Installing Sophos Firewall on a mini PC
Overview of Sophos Firewall features
Sophos Firewall is a full-featured network appliance in software form. It provides packet and stateful inspection, NAT, VPN (site-to-site and remote), intrusion prevention, web and application filtering, and SSL inspection. On a mini PC it runs as the gateway for a home network, replacing a cheap router with something I can control and audit. I focus on the features you will actually use: firewall rules, NAT, DHCP, DNS forwarding and a basic VPN.
A firewall sits between your devices and the internet. It stops unsolicited inbound traffic. It gives a simple way to enforce outbound rules when a device gets compromised. For a home network security posture, a configured firewall reduces attack surface and makes lateral movement harder. I recommend treating the mini PC as a dedicated gateway, not a multifunction box running random services.
Compared with consumer routers, Sophos Firewall offers clearer rule granularity and better logging. Compared with open-source projects like pfSense or OPNsense, Sophos gives an integrated, polished web UI and layered features out of the box. It is less hobbyist than pfSense and more appliance-like. Pick the tool that matches how much time you want to spend. I choose Sophos when I want a managed-feeling web UI but still full control.
Requirements for mini PC
Check CPU, RAM and storage before you begin. Aim for at least a dual-core CPU, 4 GB of RAM and a flash or SSD drive with 32 GB free. Intel or Intel-compatible network controllers give the fewest surprises. WiFi on the mini PC is fine for lab use, but use a separate access point for production. Ensure the mini PC has two NICs if you want physical separation of WAN and LAN, or plan to use VLANs.
Back up any existing data. Connect one NIC to the internet-facing port and another to a switch or a single client machine for the LAN. If the device supports boot order, set USB or external media first. Connect a keyboard and monitor for the initial installation, or ensure IPMI/serial access is ready if headless.
Download the appropriate Sophos Firewall ISO from Sophos’s official download page and read the release notes. Verify the ISO checksum when provided. On Linux run:
- sha256sum sophos-firewall.iso
- Compare the output with the vendor checksum.
If the checksum does not match, do not proceed.
Step 1: Creating a bootable USB drive
On Linux:
- Identify the USB device with lsblk.
- Run sudo dd if=/path/to/sophos-firewall.iso of=/dev/sdX bs=4M status=progress conv=fsync
- Wait for the command to complete and run sync.
On Windows:
- Open Rufus.
- Select the ISO.
- Choose MBR or GPT matching your mini PC firmware (BIOS/UEFI).
- Click Start and accept the warnings.
Verification: re-insert the USB and check the files or run lsblk to confirm device size. The USB must boot on the mini PC.
Rollback note: creating the USB will overwrite the USB stick. It does not change the mini PC until you boot it.
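The checksum comparison and the Step 1 verification can be made fail-closed with a small script. This is an added example, not part of the Sophos tooling; the file name, the vendor hash and /dev/sdX are placeholders you supply.

```sh
#!/bin/sh
# Added example. File names, the vendor hash and /dev/sdX are placeholders.

# Print the lowercase hex SHA-256 digest of a file.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# verify_iso ISO EXPECTED: returns 0 = match, 1 = mismatch, 2 = unusable input.
verify_iso() {
    iso=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 2; }
    # Reject a truncated or mistyped vendor value rather than comparing it.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 digits" >&2; return 2; }
    actual=$(sha256_of "$iso") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches the vendor checksum"
    else
        echo "MISMATCH: $iso hashes to $actual" >&2
        return 1
    fi
}

# verify_written ISO DEVICE: read back exactly as many bytes as the ISO holds
# (the stick is normally larger than the image) and compare digests.
verify_written() {
    iso=$1
    dev=$2
    [ -r "$iso" ] && [ -r "$dev" ] || { echo "cannot read inputs" >&2; return 2; }
    size=$(( $(wc -c < "$iso") ))
    want=$(sha256_of "$iso") || return 2
    got=$(head -c "$size" "$dev" | sha256sum | awk '{print $1}')
    [ "$got" = "$want" ] || { echo "read-back from $dev differs from $iso" >&2; return 1; }
    echo "OK: $dev holds a byte-exact copy of $iso"
}

# Typical use (run the device steps as root):
#   verify_iso sophos-firewall.iso <vendor-sha256> &&
#     dd if=sophos-firewall.iso of=/dev/sdX bs=4M status=progress conv=fsync
#   verify_written sophos-firewall.iso /dev/sdX
```

Re-insert the stick before running verify_written so the read comes from the device rather than from the kernel's page cache.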
Step 2: Installing Sophos Firewall on mini PC
- Boot the mini PC from the USB.
- At the installer prompt select Install and follow the text-based installer.
- Assign the WAN and LAN interfaces when asked. If the installer asks for IP addressing, use DHCP on WAN unless you have a static public IP. Give the LAN a static private IP, for example 192.168.1.1/24.
- Complete the install and remove the USB when instructed.
Rollback note: the installer will format the target drive. If you need the previous OS, stop and image the drive before installation.
Step 3: Initial configuration of the firewall
- Connect a client to the LAN and set its gateway to the LAN IP you set during install.
- Open a browser and navigate to https://192.168.1.1:4444. Accept the self-signed certificate for initial access.
- The web admin will prompt for an admin account and password. Use the password created during the installer.
- Run the setup wizard to set time, DNS and update sources. Enable automatic updates if you want the firewall to fetch definitions.
Step 4: Setting up firewall rules
I keep rules minimal and explicit. Example to allow LAN to internet:
- In the web admin go to the Firewall section.
- Create a new rule:
  - Name: LAN-to-WAN-Allow
  - Source zone: LAN
  - Source network: LAN net
  - Destination zone: WAN
  - Destination network: Any
  - Services: Any (restrict later)
  - Action: Allow
- Put this rule near the top of the ruleset but below any blocking rules.
Verification: from a LAN host, run ping 8.8.8.8 and curl -I http://example.com. Expected output for ping: replies with TTL and time. For curl: HTTP/1.1 200 OK or a redirect.
Checks
Verifying installation success
Confirm the web admin is reachable and the system reports correct interfaces. On a LAN client:
- ipconfig or ip a shows the client has an IP in the LAN subnet.
- The browser connects to https:// on port 4444 and loads the dashboard.
If the dashboard shows critical services down, open the console session on the mini PC and check interface assignments again.
Testing network connectivity
Test DNS: nslookup or dig for a public host. Test HTTP: curl -I http://example.com. Test NAT: from the firewall, check the public IP is used for outbound connections.
Ensuring firewall rules are effective
Use the firewall’s live log or packet capture tool. Create a temporary rule denying a single client and attempt outbound traffic. The log should show blocked entries with source IP, destination and rule name.
Final takeaways
Use a dedicated LAN and WAN interface, back up the config before major changes, and test rules with logs and packet captures.
Follow the numbered installation steps and verify each stage before moving on.