
Another "is this enough hardware" question

I played with UTM a few years back through work, and we're about to become foster carers, so I now feel the need to control what the home internet connection is used for. I don't want to spend millions - the wife would veto that - but I want something relatively saleable.

The basic idea is that I use my existing Asus router as an access point, then monitor/filter/log everything except traffic from designated MACs/IPs.

I have a 400mbit down 22mbit up internet connection, so I'm conscious that I need to be aware of CPU usage etc.

Load will be various mobile devices, tablets, TVs streaming Netflix etc, a few computers connected by LAN, up to 5 total users.

I'm looking at this:

http://www.mini-itx.com/~JBC420

Only 2 LAN but I will use my existing Asus router as a switch/access point.

The N3160 is Braswell so supports AES-NI etc. I have mSATA SSDs and RAM for it kicking around already.

Is this likely to be a bottleneck?

  • Hi Richard,

    The 3160 chip is good. I have a Zotac CI323 Nano (60GB SSD/8GB RAM) box with much the same setup (except that it is a 3150). I had heard a while ago of problems with the NICs on the Jetway boxes; I am not sure about these issues now (they may well be fixed). I have the Home license installed.

    FYI: the other boxes from Zotac don't seem to play well with Sophos (or Linux for that matter).

    Even when I have all the modules running, I don't see it getting much above the 15% mark (on a 40/10 FTTC), and that's when I am streaming 2 HD Videos.

    Remember that the Home license only supports 6GB of RAM.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Thanks Jason.


    The bit that worries me is that if you can hit 15% CPU on 40/10 FTTC, then I might run out of CPU before I run out of bandwidth with 400mbit down (Virgin 350mbit service, which is provisioned at 402mbit on the modem).

    Mind you, I mostly care about hitting max bandwidth on my main desktop and my home server, which I guess I will be excluding from most rules.

    With the Home license only supporting 6GB RAM, will it not work if I have more (which might mean buying a 2GB stick!) or will it just only use 6GB (which is fine)?

    The LAN PHYs on the model I'm looking at are Intel 211s, so hopefully not going to have issues like I've read the 219s do.

  • Hi Richard,

    If the Intel chips support AMT, then there are no LAN drivers included in the UTM ISO...

    The Home license from UTM will use the full RAM as far as I know... the XG Home is limited to 6GB RAM, not the UTM one (anyone correct me if I'm wrong).

    Look at the new Zotac CI327 model; it has no Intel LAN chips and a good CPU in it. UTM will install on it directly...


    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Ah, that CPU is not going to be man enough though.

    I don't remember having issues with NIC compatibility last time I used Sophos, although it was a while ago. Perhaps I'll have to look at another product, I don't want to spend loads of money on hardware and find it doesn't work.

  • Hi Richard,

    When I was hitting just under 15%, I was trying to find out what my maximum CPU was going to be, so I used everything: all modules working, I even created an SMTP server and ran some very large files through it while surfing the web, and also ran application control (and an S2S VPN).

    Obviously, there would be no need to proxy video streams from Netflix & Amazon Prime, etc.

    Currently I have about 30 devices inside the network, most of which are on WiFi (2 x AP50) with a mesh network, and four of those devices stream videos (Kodi, Netflix, Amazon Prime, etc.) and I hardly hit the 5% mark.

    The I211s will not be a problem; I currently have an SG135 on the bench at work, which has these NICs.

    I wanted to find a unit with the Intel 3160 (lower power and more bang for the buck, so to speak), but at the time could only find the 3150 available.

    Good to know that the UTM supports all RAM; I always thought it was just 6GB.


  • Have you considered the Qotom boxes?

    https://www.aliexpress.com/store/product/QOTOM-Q355G4-2017-New-fanless-X86-4-LAN-Micro-Computer-I5-5250U-Dual-core-onboard-1080P/108231_32800711474.html

    The 5250U is somewhat beefier than the Celeron mentioned above. I'm running this setup with UTM Home under ESXi with a 350/25 Mbps pipe. With all the security turned on, I'm still able to get full bandwidth on straightforward speed tests. I've only been able to test VPN speeds up to my full upload of ~25 Mbps.

    The Qotom uses 4 Intel I211-AT NICs, which I believe are supported directly.

    This box is available from eBay and Amazon too. One caveat: they advertise it as fanless, but even at idle the chassis was hot to the touch, and under heavy load too hot. I picked up one of these at Amazon for cheap: https://www.acinfinity.com/component-usb-fans/multifan-s3-quiet-usb-cooling-fan-120mm/

    Essentially it's a 120mm case fan with grill guards, rubber feet, a 3-speed fan controller and a USB interface for power. I used a 1A cell phone charger brick instead of plugging it directly into the motherboard USB header. Cheaper to replace a power brick than a motherboard. With the fan placed in the center, the chassis is barely lukewarm, even after full load.

  • Thanks, that Qotom box actually really appeals to me, but I've received the Jetway one today so will try with this first :)

    It uses the same I211-AT NICs, so should be fine.

    The 5250U is certainly beefier; it's a proper Broadwell CPU. Perhaps my next upgrade!! :)

  • With UTM 9 and web filtering enabled, I get about 140Mbit throughput at about 30% CPU. I'm assuming this means I'm maxing out a single core and can't go higher.

    XG gets me more, but it has some strange behavior: it takes a lot longer to "ramp up", but hits about 250Mbit.

    I can't quite figure out how to bypass the rules for certain MACs.

  • Note that Jason appears to have been multitasking and gave you an answer for the XG solution, and that his download speed is only 10% of your 400Mbps. Your limit will be around 40Mbps per connection with Intrusion Prevention active. If you have ten users downloading simultaneously, you might be able to fill the pipe. Check out the recent posts in the "Unofficial HCL" pinned to the top of this forum.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob.

    I'm now using the Qotom box, with the i5-5250U, 8GB RAM, and a 256GB SSD.

    This is working quite well; the CPU definitely has a lot more heft to it. I've solved the heating issue by enabling TDP-Down in the BIOS, taking it from 15W TDP to 9.5W TDP. Obviously this will have a performance impact, but it performs much better than I actually need anyway.

    I've turned off IPS, and this is giving me speed tests in the 380Mbit range with very little CPU load.

    Web filtering is active, with the exception of requests from my desktop and server.

    I had blocked outgoing port 53 (DNS), as I was using a static entry for www.google.com to forcesafesearch.google.com, but this actually broke the Chromecasts, which have hard-coded Google DNS.

    I added a DNAT rule to translate all outgoing DNS requests to the router IP (192.168.2.100), and this seems to have solved it while maintaining my filtering.
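As an added example (not from this thread or from Sophos), here is a small audit script for checking the setup described in the last post: it walks UTM-style key="value" packet-filter log lines (field names approximate, sample lines constructed here), reports non-exempt clients that send DNS to a resolver other than the router at 192.168.2.100 (the hard-coded-DNS devices the DNAT must catch), and shows the verdict the DNAT policy gives each flow. The exempt desktop/server addresses are assumptions.

```python
import re
from typing import Dict, List, Tuple

ROUTER_IP = "192.168.2.100"                 # router/resolver IP from the thread
# Assumed addresses of the desktop and server that bypass filtering (constructed).
EXEMPT_SRC = {"192.168.2.10", "192.168.2.20"}

# Constructed sample log lines in the key="value" style used by UTM packet-filter
# logging; field names are approximate and the values are invented for this example.
SAMPLE_LOG = """\
ulogd: sub="packetfilter" action="accept" srcmac="aa:bb:cc:00:00:01" srcip="192.168.2.50" dstip="8.8.8.8" proto="17" dstport="53"
ulogd: sub="packetfilter" action="accept" srcmac="aa:bb:cc:00:00:02" srcip="192.168.2.10" dstip="1.1.1.1" proto="17" dstport="53"
ulogd: sub="packetfilter" action="accept" srcmac="aa:bb:cc:00:00:03" srcip="192.168.2.51" dstip="192.168.2.100" proto="17" dstport="53"
ulogd: sub="packetfilter" action="accept" srcmac="aa:bb:cc:00:00:04" srcip="192.168.2.52" dstip="93.184.216.34" proto="6" dstport="443"
ulogd: sub="packetfilter" action="accept" srcmac="aa:bb:cc:00:00:05" srcip="192.168.2.53" dstip="8.8.4.4" proto="6" dstport="53"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV.findall(line))


def dns_policy(rec: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, effective destination) for a flow under the thread's policy:
    non-DNS traffic is untouched, exempt hosts keep their chosen resolver,
    queries already aimed at the router stay local, everything else is DNATed."""
    if rec.get("dstport") != "53":
        return ("untouched", rec["dstip"])
    if rec["srcip"] in EXEMPT_SRC:
        return ("exempt", rec["dstip"])
    if rec["dstip"] == ROUTER_IP:
        return ("local", rec["dstip"])
    return ("dnat", ROUTER_IP)          # rewritten to the router, UDP and TCP alike


def audit(log: str) -> List[Tuple[str, str, str]]:
    """List (srcip, srcmac, dstip) for every non-exempt client whose DNS query
    went to an external resolver, i.e. the flows the DNAT rule has to rewrite."""
    found = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("dstport") == "53" and dns_policy(rec)[0] == "dnat":
            found.append((rec["srcip"], rec["srcmac"], rec["dstip"]))
    return found


if __name__ == "__main__":
    for src, mac, dst in audit(SAMPLE_LOG):
        print(f"{src} ({mac}) resolves via {dst}; DNAT redirects it to {ROUTER_IP}")
```

Run it against a real packet-filter log export to confirm that only the exempt desktop and server ever reach an outside resolver once the DNAT rule is in place.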