Meraki MX64 or Sophos UTM9 or Pfsense

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
Currently at the 300/20 level for internet speeds from Spectrum. I would like to use the best possible router I can. I have the following hardware available to me:

Cisco Meraki MX64 (got this free for attending a webinar). Yes, I know it is limited to 250Mbps download. Comes with a 3yr advanced license, meaning everything is enabled.

Or use pfSense or Sophos UTM9 on the following hardware (yes, I know it is overkill):

I7-6700K
Gigabyte GA-170N Gaming 5 mobo
16GB DDR4-2400
256GB Intel 6 m.2 SSD (yes I know it is NVMe)
Intel Pro1000 PT Dual port server NIC

I want to use content filtering/IPS/application filtering (probably eliminates pfSense just on that), and country blocking.

I think it would be between Sophos and the MX64 based on the above criteria, but I'm not sure if it is a colossal waste of resources running it on that hardware or not.


Opinions/advice are welcome.

Thank you!
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
I have not used the MX series yet. I do use Meraki MR and MS series stuff and absolutely love it. Talking with others who have deployed MX, they say it is a very watered down firewall/IPS/app filter device, and logging is not there yet. If you have one for free, give it a shot and see how you like it. I wanted to see if it would be a replacement for our Sophos UTM 9, but without the logging capability, forget about it.

So, I say Sophos UTM 9. Stay away from XG, IMO. Let us know how the MX works if you try it.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
I did try installing Sophos on that box, but it stalls at 66%. I've been doing some reading and people have been saying it needs to have a VGA output for it to work. This board only has HDMI/DVI-D outputs (neither of which work when I connect a monitor to them; i.e. I used an HDMI to VGA adapter, no go, and I used a DVI-D cable to a DVI-D monitor, still gets stuck at 66%). Tried one workaround that directs you to launch a second instance of the installer, but I get a 'bus error' when I do that. Any suggestions?

pfSense isn't an option in your opinion?
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
That is a weird requirement, but the machines I have installed on all had VGA outputs, so anything is possible. Another option is to virtualize it. I run Sophos at home virtualized on a 2016 box.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
Hrmm, I can virtualize, but do you take a performance hit with it being virtualized?
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
My UTM install is virtual (on ESXi), no issues or hit that I've noticed. Your hardware is wildly overkill for it, so it would be a shame to dedicate it all to UTM.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
The fact that the Meraki limits me to 250Mbps is a thorn in my side. With my previous router, I could hit 350Mbps, so sacrificing 100Mbps using the Meraki isn't very appealing. The previous router was pfSense on the above mentioned HW. Yeah, it is way overkill, but I think Sophos would best suit me; I just can't get it to install on that HW.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
I got the free Meraki device from attending a webinar as well. The management software (web site) is great, and the access point worked really well... for about two weeks. I put it in the break/lunch room at my wife's office to provide wifi access for personal devices while people were on break, so they wouldn't be connecting those devices to the business network. Then it started dropping connections randomly, and throttling down the wifi speed to "B" (11Mbps) or worse. I called Meraki and they said that their lower end MX series devices aren't designed to handle the sustained bandwidth of even a single Netflix stream (most of the break room use is web browsing and Netflix type stuff). I don't know if that is true or if the rep I called was full of BS. Either way, it only lasted two weeks, and if it can't handle a single video stream it sure can't handle any moderately heavy business traffic.
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
I got the free Meraki device from attending a webinar as well. The management software (web site) is great, and the access point worked really well... for about two weeks. I put it in the break/lunch room at my wife's office to provide wifi access for personal devices while people were on break, so they wouldn't be connecting those devices to the business network. Then it started dropping connections randomly, and throttling down the wifi speed to "B" (11Mbps) or worse. I called Meraki and they said that their lower end MX series devices aren't designed to handle the sustained bandwidth of even a single Netflix stream (most of the break room use is web browsing and Netflix type stuff). I don't know if that is true or if the rep I called was full of BS. Either way, it only lasted two weeks, and if it can't handle a single video stream it sure can't handle any moderately heavy business traffic.

I'm going to call BS. The MR18s they give out for free work fine for small confined areas. The only issue that may happen is due to it being an N device: if there is a lot of congestion on the bands it will, like any radio, have problems. But the MR18 is a severe step up from consumer grade stuff. If the MR18 couldn't do it, it is either defective or congested like crazy. I ran an MR18 in a test for weeks with up to 20 concurrent users without issue. We use MR42s and never have a problem.
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Hrmm, I can virtualize, but do you take a performance hit with it being virtualized?

Nothing you would probably notice. I went from an E5200, 60GB SSD, 8GB RAM bare metal install to virtualized on an i3 6100, 32GB RAM, and a RAID 5 SSD. The previous bare metal would run in the 10-15% range. This virtual machine (4 cores, 8GB RAM, 100GB disk) barely cracks 3% at full load, full load being 125Mbps download.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
I'm going to call BS. The MR18s they give out for free work fine for small confined areas. The only issue that may happen is due to it being an N device: if there is a lot of congestion on the bands it will, like any radio, have problems. But the MR18 is a severe step up from consumer grade stuff. If the MR18 couldn't do it, it is either defective or congested like crazy. I ran an MR18 in a test for weeks with up to 20 concurrent users without issue. We use MR42s and never have a problem.

It's most likely that I just got a bad unit, but I felt it was worth passing on the BS I got from their "support line", especially if that's a regular occurrence with them (I have no idea if it is). And they wouldn't replace it with a working unit for me to test because (according to them) I was exceeding the specifications of the device.
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
It's most likely that I just got a bad unit, but I felt it was worth passing on the BS I got from their "support line", especially if that's a regular occurrence with them (I have no idea if it is). And they wouldn't replace it with a working unit for me to test because (according to them) I was exceeding the specifications of the device.

That is terrible. Who is your Meraki sales rep? I would pass that on to them.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Eh, I was never happy with my MR18s either. I get far better range and performance out of my Sophos AP15s.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Assuming this is for home, keep in mind that after 3 years your Meraki is a brick unless you pay them (at least that's the case with their APs). UTM is free, period. Although you still need an AP of some sort for wireless.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
That is terrible. Who is your Meraki sales rep? I would pass that on to them.

I don't have one. The "lack of" support experience on that demo unit pretty much chased me away from them before I ever bought anything.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
I wish I could bare-metal the Sophos on the hardware I have, but it's a no-go. I will try Hyper-V/Sophos first. Initial impressions on the Meraki are that 'it feels slower' than the pfSense box I was using on older hardware.
 

sdifox

No Lifer
Sep 30, 2005
99,462
17,590
126
I wish I could bare-metal the Sophos on the hardware I have, but it's a no-go. I will try Hyper-V/Sophos first. Initial impressions on the Meraki are that 'it feels slower' than the pfSense box I was using on older hardware.

You can run Plex off the same box in another VM.
 

Geofram

Member
Jan 20, 2010
120
0
76
I run Sophos UTM 9 myself with a gigabit internet connection (Google Fiber), and it works great. The PC I'm using is a five year old i3 (I forget which exact model). The only time I've seen any slowdown is with IPS/filtering/etc. turned on while downloading from Steam or similar game download services. At that point I have to turn off IPS if I want it to download at full speed. I don't have any problems with anything else. I ran it in a VM for a long time as well, using Hyper-V, and it worked just fine.

Not sure about the installation problems. I've never used a VGA connection when installing it, though I suppose the motherboard does have one.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
I have another machine I can use that has the following specs:

Intel G3220 CPU (dual core 3.0GHz)
Asus H81M-K Motherboard
8GB DDR3-1600
Kingston 120GB SSD
Dual port Intel 1000PT server card

Is a dual core going to cut it for Sophos?
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
What Sophos (or any device of this type) needs depends on what all you're doing with it.

[attached screenshot]


That's my Sophos VM with 4 cores (host is running E5-2670 V2s), 8GB of RAM. Firewall, IPS, Wireless, and VPN enabled. 20-ish devices running through it. You're likely fine with that dual core given its relatively higher clock speed (compared to many servers). IPS modules (Snort) on most of these BYO firewalls are single threaded, so they like clock speed. I'd say give it a go. At the least it's going to give you a feel for how you like it. Keep in mind that if you were looking at buying a hardware box from Sophos, to get one that will do 300Mbps on all features (individually, not with all turned on), you'd be looking at the SG135 at a minimum. For reference:

  • SG105 --> Intel Atom E3826 1.46GHz | 2GB RAM
  • SG135 --> Rangeley C2558 2.4GHz | 6GB RAM
  • SG210 --> Celeron 2.7GHz | 8GB RAM
  • SG310 --> Core i3 3.5GHz | 12GB RAM

So your box would be sitting between an SG210 and an SG310. That said, that does not mean you can turn EVERYTHING on with any of those boxes and still get 300Mbps.
 

mnewsham

Lifer
Oct 2, 2010
14,539
428
136
I've got myself a new 1Gbps down and up connection, but after doing some research it would take a decent bit of computer for me to get something that can manage firewall, IPS, and VPN without limiting me to 500-600Mbps or slower.

So for now anyway, I'll just have to make do.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
Assuming this is for home, keep in mind that after 3 years your Meraki is a brick unless you pay them (at least that's the case with their APs). UTM is free, period. Although you still need an AP of some sort for wireless.

Yeah, and it isn't cheap to renew.
 

Burner27

Diamond Member
Jul 18, 2001
4,452
50
101
What Sophos (or any device of this type) needs depends on what all you're doing with it.

[attached screenshot]


That's my Sophos VM with 4 cores (host is running E5-2670 V2s), 8GB of RAM. Firewall, IPS, Wireless, and VPN enabled. 20-ish devices running through it. You're likely fine with that dual core given its relatively higher clock speed (compared to many servers). IPS modules (Snort) on most of these BYO firewalls are single threaded, so they like clock speed. I'd say give it a go. At the least it's going to give you a feel for how you like it. Keep in mind that if you were looking at buying a hardware box from Sophos, to get one that will do 300Mbps on all features (individually, not with all turned on), you'd be looking at the SG135 at a minimum. For reference:

  • SG105 --> Intel Atom E3826 1.46GHz | 2GB RAM
  • SG135 --> Rangeley C2558 2.4GHz | 6GB RAM
  • SG210 --> Celeron 2.7GHz | 8GB RAM
  • SG310 --> Core i3 3.5GHz | 12GB RAM

So your box would be sitting between an SG210 and an SG310. That said, that does not mean you can turn EVERYTHING on with any of those boxes and still get 300Mbps.

OK, so for a home user, what features are recommended to have enabled in Sophos?