Migrating from Sophos UTM Home Use License

Since the UTM is reaching EOL, I’m looking for a replacement but I haven’t found anything that is a direct replacement, that I can afford. This is for personal/home lab use but I do host quite a few things behind the device so I need the WAF, VPN, anti-virus, IPS, SMTP proxy, web protection etc. I’ve been utilizing most of the features of the UTM.

There must be some people on this forum that are very familiar with the Sophos UTM. Please tell me, can I replace the Sophos UTM’s functionality with pfSense, OPNsense or Untangle? I saw a post by Tom where he stated he usually pushes people towards Untangle when they need content filtering and WAF but Untangle doesn’t seem to have a reverse-proxy WAF. Outbound content filtering is not a huge concern for me as long as I can use URL lists and feeds but inbound inspection is very important to me.

It was several years back when I set everything up. Back then, not every connection was encrypted but now, all of my stuff uses HTTPS. The UTM’s IPS (Snort) catches a lot of things even with HTTPS traffic. This is what’s confusing me the most. I’ve read a lot of posts that state that IPS only works as man-in-the-middle and that you have to install a cert on all of the clients. I never installed any certs on the workstations or servers behind the UTM but I still see plenty of Snort blocked activity and false-positives in the WAF log so it must be working with HTTPS traffic, right? I’m referring to external traffic (443) coming into the UTM->WAF->internal webserver (80 or 443). The UTM’s WAF (reverse-proxy) handles the certs and port forwarding. So, is the UTM doing the man-in-the-middle thing by hosting the certs, accepting the HTTPS traffic and forwarding it to the internal web servers? Can I get the same functionality with *Sense or Untangle, with HTTPS traffic?

Contrary to what some may think, I have been searching my butt off trying to answer my own questions but I’m still confused. It looks like I may be able to cobble together all of the pieces with *Sense but it looks like a hot mess to me.

In Sophos UTM’s WAF, you can disable different Snort rules and add exceptions for each web app behind the UTM even if they are on the same interface. Based on the info I’ve obtained so far, it appears that pfSense only goes down to interface level. What about Untangle?

I would appreciate any advice including best practices if that means moving some of the functionality away from the firewall if it can be done reasonably well with open source in conjunction with *Sense or Untangle.

No experience of Sophos UTM, but if home environment Sophos XG Home?

Failing that pfsense/Opnsense.

What do you want from a requirement / product features?

For home/lab use, there’s nothing out there that comes close to the feature richness of the Sophos UTM with its ease of use; unless you want to pay big bucks. You just don’t know what you’ve been missing if you’ve never given it a deep dive but there’s no point in doing so now since an EOL date has been announced. I’ve used it for over 10 years (home license) and it’s really sad to see Sophos abandon its mature product in favor of the CyberRoam crap that they are calling XG. They have been making improvements to XG over the course of many years but it still lags far behind the UTM in many ways and it’s not nearly as user friendly. Enough of the ranting.

I listed in my OP some of the features I need. I run different web apps/web servers, file sharing servers, email servers etc behind the Sophos UTM and most are open to the Internet. The Sophos UTM has a WAF (reverse-proxy) that handles anti-virus, SSL certs (Let’s Encrypt, self-signed and commercial) and uses Snort for IPS and it works wonderfully.

It also handles anti-virus, spam filtering, DKIM etc for the email server. Seriously, the Sophos UTM is a beast, it works very well and it is very secure. It does web and application filtering very nicely and it is very granular. These are just some of the features.

I use a Windows domain controller for DNS and DHCP for a “dual-brain” approach so that I can serve the same web apps to internal and external users. The Sophos UTM does the forward DNS lookups. I let the Sophos UTM’s WAF handle the SSL certs for the external-inbound traffic, only (external interface to private IP’s). Then the Sophos UTM WAF port forwards the traffic (by sub-domain) to each server (port 443 to 80 or 443 to 443). Some of my domains/sub-domains are on different servers.

For internal traffic, I have a NGINX reverse-proxy that handles SSL certs for private IP’s to private IP’s traffic. I have some web apps that require TLS connections and are accessible only internally and via VPN. The NGINX reverse-proxy uses DNS challenges so that I do not have to open any ports for the Let’s Encrypt renewals. I use Let’s Encrypt for all internal traffic. Since the certs auto renew, there’s really nothing to manage. With this “dual-brain” setup, all LE certs (for both external and internal traffic) auto renew. I use Let’s Encrypt for most things along with commercial certs for some external traffic, where needed.

I’m trying to find a replacement but there doesn’t appear to be anything that comes close, that I can afford. I guess the only option I have is to re-engineer my entire network and try to cobble together add-ons to make one of the *sense firewalls replace as many of the Sophos features as possible.

Maybe Untangle is a viable option, now. I’d be willing to pay the $150 a year if it can accomplish all of what *sense does but with much greater ease. I last installed it back in 2013 for a comparison with the Sophos UTM but back then it was like comparing an AMC Gremlin to a Bentley in my estimation. Maybe I’m wrong and I’m just not understanding the whole “NGFW” thing. Are reverse-proxy WAF’s in a gateway device a thing of the past? I see Untangle offers HTTPS decryption but most people say don’t do it. So how do you make Snort/Suricata useful when most all traffic is encrypted with SSL certs nowadays?

I have enough networking knowledge to make me dangerous so I’m open to any sound advice from experts including a complete re-engineering of my entire network if need be. Just respond as if I’m an eight-year-old so that I can understand