Sophos

Status
Not open for further replies.

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
So in a different Off-Topic thread here many folks encouraged me to give Sophos a try over pfSense and I am very glad I did. It's been running for a while now and although it's a learning experience, overall it was an easy installation. Don't get me wrong, it's not Plug-n-Play (do you windoze people remember that terminology?), there is some configuration to do and to get the most out of this product you will need to do a lot of reading and testing to ensure you got this beast set up properly.

I'm taking this slowly, but I did set up all the cool features and had to make a few minor changes to some of the default values to make everything work. For instance Netflix doesn't like to run using the default setup, even when you have inserted many rules in an attempt to get things to work, so I changed the Web Protection mode from Transparent to Standard. It's of course better I believe to leave it in transparent overall but this was the quick fix vice turning off the web protection service.

My test rig is pulling 58 watts of power and I could save a lot of money by taking this hardware and re-purposing it as my firewall.

The feature set is remarkable and worth looking into. I understand that it does run very well on ESXi although I have no intention of doing that. It would be nice to put both FreeNAS and the Sophos on the same machine, it would save me in energy costs but the idea of having FreeNAS on ESXi bugs me.

So I'd like to thank @pirateghost and @gpsguy for steering me to Sophos, it really is much better for a simple home user like myself.

As for hardware requirements, those are just as difficult to pin down as pfSense. A dual core 2GHz CPU (no particular model or brand), 2GB RAM, 40GB Hard Drive. BUT WAIT... depending on the feature set you want to use, you may want a better CPU and more RAM. I've been told that my E8500 CPU is overkill along with my 16GB of RAM but it sure does work speedy. I may remove half the RAM and underclock the CPU so I can unplug the CPU fan to see if I can go almost fanless. This would save a tiny amount of energy as well, assuming it works. I'll wait a week to ensure this software is fully operational (setup) before tweaking this kind of stuff.

-Mark
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
;)

Sophos UTM really is a great product, and it is sad that it doesn't get enough attention in a lot of the homelab(type) communities. Everyone always defaults to PFSense, which is a GREAT product, if you just want a firewall/router. When you start looking at filtering and AV options for a UTM, Sophos really shines. After testing every other option for filtering out there (even in PFSense), I cannot recommend Sophos enough. I have actually been considering purchasing a Sophos appliance, but they are pricey. Maybe one day.

If you want a lightweight, full featured enterprise router = EdgeRouterLite, or VyOS(if you want a home built)
If you want a lightweight, full featured firewall/router = PFSense
If you want a great web filter and firewall (not to mention all the VPN goodies included) = Sophos

By the way, Sophos HTML5 VPN is remarkable. If you haven't familiarized yourself with it yet, you should do so.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Is Sophos the old Astaro?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I loved Astaro, but kept running into their free tier cap of internal IP Addresses. Very cool!
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I loved Astaro, but kept running into their free tier cap of internal IP Addresses. Very cool!
The free home version is limited to 50 IP addresses. HOWEVER, from what I understand, the IP count is based on DHCP leases. If you run a DHCP server elsewhere on your network (I have an Active Directory domain), then your IP addresses are not counted. I hope they never change this, because, while I don't have more than 50 devices at home, I run through at least that many IPs while testing VMs and jails.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Unless something changed, I don't think that's the case. For the organization that I had using a 50 IP software license (paid $/year), I didn't use their DHCP server. I wasn't using ipv6, but I think if you have a device with ipv4 and ipv6, it'll use two licenses.

I migrated the smaller business to a SG210 and the other business has a UTM320 that will soon be replaced by a SG330. With their hardware appliances, one has an "unlimited" user license. Based on the hardware specs and options chosen, you'll discover the real user limitations. And, unfortunately, the hardware generally isn't upgradable or if you do, your hardware/software support warranty will be voided.

Like pirateghost, I too have toyed with the thought of buying a Sophos appliance for home.

HOWEVER, from what I understand, the IP count is based on DHCP leases.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Unless something changed, I don't think that's the case. For the organization that I had using a 50 IP software license (paid $/year), I didn't use their DHCP server. I wasn't using ipv6, but I think if you have a device with ipv4 and ipv6, it'll use two licenses.

I migrated the smaller business to a SG210 and the other business has a UTM320 that will soon be replaced by a SG330. With their hardware appliances, one has an "unlimited" user license. Based on the hardware specs and options chosen, you'll discover the real user limitations. And, unfortunately, the hardware generally isn't upgradable or if you do, your hardware/software support warranty will be voided.

Like pirateghost, I too have toyed with the thought of buying a Sophos appliance for home.
I use my Sophos UTM in transparent bridge mode. I have 4 VLANs in addition to my normal LAN. I use Sophos as DHCP server for my VLANs, but use my DC for my normal LAN. NONE of my IP addresses located in my normal LAN (VLAN1) are seen by Sophos in the license IP count. All the DHCP clients from the VLANs are counted in my license count.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
That's good to hear. I use transparent bridge mode at work, but since I'm using an appliance I have unlimited licenses.

For the other business, I used the standard (routing) mode instead. After a few years and random problems with certain firmware with certain Intel NICs, I convinced them to buy an appliance last year. It's been rock solid - just like my UTM at work.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Well I'm up to 45 used IP addresses out of 50, but many are just still under lease and I've assigned them a static IP address via Sophos. Also, even if the address is static on the device, like my printer, it still gets counted as an IP address. That is a bit crazy but that is okay, I think I'll survive it.

Working through the issues of setting this thing up really consumes a lot of time and I'm taking a lot of notes because I can change one thing to fix one issue and it may (and has) caused issues elsewhere. It is coming together though.

Right now I have an issue where it looks like my Sophos LAN port has created a virtual IP, well I think so because its real IP is 192.168.1.1 but I have dropped TCP packets going to 169.254.6.180 from one of my NAS units. I couldn't figure out what this was until I compared the MAC address and it is the eth0 interface on the Sophos box, which is also my LAN port.

Code:
21:00:53    Default DROP    UDP     192.168.1.50:32807  -->  169.254.6.180:49152  len=296    ttl=63    tos=0x00    srcmac=00:24:01:0b:44:75    dstmac=50:e5:49:b7:89:64


So I'm trying to figure out what to do about it, if anything. The downside is it drops a lot of packets and makes it look like there is something wrong with my NAS. Oh, I get this type of message for many devices (like cell phones, DirecTv, etc...) trying to connect to the eth0 port, I'd say most of them but I have not analyzed the data yet to make that determination. If these are a no big deal message then I'd like to stop recording them but first I'd like to understand what is going on.

I'm trying to find it via Google and the Sophos forums but nothing yet. In a few days I'm going to be forced to ask the stupid question about this, but hopefully I'll figure it out first.
 
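A small parser for the packet-filter log layout quoted in the post above, added here as an example (not code from the thread or from Sophos). It splits the line into fields and sorts the drops into the two benign buckets the thread ends up identifying (link-local 169.254.0.0/16 destinations and SSDP/UPnP discovery on port 1900) versus everything else worth a look. The first sample line is the one from the post; the second is constructed here.

```python
import ipaddress
import re

# First line: the drop quoted in the thread. Second line: constructed here to show
# the SSDP multicast case (port 1900) mentioned for the Onkyo receiver.
SAMPLE_LOG = """\
21:00:53    Default DROP    UDP     192.168.1.50:32807  -->  169.254.6.180:49152  len=296    ttl=63    tos=0x00    srcmac=00:24:01:0b:44:75    dstmac=50:e5:49:b7:89:64
21:01:10    Default DROP    UDP     192.168.1.77:52000  -->  239.255.255.250:1900  len=310    ttl=1    tos=0x00    srcmac=00:24:01:0b:44:99    dstmac=01:00:5e:7f:ff:fa
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>.+?)\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+-->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<rest>.*)$"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 auto-configured range
SSDP_MCAST = ipaddress.ip_address("239.255.255.250")  # SSDP discovery multicast group


def parse_line(line):
    """Return a dict of the line's fields, or None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The trailing part is a run of key=value tokens (len, ttl, tos, srcmac, dstmac).
    for token in rec.pop("rest").split():
        key, _, value = token.partition("=")
        rec[key] = value
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Bucket a parsed drop: SSDP discovery, link-local chatter, or needs review."""
    dst = ipaddress.ip_address(rec["dst"])
    if dst == SSDP_MCAST or rec["dport"] == 1900:
        return "ssdp-discovery"
    if dst in LINK_LOCAL:
        return "link-local"
    return "review"


def summarize(text):
    """Count drops per bucket over a block of log lines."""
    counts = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            bucket = classify(rec)
            counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```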

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
What machine is 192.168.1.50? It looks like it's trying to do some torrenting maybe?

Here is my license count, and my entire main LAN runs on 192.168.254.0/24, none of which is counted
 

Attachment: Screenshot from 2015-07-20 20-25-54.png

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
The 192.168.1.50 is a D-Link 321 NAS box. I am disabling some of the features I had setup on it in an effort to single out the issue, however I do get dropped packets from other devices also with the same type of issue, trying to use a 196.254.6.180:49152 address for the eth0 connection such as my Onkyo A/V receiver and there are other devices like my daughter's TV which is only an internet driven device so I'll have to see if there is anything to note there as well. I know my DirecTv DVR needs some fixing as well, I am unable to record internet streaming content, but all in good time, I may just put that in a DMZ for now, but I need to figure out how to do that as well, but it won't take me long.

Okay, so I disabled my D-Link 321 UPnP AV Server and the dropped packets seemed to have stopped for that device. So I know now it's the UPnP A/V Server for this device. I no longer need that service so leaving it off is fine.

The Onkyo is on port 1900 and I guess that is typically blocked but I guess I'll have to create a rule to pass it. Learning time!
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I'm sure you've already discovered that firewall rules are processed in the order they show on the list
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Yes, I did understand there is a priority system. As for firewall rules in general, these are much more complex over my Asus Router, that is for sure. I'll get it figured out eventually and honestly, it's the best way to learn the software, at least the sections I need to figure out. I've got my wife's facebook working so she's a happy camper, isn't that all that counts?
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
For some of your testing, consider adding an IP address to the transparent mode skiplist. I use it as a quick way of testing issues. Occasionally, I have to put my desktop in there momentarily in order to download stuff from HP.

If you are using multiple web filtering profiles, that can complicate stuff. IIRC, the webGUI for this section changed in 9.2 or 9.3. I preferred the old way.


Sent from my phone
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I am using Standard mode vice transparent mode because I was having Netflix issues.

So, no DMZ because I have figured out how to create a simple firewall rule to allow specific IP address ranges. For instance, for the DirecTv drops, I figured out that DirecTv owns the IP address range 99.193.x.x so I created a firewall rule just for my DirecTv DVR to allow access to that entire range. I believe that is the proper method to implement a firewall rule. I originally just opened the internet up to my DVR but started to play around some more.

I'm still a little confused about the advantages between Standard and Transparent mode and if it would make a difference. But now that I know about how to create a firewall rule, well somewhat that is, I can play with the Netflix issue.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Transparent mode will filter all traffic through the system. Standard requires you to configure proxy settings on the clients. Transparent mode makes the most sense to me. If I have a device that can't communicate, that's the first place I look, in the web filter. I can add it quickly to the skip hosts portion, and it will not be filtered.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I just got frustrated getting Netflix to work properly. It does not like transparent mode. I thought I had it going okay with HTTPS setting to not do anything but it still met in failure. Standard mode is all that works for right now. I may need to set something else up but that will need to wait until tomorrow, I'm done working Sophos for the night.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I just got frustrated getting Netflix to work properly. It does not like transparent mode. I thought I had it going okay with HTTPS setting to not do anything but it still met in failure. Standard mode is all that works for right now. I may need to set something else up but that will need to wait until tomorrow, I'm done working Sophos for the night.
I'll share some screenshots of my setup for ya when I get home.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Under Web Protection > Filtering Options > Exceptions:
Minecraft:
Code:
^http?://([A-Za-z0-9.-]*\.)?minecraftforge\.net/
^http?://([A-Za-z0-9.-]*\.)?planetminecraft\.com/
^http?://([A-Za-z0-9.-]*\.)?s3\.amazonaws\.com/MinecraftDownload
^http?://([A-Za-z0-9.-]*\.)?s3\.amazonaws\.com/MinecraftResources
^http?://([A-Za-z0-9.-]*\.)?mcreator\.pylo\.si
^http?://([A-Za-z0-9.-]*\.)?alteredsoftworks\.com
https://authserver.mojang.com/
https://libraries.minecraft.net/
https://sessionserver.mojang.com/
https://s3.amazonaws.com/
http://launcher.mojang.com


NetFlix:
Code:
^http?://[A-Za-z0-9.-]*netflix.com/
^http?://[A-Za-z0-9.-]*llnwd.net/
^http?://[A-Za-z0-9.-]*edgesuite.net/
^http?://[A-Za-z0-9.-]*nflximg.com/
^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
^https?://[\d+(\.\d+){3}/]*/[0-9]{8}\.ism
^https?://[\d+(\.\d+){3}/]*/[0-9]{9}\.ism
^https?://[\d+(\.\d+){3}/]*/[0-9]{10}\.ism
^http?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
^http?://23.7.139.*
^https?://secure\.netflix\.com/*
^https?://uiboot\.netflix\.com/*


Nintendo:
Code:
^https?://portal-us\.olv\.nintendo\.net/
^https?://nintendojp\.d1\.sc\.omtrdc\.net/
^https?://account\.nintendo\.net/
^https?://discovery\.olv\.nintendo\.net/
^https?://api-us\.olv\.nintendo\.net/
^https?://ninja\.wup\.shop\.nintendo\.net/
^https?://geisha-wup\.cdn\.nintendo\.net/
^https?://ias\.wup\.shop\.nintendo\.net/
^https?://nus\.wup\.shop\.nintendo\.net/
^https?://samurai-wup\.cdn\.nintendo\.net/
^https?://idbe-wup\.cdn\.nintendo\.net/
^https?://pushmore\.wup\.shop\.nintendo\.net/
^https?://ecs\.wup\.shop\.nintendo\.net/
^https?://olvus\.cdn\.nintendo\.net/
^https?://mii-secure.account\.nintendo\.net/
^https?://npvk\.app\.nintendo\.net/
^https?://ccs\.wup\.shop\.nintendo\.net/
^https?://nppl\.app\.nintendo\.net/
^https?://mii-images\.account\.nintendo\.net/
^https?://tagaya\.wup\.shop\.nintendo\.net/
^https?://pls\.wup\.shop\.nintendo\.net/
^https?://npts\.app\.nintendo\.net/
^https?://mii-secure\.cdn\.nintendo\.net/
^https?://samurai\.wup\.shop\.nintendo\.net/
^https?://web-us\.l1\.us\.vino\.wup\.app\.nintendo\.net/
^https?://tvii-prod\.l1\.us\.vino\.wup\.app\.nintendo\.net/
^https?://tagaya-wup\.cdn\.nintendo\.net/
https://54.236.89.112/
https://54.236.187.223/
https://54.236.167.22/
^https?://d1eqyqhzpk1v17\.cloudfront\.net/
^https?://cdn\.mxpnl\.com/
^https?://api\.mixpanel\.com/


Sony:
Code:
pls.patch.station.sony.com
manifest.patch.station.sony.com
lp.soe.com
^http?://([A-Za-z0-9.-]*\.)?sony\.com
^https?://([A-Za-z0-9.-]*\.)?playstation\.com/
^https?://([A-Za-z0-9.-]*\.)?playstation\.net/
^https?://([A-Za-z0-9.-]*\.)?playstation\.org/
^https?://125\.199\.254\.51
^https?://198\.107\.*\.*
^https?://184\.84\.65\.*
^https?://173\.230\.216\.*
^https?://50\.19\.100\.125
^https?://209\.251\.*\.*
 

Attachment: Screenshot from 2015-07-21 23-19-34.png
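An added check for exception lists like the ones posted above (example code, not from the thread or from Sophos): it runs sample URLs against three of the posted Netflix patterns and against tightened rewrites, and flags two mistakes that show up in the lists. `^http?://` is "htt" plus an optional "p", so it never matches an https URL, and an unescaped `.` matches any character, so a pattern can exempt a lookalike host from the web filter. The tightened patterns and the assumption that the UTM applies each exception as a regex search are mine; the lookalike URL is constructed.

```python
import re

# Three patterns copied from the posted Netflix exception list.
POSTED = [
    r"^http?://[A-Za-z0-9.-]*netflix.com/",
    r"^http?://[A-Za-z0-9.-]*llnwd.net/",
    r"^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/",
]

# Tightened rewrites (assumption): both schemes, escaped dots, and only real
# subdomains of the intended host rather than any host name ending in it.
TIGHTENED = [
    r"^https?://([A-Za-z0-9-]+\.)*netflix\.com/",
    r"^https?://([A-Za-z0-9-]+\.)*llnwd\.net/",
    r"^https?://([A-Za-z0-9-]+\.)*nflxvideo\.net/",
]

# A '.' that is not escaped and is followed by a letter (a class like [.-] is not hit).
UNESCAPED_DOT = re.compile(r"(?<!\\)\.(?=[A-Za-z])")


def first_match(url, patterns):
    """Index of the first pattern that matches url, or None.
    Assumes the UTM evaluates exceptions as a regex search on the full URL."""
    for i, pattern in enumerate(patterns):
        if re.search(pattern, url):
            return i
    return None


def audit(patterns):
    """Return (pattern, problem) pairs for the two mistakes described above."""
    issues = []
    for pattern in patterns:
        if pattern.startswith("^http?://"):
            issues.append((pattern, "http? matches only http://, never https://"))
        if UNESCAPED_DOT.search(pattern):
            issues.append((pattern, "unescaped '.' before a letter matches any character"))
    return issues
```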