Recommend quad-core router that can push gigabit speeds

should be straightforward

Not that I can remember... (This message will be posted through an SG 115w, and this is far from the only Sophos device I've installed OpenWrt on...) One strange issue I found: systems installed from SquashFS images sometimes (meaning, on some units but not others) fill most of the available RAM with buffering, so after a while, I decided that I'll just use ext4 images by default.

Keep in mind there are small variations in the hardware depending on the revision. If memory serves, Revisions 1 and 2 have ath9k-compatible Wi-Fi cards, while Revision 3 has an ath10k-compatible card and thus requires hostapd and ath10k-firmware-qca988x in addition to kmod-ath10k. Also, Revisions 1 and 2 have SATA SSDs; Revision 3 has a small-form-factor SSD (I can't remember which exactly), which is removable, but has tamper-evident sealing (very tastefully done as a cute little blob of white plastic).

I actually wrote an extended guide on installing OpenWrt on Sophos SG 105w, which is very similar to the SG 115w (SG 115w has a slightly beefier processor and 4 GB of RAM rather than 2):

[HOWTO] Installing OpenWrt on Sophos SG105w

If you decide to use it, keep in mind that the concluding part titled Optional Niceties may be a bit outdated. So check out my most recent endeavor on the topic of resizing partitions:

[HOWTO] Resizing root partition on x86 (March 2023 edition)

Sorry about the shameless self-promotion, but I just can't help being happy when something I did months ago can help someone here and now... :smile:

If it's never had anything but the OEM firmware on it, in order to boot from a USB stick you usually need to go into the BIOS, Advanced > USB Configuration > Disable "Port 60/64 emulation" and save. Other than that it's a vanilla Intel platform. (Edit: this might only be needed when booting a BSD-based OS like [pf/OPN]Sense from USB; it doesn't seem to be much reported as a problem when installing Linuxen like OpenWrt)

I've had to do this for pfSense (and only on SG 105/115, Revisions 1 and 2), but never for OpenWrt. I believe this is a workaround needed for BIOS version 2.16 and older. Revision 3 of both models has BIOS version 2.17 that can deal with the issue, whatever it is, on its own.

I believe (not sure if I am correct) that in version 12, FreeBSD dropped support for anything 32-bit, and it filtered downstream into pfSense 2.6 and OPNsense 22. Sophos SG 105/115, Revisions 1 and 2, meanwhile, have an IA32 BIOS, never mind the 64-bit processor. This is why "the senses" have issues with these models...

These work astoundingly well for basic uplink, routing and firewall/NAT, though it does rule out any advanced network processing done outside netfilter (iptables/nftables) such as traffic shaping, because (A) the CPU's not all that hot and (B) many such features are incompatible with offloading.

I use an mt7621 (Linksys EA7500 v2) as an edge device to terminate PPPoE and take care of NAT, and have an x86_64 box (Sophos SG115 rev 3 running Alpine Linux, with OpenWrt, AdGuard Home and a few other things in LXD containers) for core routing, VLANs and other internal processing. (My reasons for this are a little complicated, basically multiple telecommute setups and occasionally some really eyewateringly complex VPN requirements.) It makes for a handy separation of concerns: basic internet connectivity is confined to a very simple, robust and lightweight device that does nothing else, while optional core routing and network processing capabilities run on a more capable general-purpose machine with subsystems that can be brought up and down and reconfigured without disturbing anything else.

Another surprisingly good choice if you can find one right now is the Raspberry Pi 4 with one or two Realtek USB NICs. It's much, much better in practice than it sounds. Used one for about six months and was genuinely amazed at how well it worked. Rock solid and dirt cheap, but unfortunately all but unavailable at the moment. Though they expect stock levels to start returning to normal some time in Q2.

Wow... You can run all of this on an Atom processor with 4 GB RAM???

Sure, easily. Unlike virtualization, containers don't introduce any perceptible overhead. For comparison, the e3940 is maybe 30-50% more performant than the ubiquitous j1900 found in all those Protectli and Qotom boxes (and does it at lower wattage and clock, and supporting AESNI as of course you know). As described it's barely ticking over in 'top', plenty of gumption available for other things. Though I still prefer to terminate VPNs on other devices inside the network in order not to rob cycles from other uses.

Ah, that explains it! Thank you!

Sophos SG/XG Series Appliances
Technical Specifications

Those are mostly rev 2; the later rev. 3 models are starting to come onto the used market (read: ebay) and they've got much better specs. Here's the equivalent document for the rev. 3 models: It's a pretty obscure site, hopefully it won't vanish any time soon.

https://gzhls.at/blob/ldb/9/e/6/e/2af226f30bbb16ab4d2e8b7f1598445fcc81.pdf

Sophos hardware specs are not hard to find.

SG series: https://www.enterpriseav.com/SG.asp
XG series: https://www.enterpriseav.com/XG-Firewall.asp
XGS series: https://www.enterpriseav.com/XGS-Firewall.asp

From one of these, you can navigate to a page for a specific device, which will have a Specifications section and/or a link to a PDF spec sheet... The downside, if I can call it that, is that for any particular model, including those that are no longer in production, only the most recent revision is shown.

Just in case anybody is interested, here's a condensed EOL (end-of-life) calendar for Sophos SG and XG series (desktop models only, numbers refer to both wired models, such as 85, and their wireless counterparts, such as 85w):

  • The 85 and 105 models are EOL as of August 2022.
  • The 86, 106, 115, 125, and 135 models are slated for EOL at the end of March 2025. However, as of April 2022, they were out of production and sold on a "while supplies last" basis.

Long story short, Sophos is transitioning everybody to XGS series hardware, which is good news for us here in the OpenWrt land... :smile:

If only this were the case…
Finding the real hardware specs (CPU, storage, RAM) and not just the claimed capabilities with Sophos' firmware for a given h/w revision is far from trivial.

In many cases you will find it, somewhere, but it takes a lot of searching for each potential candidate. Even if 'all' of them 'should' be usable with OpenWrt, some are way more interesting (recent CPU, SSD) than others (CPU not fast enough for full speed with sqm, spinning HDD, c25xx series CPU, which will die prematurely due to silicon bugs, 2nd generation Atom (N450) which are just… no (too slow, too power hungry for what they bring to the table)).

The Sophos boxes seem like the perfect match for an upcoming project... good price, low power, industrial grade, and capable. Except for upgrading... the user would need to be able to upgrade without removing the SSD or transferring from USB.

Using squashfs-combined.img.gz would it sysupgrade in place?

yes.

Again, just in case someone's interested... :smile:

Spinning HDDs went away with the UTM series. All SG and XG desktop models have solid-state storage of some kind (haven't been inside the rack-mounted models, so can't tell what's there). The 85 and 86 models have eMMC storage (anywhere between 4 and 16 GB depending on model and revision). The 105/115/125/135 models (Rev 1 and 2) have 64 GB SATA SSDs (every unit I've seen to date had a Transcend SSD). Starting with 105/115/125/135 Rev 3, it's small-form-factor SSDs (I can't remember whether it's mSATA or m.2 though).

According to an internal internet pic of an SG125, it looks like an M.2 SATA 2242 slot on the 105/115/125/135 Rev 3 ...

Yep, that's the one. Note the above-mentioned tamper-evident sealing very tastefully done as a cute little blob of white plastic. :smile:

Also, according to the doc posted above, v3 also switched from Atom to Apollo Lake.

Apollo Lake is the generation ... the 105/115/125/135 Rev 3 are still out-of-order-execution Atom chips, the x5-E3930/x5-E3940/x7-E3950.

They seem like lovely pieces of hardware, but please don't expect more than they can deliver.

At least they shouldn't be subject to the previous-generation Atom hardware bug that might afflict the Rev 2 models.