This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Finding newer compatible NIC hardware that is supported by Sophos firewall home is becoming increasingly difficult

This is becoming an exercise in frustration trying to find a newer device on which to run the Sophos UTM or XG.

Years ago when fanless dual NIC PCs used the Intel i211 chipset, it was supported by Sophos, despite them being made for "consumer use".

Now recently there are a plethora of very fast, efficient fanless PCs that have the upgraded Intel i225 chipsets, yet they are not supported due to them being designed for consumers according to what is said on the forums here.

Most home internet connections are becoming fast enough that the much slower CPUs used in these devices with the supported older NICs cannot keep up with the demands of the IPS.

Sophos still will not release the version 3 of Snort which supports multithreading which can take advantage of multiple CPU cores, instead relying on their proprietary  "Xstream Flow" technology which utilizes a separate CPU for just the IPS/DPI in the XGS devices which are marketed towards business.

It would be great if Sophos could simply put out a list of supported NIC chipsets, but they won't, and the hardware compatibility database (I used comic sans on purpose) is more like personal anecdotes of hardware that should work, the "updated" hardware compatibility list (comic sans again) doesn't even exist. support.sophos.com/.../KB-000034600

I suppose the only way to tell is to find out what linux kernel the UTM 9.7 is using and then see what Intel drivers are included in that kernel.



This thread was automatically locked due to age.
  • Seems like a waste of other components (power supply, ram, storage) for such a low power box. I decided to go the vm route because that leave lots of future growth and options without upgrading hardware for a long time.

    I have symmetric gigabit fiber here, connections that are not white listed (ie some speed test sites), it still tops out at nearly 500mbps/thread - snort of course is at 100%.  Local speed test sites are white listed so they're not subject to snort inspection.

    It would appear as UTM has reached EOL without being officially announced EOL. New features have been minimal over the last year+.

  • It would appear as UTM has reached EOL without being officially announced EOL. New features have been minimal over the last year+.

    It's pretty much maintenance mode at this point, I think.  They haven't addressed driver issues for years, they have a clear agenda to push everyone to a product that is still in development essentially for that 'bleeding edge' tech.  When they finally announce EOL officially, that will be the flag for me to move on I think.  I am not a fan of XG, they want to push everything to central management which I don't want to do, XG isn't user friendly for me... and I've been using this product since v5 when it was Astaro. 

    My how time flies...

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I have mixed feelings about XG too. After having used the UTM for 7 years, XG was hard to get used to. There are aspects of it that make you say to yourself "what were they thinking?" But then again the same can be said for the UTM. Like why have a seperate window pop up for every single log in the UTM? 

    I honestly like both, but the UTM just feels easier to configure while the XG is a future proof product with it's DPI and support for TLS 1.3 inspection. It's just a shame they choose to stick with such an old Linux kernel.

  • Seems like a waste of other components (power supply, ram, storage) for such a low power box. I decided to go the vm route because that leave lots of future growth and options without upgrading hardware for a long time.

    Do you recommend running a proxmox server right behind a modem, directly exposed to the internet? I would not feel comfortable doing that unless the proxmox server was behind a firewall, in which case would introduce double NAT, but the Proxmox server would be protected. Someone enlighten me about how effective the built-in firewall of Proxmox would keep my network. Unless of course I could look into DMZ

  • When UTM finally ends, i'm going to pfsense or opnsense. Don't know what the XG devs were smoking when they designed the flow, but it makes no sense to me at all.

  • Exactly that. For instance, why would you set up email/SMTP settings in the Administration page,

    then have to go to Email-->Email logs to see if it worked? Shouldn't everything related be in the same section? It requires too much jumping around to get things done. The interface was also different in version 17 and a lot of the guides and tutorials are based on the older version which have a different outlay.

  • My set up is as follows;

    ONT  (fiber to ethernet media converter) connected to UTM's wan nic. The wan nic is in passthrough mode so utm has direct access to it. This seemed to make sense at the time I set this up and thus far has worked well.

    However, if you have unsupported nics then passthrough would defeat the purpose. Briefly poking around proxmox settings, it appears to be a front end of sorts for iptables. So if you're familiar with that, you can make it work.

    I can understand the reluctance of exposing a nic directly to the internet. But would it be be considered exposed if there's no IP assigned other than in a vm? Only the vm would have the public ip. Further, that vnic would not be assigned to any other guest.

  • But would it be be considered exposed if there's no IP assigned other than in a vm?

    I'm not sure if that's a real question or a hypothetical question, but in the end you are trusting the developers of Proxmox to not have any "call home" telemetry or unknown bugs that can allow data to leak out of the VM, and the whole idea seems counterintuitive.

    On second thought, the NIC of the firewall even when running bare metal is exposed too. So maybe it is not less secure to have it virtualized. 

  • It's a fair concern.

    My point was, the public/wan ip is not defined anywhere in the proxmox settings. It exists only in the guest vm. Any traffic trying to get out would still have to go through utm to do so. Same for inbound traffic.

    Fwiw, my proxmox management is on a different subnet entirely from anything else on the network. While it's defined as an additional address on the lan side, it could very well be on its own vlan as well.

    Internet access operates at osi level 3. Unless something on the isp's end is probing your network at layer 2, i don't see how it can gain access to anything at layer 3 as it would have to go through UTM.

  • Price-wise it is similar to a Qotom/Protectl fanless PC but with the ability to use your own NIC. Performance wise, it is considered good for the wattage used and is one of the faster embedded CPUs. Using only about 10 watts, it can get away with using a pico-PSU and power brick. Total cost around $350 with a good mITX case.