Single Board Computer (SBC) for Sophos XG Home Firewall

I apologize because it seems like there are quite a few conversations about hardware for XG Home; however, most seem old (3+ years).

A lot of SBC computers are hitting the market and seem to be just as useful for XG Home. That said, I'm hoping someone out there can point toward a trusted SBC that has performed well with XG Home.

I personally already run an ODYSSEY - X864105 (J4105 Celeron Processor) for a small home server. For that job, it does great. Would another one of those serve well as an XG Home Firewall?

I am looking to replace my Meraki MX64, which is up for license renewal at about $700. 

All suggestions and guidance are welcome



  • Hi,

    Looks good, but I am not sure about the 'disk' being supported, and the onboard wifi will not be recognised.

    Configuring it will be quite slow, but as a firewall it will work well on lower-speed internet connections (200mbs or less).

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you so much for this quick reply! Is there a way to estimate CPU/Memory/Disk to throughput? If I know what to look for, I suppose I can hunt around for an SBC that would support higher throughput.

    Another SBC that recently popped on the scene is the ASRock NUC BOX-1135G7 or ASRock NUC BOX-1165G7.

    Would either of those be a better fit for more throughput?

    My "current" requirements would ideally be to match my cable connection wire speed and no wifi. My cable is 967 Mbps/40 Mbps on a good day. Right now my MX64 is capped to 250 Mbps, so anything flowing through it can't even get close to the "max" download speed of the connection.

    Thank you

  • Hi,

    For home use, the maximum is 4 cores (preferably real and very fast) and 6 GB of RAM. NICs should not be Realtek or Intel i219 (not supported) to provide the connection speed you are after. The NUCs look good.

    Make sure that the BIOS is not UEFI, because that is not supported, or that it has the option of non-UEFI boot.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • This is great information.

    Just to confirm: there isn't a hard-and-fast direct correlation between core speed and Mbps throughput, but the more you have the faster you go? As an example, I can't necessarily say 4x Core @ 2.5 GHz = 200 Mbps and 4x Core @ 5.00 GHz = 400 Mbps?

    Also, the NUC appears to have one NIC that is the Intel 219V, so I'm guessing that is a no-go based on your previous comment.

    I will keep hunting.

    Thank you,

  • The current issue with CPU speed is based around XG (current version) only being able to assign one core to snort, so the actual throughput is not related to core speed in a linear fashion.

    I219s are not supported.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Thank you again!

    It seems like everybody is unwilling to suggest that a certain CPU/System Combination relates to throughput. I am unfamiliar with Sophos and how it works, but I'm guessing this is because it really depends on what settings are being used on the FW.

    If the best I can do is 200 - 400 Mbps, it feels like maybe I should just stick with my Meraki MX64 instead of spending money on a computer and adding Sophos XG Home to it.

    I was considering moving to the Sophos XG Home because I thought I might be able to increase my throughput to near 900 Mbps for less than the $700 Meraki Renewal.

    If you look at my hardware specifications they are similar to a top end Sophos hardware except I don't have a 10gb interface.

    Based on the above quote, could you provide an estimate of what a single connection's (downloading a large file) throughput would be on your setup? I assume that even though snort is single threaded, each new connection can be started on a new thread, which is why you mention later that multiple connections can achieve link speed. Is this correct?

  • Throughput on Sophos XG highly depends on three things:

    1. The processor.
    2. What kind of traffic is going through the Firewall.
    3. What features you're going to use.

    It seems like everybody is unwilling to suggest that a certain CPU/System Combination relates to throughput.

    A single core of a Ryzen 3300x (The processor I'm currently using.) can do around 2.8Gbit/s of IPS over a single thread. (of traffic generated through Cisco TRex.)

    With Decrypted TLS + AV it can go down to 960Mbit/s over a single TLS connection. (Single thread) (Also almost line-rate Gigabit.)

    In comparison, an Intel J1900 that I had couldn't go over ~120Mbit/s over a single decrypted TLS connection, but an Intel G5400 could get to around ~820Mbit/s over the same kind of TLS decrypted traffic.

    If the best I can do is 200 - 400 Mbps

    You won't be able to get symmetrical gigabit in your home with a potato SBC. (Unless you get those high-end NUCs)

    Also, currently on v18 MR5, Sophos XG doesn't utilize AES-NI for hw crypto acceleration, so you're stuck with your processor's raw performance for anything related to cryptography.

    I assume that even though snort is single threaded, each new connection can be started on a new thread

    A single connection can't be shared over multiple cores/threads, but multiple connections will be shared to all cores/threads as expected.

    Some things to remember: Sophos XG doesn't support NVMe for storage, nor the I219 NIC chipset. ( have more information on this.)

    Hopefully those answers cover some of your questions.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Man! This forum is GREAT! Both of you have provided stellar information!

    If I am ruling out SBC as an option, what is your recommended system combination (Mobo, Memory, CPU, NICs)?

    As stated earlier, it would be great to do close to the 900 Mbps download that my connection supports.

    Also, low power would be a HUGE plus. It's part of the reason I gravitated toward the SBC route initially.

  • There are some SBCs that are relatively good; the problem is the price, as they tend to be at least twice the cost of building one yourself.

    If I am ruling out SBC as an option, what is your recommended system combination (Mobo, Memory, CPU, NICs)?

    This is a problem since there's no such thing as a datasheet which shows what throughput each CPU is capable of.

    From my perspective I recommend you stick with Intel, but if you still want to get an AMD processor you can get the 3300x.

    Related to this, I've already used an Intel G5400 in the past over a gigabit network. It worked well, but not good enough; again, depending on the traffic, the CPU would get stuck at 100% usage constantly.

    Your best option is to look at the I3-10100 if you don't want to spend too much money; in comparison, it's roughly the same performance as the Xeon E3 1275v5 which the XG 450 Rev.2 utilizes.

    For memory, get 2x 4GB sticks for 8GB in total; Sophos XG isn't memory intensive for home workloads.

    The motherboard doesn't matter that much, but don't use M.2 NVMe for storage, get a SATA SSD. (Note: Depending on the motherboard you will have issues with UEFI at the installation, just be sure the motherboard supports CSM to boot the disk over BIOS as fallback.)

    Stick with Intel chipsets for the NICs. If you only want gigabit, get one of those "82576 chipset" cards, just be careful since a lot of those NICs are cheap fake Chinese ones. For 10Gbit/s you still want to stick with Intel; the X520-DA2, which uses the "82599 chipset", will work with XG. (Don't buy Mellanox NICs since anything after ConnectX-3 won't work.)

    The I219 Intel chipset isn't supported; even if you have one, XG won't detect it.

    Note: I think I'm missing something on this write-up, I will read it again later and modify it if necessary.

    Man! This forum is GREAT

    Welcome to the Community!



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
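
Added example, not part of any post in this thread: a pre-purchase check that reads `lspci` output from a candidate machine (booted from any live Linux) and flags the components the replies above call out as unsupported or discouraged for XG. The rules come only from this thread, not from Sophos documentation; the sample `lspci` lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `lspci` output for a candidate box.
SAMPLE_LSPCI = """\
00:17.0 SATA controller: Intel Corporation Device a352 (rev 10)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-V (rev 31)
01:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller SM981/PM981/PM983
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
03:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
04:00.0 Ethernet controller: Mellanox Technologies MT27710 Family [ConnectX-4 Lx]
"""

def check_device(dev_class, desc):
    """Return the thread's objection to this device, or None if it raised none."""
    if dev_class == "Non-Volatile memory controller":
        return "NVMe storage: reported as unsupported, use a SATA SSD"
    if dev_class != "Ethernet controller":
        return None
    if re.search(r"\bI219\b", desc, re.IGNORECASE):
        return "Intel I219 NIC: reported as unsupported, XG will not detect it"
    if "realtek" in desc.lower():
        return "Realtek NIC: advised against in this thread"
    cx = re.search(r"ConnectX-(\d+)", desc)
    if cx and int(cx.group(1)) > 3:
        return "Mellanox NIC newer than ConnectX-3: reported as not working"
    return None

def audit(lspci_text):
    """Return [(pci_slot, reason)] for every flagged device."""
    findings = []
    for line in lspci_text.splitlines():
        # Format: "<slot> <device class>: <vendor and model>"
        m = re.match(r"^(\S+)\s+([^:]+):\s+(.*)$", line)
        if not m:
            continue
        slot, dev_class, desc = m.groups()
        reason = check_device(dev_class.strip(), desc)
        if reason:
            findings.append((slot, reason))
    return findings

if __name__ == "__main__":
    for slot, reason in audit(SAMPLE_LSPCI):
        print(f"{slot}: {reason}")
```

On a real machine, pass the text of `lspci` to `audit()` instead of the sample. The BIOS/CSM boot requirement mentioned in the thread has to be checked in the firmware setup, since PCI enumeration does not show it.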

  • Be careful with the ASRock boards; they do funny things with the high performance timer.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA
