Sophos (or maybe other) Hardware Firewall Build

SimssmiS

Hi Guys,

 

My plan is to set up a hardware firewall for my home network.

I looked at the Sophos UTM220, but it is noisy as hell.

I need a system that is 100% silent and can still handle my needs.

I mostly need it for VPN and IPv6/IPv4 conversion.

 

Any Ideas?

 

(If you need more information, please ask. I'm at work but will answer asap.)


Are you particularly tied to Sophos as the firewall/UTM implementation, or is that just an example?


2 minutes ago, brwainer said:

Are you particularly tied to Sophos as the firewall/UTM implementation, or is that just an example?

Sophos was suggested by someone else, but I'm open to other options.

Main Problem to solve is:

I've got an IPv6-only Internet connection (IPv4 through a DS-Lite tunnel). This is the reason I can't access my Unraid server and Plex server from anywhere but my home network. So if you've got a solution... go ahead :)


The FortiGate SMB series are a good option; most of them are fanless. I use a FortiGate 60D at home, but you might not need a model that high. A 30E (the E series is new and much faster) will likely do everything you need.


15 minutes ago, leadeater said:

The FortiGate SMB series are a good option; most of them are fanless. I use a FortiGate 60D at home, but you might not need a model that high. A 30E (the E series is new and much faster) will likely do everything you need.

They look quite expensive, but I could maybe fetch a used one from eBay.

Are there any software costs (one-time or monthly)? I would like a one-time-pay solution.


11 minutes ago, SimssmiS said:

They look quite expensive, but I could maybe fetch a used one from eBay.

Are there any software costs (one-time or monthly)? I would like a one-time-pay solution.

FortiGate isn't the best pick then; there is software licensing that you need to maintain.

 

You could just build your own firewall using Sophos XG Home edition, which is free; the only cost would be the PC parts.


That would not be a problem, but I need suggestions for the PC parts (low noise, low power consumption).


3 minutes ago, SimssmiS said:

That would not be a problem, but I need suggestions for the PC parts (low noise, low power consumption).

Almost any ITX system would do. There are also Atom-based motherboards which include the CPU on them, designed for this type of use case.

 

Why are you looking at a Sophos UTM 220 anyway? That's an older model, is it not? It's also rated much higher than you likely need for a home connection.

 

UTM has been superseded by XG as far as I'm aware, Sophos XG 85 might be all that you need.


I'm mostly looking for a good price... the UTM 220 would cost me about 150€ used.

I must admit I am not able to judge what I need, since I have never worked with hardware firewalls before.

I have a 400k down and 20k up connection and a lot of devices in my network, all attached to my Zyxel GS1920-24.

How would I set up WLAN with a firewall, by the way? Right now it's coming from my router, but that would not go through the firewall, right?


13 minutes ago, SimssmiS said:

I'm mostly looking for a good price... the UTM 220 would cost me about 150€ used.

I must admit I am not able to judge what I need, since I have never worked with hardware firewalls before.

I have a 400k down and 20k up connection and a lot of devices in my network, all attached to my Zyxel GS1920-24.

How would I set up WLAN with a firewall, by the way? Right now it's coming from my router, but that would not go through the firewall, right?

Just look at the firewall spec sheet for the firewall throughput performance figures; if it's above your Internet connection speed you'll be fine.

Just plug the current wireless router into the LAN side of the firewall and turn off all NAT and routing functions. Give it an IP in the LAN range and configure DHCP forwarding to the IP address of the firewall. In this configuration it's operating in AP-only mode; some devices actually have an AP-only mode option in the configuration interface.


11 minutes ago, SimssmiS said:

I'm mostly looking for a good price... the UTM 220 would cost me about 150€ used.

I must admit I am not able to judge what I need, since I have never worked with hardware firewalls before.

I have a 400k down and 20k up connection and a lot of devices in my network, all attached to my Zyxel GS1920-24.

How would I set up WLAN with a firewall, by the way? Right now it's coming from my router, but that would not go through the firewall, right?

400 kilobit down and 20 kilobit up? If those are your speeds, then anything made in the last decade and a half will be fast enough.


Don't rule out a pfSense build. Judging by your connection speed, low-end hardware would be perfectly fine, as long as the CPU supports AES-NI. The new releases will only support CPUs with that instruction set.


45 minutes ago, brwainer said:

400 kilobit down and 20 kilobit up? If those are your speeds, then anything made in the last decade and a half will be fast enough.

400 MBit/s down and 20 MBit/s up.


1 hour ago, leadeater said:

Just look at the firewall spec sheet for the firewall throughput performance figures; if it's above your Internet connection speed you'll be fine.

Just plug the current wireless router into the LAN side of the firewall and turn off all NAT and routing functions. Give it an IP in the LAN range and configure DHCP forwarding to the IP address of the firewall. In this configuration it's operating in AP-only mode; some devices actually have an AP-only mode option in the configuration interface.

My router is my modem, so I should probably get an access point...


11 minutes ago, SimssmiS said:

My router is my modem, so I should probably get an access point...

What type of Internet connection is it? If it's fibre you should be able to plug the firewall directly into the ONT.


2 minutes ago, leadeater said:

What type of Internet connection is it? If it's fibre you should be able to plug the firewall directly into the ONT.

UnityMedia cable connection.

The provider has to accept my device for the connection, and I'm pretty much bound to theirs.


12 minutes ago, SimssmiS said:

UnityMedia cable connection.

The provider has to accept my device for the connection, and I'm pretty much bound to theirs.

Ok, yeah, you'll have to keep their device in front of the firewall then. Ubiquiti make very good low-cost APs.

You'll also need to check that you can configure your current router in bridge mode, otherwise there is little point in doing this. If you can't, you'll have to disable NAT on the firewall and let the ISP modem do NAT; the only other alternative is double NAT, which is a very bad idea.

If you can't get the public IP address onto the firewall, your configuration options will be much more limited and certain configurations may not even work; your ISP router could get in the way.

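One way to check the point made above about bridge mode and double NAT: classify the address the firewall's WAN port actually obtains, which also shows why an IPv4-only server behind a DS-Lite line is unreachable from outside. This is an added example, not code from anyone in the thread; `classify_wan_address`, `wan_report` and the sample addresses are constructed for illustration, and in practice the inputs would be read from the firewall's interface status.

```python
import ipaddress
from typing import Optional

# RFC 6598 shared address space, used by carrier-grade NAT (CGNAT) deployments
# such as DS-Lite. Python's ipaddress treats it as neither private nor global,
# so it needs an explicit membership test.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the address a firewall's WAN interface got from upstream.

    "public"  - globally routable: the firewall holds the public address, so
                port forwards and VPN endpoints on it are reachable from outside.
    "cgnat"   - RFC 6598 shared space: the ISP NATs this address again (DS-Lite
                or similar); inbound IPv4 cannot reach the firewall at all.
    "private" - RFC 1918 (or IPv6 ULA): another router is NATing in front, i.e.
                the ISP box is not in bridge mode and you have double NAT.
    "other"   - loopback, link-local or otherwise unusable as a WAN address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_SPACE:
        return "cgnat"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return "other"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def wan_report(v4_addr: str, v6_addr: Optional[str]) -> dict:
    """Summarise what a given WAN state means for reaching services at home."""
    v4 = classify_wan_address(v4_addr)
    v6 = classify_wan_address(v6_addr) if v6_addr else "none"
    return {
        "ipv4": v4,
        "ipv6": v6,
        # Inbound IPv4 (e.g. reaching Plex from outside) needs a public v4 on the firewall.
        "inbound_ipv4_possible": v4 == "public",
        # A private v4 on the WAN means the ISP router is still NATing in front.
        "double_nat": v4 == "private",
        # On an IPv6-only / DS-Lite line, a global v6 is the only inbound path left.
        "inbound_ipv6_possible": v6 == "public",
    }


if __name__ == "__main__":
    # Constructed sample: firewall behind an ISP router on a DS-Lite connection.
    print(wan_report("192.168.0.2", "2606:4700:4700::1111"))
```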

4 hours ago, leadeater said:

Ok, yeah, you'll have to keep their device in front of the firewall then. Ubiquiti make very good low-cost APs.

You'll also need to check that you can configure your current router in bridge mode, otherwise there is little point in doing this. If you can't, you'll have to disable NAT on the firewall and let the ISP modem do NAT; the only other alternative is double NAT, which is a very bad idea.

If you can't get the public IP address onto the firewall, your configuration options will be much more limited and certain configurations may not even work; your ISP router could get in the way.

Could you suggest a cable modem for bridge mode? (I can maybe get approval from UnityMedia.)


4 hours ago, SimssmiS said:

Could you suggest a cable modem for bridge mode? (I can maybe get approval from UnityMedia.)

I haven't dealt with cable, there are a few others on the forum that have. @Lurick @brwainer


Do you actually need the layer 3 filtering and advanced firewall features of a Sophos or FortiGate? Because there are a lot of good firewalls out there from brands like Ubiquiti that are inexpensive and really good, but don't have the layer 3 firewalling.
