How to Build a Firewall
- Added 2. 07. 2024
- Today we're building a firewall using Sophos XG. I'll show you both physical and virtual installation steps, as well as general advice that can be used for any firewall you choose.
Managed Switch: amzn.to/3OIPQU3
Cat6a Ethernet Cables: amzn.to/44tGwIC
Corsair Vengeance: amzn.to/3PAUzrR
Intel i210: amzn.to/46xOylS
Intel i350T4-v2: amzn.to/3reW70k
Discord: / discord
00:00 Hardware for physical Sophos installation
01:59 How to connect Modem, Firewall, and Switch
02:36 How to download Sophos XG
03:40 Creating a virtual Sophos firewall in Proxmox
12:00 Installing Sophos XG
13:38 Connecting your devices into your new Sophos XG virtual firewall
14:04 Configuring the web GUI
18:58 First login to Sophos XG
Great video :) Will this also work if you run your Proxmox on an AMD Ryzen CPU? Or do you have to use different settings in the CPU settings?
Ryzen should work fine. If you're doing a physical firewall you shouldn't need to do anything. If virtual, you'll need AMD-V enabled in the BIOS (but you likely have that already if you installed Proxmox or another hypervisor).
Many current Sophos XGS firewalls run on AMD CPUs (AFAIK the XGS 87 up to the 136), and the underlying OS is Linux-based (although it's currently using Kernel 4.14.277), so it should work fine. And if not, you can simply disable any CPU features that your virtualized appliance cannot handle.
Opened exactly how I hoped it would! 30 seconds in and you got like "like", Jim.
Haha, thanks! :D
Thanks for the demo and info, have a great day
Thanks, you too!
Quality content, Jim!
Thanks, quite a bit to go until I'm in the same league as others, but baby steps :)
@Jims-Garage An Intel I350-T4 is en route. Presumably, I need the extra NICs to be able to follow along with this video and the ones going forward.
@snowpoked great, if you're virtualising you'll need at least 3; with a quad you'll have two spare. These will be useful as you can put VMs on each NIC. As they don't share a NIC, each VM will have full speed networking. Even if you upgrade later to 10 Gb, they'll be useful (and also hold their value for resale).
Good job. ty
Thank you for your support.
I have TalkTalk for my ISP, I'm also lucky to still have the first BT modems that came with a router. But I just use the BT modem and my pfSense box.
Hi Jim, great video. Ran through all the steps with ease thanks to the great guide. I do have a problem connecting to the webUI though. I have a bit of a strange setup as I am configuring my new server in my summer house, which is away from my main network and will only be temporary until I have everything set up correctly.
My as-is setup:
Router (in my loft)
- connected to an 8 port switch (in my loft)
- connection from switch out to my summer house wall port
I have a 5 port switch connected to the wall port in the summer house (temporary)
I have the host (Proxmox PC) connected to this switch, and also a TP-Link AP connected to this switch
Onboard NIC controls the host (Proxmox)
Dual port Intel i350-T2 is set up for Sophos XG - LAN and WAN
My first issue is sussing out which port on the i350-T2 is WAN and LAN - so far I've just swapped between them.
My main issue is how should I connect my cabling? Should my cable be going to the switch, or from the i350-T2 to the onboard NIC, or something else?
I use a laptop connected to the TP-Link AP to connect to the webUI, if that helps.
Not quite sure what I'm doing wrong.
I also tried changing the network IPv4 address to 172.16.16.17 but got an error, so I managed to change it to 172.16.16.15 but still no joy.
Thanks! That's a lot of switch daisy chaining! Typically you'd want the ISP router in modem only mode (albeit it doesn't matter that much), and connected directly to the WAN port on the XG. Having said that, your current setup should work, just realise that you're double NATed.
For determining which port is which you can use ethtool. It enables you to blink the LEDs on the respective NICs. You can then tally this with the MAC and ID in Proxmox to work out which is which. In your scenario, you will then want the XG WAN going into your switch, which will then go to your existing ISP router. Anything you want behind the Sophos XG will need to be plugged into the LAN port - there you'll likely want another switch (or you could use a VLAN on your existing switch if supported, and make use of it for Sophos). It's the same concept as in my HA Sophos XG video, whereby I split the single internet connection to 2 firewalls.
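The port-identification step described in the reply above, written out as an added shell example (not the video's or the commenter's own script): it lists every NIC with its MAC so the MACs can be tallied against what Proxmox shows for the passed-through card, looks up which interface name owns a given MAC, and wraps `ethtool -p <iface> <seconds>` (the real ethtool syntax) to flash that port's LED. The interface names and MACs in the comments are constructed; the optional tree-root argument exists only so the listing can be exercised against a constructed directory, and on a real host it reads /sys/class/net.

```shell
#!/bin/sh
# Added example: work out which physical port is which before assigning WAN/LAN.
# list_nics prints "interface MAC" for each NIC under a sysfs-style tree.
# The root argument defaults to /sys/class/net; a constructed directory can be
# passed instead to try the function offline.

list_nics() {
    root="${1:-/sys/class/net}"
    for dev in "$root"/*; do
        name=$(basename "$dev")
        # loopback has no physical socket to blink, skip it
        [ "$name" = "lo" ] && continue
        [ -f "$dev/address" ] || continue
        printf '%s %s\n' "$name" "$(cat "$dev/address")"
    done
}

# Print the interface name that owns a given MAC (for example the one copied
# from the Proxmox hardware view); prints nothing when no interface matches.
nic_for_mac() {
    list_nics "$2" | awk -v mac="$1" 'tolower($2) == tolower(mac) { print $1 }'
}

# Flash the port LED for N seconds (default 10) so you can see which socket on
# the card it is. Needs root and the ethtool package on the Proxmox host.
blink_nic() {
    ethtool -p "$1" "${2:-10}"
}

# Typical use on the host (constructed names/MACs):
#   list_nics                       # every NIC and its MAC
#   nic_for_mac 00:11:22:33:44:55   # which interface has the MAC Proxmox reported
#   sudo blink_nic enp1s0f1 15      # flash that port for 15 seconds
```

Once the blinking socket is matched to an interface name and MAC, label the cable, then assign that port to the XG VM as WAN and the other as LAN.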
@Jims-Garage
Hi Jim,
Thank you for the detailed reply. The daisy chaining of switches is just temporary as I was building my new server away from any wired ethernet source and it doesn't have an onboard wifi card. This server will be running wired in the loft once complete.
I do have my Virgin router in modem mode, connected to my OpenWrt router, but I'm not too impressed with OpenWrt, coming from an Untangle FW setup previously.
So at the moment it should be pretty much ready to go. As soon as I'm ready to put it in my loft as my sole router/FW, I just remove the WAN and LAN cables from my existing setup and hey presto, we're good to go? (In theory)
Thanks
Stuart
If I wanted to go non virtual, can you recommend some options from a hardware standpoint or even Mini PCs with dual or more NICs
Sure, a couple of options spring to mind. You can basically buy an 'off the shelf' box, something like a Qotom (www.qotom.net/), and just spend what you like. You don't need anything flash; a quad core with 8GB RAM and 4 NICs would be more than enough. Just bear in mind that most options like this are not upgradable...
Otherwise, you can DIY. The same rules apply as above, a basic quad core with 8GB RAM (XG can only use 4 cores and 6 GB). Most old consumer boards, or old workstations, will only have a single NIC so you will need to buy a PCIe expansion such as an i210 or i350. As tech moves on quad cores are making less sense; base models are usually 6-8 cores now, and thus would be wasted (hence why virtualisation is a good idea).
For reference, if buying new, Intel® Processor N97 would be fine.
Can you use a Cisco IPS 4240 for a home firewall?
Jim in the sons of the forest 😂
Haha, I had to Google it though! 🪓
Maybe a stupid question, but if I want to use VLANs do I have to use a switch with layer 2 or 3, or can I do it with an Intel 4 port ethernet card on Sophos XG?
Thanks for the videos! I have a mini PC (Quietbox) with a dual NIC board - it's an old dev box from work - it has 64GB RAM, NVMe and USB-C (I've attached a Thunderbolt DAS). Can I run more than just the firewall on it, i.e. some LXCs, or do I need to have a separate machine on the LAN/switch? Just seems a waste of a good machine.
That's a great little machine. It's better to have 3 NICs, but you can use a virtual bridge to connect VMs to your physically assigned firewall LAN port (create a private internal network on Proxmox).
@Jims-Garage Thanks, I'll take a look.
While comparing firewall functionality in the Mikrotik RB4011 router to using Sophos XG, I got the impression that Sophos may even replace the ESET Antivirus program running on my current Win10 PCs (with regular subscription cost of course).
The screen showing at 17:37 above looks very much like the functions provided by ESET - but better.
Am I misreading these ideas?
No, you're right. You can deploy Sophos antivirus and it plugs straight into Sophos XG.
@Jims-Garage So maybe I should disable the FW in the MT and just let it route, do VLAN & DHCP duties, and manage all the MT APs with CAPsMAN.
Acronym soup there 😄
Make a video going over rule configuration! :)
Coming soon!
How can I build a firewall using CurrentWare?
I'm not familiar with CurrentWare I'm afraid
Jim, I'm a bit confused, you talked about managed switch but you show an unmanaged one. What would be a switch you recommend?
I recommend one of the cheap Netgear managed switches (one of the ProSafe ones). I started out with this 8 port managed one: amzn.to/3OIPQU3
@Jims-Garage I have been looking at this switch, Cisco Catalyst 2960X 48 Port Managed Switch, for my first managed switch; it is rack mountable and PoE+ so it does fit the bill quite nicely from a longer term perspective within the homelab. Do you think it is a sound decision?
@Vaillant44 feature-wise it seems to be perfect, and isn't affected by licensing troubles. However, it is a "proper enterprise" switch and sound levels might be an issue without modding. Check this out: www.reddit.com/r/homelab/comments/133volt/catalyst_2960x_sfp_sound_control/
@Jims-Garage thanks Jim that is a deal breaker for me at this time. Never thought of it.
@Vaillant44 Check out the Mikrotik ones. Could be what you're looking for.
Hi Jim. Thanks for the tutorial. It's very good.
I have a question: is Sophos XG Home Edition free, or only free for 30 days?
And which is better to use, Sophos XG Home or OPNsense?
Which is easier?
Thanks.
Sophos XG is free with the limits of 4 cores and 6GB of ram (more than enough for home use). Better is completely subjective, Sophos XG is easier IMO (that's why I use it).
Super. Before, I tried to use pfSense (HP T620 Plus with 2 RJ45), then OPNsense (HP T620 Plus with 2 RJ45).
Now I think I'll try to use Sophos XG Home. (I can't install Sophos on the HP T620 Plus.)
Is Sophos also fine to install and use productively on a VM? Or is it better to install on hardware?
@khanhthedag7269 do either, you're unlikely to notice a difference. I run it virtually, many advantages imo.
To upgrade the firmware, I must have a valid support subscription. Why? Do I have to buy something to use the Home edition? @Jims-Garage
Quick question: can I do this without a switch, or is it needed? I just ordered a quad NIC but I don't have a switch. Or can I use this one to still set this up: TP-Link TL-SG108 8 Port Gigabit Unmanaged Ethernet Network Switch? My friend has this one and said I can have it, so I'm curious.
You can use it without a switch, you'll just be limited to the number of ports on the NIC assigned to the firewall (in your case 1 NIC port for WAN, 3 for LAN). That switch is also fine to expand the LAN port and give you 8 additional ports (doesn't support VLANs though).
@Jims-Garage hmm, yeah, I want to do VLANs, damn. So I might just wait to start this till I get a switch as well. This is the one I was thinking of getting: TRENDnet TEG-3102WS. Would you say this is a decent one?
@InsaiyanTech yes, looks like a good entry switch. 2.5Gb, 10Gb and managed 👍
@Jims-Garage perfect. I'm just trying to keep the budget as low as possible but be able to attempt everything you can do in the series so far. It'll definitely be fun watching and just learning new things and a new hobby, honestly.
Sophos XG Home can use up to 6GB of RAM
4 cores and 6 GB, did I say something wrong? In my experience 4GB is perfectly fine.
@Jims-Garage 4GB is fine, but you said it can only use 4GB, whereas it can use up to 6GB for the Home version.
@travis_smartley oops, good spot. You are right and I did know that. Pressure must have got to me, ha. At least you can easily change it for your VM.
Really love your tutorials, but does this mean the firewall is another PC?
Also, can I just use my windows PC as the firewall? Or do I need to reformat it to another OS?
My Current Setup
Modem > Cisco Switch > Servers and Devices
I only have 1 Server node with 2 NICs, can it act as the firewall as well?
Do I need to reconfigure the setup to be
Modem > Server(Firewall) > Cisco Switch > Devices
I got all my devices for free from school because I wanted to learn, but am sort of a novice when it comes to configuring.
Is the server still safe even though it also acts as the firewall in this case?
Thanks
Posted an edit to the comment.
You need another PC. You can either run it bare metal or virtualised (like I do).
@TTV-VoidGG pretty much yes across the board there. I have a dedicated Proxmox machine that hosts all of my virtual machines. One of those virtual machines is the firewall. The firewall has 2 dedicated NICs (1 for WAN and 1 for LAN); it has a 3rd for all the VMs to share.
This setup is fine for a homelab and will mean all traffic goes through the firewall before hitting your network.
@Jims-Garage I see! Cool! Thanks man, so that means I just need an additional NIC to act as a third in this case.
@Jims-Garage so this means, even if I only have the server with a VM running the firewall and 3 NICs, the solution is possible. How do I point, for example, Kubernetes to pass through the firewall if they're in the same node?
HOW DAAARE YOU STEAL THAT CARRRR