Migrating from Sophos UTM

[jeffshead]

Any former Sophos UTM Home users on here, that utilized most of its features including the WAF and email proxies? I'm looking for a UTM replacement since EOL has been announced but I haven't been able to answer some questions for myself. I'm a home/lab user, not a network engineer and the Sophos XG interface is just confusing the heck out of me. Not sure if I should take the time to learn it or move to OPNsense.

First off, can OPNsense replace most of the UTM's key functions? I'm assuming I'll have to NAT email traffic to a stand-alone email proxy (e.g. Proxmox Mail Gateway), behind OPNsense. It looks like it does, however, have a WAF in NAXSI. I use a Window's server for DHCP and DNS but I am very interested in the ad and GEO blocking of OPNsense.

How does one go about setting up and migrating to another router/firewall while keeping the old one in place? I can't figure out if/how you can run both at the same time. I have a few public static IP's and my Sophos box is connected directly to the ONT. I do not have an ISP router so there is only one Ethernet port available and the static, public IP's have been manually added to the Sophos box. In this situation, what's the best way to run both routers, during migration? Should I put a small switch between the ONT and the Sophos box so that I can connect both the Sophos and OPNsense boxes to the ONT and move one of the static IP's from the Sophos box to the OPNsense box? Or would it be better to connect the OPNsense box to the Sophos box and try to "route" traffic through it to the OPNsense box?

I'm thinking it would be easier for me to understand the similarities/differences of each product by running both, live at the same time so that I can compare how each handles Internet traffic. Of course, the OPNsense box would not have anything of importance behind it until I feel comfortable with it.

Another thing I can't get my head around is DPI and how it relates to inbound traffic. Inbound being Internet HTTPS traffic (port 443) coming in through the OPNsense reverse-proxy with SSL termination (WAF), then going to servers behind the router (port 80). Is Zenarmor and DPI really needed or does Suricata provide enough protection for web apps running behind it since SSL is terminated in OPNsense?