Sophos home router
11/26/2023

The Sophos home edition is rather limited in features and even the Home Premium subscription tops out at 10 devices (no idea if that is enforced, don't want to find out at the wrong moment). I've also never had (or at least noticed) any intrusion or virus in the family network, where only I ever worry about security. It's currently running on Suricata (Snort is still single threaded, I believe), using the biggest non-commercial ruleset (ETOpen + Snort subscriber) and doesn't throttle any of my current 400MBit bandwidth due to CPU limitations (that's where both the Atom and the VM bottlenecked).

But I tend to go heavy on Suricata and Snort intrusion detection rule sets and that does cost a bit to significant CPU overhead. Typical pfSense appliances, even the ones they sell with support, are still Atom based and of course an Atom will let Gbit bandwidth pass from one end to the other. You also want to have AES-NI instruction set support (which the J1900 lacked).

You sure won't be in the same situation, but having Intel NICs on every end of your firewall is strongly recommended to use accelerated code paths in various modules of pfSense. I got a very special motherboard for it, a Mini-ITX with 8 (eight!) Intel Gbit ports, sheer overkill, but I got it cheaper than new RAM, as it works with the very same two 8GB DDR3 SO-DIMMs I had already paid for and used in the Atom: It even fit into the same chassis! at least after I upgraded the appliance to an i7-7700T (35 Watt), which I Noctuad down to unnoticeable sound emissions. The GUI is nowhere near as nice as Astaro/Sophos/UTM and it's still obvious that the original business model was based on selling the documentation not the software, but it works, it is very well supported and it can take the load. But pfSense is worth the overhead, and I practically never need to deal with the BSD underneath the Web-GUI.
Yes, even if I preferred *real* Unix like AT&T SysV R3 or 386BSD over that Linus T. kid's 0.9x OS with the Minix knock-off file system in the old days, CentOS has been my mainstay for at least a decade and BSD these days feels rather "raw". I looked around the free personal firewall scene and evaluated a couple of them to settle on pfSense. There are also simply too many good reasons to make your primary firewall an independent appliance. I tried running the appliance as a VM on my 24/7 home-server, an entry-level Xeon with plenty of RAM and muscle, but since that's based on Windows server (Terminal server and desktop as well as VM host and file/print server), all type 2 hypervisors seemed challenged with such I/O intensive loads (and no SR-IOV or similar). When Astaro got bought up by Sophos, the pressure to purchase got stepped up but also my bandwidth increased from low Mbits to hundreds and a point where the Atom was becoming a bottleneck. Networking isn't my IT-primary but I really needed to keep my home, lab and family safe (two dozen physical computing devices from smartphones to big workstations). I've really liked the user interface, of course it was complex, but mostly because the appliance grew ever more powerful as well. Initially it ran on a decommissioned corporate notebook with a secondary Ethernet as PCMCIA card, but eventually it graduated to a J1900 Atom with dual Ethernet NICs.

I started with UTM when Astaro came out with the free version more than 15 years ago.