Thread: Increase the security of your home Network - a free home Licensed UTM gateway

  1. #1
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts
    • badass's system
      • Motherboard:
      • ASUS P8Z77-m pro
      • CPU:
      • Core i5 3570K
      • Memory:
      • 32GB
      • Storage:
      • 1TB Samsung 850 EVO, 2TB WD Green
      • Graphics card(s):
      • Radeon RX 580
      • PSU:
      • Corsair HX520W
      • Case:
      • Silverstone SG02-F
      • Operating System:
      • Windows 10 X64
      • Monitor(s):
      • Del U2311, LG226WTQ
      • Internet:
      • 80/20 FTTC

    Increase the security of your home Network - a free home Licensed UTM gateway

    For those unfamiliar, UTM stands for Unified Threat Management, and UTM gateways are usually either incredibly expensive or incredibly complex and command-line driven.
    Antivirus on your PC alone isn't the protection it once was. Most A/V is at best around 95-99% effective at blocking threats. Or, put another way, between 1 in 20 and 1 in 100 infected webpages can get through.
    Like most Web proxies/Web gateways/UTM gateways, Sophos UTM uses multiple A/V scanning engines and also has IDP - another layer of defence.
    Sophos have bought the makers of the Astaro UTM gateway.
    Its config is GUI-based and the learning curve is good.
    It has a specific free home license. https://www.sophos.com/en-us/product...e-edition.aspx

    I've found one gotcha so far. You need to make sure that you have 2 interfaces on separate VLANs/networks. I had to install another NIC in my server that connects only to my Plusnet router, as for some reason the router would crash (it didn't with m0n0wall) if both interfaces were in different subnets but on the same physical network.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  2. Received thanks from:

    Guy (20-11-2015),peterb (20-11-2015),pollaxe (23-11-2015)

  3. #2
    peterb (The late but legendary peterb - Onward and Upward)
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts

    Re: Increase the security of your home Network - a free home Licensed UTM gateway

    Thank you, think I'll have a play with this, I have a spare machine lying around, looking for a use!
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  4. #3
    Senior Member (badass)

    Re: Increase the security of your home Network - a free home Licensed UTM gateway

    Just found out, you can use it to completely replace your router if you're on FTTC/VDSL https://www.sophos.com/de-de/support...se/119003.aspx
    I've already disabled the wireless on the rubbish plusnet router, now I can completely get rid of it!

  5. Received thanks from:

    peterb (21-11-2015)

  6. #4
    Senior Member (badass)

    Re: Increase the security of your home Network - a free home Licensed UTM gateway

    That took a while!
    I'm on Plusnet and getting this working with a VM was not fun, however I am now rubbish-Plusnet-router free!

    To be able to connect your VM-based UTM directly to the BT router, you need at least 2 NICs on your VM host:
    1 NIC on the vSwitch with the rest of your VMs.
    1 NIC on a vSwitch with the VLAN set to All (4095).
    Have the second NIC in this port group (I called mine "broadband").

    On the UTM:
    Go to interfaces and routing and click interfaces. Click edit by the External WAN link

    Type: DSL (PPPoE)
    Hardware: the NIC used for the WAN link
    VDSL: UNTICKED. Yes, the "Fibre" connection does use VDSL, but with it set to VDSL it forces you to set a VLAN tag. You only set the VLAN tag to 101 if you are connecting directly to the phone/VDSL line. The BT modem/bridge/NTE strips the VLAN tag before passing traffic through.
    IPv4 default GW: ticked
    Username and password: as per your broadband connection. Usually the same one you use to log onto the Plusnet site.
    Under advanced:
    MTU: 1492 (default)
    Default route metric: 20 (this number in most cases will have no effect)
    Daily reconnect: 01:00
    Reconnect delay: 5 seconds
    Asymmetric: ticked
    Displayed max out: your upstream speed
    Displayed max in: your downstream speed

    The same settings above should work on a physical machine - I used PCIe passthrough and tested them successfully.

    If anyone has any questions - post in this thread. I'll see if I can help.
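The two framing details behind the WAN settings in the post above (why the VDSL box stays unticked behind the BT modem, and where MTU 1492 comes from), as an added example that is not part of the original post and is not Sophos code. It builds an 802.1Q-tagged PPPoE discovery (PADI) frame as the Openreach modem would see it on the line with VLAN 101 (the tag value quoted in the post), strips the tag the way the modem does before handing traffic to the router, and runs the result through a simplified model of a WAN interface that either expects a tag or expects untagged frames. The `wan_accepts` model is an assumption for illustration, not the UTM's real code path; the MTU arithmetic is the standard PPPoE overhead (6-byte PPPoE header plus 2-byte PPP protocol field on a 1500-byte Ethernet payload).

```python
import struct

ETHERTYPE_VLAN = 0x8100        # 802.1Q tag
ETHERTYPE_PPPOE_DISC = 0x8863  # PPPoE discovery stage (PADI/PADO/PADR/PADS)
ETHERTYPE_PPPOE_SESS = 0x8864  # PPPoE session stage
ETH_PAYLOAD_MTU = 1500
PPPOE_HEADER_LEN = 6           # ver/type, code, session id, payload length
PPP_PROTOCOL_LEN = 2           # PPP protocol field inside the PPPoE payload
OPENREACH_VLAN = 101           # VLAN tag quoted in the post for a direct VDSL connection

BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed sample MAC


def pppoe_mtu(link_mtu=ETH_PAYLOAD_MTU):
    """Largest IP packet that fits once PPPoE and PPP headers are added: 1492."""
    return link_mtu - PPPOE_HEADER_LEN - PPP_PROTOCOL_LEN


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Ethernet II frame, optionally with an 802.1Q tag (PCP 0, DEI 0)."""
    hdr = dst + src
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, optional VLAN id, inner ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_vlan(frame):
    """What the modem/bridge does: remove the 802.1Q tag, keep everything else."""
    p = parse_frame(frame)
    if p["vlan"] is None:
        return frame
    return p["dst"] + p["src"] + struct.pack("!H", p["ethertype"]) + p["payload"]


def padi_payload():
    """PPPoE Active Discovery Initiation: ver 1, type 1, code 0x09, session 0,
    carrying a single empty Service-Name tag (0x0101)."""
    tags = struct.pack("!HH", 0x0101, 0)
    return struct.pack("!BBHH", 0x11, 0x09, 0, len(tags)) + tags


def wan_accepts(frame, expected_vlan):
    """Simplified model (assumption, not the UTM's code): a WAN link configured
    with a VLAN id only talks to frames carrying that tag; a link configured
    without VDSL/VLAN only talks to untagged PPPoE frames."""
    p = parse_frame(frame)
    if p["ethertype"] not in (ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS):
        return False
    return p["vlan"] == expected_vlan


def on_the_line():
    """Constructed sample: the PADI as it travels on the VDSL line, tagged 101."""
    return build_frame(BROADCAST, CLIENT_MAC, ETHERTYPE_PPPOE_DISC,
                       padi_payload(), vlan_id=OPENREACH_VLAN)


if __name__ == "__main__":
    tagged = on_the_line()
    untagged = strip_vlan(tagged)
    print("PPPoE MTU:", pppoe_mtu())
    print("tagged frame VLAN:", parse_frame(tagged)["vlan"])
    print("behind modem, VDSL unticked accepts:", wan_accepts(untagged, None))
    print("behind modem, VDSL ticked (101) accepts:", wan_accepts(untagged, OPENREACH_VLAN))
    print("direct to line, VDSL ticked (101) accepts:", wan_accepts(tagged, OPENREACH_VLAN))
```

Run it and the two "behind modem" lines show the gotcha from the post: once the modem has stripped the tag, a WAN link that insists on VLAN 101 never sees a matching frame, while an untagged link does; the reverse holds if the box were wired straight to the line.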

  7. #5
    Senior Member (badass)

    Re: Increase the security of your home Network - a free home Licensed UTM gateway

    I've noticed that the iPlayer app on my TV can't fast forward/rewind but everything was fine with m0n0wall. The web filtering is interfering.
    I've tried getting various checks skipped on the target sites but it still didn't work.

    The fix: (not ideal but not too bad)

    Set the host to bypass the transparent filter. This means no intelligence is applied to scanning traffic the TV requests. Just Stateful Packet Inspection.
    Go to web filtering, filtering options, click the misc tab, add the host's IP address to the Skip transparent mode source hosts/networks and apply.
    Next, create a NAT Masquerading rule. Go to network protection - NAT and click + new masquerading rule.
    The source network can be the TV's IP address or the entire network if you like. I set it to the TV's IP address. Interface was set to External (WAN) and address to primary address.

  8. Received thanks from:

    peterb (25-11-2015)

  9. #6
    peterb

    Re: Increase the security of your home Network - a free home Licensed UTM gateway

    Just got round to freeing up a disk for use with a mini itx machine that is currently gathering dust (it was a hacking tosh) so I must get this running. The mobo has two network ports IIRC, so that should be fine.

    I am using a DrayTek router which is pretty good in its own right, but this will be an interesting project.
