want to buy hardware and install it in my home. Now to my question/problem: How should I size it?

Usecase:

-4 separated VLANs / Zones

-VPN for Mobile Devices and Notebooks

-Permanent VPN to 2 or 3 remote sites, all are running Fritz!Box

-Clientless VPN access

-Intrusion prevention, Web and Application Filtering/Policies, Web server protection, Advanced threat protection, Firewall rules, Routes

-Dynamic DNS

-2 Access Points

-Permanent Users: only 2

-Internet Speed: 50 Mbit Down / 10 Mbit Up; VDSL50 from 1&1; eventually Cellular WAN in the future

-Around 70 devices, including Server, NAS, PCs, Smartphone, Smarthome etc

Additional requirements:

-Not to expensive ~250€

-Future Proof for the next years

-4 NICs

-Low power consumption

-Quiet operation

So I narrowed down a few devices, all from vendor Qotom, all from Aliexpress.

All have 4 x Intel I211.

But which CPU?

Is a Atom J1900 sufficient? This would be the cheapest option. But isn’t it a bit old?

Or model Q335G4 with Core I3 5005U?

For a mit more money I could get Q370G4 with Core I7 4500U.

Additional to all of these is a SSD with 120GB and 8GB RAM.

Thanks in advance for every opinion and recommendation.

Greetings

MExtreme

This thread was automatically locked due to age.

+1 Prism over 5 years ago

Hi,

First thing, the XG Home License have an limit of 4 cores and 6GB of ram. even if you have 8GB you will be limited to 6GB.

Also you can look at the forums. there's a lot of posts like yours that have already been answered.

Since you currently have a 50/10 Mbit connection, the J1900 is more than sufficient for it. I'm currently using a J1900 with 4GB of ram on XG v18 with a 240/120Mbit connection, almost everything on my network is currently using IDS/IPS, Web/App filtering/Polices, Advanced threat protection and AV + HTTPS Decrypt, I'm able to reach 180Mbit/s with all this features enabled. The only thing on my network without IDS/IPS is my computer, so I'm able to reach full speeds with it.

VPN throughput with AES-128 is at maximum 70-80 Mbit/s with the J1900. (It doesn't have AES-IN instruction on the CPU)

The VPN throughput can probably be a little higher or lower, but that's the speed I've managed to get in a real-world test.

Just a note: For some reason I've been getting higher throughput with the J1900 on the V17.5.8 MR-8, but that's probably because of a miss-configuration of the IDS/IPS.

TL;DR: The J1900 is a good choice for your network, but if you have any plans on getting 200Mbit/s WAN throughput or higher, or you want to be future proof, then you will be better with the I7-4500U.

Thanks,

If a post solves your question use the 'Verify Answer' button.

Ryzen 5600U + I226-V (KVM) v21 MR1 @ Home

Sophos ZTNA (KVM) @ Home
- 0 MExtreme over 5 years ago in reply to Prism
  
  Thank you Prism for your answer.
  
  Prism said:
  
  First thing, the XG Home License have an limit of 4 cores and 6GB of ram. even if you have 8GB you will be limited to 6GB.
  
  I know. But since there is only a single SODIMM slot, I can only use 4GB or 8GB.
  
  Prism said:
  
  Also you can look at the forums. there's a lot of posts like yours that have already been answered.
  
  I searched around in the forums. I knew before my question, that my configuration will work.
  
  My research is also a reason, why I decided on 4 x Intel I211.
  
  But to find some real world performance figures is difficult, especial with the features enabled.
  
  Prism said:
  
  I'm able to reach 180Mbit/s with all this features enabled.
  
  So again: Thanks for this answer. It is exactly what I was looking for.
  
  Prism said:
  
  It doesn't have AES-IN instruction on the CPU
  
  Yeah, I'm aware of it. But I didn't knew, how big the impact on performance will be.
  
  Prism said:
  
  if you have any plans on getting 200Mbit/s WAN throughput or higher
  
  I would really like, to have a higher WAN speed. Sadly I can't get faster connection.
  
  Only way would be Cellular, but this costs a fortune in Germany.
  
  Prism said:
  
  TL;DR: The J1900 is a good choice for your network
  
  Thanks for your advice
  - 0 Antonio Cienfuegos S over 5 years ago in reply to MExtreme
    
    Hi MExtreme,
    
    Don't discard the option of a low profile appliance, an example:
    
    https://www.ebay.com/itm/HP-T620-PLUS-Thin-Client-Quad-Core-GX-420CA-16GB-F-4GB-R-Intel-Pro1000-39Y6138/202784836845?hash=item2f36eb0ced:g:lgwAAOSwxU9df4lh
    
    Or minitx boards and slim cases.
    
    Good luck!
0 Alan_S over 5 years ago

Also take a look at this thread that discusses the Fitlet2 with J3455. It will support up to 4 NICs.

Some more discussion here. You'll need to use (Google Translate unless you speak Finnish).
- 0 Mark Jorissen over 5 years ago in reply to Alan_S
  
  Anyone using hardware NUC with a 1 Gbit fibre internet connection? Currently using a Zotax 4 core C1323 with 8 Gb, Intel N3150 1.6 Ghz but this doens't do this well (trougput max about 300 Mb/s compared to 1Gb/s). Would like to know the specs for NUC / CPU to get full performance when using DPI, scanning traffic, etc.
  
  I know that this PC is old, but it's formfactor is great, and it has 2 nics out of the box.
  
  Perhaps I'll test XG v18 with macMini 2014 (SSD) and a thunderbolt NIC in the future (read somewhere that this could work)
  - 0 packet1 over 5 years ago in reply to Mark Jorissen
    
    While it's not a NUC, I'm using an older Supermicro 1U with a Core2Quad Q6600 processor and 8GB of ram. I've got a symmetrical 1G connection but I don't do any sort SSL decryption or VPN termination on XG. It's also in transparent bridge mode sitting behind another server that runs OPNSense on similar hardware.
    
    FWIW, I've got no trouble downloading at max speeds (think 105MB/sec+). I don't know if that's because I have my rules misconfigured or what, but looking at the dashboard I see when incoming traffic getting blocked because they're classified as attacks, and my outgoing traffic is getting classified and sorted into categories.
    
    The processor I'm using probably would get killed if I tried doing anything requiring encryption since it has no AES-NI.
0 MExtreme over 5 years ago

To give back some feedback: based on research and the answers from the forum (thanks again) I decided on J1900.

I bought a cheap device from aliexpress with 4 x I211 NIC and the J1900, 4GB RAM and 64GB mSATA SSD.

It's passive cooled and has 2 USB ports.

The installation worked flawlessly, everything works fine.

My ISP recently upgraded (surprisingly) to 80/30 Mbit.

As a modem I chose the dirt cheap FritzBox 7412.

All my requested features work fine.

The horsepower is definitely enough.

Most time the CPU utilization is in the single percentage, with peaks at ~35% with much VPN traffic.

RAM usage is around 70%.

To buy more powerful hardware would have been a waste of money.
- 0 rfcat_vk over 5 years ago in reply to MExtreme
  
  Hi,
  
  the J1900 will struggle with v18 even with 4gb of ram. You will need at least 6gb. On my 6gb system running V18 EAP2 memory sits around 68%. You will also need to manage your disk utilisation, especially the reports section.
  
  If you intend doing any changes on a regular basis the J1900 will be too slow.
  
  Ii was running a J1900 with 8gb (6 active) ram on a 100/40 and it worked very well for throughput on v17.5.x but was almost unmanageable on v18.
  
  Extra processing power is not a waste of money because it gives you head room to grow your configuration as you acquire more devices for home eg IoT devices needing higher security eaxta firewall rules etc.
  
  Ian
  
  I am currently running the CPU in my signature because the the more modern lower performing MB fails to complete the installation of V18 EAP2 and this one needs changing because one of the NICs died during installation very annoying.
  
  XGS118 - v21.0.1 MR1
  
  XG115 converted to software licence v21.0.1 MR-1
  
  If a post solves your question please use the 'Verify Answer' button.
  - 0 MExtreme over 5 years ago in reply to rfcat_vk
    
    Hello rfcat_vk,
    
    thanks for your answer and your knowledge.
    
    As you can assume from this thread, I'm an absolute beginner with Sophos.
    
    I worked with firewalls from Zyxel in the past. But even midrange devices won't come close to my J1900 with XG.
    
    Neither with feature nor with GUI performance.
    
    So I'm quite impressed and satisfied how my device works.
    
    My goal was to build a very cheap firewall, which can handle everything described above.
    
    rfcat_vk said:
    If you intend doing any changes on a regular basis the J1900 will be too slow.
    
    I am patient ;)
    
    rfcat_vk said:
    Ii was running a J1900 with 8gb (6 active) ram on a 100/40 and it worked very well for throughput on v17.5.x but was almost unmanageable on v18.
    
    I hope they improve on performance until release.
    
    rfcat_vk said:
    Extra processing power is not a waste of money because it gives you head room to grow your configuration as you acquire more devices for home eg IoT devices needing higher security eaxta firewall rules etc.
    
    As mentioned, I am a beginner and really happy with the first weeks of using the firewall.
    
    So I posted my conclusion, to give some feedback.
    
    I hope my device will handle the next few years. I don't want to upgrade the hardware after two weeks of usage.
  - 0 rfcat_vk over 5 years ago in reply to MExtreme
    
    HJi,
    
    when you migrate to v18 you will find 4gb of ram will not be enough, also the J1900 will have throughput issues. I just downloaded the update to my MBP and it pushed the CPU and ram considerably. My ram went over 4gb. CPU went from 3% to 15% on a quad core e3.
    
    The issue being the Sophos hard ware is tuned to provide peak performance where as the home hardware is not.
    
    Enjoy your new security.
    
    Ian
    
    XGS118 - v21.0.1 MR1
    
    XG115 converted to software licence v21.0.1 MR-1
    
    If a post solves your question please use the 'Verify Answer' button.
  - 0 Prism over 5 years ago in reply to rfcat_vk
    
    when you migrate to v18 you will find 4gb of ram will not be enough, also the J1900 will have throughput issues.
    
    Well, let's hope it's fixed on EAP 3. The current throughput in v18 is... bad...
    
    Also, I've noticed your using e3-1225v5, how is the throughput on it? in v17 and v18. I'm asking this because your using the same CPU as XG 430 Rev. 2.
    
    Thanks,
    
    If a post solves your question use the 'Verify Answer' button.
    
    Ryzen 5600U + I226-V (KVM) v21 MR1 @ Home
    
    Sophos ZTNA (KVM) @ Home
  - 0 rfcat_vk over 5 years ago in reply to Prism
    
    Hi Prism,
    
    I used to have a 100/40 network and downgraded to a 50/20. The downloads on either one were capable of pushing the links to maximum speed. Current speed tests show the link is running around 48mb/s and that is what the latest MBP update showed yesterday. I went with the e3 because the J1900 was so slow in updating the GUI on v17.5 and even slower on v18.
    
    After the BIOS upgrade the XG is much faster in starting and performing GUI updates.
    
    The power usage varies from 15w when idle to 30w under load.
    
    Ian
    
    XGS118 - v21.0.1 MR1
    
    XG115 converted to software licence v21.0.1 MR-1
    
    If a post solves your question please use the 'Verify Answer' button.