Meraki MX64 or Sophos UTM9 or Pfsense

Page 2

XavierMace

Diamond Member
Apr 20, 2013
That kinda depends on your usage and preference and how you prioritize speed vs security. I forgot to mention, I've got Antivirus enabled as well. If you're only looking to match what you'd get feature wise out of a normal consumer router, DHCP and Firewall's pretty much it. The more security you enable, the lower your overall max bandwidth will be. IPS is generally the biggest hit performance wise, unless you're doing some of the more advanced real time stuff. But that's usually because you're hitting CPU limits.
Do you want to use its Antivirus or do you already have a solution you're happy with?
Do you want it to do webpage content filtering (this is separate from malicious page blocking), i.e. blocking kids from pr0n?
Do you need the ability to VPN into your network?
Do you need it to do DHCP or do you have another DHCP server?

I've got some performance tuning info in this thread as well as some IPS numbers: https://forums.anandtech.com/thread...le-sophos-utm-performance-bottleneck.2485531/

Also keep in mind that if you've never used a business class firewall before, its configuration will be a bit less plug and play compared to your normal home router.
 

Burner27

Diamond Member
Jul 18, 2001
Do you want to use its Antivirus or do you already have a solution you're happy with? -- Have antivirus installed on all machines, but if the one in Sophos is just as good I would switch to that.
Do you want it to do webpage content filtering (this is separate from malicious page blocking), i.e. blocking kids from pr0n? -- No webpage content filtering, but would like to do malicious page blocking.
Do you need the ability to VPN into your network? -- Not at this time.
Do you need it to do DHCP or do you have another DHCP server? -- Needs to be DHCP server.
Also keep in mind that if you've never used a business class firewall before, its configuration will be a bit less plug and play compared to your normal home router. -- I have been using pfSense for a while and it has never given me an issue. The reason for this thread is 'can I do better' than pfSense?

Burner27

Diamond Member
Jul 18, 2001
Are there any risks (other than the host failing) to running a VM instance? I do have a quad-port NIC in my Server 2012R2 machine (5820K, 32GB RAM). It is only used as a file server and Hyper-V host for a Ubuntu VM running Plex. Two of the ports are unused and I can make sure the host OS has no access to them.

XavierMace

Diamond Member
Apr 20, 2013
Theoretically, running it as a VM technically exposes the host to the internet. That said, I've never seen any documentation of definitive proof of being able to exploit that and then even if it's possible that's such a targeted, advanced attack I would say it's a non-concern for a home user.

However, that's based on using ESXi. Based on your wording, you're running Hyper-V on a full blown 2012R2 install with it already performing other duties. I would be far more hesitant to do it in that situation.

In either case, one of your NIC ports would be a dedicated WAN port. LAN port doesn't need to be dedicated.
 

sdifox

No Lifer
Sep 30, 2005

I am not aware of any issues with exclusive access to a NIC. But then, I don't exactly keep up with the latest exploits.

Just create a vswitch, assign one of the NICs to it, and don't share with the host OS. Of course the risk factor is higher than running pfSense on a dedicated machine, but not by a great deal.

VTx and VTd were designed for this, the isolation is handled on HAL level so it should be fine.
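The "vswitch not shared with the host OS" setup described above, as an added PowerShell example for a Windows Server 2012 R2 Hyper-V host (not code from the thread or from any vendor). The adapter name "Ethernet 3", switch name "WAN-External" and VM name "pfSense" are assumptions; substitute your own.

```powershell
# Added example: dedicate one port of the quad-port NIC to the firewall VM as WAN
# and verify that the management (host) OS has no foothold on that port.
# Assumed names below; adjust to your adapter, switch and VM.
$WanAdapter = "Ethernet 3"      # physical port cabled to the ISP modem
$WanSwitch  = "WAN-External"
$VmName     = "pfSense"

# External switch bound to the WAN port. -AllowManagementOS $false means no
# host vNIC is created on it, so the host OS never sees WAN traffic.
New-VMSwitch -Name $WanSwitch -NetAdapterName $WanAdapter -AllowManagementOS $false

# Attach the firewall VM's WAN adapter to that switch.
Add-VMNetworkAdapter -VMName $VmName -Name "WAN" -SwitchName $WanSwitch

# Check 1: the management OS must own no adapter on the WAN switch.
$hostOnWan = Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq $WanSwitch
if ($hostOnWan) { throw "Host OS still has a vNIC on $WanSwitch" }

# Check 2: creating an external switch already unbinds TCP/IP from the physical
# port; this loop only confirms it and disables any binding that is still enabled.
Get-NetAdapterBinding -Name $WanAdapter |
    Where-Object { $_.ComponentID -in "ms_tcpip", "ms_tcpip6" -and $_.Enabled } |
    ForEach-Object { Disable-NetAdapterBinding -Name $WanAdapter -ComponentID $_.ComponentID }

# Check 3: list everything on the WAN switch; only the firewall VM should appear.
Get-VMNetworkAdapter -All | Where-Object SwitchName -eq $WanSwitch |
    Select-Object VMName, Name, MacAddress
```

Re-run checks 1 and 3 after any Hyper-V or driver update, since a re-created switch defaults to sharing with the management OS.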

Burner27

Diamond Member
Jul 18, 2001

Yeah, that's what I did for the NICs. Not shared with Host OS.

Is Sophos more secure than pfSense?? I know 'out of the box' Sophos blocks almost everything whilst pfSense allows almost everything. This is where the learning curve comes in for each product. The Meraki isn't impressing me. Twice while running a speed test the device locked up. This is after it did a FW upgrade on its own. It also limits me to 250Mbps. The pfSense HW box I have lets me go beyond what I am paying for. 300/20 is what I pay for and with pfSense I get 355/24. So I am not sure if it's worth keeping the Meraki in play when it limits me.

I have been happy with pfSense until I saw what Sophos can do. I don't think pfSense has the features that Sophos has (at least not in some of the packages they have available). I just want it to run on the HW that pfSense is on now...
 

XavierMace

Diamond Member
Apr 20, 2013
Sophos is an Enterprise class product. pfSense is good, but its, shall we say, amateur roots show. Its flexibility is great, but it's nowhere near as refined. I will say for a basic install, it does run a little bit thinner than Sophos.
 

Burner27

Diamond Member
Jul 18, 2001
I was able to install Sophos v9.5 without any issues, but it still has a lot of bugs in it. Too many to make me feel confident in using it.

I am currently trying the MX64 now. Seems ok.
 

Burner27

Diamond Member
Jul 18, 2001
You've been running v9.5 for ages? Head over to their forums. There are a lot of people who have found things don't work.

XavierMace

Diamond Member
Apr 20, 2013
You could say that about literally any product. There's no shortage of bugs in Cisco equipment either. I'd have to check when exactly I did the first 9.5 update, but I know I've gone through at least 3 of them so far without issue.
 

Burner27

Diamond Member
Jul 18, 2001
I think I have a defective MX64. The thing locked on me twice last night, and then refused to let my iPad connect without acknowledging the Meraki splash page which isn't even turned on!
 

Burner27

Diamond Member
Jul 18, 2001
So I called Cisco the next day and stated my issues. They agreed to overnight me a new one. I received the new one and so far have not had any issues. It came with the 3yr advanced security license like the last one, but I don't think I will renew it since it is so friggin expensive.

Does anyone see any potential security issues with having it configured via cloud management? I always have in the back of my mind that 'big brother' is watching......
 

mnewsham

Lifer
Oct 2, 2010
You can pretty much assume all Cisco gear either has hardware backdoors that a nation state actor could potentially abuse, or has the potential to easily have said hardware backdoor put in place.

Whether or not they ARE abusing said backdoors is another question.
 

mnewsham

Lifer
Oct 2, 2010
Yeah, I figured that. What about the open source arena? pfSense for example?
If you're using your own consumer hardware and throwing pfSense on it you're about as secure as it gets on a budget.

You're still relying on there not being hardware backdoors; for example, Intel's Management Engine or AMD's Platform Security Processor are commonly thought to contain government hardware backdoors that can operate outside the normal operating system in their own encrypted environment with access to the network stack and your OS.

I tend not to worry about this stuff personally however.
 

Burner27

Diamond Member
Jul 18, 2001
Ended up nixing Sophos as I had 'weirdness' occur several times, and I couldn't find a resolution. I tried pfSense for a while as well. Liked it too, but ultimately went back to the Meraki because it has the 3 year license (why not use it). Ideally, I'd like to see if it can do ad-blocking. I know pfSense can with pfBlockerNG installed. My 3 year license is up next year, and I can pay for a renewal, just don't know if I should (if there is anything else out there that is cheaper/better).

Advice is welcome and appreciated.
 

sdifox

No Lifer
Sep 30, 2005
Didn't you say your work pays for the Meraki renewal?
 

sdifox

No Lifer
Sep 30, 2005
Didn't you say your work pays for the Meraki renewal?
Yes that is correct. I would like to have a bonus rather than them spending money on a license though....LOL
You can just keep the Meraki then. Use AdGuard DNS if you want to block ads.
 

Genx87

Lifer
Apr 8, 2002
That is too bad about the Sophos. I am moving from UTM9 to XG home this week. XG is finally at a feature level I like.