If you're looking for a solid, purpose-built firewall box for your homelab without spending a fortune, old Sophos appliances are an absolute ripper of a deal. These things were enterprise-grade gear not long ago, and now they're flooding eBay for next to nothing. Chuck pfSense on one and you've got yourself a proper firewall that sips power and runs dead quiet.
Why Old Sophos Appliances?
Sophos end-of-lifed a heap of their older XG and SG series appliances, which means businesses have been chucking them out left and right. That's great news for us homelab types, because these units were purpose-built to be firewalls. We're talking:
- Cheap as chips — You can snag one on eBay for around $30-80 AUD depending on the model
- Purpose-built firewall hardware — These aren't repurposed desktops, they were designed from the ground up for packet pushing
- Low power consumption — Idles at roughly 8-12W, so it costs almost nothing to run 24/7
- Multiple Intel NICs — Most models have 4 Intel gigabit ports with i211 controllers, which pfSense loves
- AES-NI support — Required for modern pfSense versions and gives you hardware-accelerated VPN
- Fanless or very quiet — Some models are completely fanless, others have a tiny fan that's barely audible
Common Models to Look For
The models you'll see pop up most often on the second-hand market are:
- Sophos XG 85 — Compact little unit, dual-core Atom, usually 2-4GB RAM
- Sophos XG 105 / XG 115 — Slightly beefier, quad-core Atom, 4GB+ RAM, very popular for pfSense builds
- Sophos SG 105 / SG 115 — The older UTM series, essentially the same hardware as the XG equivalents
All of these went end-of-life and started flooding the second-hand market for $30-80. The XG 105 and SG 105 are probably the sweet spot for most people — plenty of grunt for a home network or small office.
Hardware Specs Overview
Under the hood, these little boxes punch well above their weight for the price:
- CPU: Intel Atom processors (dual or quad-core, depending on model) with AES-NI
- RAM: 4GB+ DDR3, and most models let you upgrade to 8GB if you want headroom for packages like Suricata
- Storage: 64GB internal SSD — more than enough for pfSense and all its packages
- Network: 4x Intel gigabit Ethernet ports (i211 controllers) — rock solid driver support in FreeBSD/pfSense
- Connectivity: VGA output, USB ports, serial console header
What You'll Need
Before you get started, grab the following:
- A USB stick (1GB or larger, it'll get wiped)
- The pfSense CE ISO image — download it from the pfSense website (choose AMD64 architecture, USB Memstick Installer, VGA console)
- A tool to write the ISO to USB — Rufus on Windows or balenaEtcher on any platform
- A monitor with a VGA cable, or a serial console cable (USB to DB9) if your model doesn't have VGA
- A keyboard for the initial setup
Step-by-Step Installation
1. Write the pfSense ISO to USB
Download the pfSense CE installer image from the pfSense website. Fire up Rufus or balenaEtcher, select your USB stick, point it at the downloaded image, and hit write. Dead simple.
2. Connect everything up
Plug the USB stick into the Sophos appliance. Hook up a VGA monitor and keyboard. If your model only has a serial console header, you'll need a USB-to-serial cable and a terminal emulator like PuTTY set to 115200 baud.
3. Enter the BIOS
Power on the unit and mash DEL or F2 to get into the BIOS. The key varies by model but it's usually one of those two. Set the boot order so that USB is first.
4. Disable Port 60/64 Emulation (IMPORTANT!)
This one catches heaps of people out. While you're in the BIOS, find the setting for Port 60/64 Emulation and disable it. On SG 105, SG 115, XG 105, and XG 115 models, leaving this enabled causes pfSense to freeze during boot or randomly lock up afterwards. It's usually under the Advanced or Chipset settings. Seriously, don't skip this step — it'll save you hours of head-scratching.
5. Boot from USB
Save your BIOS settings and reboot. The Sophos should now boot from the USB stick and the pfSense installer will load up. You'll see the FreeBSD boot loader with the pfSense logo — let it do its thing.
6. Install pfSense
When the installer loads, select Install. Choose your filesystem — ZFS is the modern choice and handles power loss better, but UFS works fine too. Select the internal SSD as the target disk and let the installer do its thing. It only takes a couple of minutes.
7. Remove USB and reboot
Once the installer finishes, it'll prompt you to reboot. Pull the USB stick out and let the Sophos boot from its internal SSD.
8. Assign your interfaces
pfSense will boot up and ask you to assign WAN and LAN interfaces. It'll list the Intel NICs — typically igb0, igb1, igb2, igb3. Assign one as WAN and one as LAN. If you're not sure which physical port is which, you can use the auto-detect feature (plug a cable in and pfSense will tell you which interface saw the link).
9. Access the web GUI
Plug your computer into the LAN port, make sure your PC is set to DHCP, and open a browser to https://192.168.1.1. Default login is admin / pfsense. You're in!
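Since this box will sit between your network and the internet, it's worth confirming the installer you downloaded in step 1 is intact before writing it to USB. The script below is an added example, not part of the original article: it assumes you also saved the SHA-256 checksum file published for the image, and the function name and demo file names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# verify_image IMAGE SUMFILE
#   returns 0 if IMAGE matches its entry in SUMFILE,
#   1 on a mismatch, 2 if the entry or a hashing tool is missing.
verify_image() {
    image=$1 sumfile=$2
    base=$(basename "$image")
    # Accept BSD style "SHA256 (name) = hex" and GNU style "hex  name".
    expected=$(awk -v f="$base" '
        $1 == "SHA256" && $2 == "(" f ")" { print tolower($NF); exit }
        length($1) == 64 { n = $2; sub(/^\*/, "", n)
                           if (n == f) { print tolower($1); exit } }
    ' "$sumfile")
    [ -n "$expected" ] || { echo "no checksum entry for $base" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$image" | awk '{ print $1 }')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$image" | awk '{ print $1 }')
    else
        echo "no SHA-256 tool found" >&2; return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $base matches the published checksum"
    else
        echo "MISMATCH: do not write $base to USB" >&2; return 1
    fi
}

# Demo with a constructed stand-in "image" whose content is the string abc
# (the hash below is the well-known SHA-256 of "abc").
d=$(mktemp -d)
printf 'abc' > "$d/installer.img.gz"
echo "SHA256 (installer.img.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" \
    > "$d/installer.img.gz.sha256"
verify_image "$d/installer.img.gz" "$d/installer.img.gz.sha256"
rm -rf "$d"
```

Run it against the file exactly as downloaded (compressed, if that's how it came), because that is the file the checksum covers.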
Basic Setup
Once you're logged into the web GUI, the setup wizard will walk you through the essentials:
- Hostname and domain — Give your firewall a name, something like fw01.home.lan
- DNS servers — Use your preferred DNS (1.1.1.1, 8.8.8.8, or run your own with Unbound — pfSense has it built in)
- Timezone — Set it to your local timezone (Australia/Sydney, Australia/Melbourne, etc.)
- WAN configuration — Most people just set this to DHCP and let your ISP hand out an address. If you've got a static IP or PPPoE, configure that here
- LAN subnet — Default is 192.168.1.0/24, change it if you like. I usually go with something like 10.0.0.0/24 to avoid conflicts with other gear
- Admin password — Change the default password! Seriously, do this first thing
Why pfSense Is Brilliant
Once you've got pfSense up and running, the world is your oyster. This thing is absolutely loaded with features that would cost you serious coin on a commercial firewall:
- Firewall rules — Granular control over what goes where, with stateful packet inspection
- VLANs — Segment your network properly — separate VLANs for IoT gear, guest WiFi, servers, the lot
- VPN — Built-in OpenVPN and WireGuard support for remote access or site-to-site tunnels
- Traffic shaping — QoS to make sure your video calls don't stutter when someone's downloading a game update
- pfBlockerNG — Network-wide ad blocking and malicious domain filtering, like Pi-hole but built right into your firewall
- Suricata / Snort IDS/IPS — Intrusion detection and prevention, so you can keep an eye on dodgy traffic
- Dynamic DNS, DHCP server, NTP, Unbound DNS resolver — All the networking services you'd ever need, built right in
Power Consumption
One of the best things about these old Sophos boxes is how little power they use. Most models idle at around 8-12 watts. That's roughly the same as a couple of LED light bulbs. Running 24/7, you're looking at maybe $20-30 a year in electricity depending on your rates. Compare that to running a full tower PC as a firewall and the savings are massive.
Troubleshooting
If your particular model is having issues booting pfSense — freezing at the boot loader, kernel panics, or a blank screen — try adding the following to the boot loader:
kern.vty="sc"
You can set this during boot by pressing 3 at the pfSense boot menu to escape to the loader prompt, then typing the line above followed by boot. If that fixes it, make it permanent by adding the line to /boot/loader.conf.local once pfSense is installed.
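If you'd rather not hand-edit the file, here's one way to make that setting permanent from a shell on the firewall. This is an added example, not part of the original article: the function name is made up, and the demo runs on a constructed temp file rather than the real /boot/loader.conf.local.

```shell
#!/bin/sh
# Added example, not from the original article.
# set_loader_tunable FILE NAME VALUE
#   Ensures FILE contains exactly one line NAME="VALUE".
#   An existing assignment of NAME (even with a different value) is replaced,
#   commented-out lines and other tunables are left alone, and running it
#   twice does not create duplicates.
set_loader_tunable() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Copy everything except live assignments of this tunable.
    awk -v n="$name" '
        { l = $0; sub(/^[ \t]+/, "", l) }
        index(l, n "=") == 1 { next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    # Swap the new file in with a single rename so a power cut
    # cannot leave a half-written boot config behind.
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed file (on the firewall the target would be
# /boot/loader.conf.local, edited as root).
demo=$(mktemp)
printf 'autoboot_delay="3"\nkern.vty="vt"' > "$demo"
set_loader_tunable "$demo" kern.vty sc
set_loader_tunable "$demo" kern.vty sc   # second run changes nothing
cat "$demo"
rm -f "$demo"
```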
Wrapping Up
For $30-80 and a bit of your time, you end up with a proper enterprise-class firewall running pfSense — low power, dead quiet, multiple Intel NICs, and enough grunt to handle a home network without breaking a sweat. It's honestly one of the best bang-for-buck homelab upgrades you can make. Grab one off eBay before they're all gone.
Useful links:
Peebee Software Solutions