Multi-Gig XG Hardware

Alright, I ended up creating a VLAN with all other ports forbidden on my Zyxel X1930-12HP and then used those ports to connect the ATT gateway and the Sophos XG. Everything connected at 5G/10G now. Hopefully this is a secure enough design. I don't know how possible VLAN hopping is...

Unfortunately no, it cannot talk to the ATT router when I set it to 10Gb. I guess I will have to go the switch route.

Hi Gkeg,

the options are 1gb or 10gb. You could try setting the interface to 10gb and see if you can get traffic though it?

Then there is another approach and this to put a dumb switch that is capable of 2.5 gb and 10gb between your fibre and the XG.

Ian

Okay, I'm up and running... and the XG sees the two 10 gig NICs and DHCP worked fine and everything, I'm passing traffic... HOWEVER... it can't seem to negotiate 5Gbe! I even set the ATT gateway to not autonegotiate, just solid 5Gbe and it still says 1Gbe in Sophos! Any ideas? This is a really devastating scenario since this would render my 2.5 gig fiber useless unless I move off of Sophos XG... and I really love XG!

Excellent insights, thank you! The last of my parts will be here in less than 24 hours so I'll provide an update once I'm all up and running... assuming I'm up and running!

Hi,

I fired up the box and configured it. The 10G interfaces are installed and show in the interface tab Initially the DHCP request was not honoured, but I suspect that was more a driver issue in auto negotiation not working. I changed the interface to 10g full duplex and an address was assigned, both I4 and IPv6. The interface was changed back to auto negotiate and the address was assigned again. 

Just to make sure all the configuration changes stuck I restarted the XG and yes, the configuration changes stuck showing IP4 and IPv6 connected at 10GB/s.

The software version is v18.5.2 mr-2, When the XG115w was updated to v18.5.2 I was concerned about memory usage, appears though this is an issue with MR-2 because the new box with a fast E series XEON (new variety) and 16gb of ram though only 6gb is used by the XG the memory usage shows 63%. Strange,bevause my e3 XG never got that high even running v19 EAP1.

Enjoy your 10gb system.

Ian

I fired up a spare machine with v18.5.1 and 2 INTEL i210s and two INTEL X540s

The drivers installed for the X540. It does not connect at 10gb from setup and does not get an address. If I put it though a switch it gets an IPv6 link local address that is after I set ifconfig Port3 up.

Next trick will be to configure the GUI and see what happens.

Ian

Ahh, I forgot the RAM limitation. That's just the RAM already in that motherboard. I suppose I could pull one stick... do you think I would get better performance being oversupplied though just due to the dual channel?

When I search the command I see:

Set the search method to be used for IPS signature pattern matching.

ac-bnfa (low memory usage, high performance)

ac-q (high memory usage, best performance)

hyperscan (low memory usage, best-performance)

Is there a good document or easy explanation as to what these different methods are? Am I losing out on deeper inspection with hyperscan? is ac-q better?

Looks good, but a reminder the Home Edition can use only 6GB of RAM, so it will be a waste to have 16GB on the box.

And don't forget to enable legacy bios (CSM) on the motherboard, since the Firewall doesn't support UEFI only motherboards.

At last, after installing the Firewall, ssh on it and go to the console (Option 4), then use "set ips search-method hyperscan". *

* On the Home Edition It defaults to a much slower regex engine.

For anyone interested in what I ended up building...

My PC needs an upgrade anyways, so I decided to scrap those parts into my Sophos XG along with some additional equipment. Here will be the final specs of the device. I should know by Sunday night if everything is working, and will update this thread.

CPU: Core i3-9100

Motherboard: ASRock Z390M-ITX/AC

RAM: 2x8GB Corsair Vengeance LPX DDR4 3200MHz C16 (CMK16GX4M2B3200C16)

Power Supply: Corsair SF600 - 600 Watt Fully Modular 80+ Gold

Case: Silverstone SST-ML06B-E

NIC: Vogzone for Intel X550-T2 10Gb NIC / Dual RJ45 PCI-E 3.0 x4 (I'm pretty sure this will work fine in my x16 slot)

This will be connecting to an ATT BGW320 gateway's 5Gbe port, which will be in IP Passthrough mode.

The other port will be a trunk port into my Zyxel XS1930-12HP.

Coming from the Switch:

A POE++ port on its own VLAN will connect into a Zyxel WAX650S for WiFi. This will feed phones, Amazon fire sticks, etc. Then I'll have 2 more VLANs, one for my work computer and one for my wife's work computer+printer.

A 3rd VLAN for my gaming PC.

A 4th VLAN for the TV in the Living Room since it will be right next to the switch, no reason to put it on WiFi.

A 5th VLAN with all my mini-PC servers running various infrastructure services for the rest of the devices.

I plan for IPS inspection between each VLAN... let's see if this thing can handle it all and push that 5Gbe on a speedtest!  Once we're there, I'll start seeing how well it can handle SSL decryption.