Firewalls in a VM

I was rereading a lot of my old posts and realized there are a lot of things I haven’t updated the site on. I’ve moved on from Sophos UTM appliance to the much more configurable PFSense!

The Issue

I used Sophos UTM9 for about a couple months – then I realized that there was an IP limitation for the home license. In a house with 7 people, with multiple devices each, IPs are consumed much faster than I had anticipated.

The good

The good thing about the UTM appliance was that the IPS detection and logging was excellent. I was able to see 1. the violated IPS rule, 2. the targeted internal host, and 3. the attacker’s IP.

This made IPS very easy to gather statistics on who was being attacked, or if a host machine was reaching out and potentially opening up a vulnerability. However, the IPS worked flawlessly.

The bad

The bad thing about this was that snort was single threaded. So connections would only use one core and this dramatically affected performance. A 500Mbit ISP download was shot down to 300-350Mbits. It wasn’t that bad but considering we are paying for 500… it would have been nice to see that number more often.

I loved everything about the Sophos UTM – it’s ease of use, the user-friendly web portal for VPN client download, and so much more. What killed it for me was the fact that it limited it to 50 internal IPs. With multiple IP cameras, smart home devices like the Google Home Mini, and way too many PCs, 50 IPs was simply not enough. So I started looking for something else!

Sophos XG, perhaps?

I suspended the UTM VM and downloaded the XG home edition image. First impressions? It was VERY beautiful. The main page was well laid out, with familiar graphs and statistics of the UTM appliance.

But the configuration was using a different model than the UTM.

Confusion

Unlike applying IPS on an interface, IPS rules are applied within the firewall rule level – similar to a Fortigate setup. This would mean that you have more granularity in which rules to apply the IPS, but it only really makes sense in multi-VLAN environments.

Since we only have a single LAN, there was no point in this. QoS was also the same here. I had to configure QoS from within every firewall rule? Who has time for that??

Access management for SSH, web portal, admin page, VPN etc., was neat, but it was a very unique implementation in comparison to the UTM appliance. The XG was REALLY advanced and the learning curve was way too steep.

Performance – The killer

I really did spend the time to set up XG though, and thought it was a very powerful appliance. But the shortfalls came to the same thing as when I first setup the UTM appliance. Major packet loss. I verified that the MTU was 1500, but there was no ECN check box like the UTM. That was what solved the UTM from losing packets. The congestion notification helped dramatically and it was no where to be found in the XG’s maze of options.

Packet loss was definitely a major factor in my decision to abandon XG as a whole. Maybe it was due to the VM NIC type… E1000?

The little things

I did want to use the XG for its ease of setting up VPN – a really solid part on Sophos for getting it right. PFSense on the other hand was a little more… technical. More on that later.

XG had the same IPS reportings, but not packet filtering. I wanted to see how many packets I’m filtering, and what IPs they originate from. That’s what I loved about the UTM – it was VERY informative. Too bad it only provided 50 IPs.

QoS didn’t work for me on the XG. Configuring it was difficult even on the UTM, but once I got the hang of it, it worked perfectly. The XG was pretty much crippled because the QoS and IPS rules were applied on the Firewall rule page (oh, and that was also mixed in with NAT rules… WHY???)

Conclusion

To sum it all up, UTM was near perfect. The home license was what failed me. I know I can buy a commercial license with more features and no limits, but at the end of the day… It’s not free.

XG was decent. Great in some areas, but too much nonsense to deal with to get it up and running. I’ll MAYBE give it another go but it doesn’t seem promising from first impressions.

I’ve moved on to PFSense. I’ll make a separate post on why I made this decision, but in short, it just works. Not that I didn’t have any issues with it, but the massive community helped making the appliance a joy to work with.

Leave a Reply

Your email address will not be published. Required fields are marked *