Migrating from Opnsense

Hi all,

I am a home user and have been a user of Opnsense for a few years, but recently removed this setup as it was constantly failing to reroute IPv6 when a connection dropped and was restarted, which 95% of the time required a reboot of the whole unit.

I have since been using an ASUS ZenWifi XT8 mesh system, which is fine but does not give me the full configuration I would like to do.

I have installed the latest XG onto my Quotom PC, which has 4 NICs installed, but have not yet finished setting this up as I would like some more info if possible.

Can the ports be reconfigured so Port 1 is WAN and Port 2 is LAN? Will it cause issues with the current default firewall rules?

Can I use aliases or groups to define a list of devices? I.e. we have multiple Xboxes and Nintendo Switches, and on Opnsense I had an alias group set up so I only needed to do one rule for each group instead of each device.

On OS, you could use Hybrid mode for the NAT (which I used); can this be done on XG, or must rules be manually added?

XG says there is a limit of 50 devices for home users; is this active devices or the total list of devices (inclusive of inactive)?

Is IPv6 fully supported? (I have the ND/PD information from my ISP which I can use manually, or it can be obtained from DHCP over the PPPoE connection.)

What are the major benefits of using the XG over Opnsense/Untangle?

How does it perform with a Guest Network? I work from home on a regular basis, so I have my work stuff connected to the guest network.

There are probably more questions, but I think I've asked quite a bit so far to get me started.

Thanks in advance



Edited TAGs
[edited by: emmosophos at 5:22 PM (GMT -7) on 23 Sep 2022]
  • Hi,

    I can provide some of the answers to your questions as at v19.0.1 mr-1.

    IPv6 is not fully supported, though it will pick up an external address using DHCP, and you will need a NAT for all rules, no exceptions.

    IPv6 does not support FQDNs.

    Usually at installation they are the other way around; you can change them, but make sure you are using a different port to access the XG GUI.

    All rules must be manually added, either via GUI, CM or APIs.

    You can configure devices into groups, in my case I use clientless users and groups.

    To make clientless users work reliably you will need to create static IP addresses outside of the DHCP range.

    In most cases you only need one general NAT (MASQ) except for hairpin or WAF type rules.

    Guest network: that is up to you how you create it and what rules you apply.

    My practice is to delete the default rules created at installation and build my own; I get meaningful names for rules and devices.

    The XG DNS is not connected to the DHCP server.

    The fifty user limit is a UTM restriction; XG is memory limited. Your home XG is 4 CPUs and 6 GB of memory. You will be working very hard to use up the 6 GB of memory.

    Ian

    XG115W - v19.0.1 mr-1 - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the response.

    As I use IPv6 across most of my devices I would need it to be fully supported, so it looks like it may not be suitable for my setup.

    Guest network would be via the ZenWifi only (I need to check if this is supported when in AP mesh mode), but I know that currently, when set up using the ZenWifi, I had to enable VLAN trunking on the switch ports to be able to go from the remote node to the main node. Would XG be able to deal with this, as ASUS weren't forthcoming in providing the VLAN IDs their product uses for guest networking?

    Does the XG not receive the DNS server list from the PPPoE connection, or must this be set up separately? I.e. currently I have my ISP's DNS servers listed, along with Google DNS and OpenDNS.

    Can the XG be used as a time server, so that it gets time from a list of servers and, whenever a client requests a time check, it reports it back to them?

    My system should be OK, as with OpnSense I never ran out of memory with the various rules and plugins active. The current system is a Quotom PC running an i5-5200U with 8 GB memory and 128 GB storage.

    Regards

  • Hi,

    XG cannot be used as a time server; I built my own NTP server using a Raspberry Pi 4 and hairpin loop settings in the firewall. XG picks up DNS from the ISP DHCP response, and you can add DNS servers.

    I use both IPv4 and IPv6 on my networks; the downside is you need a different name if using clientless and/or static address assignments. The DNS allows you to assign the two addresses to the same name, a strange setup.

    XG only supports Sophos AP/x, no third-party APs.

    Home licence: 4 CPU, 6 GB of RAM.

    Ian


  • IPv6 in Sophos Firewall isn't in a good state right now, and since you heavily rely on it you will only get headaches from trying to fix "unfixable" issues.

    "What are the major benefits of using the XG over Opnsense/Untangle"

    On the other hand, if you want a firewall that actually has security features, then you should at least try it out first before going back to Opnsense.

    On major benefits: TLS inspection, a good IPS, decent application and web filtering, and industry-leading AV scanning with zero-day protection (cloud sandbox), which are all available with the home license.

    Meanwhile, you can forget about having an NTP server directly on the firewall or other features that home users would use, such as UPnP. (None are available.)


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 v19 MR1 @ Home.

  • Thanks for the replies.

    Based on the fact that IPv6 is not fully supported and the product doesn't allow the use of third-party access points, I would have to look at a different solution, as both of these are requirements.

    I'm fine with setting up rules instead of using UPnP, but I did want the ability for the system to also be used as a time server, so that the time provided to all devices is the same and not from different sources.

    Thanks again for the feedback.