Using a TS-451 as a NAS and a UTM gateway

[wchpitt]

So was looking at a replacement for my ReadyNAS Pro 6 and facing buying a new lic for my sonicwall for my home.
The whole TS-x51 and TS-x53 intrigued me.
There are probably about 12 different open source or freeware UTM gateways out there but it had to be simple, free and be able to leverage the new QNAP NAS's with virtualization to make a value prop for not doing separate devices.

Ultimately settled on the TS-451 from a pure price perspective thinking it "should be enough" to run as both a NAS and a UTM gateway...
So these are my initial impressions and destructions (sic) on how to get a Sophos UTM Gateway (home lic) up and running as a VM on a TS-451 and acting as a both our family NAS and UTM gateway to protect the kids and the rest of the home assets from brain cramps:

Ended up picking up a TS-451 for $499 and a 4GB mem module for $39
Drives in, up and running in 15m including the mem swap.
Go here and get your Sophos Home UTM lic: http://www.sophos.com/en-us/products/fr ... ition.aspx
Check email and download iso and check email for lic file (attached as txt to the email)

Create a Shared Folder called VMs
Download and copy Sophos UTM iso to VMs folder

In virtualization station:
Create VM
Create Custom VM
Name=Sophos-UTM
OS type=Linux
Core=1
Memory=2GB
Network=Dedicated 1 (Ethernet 2)
VNC Password=XXXX
CD Image=Sophos ISO file saved on NAS
HDD Image=New Image
Location=VMs
Name=Sophos-UTM
Size=100GB
<Create>

Select the new VM
Select Advanced
Expand Network
Select Add Device

Device Type=Network
Mode= Dedicated 1 (Ethernet 2)
MAC Address=<Generate>
Device Model=Virtual Gigabit Ethernet
<Add>

Once set up you can just Start the VM
Select Console and follow the DOS prompts
Make Sure you set the IP/Netmask and Gateway for your existing network or be prepared to do a physical connection on the default subnet (192.168.2.x) with the UTM GUI being at 192.168.2.100:4444

Running the UTM
AND
Running 3 RSYNC backups to the QNAP
AND
Still Syncing Drives in Raid5
AND
A single host passing traffic through the UTM

I have bumped my head on CPU a couple of times and gotten just above 80% memory utilization.

I will put the UTM in front of the whole household once the Initial RSYNC backups and Raid5 Sync finishes and report back.

Household=
5 Macs
3 Rokus
2 ATV
2 NAS
5 Phones
3 Tablets

PS: If I was making the buying decision today I probably would have spent the extra $150 for the TS-453-Pro just to have the extra Physical ethernet ports and the extra cores for the VM. Still TBD once things settle down on the 451 though.

[smlick]

I also use UTM9 at home and I'll like to use also on TS-451 but only one NIC is configurable!
With one card a firewall is not a firewall
How did you solved?
You used VLAN and only one NIC?
In this case you configured VLAN also in QNAP network setup?
There are other solution?

Regards
Alessio

[wchpitt]

I had addressed this in one of my posts in the SmallNetBuilder forums.
I made the Physical ETH0 the NAS Port with an IP of 192.168.68.100
I made the Physical ETH1 the LAN gateway Port with an IP of 192.168.2.1
A added a Virtual Ethernet Port to the VM and had it obtain an IP address VIA DHCP (From the Cable Modem)

ETH0 (NAS Port) Is plugged into a switch shared on my LAN (Switch LAN)
ETH1 (UTM and Virtual ETH) is plugged into a separate switch (Switch WAN)
I Plugged Cat5 from cable modem to Switch WAN so NAS ETH1 Virtual Interface could obtain an IP from the cable modem
I Plugged my Existing Routers WAN interface into the Switch WAN and assigned the Routers WAN interface a static IP of 192.168.2.2 with a gateway of .1 /24
I Plugged my Existing Routers LAN interface into the Switch LAN and have it do DCHP for the LAN Both Wired and Wireless on 192.168.68.1/24

I know the virtual interface and physical interface share the same physical network but they are separated by subnets and then separated by my router again. I suppose if one were so inclined you could set up separate VLANs as well or ditch my second router altogether. There are a couple of ways to skin this cat, but ultimately it is why I sent the 451 back and got a 653. Not I have physically disparate ports and can run RAID6 (I don't believe in Raid5 for anything beyond 2TB drives)
Hope this helps and give a poke about on smallnetbuilder.com to see other thoughts.

[antakar]

Hi wchpitt,

After your upgrade to the 653 model.

How do you find the performance with UTM running, running some servers on it and playing some 1080 videos at the same time?

Is it possible to use, in this configuration Sophos UTM as a VM, the Sophos UTM on Qnap as a fully fledged router?
In terms that lets say i have a ISP modem and router separately.
I would like to replace ISP's router with Sophos UTM in this scenario - will it work?

I am thinking of getting this model:
http://www.amazon.co.uk/QNAP-TS-453-Pow ... B00MB5Q588

And replacing my HTPC, Gateway and a router - this device seem to be perfect for all these scenarios.

Cheers

[Briain]

Hi

Just to test things, I briefly had it running (in fully transparent mode) as a VM on a TS-453 (so using 3 Ethernet ports; an input port, output port and control port) and it worked very well indeed. If I were to deploy it, I'd use it in NAT mode, but at the moment, I'm using my router's VoIP feature (it's a Draytek 2830Vn) and thus that's doing the NAT business. My original plan was to try using UTM on the WAN side of the Draytek, but I've not yet has time to set it all up (I'd need to think about ViOP and the likes) and at the moment, there are other complications with my network (I'm already double-NATing, for reasons I'll not go into, here).

Essentially though, the point of my post is to say yes, it does install (and run) very well as a VM on the TS-453.

Bri

[antakar]

When running a VM on the QNAP, is it possible to run a backup of the RUNNING VM, so any changes made within the running VM, like UTM, will be backed up along with the image of the system?
Also, can the Qnaps virtualisation file format be run on a VMware or VirtualBox without conversion?

I ask because if something would happen to the box, ill stay without NAS, HTPC, router and a gateway...

So at least i would like to have gateway running as a VM from my desktop, for an instance. So i could send the box for a repair and have the gateway with router still running.

[maphias]

Hi,

Bit of a n00b here, was hoping for some advice. I'm looking to setup the Sophos XG Home as a VM on my QNap in my home to filter content, etc and protect the kids. I need some direction on the WAN/LAN connectivity. I currently have a very simple setup, just a Apple Airport Extreme router into my Comcast modem. From there, the QNap device is patched into the ethernet port of the Apple Extreme and has been used as a NAS & Plex Server.

So presumably should I be using the Sophos XG as my NAT/router? I'd of course still like to maintain WiFi via the Airport station for our mobile devices. So, assuming my 4 ports in the QNap, should I link:

#1 - into Comcast Modem for WAN connectivity
#2 - into Airport station to act as LAN Switch & WLAN access point
#3?
#4?

Not sure where go really, hoping for some help. Thank you!

[wchpitt]

Maphias,
You are essentially correct. The Sophos XG Home would act as your Router/NAT/DHCP/Firewall with Port#1 connected to the cable modem as the WAN (Public) interface and your Airport connected to Port#2 would be setup as an Access Point and pass the DHCP information to clients from the Sophos UTM VM running on the NAS.
If you have more than 4 wired devices I would suggest you add a switch prior to the AP.
Cable Modem --> Port#1 - TS451 - Port#2 --> 5 or 8 Port GigE switch --> Airport Extreme in AP mode

[maphias]

Thank you, wchpitt...makes perfect sense. Do you have any recommendations as to how to configure the NICs in Virtualization Station and how the virtual switches are to be configured? Right now I believe it's set to auto/default settings with a viritual switch in bridged mode attached to 1 physical NIC.

[depen]

@Briain Did you measure the throughput?