How To Use A QNAP NAS As A UTM

SNB CC Team

This article is sponsored by QNAP.


QNAP & Sophos UTM

Introduction

QNAP is big on Virtualization. So big in fact, that it is the only NAS vendor to make it easy to run multiple Virtual Machines (VMs) on a single NAS and centrally manage them via a user-friendly interface. QNAP’s Virtualization Station supports a wide range of Windows, Linux and UNIX-based VMs, including pre-configured virtual appliances from Bitnami and VMware. Virtualization Station provides access to remote desktops on each VM, takes VM snapshots and even connects USB devices to VMs.

One very useful thing this capability enables is enhancing the security of your network by adding a virtual Unified Threat Management (UTM) appliance, specifically Sophos’ free UTM Home Edition.

Sophos’ hardware requirements for the UTM are an Intel compatible 1.5 GHz CPU, 1 GB RAM and 20 GB of hard disk space. A QNAP TS-453 Pro [reviewed] with a quad-core Intel Celeron 2.0 GHz CPU, 8 GB of RAM and four Intel 10/100/1000 Ethernet ports is plenty powerful for this application.

It’s worth noting the Intel Baytrail processor used in the TS-453 Pro and other QNAP NASes provides higher performance with lower power consumption and more memory than competitors’ products.

Competitive comparison

The TS-453 Pro was configured so the UTM VM had two CPU cores, 2 GB RAM, 80 GB disk space and two Ethernet interfaces. Two of the NAS Ethernet ports are used for the UTM connections: one is the UTM’s WAN interface and the other is the UTM’s LAN interface.

The UTM would normally replace your current router. You can continue to use your current router’s wireless portion by converting it to an access point.

Creating The VM

To set up the VM, you’ll need to access the Network Settings, Create VM and Virtual Machine edit menus in Virtualization Station. Start by downloading the software here.

UTM ISO file download

You then configure the VM, Start it and let it install.

VM configuration for UTM

Once the VM installation completes, log into the Sophos UTM web GUI and follow the UTM setup wizard.

UTM install wizard summary

Since you’ll want to access both the virtual UTM and normal NAS features, you’ll need to make multiple connections between the NAS and your network as shown in the diagram below. Since the virtual UTM is now acting as your LAN’s router, it assigns all IP addresses, including those for normal NAS functions. In our configuration, the UTM admin interface is located at https://192.168.2.100:4444.

Connecting the NAS/UTM

  • Ethernet 1 = NAS interface: Assign the NAS a static IP address in the 192.168.2.0/24 subnet or allow it to get an address via DHCP from the UTM. You access NAS administration here, including Virtualization Station.
  • Ethernet 2 = VM interface: Assign each VM a static IP address in the 192.168.2.0/24 subnet or allow them to get their IP address via DHCP from the UTM. This connection is needed only if you have other VMs running on the NAS.
  • Ethernet 3 = UTM WAN Interface: The UTM WAN interface will get a public IP address from your ISP via DHCP. If you have a static public IP, you can configure that IP in the UTM’s web menu.
  • Ethernet 4 = UTM LAN Interface = 192.168.2.100. The UTM’s admin interface is located at https://192.168.2.100:4444. The UTM’s DHCP server will assign IP addresses to the NAS on Ethernet 1 and VMs on Ethernet 2.
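
If you choose static addresses for the NAS and VMs instead of DHCP, it is worth checking the plan against the UTM's LAN before applying it. The following is an added example, not part of the original article: the host names, their addresses and the DHCP pool range are constructed assumptions; only the 192.168.2.0/24 subnet and the 192.168.2.100 UTM LAN address come from the text.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.2.0/24")     # LAN subnet from the article
UTM_LAN = ipaddress.ip_address("192.168.2.100")  # UTM LAN/admin address from the article

def check_plan(static_hosts, dhcp_pool):
    """Return a list of problems in a static-address plan for the UTM's LAN.

    static_hosts: {name: ip string}; dhcp_pool: (first, last) ip strings.
    """
    problems = []
    first, last = (ipaddress.ip_address(a) for a in dhcp_pool)
    if first not in LAN or last not in LAN or first > last:
        problems.append(f"DHCP pool {first}-{last} is not a valid range inside {LAN}")
    if first <= UTM_LAN <= last:
        problems.append(f"DHCP pool contains the UTM LAN address {UTM_LAN}")
    seen = {}  # address -> first host that claimed it
    for name, text in static_hosts.items():
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{name}: {text!r} is not an IP address")
            continue
        if ip not in LAN:
            problems.append(f"{name}: {ip} is outside {LAN}")
        elif ip in (LAN.network_address, LAN.broadcast_address):
            problems.append(f"{name}: {ip} is the network or broadcast address")
        elif ip == UTM_LAN:
            problems.append(f"{name}: {ip} collides with the UTM LAN interface")
        elif first <= ip <= last:
            problems.append(f"{name}: {ip} is inside the DHCP pool and may be leased twice")
        if ip in seen:
            problems.append(f"{name}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, name)
    return problems

# Constructed sample plan: names, addresses and pool are assumptions for illustration.
PLAN = {
    "nas-eth1": "192.168.2.10",
    "vm-web": "192.168.2.100",    # same address as the UTM
    "vm-db": "192.168.2.150",     # inside the DHCP pool
    "vm-test": "192.168.3.20",    # wrong subnet
    "vm-backup": "192.168.2.10",  # duplicate of nas-eth1
}
POOL = ("192.168.2.120", "192.168.2.200")

if __name__ == "__main__":
    for problem in check_plan(PLAN, POOL):
        print(problem)
```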

The whole process is shown in the gallery below.

Download software

http://download.astaro.com/UTM/v9/software_appliance/iso/

Setup account

Set up a free Sophos account and download a free license.

Dedicated Interface 1

This is the TS-453 Pro’s Ethernet 2 interface previously configured for VM use.

Dedicated Interface 2

The Ethernet 3 interface is used as the UTM’s WAN interface.

Dedicated Interface 3

The Ethernet 4 interface is used as the UTM’s LAN interface.

Specify VM resources

CPU, RAM, and Disk resources are configured for the UTM VM. The Ethernet 3 interface is the UTM VM’s WAN interface.

Add resources to VM

The Ethernet 4 interface is added as the UTM VM’s LAN interface.

Power On the UTM

Start up your new VM!

Linux installation screen

One of many automatic Linux installation screens.

UTM Login Screen

Log into the UTM VM at https://192.168.2.100:4444 to access the UTM’s menus.

Initial Wizard

At first login, choose which UTM options to enable.

Load a license file

Load the free license file for continued UTM functionality.

UTM Dashboard

This is a screenshot of the UTM dashboard showing features enabled and disabled.

In Use

With the UTM as the main network router there seemed to be a slight lag when initially loading a website. But subsequent loads of the same site came up without delay.

Throughput measurements using two Windows PCs and TotuSoft’s LAN Speed Test with a file size of 100 MB are summarized in Table 1. IPsec tunnel throughput was measured with a ZyWALL 110 router terminating the tunnel.

Test Description      Upload    Download
UTM On                84.4      141.9
UTM Off               100.9     184.6
Site to site IPsec    29.1      31.3

Table 1: Virtual UTM throughput (Mbps)

The image gallery below shows throughput measurements, a screenshot of the IPsec tunnel and a website blocked by the UTM’s content filtering feature.

This final image gallery shows the TS-453 Pro’s CPU utilization, which peaked at 43% with simultaneous UTM traffic and a large file copy.

Conclusion

While you can buy faster UTMs, they require purchasing a separate device and often have ongoing license subscription fees. The combination of QNAP’s Virtualization Station, quad-core TS-453 Pro and free Sophos UTM Home Edition makes a very viable and powerful alternative.
