This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Finding newer compatible NIC hardware that is supported by Sophos firewall home is becoming increasingly difficult

This is becoming an exercise in frustration trying to find a newer device on which to run the Sophos UTM or XG.

Years ago when fanless dual NIC PCs used the Intel i211 chipset, it was supported by Sophos, despite them being made for "consumer use".

Now recently there are a plethora of very fast, efficient fanless PCs that have the upgraded Intel i225 chipsets, yet they are not supported due to them being designed for consumers according to what is said on the forums here.

Most home internet connections are becoming fast enough that the much slower CPUs used in these devices with the supported older NICs cannot keep up with the demands of the IPS.

Sophos still will not release the version 3 of Snort which supports multithreading which can take advantage of multiple CPU cores, instead relying on their proprietary  "Xstream Flow" technology which utilizes a separate CPU for just the IPS/DPI in the XGS devices which are marketed towards business.

It would be great if Sophos could simply put out a list of supported NIC chipsets, but they won't, and the hardware compatibility database (I used comic sans on purpose) is more like personal anecdotes of hardware that should work, the "updated" hardware compatibility list (comic sans again) doesn't even exist. support.sophos.com/.../KB-000034600

I suppose the only way to tell is to find out what linux kernel the UTM 9.7 is using and then see what Intel drivers are included in that kernel.



This thread was automatically locked due to age.
Parents Reply
  • I see in your system you have an i225 nic. Are you using a VM? I'm considering that path since there's really nice fanless appliances out there using the i225 and the newer i226 NIC chips. I have seen some videos online about Proxmox with that one german guy on youtube who is a Sophos engineer who gets really excited explaining how to install Sophos XG on proxmox. 

    I tried out Proxmox and it detected all my hardware, unlike Vmware ESXi, which did not support my dual NIC card.

Children
  • No, I use a dedicated system for my UTM.  Supermicro SuperServer LGA1150 350W 1U Rackmount Server, SYS-5018D-MF.

    Proxmox is by far a better product than VMWare, I do have a Proxmox environment running HomeAssistant and two Windows servers with SQL on a dual Xeon server (older hardware, but works well).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Alan, ESXI supports very specific hardware. With each newer version older hardware support is removed. Great for the enterprise, not so much for the smaller end user.

    https://www.vmware.com/resources/compatibility/search.php

    I switched to proxmox back in may '21 after running esxi for ~4 years. The newest version at the time 7.xx did not support the nic (rtl8125) on the new board. I was trying to save as much electricity as possible (running headless even). Proxmox is much more user friendly to different hardware. Running almost 2 years now without a hick up.

    Regarding i225v, jury is still out.  Lots and lots of issues with this nic implementation on various hardware (intel and amd). Experienced this myself with system instability on several b550 boards (amd). Ultimately got a board with the rtl8125. This issue was under windows.

    More recently picked up a 12700k + asus z690 tuf wifi d4 from microcenter few months ago. In this implementation, no issues with the i225. Now there's reports of issues with the i226 on newer boards - https://www.techpowerup.com/forums/threads/psa-intel-i226-v-2-5gbe-on-raptor-lake-motherboards-has-a-connection-drop-issue-no-fix-available.303854 .

  • That is why I'm hesitant. There's always complaints about the new Intel series NICs on the newer firewall appliances.

    The most likely route is going with an embedded cpu motherboard like the Asrock J5040 mITX that has PCIe slots so that anyone can use the NIC card they want, which will eliminate the need for virtualization.

    Sorry if I keep regurgitating the same things over and over but other firewall software out there seems to have the newer linux kernels to support the latest NIC cards.

  • Seems like a waste of other components (power supply, ram, storage) for such a low power box. I decided to go the vm route because that leave lots of future growth and options without upgrading hardware for a long time.

    I have symmetric gigabit fiber here, connections that are not white listed (ie some speed test sites), it still tops out at nearly 500mbps/thread - snort of course is at 100%.  Local speed test sites are white listed so they're not subject to snort inspection.

    It would appear as UTM has reached EOL without being officially announced EOL. New features have been minimal over the last year+.

  • It would appear as UTM has reached EOL without being officially announced EOL. New features have been minimal over the last year+.

    It's pretty much maintenance mode at this point, I think.  They haven't addressed driver issues for years, they have a clear agenda to push everyone to a product that is still in development essentially for that 'bleeding edge' tech.  When they finally announce EOL officially, that will be the flag for me to move on I think.  I am not a fan of XG, they want to push everything to central management which I don't want to do, XG isn't user friendly for me... and I've been using this product since v5 when it was Astaro. 

    My how time flies...

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I have mixed feelings about XG too. After having used the UTM for 7 years, XG was hard to get used to. There are aspects of it that make you say to yourself "what were they thinking?" But then again the same can be said for the UTM. Like why have a seperate window pop up for every single log in the UTM? 

    I honestly like both, but the UTM just feels easier to configure while the XG is a future proof product with it's DPI and support for TLS 1.3 inspection. It's just a shame they choose to stick with such an old Linux kernel.

  • Seems like a waste of other components (power supply, ram, storage) for such a low power box. I decided to go the vm route because that leave lots of future growth and options without upgrading hardware for a long time.

    Do you recommend running a proxmox server right behind a modem, directly exposed to the internet? I would not feel comfortable doing that unless the proxmox server was behind a firewall, in which case would introduce double NAT, but the Proxmox server would be protected. Someone enlighten me about how effective the built-in firewall of Proxmox would keep my network. Unless of course I could look into DMZ

  • When UTM finally ends, i'm going to pfsense or opnsense. Don't know what the XG devs were smoking when they designed the flow, but it makes no sense to me at all.

  • Exactly that. For instance, why would you set up email/SMTP settings in the Administration page,

    then have to go to Email-->Email logs to see if it worked? Shouldn't everything related be in the same section? It requires too much jumping around to get things done. The interface was also different in version 17 and a lot of the guides and tutorials are based on the older version which have a different outlay.

  • My set up is as follows;

    ONT  (fiber to ethernet media converter) connected to UTM's wan nic. The wan nic is in passthrough mode so utm has direct access to it. This seemed to make sense at the time I set this up and thus far has worked well.

    However, if you have unsupported nics then passthrough would defeat the purpose. Briefly poking around proxmox settings, it appears to be a front end of sorts for iptables. So if you're familiar with that, you can make it work.

    I can understand the reluctance of exposing a nic directly to the internet. But would it be be considered exposed if there's no IP assigned other than in a vm? Only the vm would have the public ip. Further, that vnic would not be assigned to any other guest.