Sophos

Status
Not open for further replies.

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
The only downside really is you have to run RAM in pairs, as the board doesn't allow a single RAM configuration.
Well I didn't see that in the user manual however it recommends a pair to enable Interleave mode which makes the RAM work faster than a single stick. Of course I'd purchase a pair myself too.

Looking at what I could for benchmark testing, it's difficult to see how fast this MB/CPU is that you are choosing, it certainly sounds nice and to be honest, I'd like to play around with one to check it out.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Well I didn't see that in the user manual however it recommends a pair to enable Interleave mode which makes the RAM work faster than a single stick. Of course I'd purchase a pair myself too.

Looking at what I could for benchmark testing, it's difficult to see how fast this MB/CPU is that you are choosing, it certainly sounds nice and to be honest, I'd like to play around with one to check it out.
I thought I had read that in the manual, but re-reading it, I'm not sure where I pulled that out of :confused: Thanks for bringing that to my attention, I'll edit my post to remove that information

The C2558/C2758 are almost identical to the C2550/C2750 (which runs in my AsRock C2750D4I), with TurboBoost being dropped for QuickAssist and Intel 64... everything else is exactly the same
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I'm not sure where I pulled that out of :confused:
Because the user manual sucks when it talks about the memory. It doesn't give an example of a single slot configuration and makes the assumption everyone will want a pair installed, which may be true in 99% of the cases. You could purchase a single stick if you want however if you plan to use it as a VM platform, a pair is by far the better choice from a speed perspective. If it was only a UTM device then I'd personally likely opt for a single 8GB stick of RAM but it would depend on RAM pricing of course.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Not sure what they've done for the Avoton, but for the Xeon stuff, the topic of memory is sufficiently complicated that Supermicro mostly omitted that from the manual back in X9 days and created an entire guide.

http://www.supermicro.com/support/resources/memory/X9_DP_memory_config.pdf

http://www.supermicro.com.tw/support/resources/memory/X10_memory_config_guide.pdf

the latter of which is actually the DP guide even though it doesn't say so. I don't see a UP guide. I expect that, as with the X9_DP, the UP is very similar to the DP with just the obvious differences. Might be worth contacting Supermicro to see if they've done the same thing for the Avoton (guessing: not).
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
If there's no official recommendation, my suggestion is to use one of the DIMM slots from the dual-channel configuration.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Any recommendations on Sophos UTM setup guides? I'm still in the process of reading the manual, and am going through section by section as I navigate the web portal, however a setup guide for reference would be awesome to be able to read =]
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Any recommendations on Sophos UTM setup guides? I'm still in the process of reading the manual, and am going through section by section as I navigate the web portal, however a setup guide for reference would be awesome to be able to read =]
The best thing I can tell you is to just use the initial setup wizard. Get basic functionality working. Then start messing with it.

There is no 'setup guide' because just like FreeNAS, there are too many different configurations and possibilities.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Any recommendations on Sophos UTM setup guides? I'm still in the process of reading the manual, and am going through section by section as I navigate the web portal, however a setup guide for reference would be awesome to be able to read =]

I, more or less, asked the same question back on page 5 of this thread. Got some good replies, so if you haven't already, check back there. If you have any further questions, feel free to ask. I recently got mine going with no prior knowledge of Sophos.
 

HardChargin

Dabbler
Joined
Jul 19, 2015
Messages
49
One key thing (of many) I learned, from the manual, is to disable the WebAdmin management from the WAN/External Network post install. By default it is enabled. Be careful not to lock yourself out. Also, I used the Shields Up service from the Gibson Research site to test my security from the outside.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
One key thing (of many) I learned, from the manual, is to disable the WebAdmin management from the WAN/External Network post install. By default it is enabled. Be careful not to lock yourself out. Also, I used the Shields Up service from the Gibson Research site to test my security from the outside.
Guess I didn't catch that one, where is the setting to disable it?
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
Thanks and Done.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I always add in a couple of my vlan subnets in there as well as my vpn subnets so I can manage remotely over VPN
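An added example, not part of any post in this thread: a pre-change check on a proposed WebAdmin allowed-networks list, covering both points raised above (keep management off the WAN, and do not lock yourself out). It assumes the list can be written as IPv4 CIDR strings with "any" expressed as 0.0.0.0/0; the function name, admin addresses and VPN pool are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; an entry outside them is treated as reachable from the WAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_allowed_networks(allowed, admin_ips):
    """Check a proposed allowed-networks list (IPv4 CIDR strings).

    Returns (exposed, locked_out):
      exposed    - entries that are not fully inside RFC 1918 space
      locked_out - admin source addresses that no entry covers
    """
    nets = [ipaddress.ip_network(n) for n in allowed]
    exposed = [str(n) for n in nets
               if not any(n.subnet_of(p) for p in RFC1918)]
    locked_out = [ip for ip in admin_ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return exposed, locked_out


# Constructed sample data: a LAN workstation and a VPN client used for management.
ADMIN_IPS = ["192.168.1.10", "10.242.2.5"]
CANDIDATES = {
    "default (any)": ["0.0.0.0/0"],
    "LAN only": ["192.168.1.0/25"],
    "LAN + VPN": ["192.168.1.0/25", "10.242.2.0/24"],
}

if __name__ == "__main__":
    for name, allowed in CANDIDATES.items():
        exposed, locked_out = audit_allowed_networks(allowed, ADMIN_IPS)
        print(f"{name:14} exposed={exposed} locked_out={locked_out}")
```

An empty `exposed` list with an empty `locked_out` list is the state to reach before saving the change; an external scan from outside the network then confirms the result.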
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I thought about adding my second subnet but I only use it for my VM machines to keep them off my normal subnet in case of something stupid happening. Nope, no VPN subnets yet either. I know I can do it but when I attempted it the first time I encountered issues with my second WAN connection, it's fixed now but I haven't sat down yet to fool with it.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
My network layout: Modem --> Sophos [192.168.1.0/25] --> WRT1900ac [192.168.100.0/26; Sophos static IP 192.168.1.2]
  • I've added a route in Interfaces & Routing - Static Routing for WRT1900ac
    • 192.168.1.2 --> [Gateway] WRT1900ac [192.168.100.0/26]
      • Can access WRT1900ac's WebAdmin page from 192.168.1.2 (as well as from 192.168.100.1), but cannot access any other address on its own subnet [192.168.100.0/26]
        • I receive the Sophos error page with the reason being: "Connection to server timed out"
    • I've also modified the WAN interface on OpenWRT to static, as well as moved it from the WAN firewall zone to the LAN firewall zone
      • Proto: Static; IP: 192.168.1.2; Netmask: 255.255.255.128; IP gateway: 192.168.1.1; Custom DNS: 192.168.1.1 & 192.168.100.1
    • On Sophos, eth0 is WAN and eth1 - 3 are configured as a LAN bridge.
      • I wasn't sure if I should configure OpenWRT on its own port outside of the bridge, and figured I'd wait for input from anyone who has more experience with this than I do.

I'm obviously missing the correct configuration to be able to access the separate subnet, just not sure what.
  • I haven't yet added any static device routes into Sophos's DNS, and will be tonight when I have time... so this could be the issue, but I figured I should ask anyways since I've never run more than one managed router within a network before. I know it'd be easier to put Sophos and the WRT1900 on the same subnet, however I wanted to have a failover for FreeNAS in case OpenWRT locks up when I'm not at home. (Speaking of which, would I gain anything by setting up link aggregation with the two LAN ports on FreeNAS since there will now be two separate subnets on two separate routers?)
 

HardChargin

Dabbler
Joined
Jul 19, 2015
Messages
49
My network layout: Modem --> Sophos [192.168.1.0/25] --> WRT1900ac [192.168.100.0/26; Sophos static IP 192.168.1.2]
  • I've added a route in Interfaces & Routing - Static Routing for WRT1900ac
    • 192.168.1.2 --> [Gateway] WRT1900ac [192.168.100.0/26]
      • Can access WRT1900ac's WebAdmin page from 192.168.1.2 (as well as from 192.168.100.1), but cannot access any other address on its own subnet [192.168.100.0/26]
        • I receive the Sophos error page with the reason being: "Connection to server timed out"
    • I've also modified the WAN interface on OpenWRT to static, as well as moved it from the WAN firewall zone to the LAN firewall zone
      • Proto: Static; IP: 192.168.1.2; Netmask: 255.255.255.128; IP gateway: 192.168.1.1; Custom DNS: 192.168.1.1 & 192.168.100.1

I'm obviously missing the correct configuration to be able to access the separate subnet, just not sure what.
  • I haven't yet added any static device routes into Sophos's DNS, and will be tonight when I have time... so this could be the issue, but I figured I should ask anyways since I've never run more than one router within a network before. I know it'd be easier to put Sophos and the WRT1900 on the same subnet, however I wanted to have a failover for FreeNAS in case OpenWRT locks up when I'm not at home. (Speaking of which, would I gain anything by setting up link aggregation on the two LAN ports on FreeNAS since there will now be two separate subnets on two separate routers?)
I'm no network expert by any means, but that won't stop me from taking a stab at this one. That said, take this with a grain of salt. If I understand correctly what you've got there, you are double NAT'ing which I think in general is bad practice. Depending on what you are trying to accomplish, it looks to me like what you want to do is configure your WRT1900 as an Access Point (not a default gateway), and plug a cable from your LAN/Internal network from your Sophos UTM into a LAN port (not WAN) on your WRT1900. Any mis-configurations aside, this should put your wireless network on the same subnet as your LAN and it will get IP addressing/leases the same as the devices on your LAN. Essentially your wireless router just becomes a pass through. If you are looking to put your wireless on a separate network, it's probably best done using another port/zone (WLAN) on your Sophos UTM and then configuring the appropriate Firewall/NAT rules. Again, I'm no expert here, so take it for what it's worth.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I'm no network expert by any means, but that won't stop me from taking a stab at this one. That said, take this with a grain of salt. If I understand correctly what you've got there, you are double NAT'ing which I think in general is bad practice. Depending on what you are trying to accomplish, it looks to me like what you want to do is configure your WRT1900 as an Access Point (not a default gateway), and plug a cable from your LAN/Internal network from your Sophos UTM into a LAN port (not WAN) on your WRT1900. Any mis-configurations aside, this should put your wireless network on the same subnet as your LAN and it will get IP addressing/leases the same as the devices on your LAN. Essentially your wireless router just becomes a pass through. If you are looking to put your wireless on a separate network, it's probably best done using another port/zone (WLAN) on your Sophos UTM and then configuring the appropriate Firewall/NAT rules. Again, I'm no expert here, so take it for what it's worth.
The WRT1900 isn't set up as a default gateway... the static route type I configured to be able to access it from the Sophos subnet is a gateway route. The only default gateway configured is Sophos.

I'm not looking to separate the wireless lan from the ethernet lan bridge on the WRT1900... I want the WRT1900 on its own subnet [192.168.100.0/26], which is already set up, Sophos on its current subnet of 192.168.1.0/25, and both to be able to access each other's IPs. I know how to allow access to Sophos's IPs in OpenWRT, but I'm not sure what needs to be configured on Sophos to be able to access the OpenWRT subnet from Sophos's subnet.
  • If need be, I can reassign eth1 [WAN] on the WRT1900 to the LAN bridge, however I wasn't sure if I'd be able to configure the WRT1900 with a separate subnet if I did so and still have traffic routed correctly. (WAN [eth1] has already been assigned to the LAN firewall zone on OpenWRT, so I know this isn't a firewall issue on OpenWRT's end)
I read a few tutorials on how to set up the WRT1900 as only an access point, however every tutorial I read stated the DHCP server would then need to be set up on the 1st router [Sophos], which I don't want due to the 50 IP limit (currently I have 40 IPs statically assigned on the WRT1900ac). I know this isn't that complicated to accomplish, I'm simply unsure how to configure it correctly in Sophos.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Is there a reason you are creating two different subnets?

I was, more or less, going to say the same thing as HardChargin. I understand you have 40 statically assigned IP's, but do you have need for more than 50? Unless you have tons of VMs taking up all the IPs, what is it that has you needing more than 50?
 

HardChargin

Dabbler
Joined
Jul 19, 2015
Messages
49
If you are trying to preserve (hide) IPs for licensing reasons, it seems you will have to have some form of double NAT'ing which I think will greatly complicate your network(s) and make it more difficult to get them to talk to each other the way you want.
 