Hi Jim, Sophos XG is awesome. The special functions I find compared to other systems (e.g. OPNsense) are the application filters, the web policies and the real-time log viewer. Unfortunately, Sophos has still not managed to integrate a full-fledged DNS server. This is where OPNsense scores. Thank you for this detailed video.
Agreed. I guess it's the difference between a full enterprise solution and something more for the mid tier. Typically DNS is done outside of the firewall.
Thank you for sharing this! I have a fresh install of Sophos XG and tried to expose a port using the server access assistant (DNAT). The firewall logs show the port is accepted, but I'm not getting an inbound connection, just outbound only. An online port checker says the port is closed :(. I just wanted to know if there's a setting I need to check prior to port forwarding? Thanks.
Hi Jim, I had downloaded Sophos XG for some time and had not yet installed it as a vm.
Time has come!
As usual....thank you!
Awesome, I hope you like it.
Really good tutorial! I learned something new, "promiscuous mode", that I wasn't aware of! Thanks Jim :)
Thanks 👍 It's an important one that is often missed, and people wonder why the VLAN doesn't work.
Perfect timing, just watched your previous FW vids and got the bits to build one. Thanks Jim!
Awesome 😎
Sophos only on hardware? Maybe for a home user, a virtual machine?
I use a virtual Sophos XG in high availability, but the core concepts are applicable elsewhere.
Is it possible to use dynamic DNS behind CGNAT?
Yes, it should be, but I'm not sure what good it would do. Check out my headscale video.
I see a port configured for Factorio. One question: does it help to make even more Green, Red or Blue Circuits? 🤪
Well spotted! It's Sophos, obviously blue ;)
@Jims-Garage A man of culture, I see.
Question: do you have to create an allow firewall rule for other VLANs to access those DNS server IPs? Or could you get round this easily, and in a more streamlined way, by pointing the VLANs to the firewall, and the firewall would be able to pass it on? I've never been sure if the client devices needed direct access to the Pi-Hole or not.
Yes, clients need access to the DNS server, so a firewall rule.
@Jims-Garage So I would need a rule allowing all VLANs access to the DNS server on port 53, rather than them being able to access it by just being pointed to their firewall IP address?
@Popcorncandy09 Yes, it's not a DNS proxy.
Speaking of proxies, I have tried to follow the port forwarding part of your video to point to my reverse proxy running in Docker on my Synology NAS. If I use the wizard it does not seem to work... I use port 4443 instead of 443, so I need to go from 443 incoming to 4443 on the reverse proxy IP. But when I create custom services with this and set up the port forward, it doesn't seem to work correctly. Am I missing something? @Jims-Garage
How does Sophos XG home compare to pfsense/OPNsense and can it be run in a VM with 2 physical NICs?
Quite similar, except XG is not open source, but is more common in enterprise. I run two virtual machine XGs, both with 3 NICs. They run in high availability mode for failover (I have a video on that).
@Jims-Garage Thanks for the reply! I was just about to set up an OPNsense VM to protect my LAN and 5 WAN IPs, but after seeing your vid I am now considering the free, but limited to 4 cores and 6GB, XG Home edition (I'm a cheapskate!), so your video was useful! Love your channel, thanks!
Nice overview video. Have you noticed slow routing speeds at 10Gb using the free Home license?
@DigiDoc101 No, I max it out. 4 cores and 6GB RAM is more than enough for 10Gb.
Good video on this Sophos stuff!
Thanks, I'm also doing some OpnSense ones now so people have a choice.
Hey James, thanks for the video.
You're welcome :)
Hi Jims, very nice and educational. Thanks.
Very welcome, glad it helped.
You have 2 Proxmox hosts, Asus and Dell (cluster). Are they on the same network? If I also want to make 2 Proxmox hosts, I must give them the same IP range (e.g. 192.168.100.2 for 1 and 192.168.100.3 for 2), right?
Or can I also put the Proxmox hosts on a VLAN (ID 5)? @Jims-Garage