DIY Home Firewall – Part 1 Sophos XG

I have been an ASUS fan for a long time. I had been running an AC-87U at my house for a while, with the Merlin firmware on it and an OpenVPN client to my VPN provider. It served my needs for a few years before I realized that I wasn’t able to run a secure VPN server on it or behind it. I used a Synology NAS behind the router to host a VPN server and connected to it when I was outside the network. In no time the NAS was hacked 🙂 – how did I know? Well, the lights wouldn’t stop blinking even when I had shut down all packages. I ran a packet capture and sure enough it was running crypto-mining malware. Anyway, more on that later.

I looked around and a few options presented themselves for a home firewall:

  1. Sophos XG UTM – An enterprise-grade true UTM with features like IPS, AV, firewall, anti-spam etc. A very nice GUI and a forever-free home license. (https://demo.sophos.com/webconsole/webpages/login.jsp – user: demo, pass: demo)
  2. pfSense – An open source firewall with ‘packages’ that you can configure to get close to UTM functionality. Widely supported, with a range of tutorials available on the web.
  3. OPNsense – A fork of pfSense with a slicker GUI and some improvements/enhancements over pfSense.
  4. Untangle – Marketed towards SMEs with extensive reporting features; a home license is $50 a year. You can also get a community version free of charge. (http://demo.untangle.com/admin/index.do)
  5. ClearOS – While not exactly a firewall, ClearOS is an operating system for servers, gateways and firewalls. It delivers applications through a marketplace so that SMBs can consume services without needing multiple pieces of hardware. They offer an online demo here – https://www.clearos.com/clearos-live-demo
  6. Ubiquiti USG – An appliance-based firewall that delivers excellent value for money and can be controlled via an intuitive portal. Offers a fancy dashboard for reporting based on Deep Packet Inspection (DPI).

My internet connection at home is 1G fiber broadband. The fiber terminates on an ISP-provided ONT box, which acts as a layer 2 device. The ONT gives an RJ-45 handoff.

So with my needs clear – 1G throughput, a couple of RJ45 ports (one for LAN and one for WAN) and an SSL VPN server – I started searching.

I eliminated the Ubiquiti USG because it doesn’t offer a built-in SSL VPN server, and people on the forums reported throughput issues on the smaller USG-3P device. The 4P device looked too big for my house, so I skipped it.

Untangle was easy to eliminate as I wasn’t too fond of the GUI (personal choice). ClearOS was also eliminated as it looked too heavy for my requirements. So the choice was down to Sophos XG, pfSense and OPNsense.

I ended up selecting Sophos XG as the UI looked polished and the components looked easy to set up (this would change later, as I ultimately moved to OPNsense). Part of it was also because I wanted something that would just work, without having to spend a great deal of time on it (trying to be lazy).

For the hardware, I narrowed it down to a Qotom 335G4 box from China. It has a 4-core i5 processor, up to 8 GB RAM, support for AES-NI and, most importantly, all Intel NICs (apparently all three platforms – XG, pfSense and OPNsense – have reported issues with Realtek NICs). I ordered it with 8 GB RAM and a 60 GB SSD (which came installed as an mSATA drive). It also has a SATA connector, so you can hook up a SATA SSD to the box later.

Ordered the box from Alibaba and it was with me in a couple of days.

[Image: Q300G4 ports]

The install was a breeze. I got the ISO from the Sophos XG site after registering. I used Etcher to burn the ISO to a USB drive, then connected the box to power and an HDMI monitor. To boot from the USB, hit DEL during startup (when you see the boot logo). Continue with the on-screen instructions until your device reboots from the built-in storage.

The only confusing part is that XG does not recognise the ports in order (the same goes for OPNsense, while pfSense recognised them in order):

For XG (default config) – the LAN port is the one on the extreme left and WAN is the 3rd port from the left.
For OPNsense – the LAN port is the one on the extreme left and WAN is the one next to it (second from the left).
For pfSense – the first port from the left is WAN and the one next to it is LAN (second from the left).

So you would want to connect your PC to the extreme left port and wait for DHCP to assign you an IP. Once connected, the default address for the web admin is https://172.16.16.16:4444. You can change this after you run the initial setup. The initial setup is nothing too complicated and will get you up and running in about 5 minutes. The initial config also has a default rule allowing all outbound LAN communication and blocking all inbound.

I reconfigured the ASUS router in AP mode and in no time I had a functional UTM running. I suppose the entire thing took about 20 minutes and I was back on the internet – sweet!

Once you are up and connected, here are a few things you can do to complete your setup:

  1. Define DHCP pool and create static MAC to DHCP bindings
  2. Create users or clientless users
  3. Enable user authentication (I do this only for the guest network; all other devices have a static MAC to IP binding)
  4. Enable SSL VPN
  5. Enable IPS policies and AV
  6. Create custom firewall rules
  7. Create schedules for internet access
  8. Enable content filtering
  9. Create a VLAN for separating IoT traffic
  10. Add more firewall policies for IoT to WAN communication and LAN to IoT communication
  11. Enable multicast/broadcast across VLANs for DLNA access from one VLAN to the other

Sophos has some pretty good documentation on this and the forums are very helpful (the guys are awesome!).

With IPS and content filtering on, I get about 300 Mbps on the wireless network (more than enough for my needs). Sophos uses Snort, which is single-threaded, which explains why it doesn’t go beyond 300 Mbps on a single connection. If you have a few machines running in parallel, or if you run iperf3 to a public perf server with multiple streams, you can get up to 700 Mbps in my case. Under normal loads with about 20 devices the CPU stays under 5%.

To conclude, if you are looking for a home firewall solution to replace your router and you want things to just work (limited customisation), Sophos XG offers a very compelling UTM-in-a-box solution – worth a try!

End – for now

P.S. – I’ll probably do a Sophos vs pfSense vs OPNsense post later.
