How to Build a Firewall

  • Published on 7 Jan 2025

Comments • 78

  • @michaelschalck
    @michaelschalck 1 year ago +2

    Great video :) Will this also work if you run your Proxmox on an AMD Ryzen CPU? Or do you have to use different settings in the CPU settings?

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Ryzen should work fine. If you're doing a physical firewall you shouldn't need to do anything. If virtual, you'll need AMD-V enabled in the BIOS (but you likely have that already if you installed Proxmox or another hypervisor).

    • @Felix-ve9hs
      @Felix-ve9hs 1 year ago +1

      Many current Sophos XGS firewalls run on AMD CPUs (AFAIK the XGS 87 up to the 136), and the underlying OS is Linux-based (although it's currently using kernel 4.14.277), so it should work fine. And if not, you can simply disable any CPU features that your virtualized appliance cannot handle.

  • @DrDipsh1t
    @DrDipsh1t 7 months ago +1

    Opened exactly how I hoped it would! 30 seconds in and you got like "like", Jim.

    • @Jims-Garage
      @Jims-Garage 7 months ago

      Haha, thanks! :D

  • @chrisumali9841
    @chrisumali9841 10 months ago +1

    Thanks for the demo and info, have a great day.

    • @Jims-Garage
      @Jims-Garage 10 months ago

      Thanks, you too!

  • @try-that
    @try-that 1 year ago +2

    I have TalkTalk for my ISP. I'm also lucky to still have one of the first BT modems that came with a router, but I just use the BT modem and my pfSense box.

  • @AndrewTaylor-f9j
    @AndrewTaylor-f9j 2 months ago +1

    Hello, are there any security implications to hosting your firewall in a virtual environment? Can the host be compromised, or is it still protected by the firewall?

    • @Jims-Garage
      @Jims-Garage 2 months ago

      Virtualisation is inherently "less secure" than bare metal, but it's more academic than reality these days. Pretty much everything you use is virtual (even big cloud providers). Regardless of virtualised or not, if your firewall is compromised it's already game over, to be honest. For a homelab you have nothing to worry about with virtualising.

    • @AndrewTaylor-f9j
      @AndrewTaylor-f9j 2 months ago +1

      @Jims-Garage Thank you for this, I am going to virtualise. I am also going to set up the two firewalls in active-passive, and I just wondered how you managed to cluster your two servers in Proxmox, as I read you need three to have a cluster?

    • @Jims-Garage
      @Jims-Garage 2 months ago

      @AndrewTaylor-f9j A fully functioning cluster should have 3 for quorum. You can run with 2 though.

    • @AndrewTaylor-f9j
      @AndrewTaylor-f9j 2 months ago

      @Jims-Garage Do you have a video on how you've set up your Proxmox cluster?

    • @AndrewTaylor-f9j
      @AndrewTaylor-f9j 2 months ago

      Hi Jim, I've set up my virtual Sophos Firewall but I've run into a problem that I hoped you may be able to help with. I have it running on a Dell OptiPlex 7050 with 4 NICs; I've configured one for the WAN and one for the LAN. The WAN is showing as connected and live in Sophos, but when any device connects to the network it doesn't get any internet. It's like the Sophos isn't distributing the internet to any of the VLANs. Any advice?

  • @ViszlaBoss
    @ViszlaBoss 1 year ago +1

    Hi Jim, great video. Ran through all the steps with ease thanks to the great guide. I do have a problem connecting to the webUI though. I have a bit of a strange setup, as I am configuring my new server in my summer house, which is away from my main network and will only be temporary until I have everything set up correctly.
    My as-is setup:
    - Router (in my loft)
    - connected to an 8 port switch (in my loft)
    - connection from switch out to my summer house wall port
    - I have a 5 port switch connected to the wall port in the summer house (temporary)
    - I have the host (Proxmox PC) connected to this switch; I also have a TP-Link AP connected to this switch
    - onboard NIC controls the host (Proxmox)
    - dual port Intel i350-T2 is set up for Sophos XG - LAN and WAN
    My first issue is sussing out which port on the i350-T2 is WAN and LAN - so far I've just swapped between them.
    My main issue is how should I connect my cabling? Should my cable be going to the switch, or from the i350-T2 to the onboard NIC, or something else?
    I use a laptop connected to the TP-Link AP to connect to the webUI, if that helps.
    Not quite sure what I'm doing wrong.

    • @ViszlaBoss
      @ViszlaBoss 1 year ago

      I also tried changing the network IPv4 address to 172.16.16.17 but got an error, so I managed to change it to 172.16.16.15, but still no joy.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks! That's a lot of switch daisy chaining! Typically you'd want the ISP router in modem-only mode (albeit it doesn't matter that much), and connected directly to the WAN port on the XG. Having said that, your current setup should work, just realise that you're double NATed.
      For determining which port is which you can use ethtool. It enables you to blink the LEDs on the respective NICs. You can then tally this with the MAC and ID in Proxmox to work out which is which. In your scenario, you will then want the XG WAN going into your switch, which will then go to your existing ISP router. Anything you want behind the Sophos XG will need to be plugged into the LAN port - you'll likely want another switch there (or you could use a VLAN on your existing switch if supported, and make use of it for Sophos). It's the same concept as in my HA Sophos XG video, whereby I split the single internet connection to 2 firewalls.
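A small helper for the "blink and tally" step described in the reply above. It is an added example, not code from the video or from Jim; it assumes the standard Linux `/sys/class/net` layout (the sysfs root is a parameter so it can be run against a constructed tree), and the interface names and MACs in the comments are placeholders.

```shell
#!/bin/sh
# List every NIC with its MAC, PCI address and link state, so a port blinked
# with `ethtool -p` can be matched against the MAC / PCI id that Proxmox
# shows for a bridged or passed-through interface.
# $1 = sysfs net root (defaults to /sys/class/net; overridable for testing).
nic_inventory() {
    root="${1:-/sys/class/net}"
    for path in "$root"/*; do
        name=$(basename "$path")
        # Skip loopback and anything without a MAC (e.g. some tunnels).
        [ "$name" = "lo" ] && continue
        [ -f "$path/address" ] || continue
        mac=$(cat "$path/address")
        # 'device' is a symlink to the PCI function (e.g. 0000:03:00.1);
        # bridges, VLAN sub-interfaces and TAP devices have no such link.
        if [ -L "$path/device" ]; then
            pci=$(basename "$(readlink -f "$path/device")")
        else
            pci="virtual"
        fi
        state=$(cat "$path/operstate" 2>/dev/null || echo unknown)
        printf '%s\t%s\t%s\t%s\n' "$name" "$mac" "$pci" "$state"
    done
}

# Resolve a MAC (as copied from the Proxmox hardware view, any case) to the
# kernel interface name. Prints the name, or returns 1 when nothing matches.
nic_for_mac() {
    root="$1"; want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    nic_inventory "$root" | while IFS="$(printf '\t')" read -r name mac pci state; do
        [ "$mac" = "$want" ] && printf '%s\n' "$name"
    done | grep . || return 1
}

# Blink the LEDs of one port for N seconds (default 10) so the cable can be
# traced to the right switch port or ISP router. Needs ethtool and root.
blink_port() {
    ethtool -p "$1" "${2:-10}"
}

# Stand-alone use on the Proxmox host: print the table, then e.g.
#   blink_port enp3s0f0
nic_inventory
```

Run it on the Proxmox host itself rather than inside the firewall VM, since the VM only sees the virtual or passed-through side of each port.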

    • @ViszlaBoss
      @ViszlaBoss 1 year ago

      @Jims-Garage
      Hi Jim,
      Thank you for the detailed reply. The daisy chaining of switches is just temporary, as I was building my new server away from any wired Ethernet source and it doesn't have an onboard WiFi card. This server will be running wired in the loft once complete.
      I do have my Virgin router in modem mode, connected to my OpenWrt router, but I'm not too impressed with OpenWrt coming from an Untangle FW setup previously.
      So at the moment it should be pretty much ready to go. As soon as I'm ready to put it in my loft as my sole router/FW, I just remove the WAN and LAN cables from my existing setup and hey presto, we're good to go? (In theory)
      Thanks
      Stuart

  • @patho977
    @patho977 5 months ago +1

    Can the Sophos XG be installed on an appliance firewall instead of the PC I'm using to host Proxmox? I want to buy one that has 4 NICs. Thanks Jim

    • @Jims-Garage
      @Jims-Garage 5 months ago +1

      @patho977 Sure, any PC will work.

  • @Dreamwoodinternational
    @Dreamwoodinternational 1 year ago +1

    While comparing firewall functionality in the Mikrotik RB4011 router to using Sophos XG, I got the impression that Sophos may even replace the ESET Antivirus program running on my current Win10 PCs (with regular subscription cost, of course).
    The screen showing at 17:37 above looks very much like the functions provided by ESET - but better.
    Am I misreading these ideas?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      No, you're right. You can deploy Sophos antivirus and it plugs straight into Sophos XG.

    • @Dreamwoodinternational
      @Dreamwoodinternational 1 year ago

      @Jims-Garage So maybe I should disable the FW in the MT and just let it route, do VLAN & DHCP duties, and manage all the MT APs with CAPsMAN.
      Acronym soup there 😄

  • @CyrilPinto-q6s
    @CyrilPinto-q6s 3 months ago +1

    Not sure what they've done to their website, but I can't even find the downloads section.

    • @Jims-Garage
      @Jims-Garage 3 months ago

      It's a little clunky; you have to create an account first. Might be worth checking out my later videos on OPNsense and pfSense if you're struggling. They're equally good alternatives.

  • @reginaldpierre
    @reginaldpierre 1 year ago +1

    If I wanted to go non-virtual, can you recommend some options from a hardware standpoint, or even mini PCs with dual or more NICs?

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Sure, a couple of options spring to mind. You can basically buy 'off the shelf', something like a Qotom (www.qotom.net/), and just spend what you like. You don't need anything flash; a quad core with 8GB RAM and 4 NICs would be more than enough. Just bear in mind that most options like this are not upgradable...
      Otherwise, you can DIY. Same rules apply as above, a basic quad core with 8GB RAM (XG can only use 4 cores and 6 GB). Most old consumer boards, or old workstations, will only have a single NIC, so you will need to buy a PCIe expansion such as an i210 or i350. As tech moves on quad cores are making less sense, base models are usually 6-8 cores now, and thus would be wasted (hence why virtualisation is a good idea).
      For reference, if buying new, an Intel® Processor N97 would be fine.

  • @zaluq
    @zaluq 7 months ago

    Maybe a stupid question, but if I want to use VLANs do I have to use a layer 2 or 3 switch, or can I do it with an Intel 4-port Ethernet card on Sophos XG?

  • @brewland
    @brewland 1 year ago +1

    Quality content, Jim!

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks, quite a bit to go until I'm in the same league as others, but baby steps :)

    • @brewland
      @brewland 1 year ago

      @Jims-Garage An Intel I350-T4 is en route. Presumably, I need the extra NICs to be able to follow along with this video and the ones going forward.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @brewland Great, if you're virtualising you'll need at least 3; with a quad you'll have two spare. These will be useful as you can put VMs on each NIC. As they don't share a NIC, each VM will have full speed networking. Even if you upgrade later to 10 Gb, they'll be useful (and also hold their value for resale).

  • @murphybrown32216
    @murphybrown32216 10 months ago

    Can you use a Cisco IPS 4240 for a home firewall?

  • @mintypockets8261
    @mintypockets8261 1 year ago +1

    Thanks for the videos! I have a mini PC (quietbox) with a dual NIC board - it's an old dev box from work - it has 64GB RAM, NVMe and USB-C (I've attached a Thunderbolt DAS). Can I run more than just the firewall on it, i.e. some LXCs, or do I need to have a separate machine on the LAN/switch? Just seems a waste of a good machine.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      That's a great little machine. It's better to have 3 NICs, but you can use a virtual bridge to connect VMs to your physically assigned firewall LAN port (create a private internal network on Proxmox).

    • @mintypockets8261
      @mintypockets8261 1 year ago +1

      @Jims-Garage Thanks, I'll take a look.

  • @ثامرالدوسري-ن1ط
    @ثامرالدوسري-ن1ط 7 months ago +1

    How can I build a firewall using CurrentWare?

    • @Jims-Garage
      @Jims-Garage 7 months ago

      I'm not familiar with CurrentWare, I'm afraid.

  • @Vaillant44
    @Vaillant44 1 year ago +1

    Jim, I'm a bit confused: you talked about a managed switch but you show an unmanaged one. What would be a switch you recommend?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      I recommend one of the cheap Netgear managed switches (one of the ProSafe ones). I started out with this 8 port managed one: amzn.to/3OIPQU3

    • @Vaillant44
      @Vaillant44 1 year ago +1

      @Jims-Garage I have been looking at this switch, Cisco Catalyst 2960X 48 Port Managed Switch, for my first managed switch. It is rack mountable and PoE+, so it does fit the bill quite nicely from a longer term perspective within the homelab. Do you think it is a sound decision?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @Vaillant44 Feature-wise it seems to be perfect, and isn't affected by licencing troubles. However, it is a "proper enterprise" switch and sound levels might be an issue without modding. Check this out: www.reddit.com/r/homelab/comments/133volt/catalyst_2960x_sfp_sound_control/

    • @Vaillant44
      @Vaillant44 1 year ago +1

      @Jims-Garage Thanks Jim, that is a deal breaker for me at this time. Never thought of it.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @Vaillant44 Check out the Mikrotik ones. Could be what you're looking for.

  • @InsaiyanTech
    @InsaiyanTech 1 year ago

    Quick question: can I do this without a switch, or is it needed? I just ordered a quad NIC but I don't have a switch. Or can I use this one to still set this up: TP-Link TL-SG108 8 Port Gigabit Unmanaged Ethernet Network Switch? My friend has this one and said I can have it, so I'm curious.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      You can use it without a switch; you'll just be limited to the number of ports on the NIC assigned to the firewall (in your case 1 NIC port for WAN, 3 for LAN). That switch is also fine to expand the LAN port and give you 8 additional ports (doesn't support VLANs though).

    • @InsaiyanTech
      @InsaiyanTech 1 year ago +1

      @Jims-Garage Hmm, ya, I want to do VLANs, damn. So I might just wait to start this till I get a switch as well. This is the one I was thinking of getting: TRENDnet TEG-3102WS. Would you say this is a decent one?

    • @Jims-Garage
      @Jims-Garage 1 year ago

      @InsaiyanTech Yes, looks like a good entry switch. 2.5Gb, 10Gb and managed 👍

    • @InsaiyanTech
      @InsaiyanTech 1 year ago +1

      @Jims-Garage Perfect. I'm just trying to keep the budget as low as possible but be able to attempt everything you can do in the series so far. Definitely be fun watching and just learning new things, and a new hobby honestly.

  • @khanhthedag7269
    @khanhthedag7269 11 months ago +1

    Hi Jim. Thanks for the tutorial. It's very good.
    I have a question: is Sophos XG Home Edition free, or only free for 30 days?
    And which is better to use, Sophos XG Home or OPNsense?
    Which is easier?
    Thanks.

    • @Jims-Garage
      @Jims-Garage 11 months ago

      Sophos XG is free with the limits of 4 cores and 6GB of RAM (more than enough for home use). Better is completely subjective; Sophos XG is easier IMO (that's why I use it).

    • @khanhthedag7269
      @khanhthedag7269 11 months ago +1

      Super. Before, I tried to use pfSense (HP T620 Plus with 2 RJ45), then OPNsense (HP T620 Plus with 2 RJ45).
      Now I think I'll try to use Sophos XG Home (I can't install Sophos on the HP T620 Plus).
      Is it also fine to install and use Sophos on a VM for production, or is it better to install on hardware?

    • @Jims-Garage
      @Jims-Garage 11 months ago

      @khanhthedag7269 Do either, you're unlikely to notice a difference. I run it virtually, many advantages IMO.

    • @khanhthedag7269
      @khanhthedag7269 11 months ago

      To upgrade the firmware, I must have a valid support subscription. Why? Do I have to buy something to use the Home Edition? @Jims-Garage

  • @TTV-VoidGG
    @TTV-VoidGG 6 months ago +1

    Really love your tutorials, but does this mean the firewall is another PC?
    Also, can I just use my Windows PC as the firewall? Or do I need to reformat it to another OS?
    My current setup:
    Modem > Cisco Switch > Servers and Devices
    I only have 1 server node with 2 NICs; can it act as the firewall as well?
    Do I need to reconfigure the setup to be:
    Modem > Server (Firewall) > Cisco Switch > Devices
    I got all my devices for free from school because I wanted to learn, but am sort of a novice when it comes to configuring.
    Is the server still safe even though it also acts as the firewall in this case?
    Thanks

    • @TTV-VoidGG
      @TTV-VoidGG 6 months ago

      Posted an edit to the comment.

    • @Jims-Garage
      @Jims-Garage 6 months ago

      You need another PC. You can either run it bare metal or virtualised (like I do).

    • @Jims-Garage
      @Jims-Garage 6 months ago

      @TTV-VoidGG Pretty much yes across the board there. I have a dedicated Proxmox machine that hosts all of my virtual machines. One of those virtual machines is the firewall. The firewall has 2 dedicated NICs (1 for WAN and 1 for LAN), and it has a 3rd for all the VMs to share.
      This setup is fine for a homelab and will mean all traffic goes through the firewall before hitting your network.

    • @TTV-VoidGG
      @TTV-VoidGG 6 months ago

      @Jims-Garage I see! Cool! Thanks man, so that means I just need an additional NIC to act as a third in this case.

    • @TTV-VoidGG
      @TTV-VoidGG 6 months ago +1

      @Jims-Garage So this means, even if I only have the server with a VM running the firewall and 3 NICs, the solution is possible. How do I point, for example, Kubernetes to pass through the firewall if they're in the same node?

  • @Dustin2014Gamers
    @Dustin2014Gamers 5 months ago +1

    Thank you

    • @Jims-Garage
      @Jims-Garage 5 months ago

      You're welcome

  • @LIYNSKIN
    @LIYNSKIN 1 year ago +1

    Jim in the sons of the forest 😂

    • @Jims-Garage
      @Jims-Garage 11 months ago +1

      Haha, I had to Google it though! 🪓

  • @travis_smartley
    @travis_smartley 1 year ago +1

    Sophos XG Home can use up to 6GB of RAM.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      4 cores and 6 GB, did I say something wrong? In my experience 4GB is perfectly fine.

    • @travis_smartley
      @travis_smartley 1 year ago +1

      @Jims-Garage 4GB is fine, but you said it can only use 4GB, whereas it can use up to 6GB for the Home version.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @travis_smartley Oops, good spot. You are right, and I did know that. Pressure must have got to me, ha. At least you can easily change it for your VM.

  • @antoniomax3163
    @antoniomax3163 1 year ago +2

    Good job. Ty

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thank you for your support.

  • @EdRay
    @EdRay 1 year ago

    Make a video going over rule configuration! :)

  • @TerryOnVinyl
    @TerryOnVinyl 6 months ago

    HOW DAAARE YOU STEAL THAT CARRRR