This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Finding newer compatible NIC hardware that is supported by Sophos firewall home is becoming increasingly difficult

This is becoming an exercise in frustration trying to find a newer device on which to run the Sophos UTM or XG.

Years ago when fanless dual NIC PCs used the Intel i211 chipset, it was supported by Sophos, despite them being made for "consumer use".

Now recently there are a plethora of very fast, efficient fanless PCs that have the upgraded Intel i225 chipsets, yet they are not supported due to them being designed for consumers according to what is said on the forums here.

Most home internet connections are becoming fast enough that the much slower CPUs used in these devices with the supported older NICs cannot keep up with the demands of the IPS.

Sophos still will not release the version 3 of Snort which supports multithreading which can take advantage of multiple CPU cores, instead relying on their proprietary  "Xstream Flow" technology which utilizes a separate CPU for just the IPS/DPI in the XGS devices which are marketed towards business.

It would be great if Sophos could simply put out a list of supported NIC chipsets, but they won't, and the hardware compatibility database (I used comic sans on purpose) is more like personal anecdotes of hardware that should work, the "updated" hardware compatibility list (comic sans again) doesn't even exist. support.sophos.com/.../KB-000034600

I suppose the only way to tell is to find out what linux kernel the UTM 9.7 is using and then see what Intel drivers are included in that kernel.



This thread was automatically locked due to age.
Parents
  • UTM version 9.712-13 has Linux kernel 3.12.74-0 which has support for the following Intel chip[sets:

    82575/6, 82580, I350, I354, and I210/I211 based gigabit network connections

    Intel® PRO/1000 PCI-E (82563/6/7, 82571/2/3/4/7/8/9, or 82583) I217/I218/I219 

    Intel® PRO/1000 PCI and PCI-X family of gigabit network connections according to their website. 

    https://www.intel.com/content/www/us/en/support/articles/000005480/ethernet-products.html.

    So any Intel NIC listed here should work, right?

  • IntelRegistered PRO/1000 PCI-E (82563/6/7, 82571/2/3/4/7/8/9, or 82583) I217/I218/I219 

    Uh yeah, I would say no to that.  I have an i217 and it works like utter garbage in UTM.  This is the result with an i217 using UTM.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Why is this post only showing like the first 10 or so posts?  We have so much more below this, and I can't get further down the page to see it.  It conveniently stops after a Sophos employee post.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I was having issues with getting the Sophos Central webpage to load with Chrome. It turned out to be an adblock extension. Try disabling any adblockers, or use a different browser and see if that is causing the issue.

  • Neither option works unfortunately.  It stops after your post below:

    That might be something I consider. I have all but abandoned the idea of a fanless PC due to slow IPS performance, but will look at some refurbished Dell and Lenovo desktops that have the quad core i5 CPUs.

     I'm already considering KVM or VMWare on it along side Pihole. So, I think this might be the way to go.

    And, I know we've had more conversation than that with Patrick. A lot more.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • That's strange because that's where it stops for me too. Maybe you're thinking of a different post that was discussing hardware?

    Maybe it was this one https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/137167/reliable-poweredge-sc-440-comes-to-an-end

  • Initially, yes that was the one I was thinking of, but was quite sure we had more going on here than what I can read.  Of course, I could just be carb loaded into hazy, old age, holiday loaded, egg nogged out of my mind.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I don't know what's different, but I installed 9.714-4 on a Dell 7050 SFF, i7-6700. It has a built-in I219-LM (eth0) and it came with a I210 pci-express card (eth1). No issues with either. I checked the kernel log multiple times over the course of several hours. I don't see any e1000e hangs or resets.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • The i219 may work just fine with UTM, the i217 with UTM is worthless.  i210 should work just fine.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I see in your system you have an i225 nic. Are you using a VM? I'm considering that path since there's really nice fanless appliances out there using the i225 and the newer i226 NIC chips. I have seen some videos online about Proxmox with that one german guy on youtube who is a Sophos engineer who gets really excited explaining how to install Sophos XG on proxmox. 

    I tried out Proxmox and it detected all my hardware, unlike Vmware ESXi, which did not support my dual NIC card.

  • No, I use a dedicated system for my UTM.  Supermicro SuperServer LGA1150 350W 1U Rackmount Server, SYS-5018D-MF.

    Proxmox is by far a better product than VMWare, I do have a Proxmox environment running HomeAssistant and two Windows servers with SQL on a dual Xeon server (older hardware, but works well).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Alan, ESXI supports very specific hardware. With each newer version older hardware support is removed. Great for the enterprise, not so much for the smaller end user.

    https://www.vmware.com/resources/compatibility/search.php

    I switched to proxmox back in may '21 after running esxi for ~4 years. The newest version at the time 7.xx did not support the nic (rtl8125) on the new board. I was trying to save as much electricity as possible (running headless even). Proxmox is much more user friendly to different hardware. Running almost 2 years now without a hick up.

    Regarding i225v, jury is still out.  Lots and lots of issues with this nic implementation on various hardware (intel and amd). Experienced this myself with system instability on several b550 boards (amd). Ultimately got a board with the rtl8125. This issue was under windows.

    More recently picked up a 12700k + asus z690 tuf wifi d4 from microcenter few months ago. In this implementation, no issues with the i225. Now there's reports of issues with the i226 on newer boards - https://www.techpowerup.com/forums/threads/psa-intel-i226-v-2-5gbe-on-raptor-lake-motherboards-has-a-connection-drop-issue-no-fix-available.303854 .

Reply Children
  • That is why I'm hesitant. There's always complaints about the new Intel series NICs on the newer firewall appliances.

    The most likely route is going with an embedded cpu motherboard like the Asrock J5040 mITX that has PCIe slots so that anyone can use the NIC card they want, which will eliminate the need for virtualization.

    Sorry if I keep regurgitating the same things over and over but other firewall software out there seems to have the newer linux kernels to support the latest NIC cards.

  • Seems like a waste of other components (power supply, ram, storage) for such a low power box. I decided to go the vm route because that leave lots of future growth and options without upgrading hardware for a long time.

    I have symmetric gigabit fiber here, connections that are not white listed (ie some speed test sites), it still tops out at nearly 500mbps/thread - snort of course is at 100%.  Local speed test sites are white listed so they're not subject to snort inspection.

    It would appear as UTM has reached EOL without being officially announced EOL. New features have been minimal over the last year+.

  • It would appear as UTM has reached EOL without being officially announced EOL. New features have been minimal over the last year+.

    It's pretty much maintenance mode at this point, I think.  They haven't addressed driver issues for years, they have a clear agenda to push everyone to a product that is still in development essentially for that 'bleeding edge' tech.  When they finally announce EOL officially, that will be the flag for me to move on I think.  I am not a fan of XG, they want to push everything to central management which I don't want to do, XG isn't user friendly for me... and I've been using this product since v5 when it was Astaro. 

    My how time flies...

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I have mixed feelings about XG too. After having used the UTM for 7 years, XG was hard to get used to. There are aspects of it that make you say to yourself "what were they thinking?" But then again the same can be said for the UTM. Like why have a seperate window pop up for every single log in the UTM? 

    I honestly like both, but the UTM just feels easier to configure while the XG is a future proof product with it's DPI and support for TLS 1.3 inspection. It's just a shame they choose to stick with such an old Linux kernel.

  • Seems like a waste of other components (power supply, ram, storage) for such a low power box. I decided to go the vm route because that leave lots of future growth and options without upgrading hardware for a long time.

    Do you recommend running a proxmox server right behind a modem, directly exposed to the internet? I would not feel comfortable doing that unless the proxmox server was behind a firewall, in which case would introduce double NAT, but the Proxmox server would be protected. Someone enlighten me about how effective the built-in firewall of Proxmox would keep my network. Unless of course I could look into DMZ

  • When UTM finally ends, i'm going to pfsense or opnsense. Don't know what the XG devs were smoking when they designed the flow, but it makes no sense to me at all.

  • Exactly that. For instance, why would you set up email/SMTP settings in the Administration page,

    then have to go to Email-->Email logs to see if it worked? Shouldn't everything related be in the same section? It requires too much jumping around to get things done. The interface was also different in version 17 and a lot of the guides and tutorials are based on the older version which have a different outlay.

  • My set up is as follows;

    ONT  (fiber to ethernet media converter) connected to UTM's wan nic. The wan nic is in passthrough mode so utm has direct access to it. This seemed to make sense at the time I set this up and thus far has worked well.

    However, if you have unsupported nics then passthrough would defeat the purpose. Briefly poking around proxmox settings, it appears to be a front end of sorts for iptables. So if you're familiar with that, you can make it work.

    I can understand the reluctance of exposing a nic directly to the internet. But would it be be considered exposed if there's no IP assigned other than in a vm? Only the vm would have the public ip. Further, that vnic would not be assigned to any other guest.

  • But would it be be considered exposed if there's no IP assigned other than in a vm?

    I'm not sure if that's a real question or a hypothetical question, but in the end you are trusting the developers of Proxmox to not have any "call home" telemetry or unknown bugs that can allow data to leak out of the VM, and the whole idea seems counterintuitive.

    On second thought, the NIC of the firewall even when running bare metal is exposed too. So maybe it is not less secure to have it virtualized. 

  • It's a fair concern.

    My point was, the public/wan ip is not defined anywhere in the proxmox settings. It exists only in the guest vm. Any traffic trying to get out would still have to go through utm to do so. Same for inbound traffic.

    Fwiw, my proxmox management is on a different subnet entirely from anything else on the network. While it's defined as an additional address on the lan side, it could very well be on its own vlan as well.

    Internet access operates at osi level 3. Unless something on the isp's end is probing your network at layer 2, i don't see how it can gain access to anything at layer 3 as it would have to go through UTM.