Hardware Limitations In Home version

C'mon mate, lets imagine that sophos has to pay salaries, developing new solutions, ideas maintain current activities, infrastructure etc etc. We can be glad that sophos is allowing us a home users to using their product just for free with all features. Beside that, for home usage 4 cores and 6 gb is a overkill. With all features on you can gain 1GB/s. look how Fortigate(and other solutions) are expensive, what the are offering etc. With sophos you've got it for free with great community :) appreciate it ^^ and if you wanna use it for commercial just support it - buying it ;)

I understand this logic, but there is no reason to limit hardware if it is proven that the UTM is in a home location.  There are tons of other UTM packages out there that don't have hardware limitations.  I don't mind paying the annual license, but to pay the annual license with a hardware restriction is weak.  I guess I'll just stay on PFsense until they finally decide to remove the limitations.  Thanks

That makes no sense to me at all.

What possible reason would you have for a home machine to have more hardware resource than the limitations?  I've got a home license running on a I5-3470 Dell Optiplex 3010 - old machine, it has an SSD and have installed a hardware based dual network card from HP.

And it works better than anything else I've come across.

I also supply through my consultancy practice to several customers the Sophos XG and SG firewalls, and we have several virtual machines, most of which are set with 4GB RAM and 2vCPU - and for offices with 50 users these work well - the CPU passthrough is usually a E5-2697v4 running on Dell R730 hardware...

The point is, the 6GB RAM and 4vPUC is very generous, and if configured correctly not an issue for most users, let alone home users.

I tend to use the home machine for what it's intended for, and this protects the perimeter of my home very well, I also use it as a machine where I can apply patches and test things before I roll out to customers.

I am very grateful that Sophos have the decency to be able to offer a FREE product such as this to home users.

The limitation could be removed with the annual plan of $50/yr for the home premium.  What you see is fair is your opinion; what I see is fair as a power home user / home lab is different.  The limitation isn't necessary, and pushes people away from the product, which it has done to me.  Thanks for your response, and your need to belittle my desires.  It doesn't seem this product is in primetime for power users.

I sill fail to see where there is a problem, even for power home users...

If I can push this through an Azure machine, over Express Route and then out of the ISP - it has 4GB RAM and 4vCPU, and not get about 25% CPU, I don't think there is a problem.

Would you use a faster computer if there were no hardware limitations?  If you had a 7th generation intel with 16gb of ram, a 3 year old computer, would you want hardware limitations on it? You don't see a problem; I do.  No argument in the world will change my mind that there shouldn't be hardware limitations built into the software.

It would depend on the task in-hand, but comparing desktop PC's with firewalls is not really the same, although you would specify both to do the job in hand, for example you would put in a really decent graphics card if the end user was editing video, working on photos most of the time - also the lifecycle of a PC is about 5 years, and software is 3 years in general.

With a firewall, you can specify this dependent on your networking requirements, the throughput of the home version, for a standard user, or even a power user at home is more than sufficient for the task it's designed to do?

More to the point, if you're specifying this in Azure, would you put in the fastest, most expensive costing machine just....because?

Why would you have a machine that's capable of delivering 40Gb connection from the internet, when at the moment the fastest home is about 1Gb?  Just think about the cost of all that wattage with the CPU and RAM costs...if a machine is using 100w, that's going to cost 38p a day (16p/kwh) / £11.78 per month - so wouldn't it make more sense to put in a CPU with 4-cores and lower the RAM budget to half that?

One day it may get to that performance, but by then I can guarantee you that the hardware you're using now, will be in a landfill.

I'm currently testing Untangle, which I have paid the $50 license for, but I expect I'll be switching back to Sophos XG Home edition.  I agree with Tim's comments TBH and I'm currently running it on an Atom quad core PC, 4GB Intel NICs with 4GB that I paid circa £200 for.

I do like pfsense, both are a good product, but I'd still use Sophos XG home.

My only wish is that applying the home product to an appliance was supported.  

What is guaranteed is that Untangle, Sophos XG or pfsense is better than the Unifi UDM-Pro junk.

Let us go back a little time in history, Astaro used to charge home users  $50 annual fee, but decided the administration cost was too high so changed the UTM to a maximum of 50 IP addresses not including interfaces.

Ian

You seem to fail to understand, there is no limitation on CPU performance, jus the number of real cores.

As BLS has pointed out most home user hardware is way more powerful that the top of the range Sophos hardware.

The recommendation for home users is 4 real CPU cores running as fast as you can. I7s are a waste of money and generate too much heat, you need CPUs that do not have extra features like a maths co-processor which adds no performance value.

Ian

You seem to fail to understand, there is no limitation on CPU performance, jus the number of real cores.

As BLS has pointed out most home user hardware is way more powerful that the top of the range Sophos hardware.

The recommendation for home users is 4 real CPU cores running as fast as you can. I7s are a waste of money and generate too much heat, you need CPUs that do not have extra features like a maths co-processor which adds no performance value.

Ian

I’m not arguing it’s overkill, but I just don’t want the hardware limited.  There’s 16gb of memory.  The only thing I can think of is this is built on a 32bit version and they don’t have a 64bit version available.

Hi Michael,

I run a 6gb system and use all of that memory, to go above 4gb (3.8) you need a 64 bit system. My system uses 3.5gb of the available memory. Now in v17 you will find most home users with 6gb were running about 75% memory utilisation which has been fine tuned in v18.

Ian

75% is horrible.  If you had more available memory it wouldn't be pushing the limit like that.  I just don't get it.  Do they not have a 64-bit system available?  

Hi Michael,

let me try an put things into perspective

1/. XG is a 64bit OS.

2/. many XG  installations only have 2gb of ram using v17, v18 needs 4gb.

3/. 75% ram usage on a linux system is not an issue like on a MS system. Linux has a very much better memory management system and uses swap effectively.

4/. a while ago many forum member were very upset that their XG's memory usage was running around the 70-80% mark. Sophos XG devs took notice added a lot of new functionality and refined the XG, they also tuned the load management as reported in the GUI and diagnostics. 

My system is currently showing around 60% memory usage which grows if I leave the GUI open for too long, but shrinks when the GUI is closed. Prior to v18 my XG memory usage was around 75% on a 6gb system.

If you are a home user and like to fiddle with your firewall settings, then a J1900 or XG85/6 or XG 105/6 is not for you. If you are a set and leave then they will be fine depending on your internet connection speed of course. I have J1900 4 port NIC system which I use for testing, but it is too slow when making changes or reviewing logs for my regular use.

Ian 

I had a feeling, which is why I feel like they should just unlock it rather than have the hardware limitations on the package.  Until they remove the hardware limitations I can't see the reason to switch to Sophos.  I think this is a sad thing they have chosen to do, and could have easily unlocked for the $50/year subscription; as well as allowing unlimited devices.  It's not hard to prove the device is at a house location.  I hope the developers actually read this post, and see the benefit for unlocking the hardware limitations.

There's quite a lot of people arguing on their behalf that the hardware limitations in the software are more than enough hardware.  I feel these people just don't understand that you should be allowed to use faster processors and more ram if you deem it necessary.  I understand the company wants you to buy their devices, but then why have a software package available at all to home users.  They obviously realized a need, but determined that a limitation should be on that need.  

Any who this seems pointless at this time; as the developers will not unlock the software package for users.  Therefore, I will continue to use PFSense rather than giving the Sophos developers a yearly subscription fee.  Good luck to others; maybe they will finally realize this is the right thing in V20.

There is a thing of cutting off your nose to spite your face - by all means stick with PFSense if you so wish - just to ask....you are aware of the security vulnerabilities that exist in the product?

If not, pass me your IP address and I'll give you a demonstration...

Hi Michael,

you can use the fastest intel processor money can buy, nothing stops you building a system around it, but you need a special mother board, big power supply and lots of heatsinks. But you gain nothing in performance eg my e3 is the same processor Sophos use in their topend models.

Also it is not a developer issue it is a marketing issue.

Please let Tim demonstrate PFSense to you.

Ian

As a company, before we take on support of clients networks we put things through a PEN test, PFsense has always produced interesting results to say the least, it's good for a "home" protection and better than the NAT based solutions you had with the standard routers provided, but no where near good enough for the enterprise.

You have to think, what would you prefer?  An enterprise solution for home, albeit with some hardware limitations, or an open-source experiment for the home market.

@Michael Caplan

Sophos don't want your $50. More hassle than it is worth and I can well understand why they dropped it for UTM. One of the things I don't miss moving to XG is the 50 IP limit. In itself it was OK for a home network but as it is my 'playground' I quite often exceeded it testing new network setups. Ended up having to reinstall UTM each time it happened.

I don't agree it is 'easy' to verify whether Home is genuinely being used at 'Home' - which would also require more time and effort (which means money). Sophos put a cap on to prevent people using it illegally in large commercial environments.

I am grateful to be able to use it free at home. It also benefits Sophos (which is why they do it). From being able to use it and evaluate it at home, I have since become a Sophos partner and have several installations planned for customers.

I also really can't understand your view point. The current cap should allow you to use it in a home environment, even with 1Gb connections, for the forseeable future as long as you have the right spec hardware. What is the problem?

@Mike Scott

I've installed the home edition on both a 125 rev2 and a 430 (my current home kit). It can be tricky getting it to install on the installed SSD so I just replaced it with a new SSD and then installation was easy. A small SSD is cheap and I got the 430 for £300 which is cheaper than anything I could buy new of similar spec and it fits nicely in my rack (yes, I'm sad enough to have a rack at home). The only thing you lose is hardware specific support (for instance the LCD display doesn't show anything meaningful).

Makes sense and the best way of understanding what you're taking on.  Many years ago when I worked in the MSP space we walked away from a big customer as so many issues were identified during the pre-onboarding process.  They refused to have items address or money spent, so the contract never moved forward.  I visited their rented datacentre space in Canary Wharf and it was horrific.

Interesting re pfsense, particularly as I've seen large orgs using it.  Going to google it a bit more, even with version 2.4.5?  Problem with any vendor is getting past the marketing blurb.  Take Unifi for example, awful edge products imho

I've worked with Fortigate, Cisco (PIX/ASA), Microsoft ISA (shudder)..  My main skills though is infra, vmware, Wintel, networking and so forth.

Only exposure to Sophos XG at the moment is at home and I like it.  The problem with any solution installed at home is are they left in the default setup.