Buy SG-2100, SG-3100 or SG-5100 for this use case?

I am debating SG-2100 vs SG-3100 vs SG-5100. My purposes are the following:

200 mbit/s FTTH, possibly expanding to 500 mbit/s
Gbit VLAN routing
OpenVPN s2s (future requirement, it’s in the works)
Remote login to my network (Synology)
Suricata
pfBlocker
up to 50 clients
VoIP ATA for my 2 analog phones
Logging traffic, NTOPNG DPI analysis
Maybe: run my own web server, now that FTTH allows for high upload speeds

I may wish to engage in future projects so I want my device to be able to handle the above tasks easily. It would be a waste of money to splash out say $400 for an SG-3100 only to find out I need to replace it two years on. Somewhere here I read the 3100 isn’t the best for a full-blown Suricata deployment.

Thanks!
Pete

Well, you can compare the models but somehow those Netgate devices seem pricey for what you get. $700 for a home router, wow! Personally I like the look of Protectli devices, though I have a similar cheap Chinese box.

However, given your scenario I would buy a cheap Lenovo desktop off eBay, throw in a quad port card and test it out. You can then always re-purpose the box to run VMs.

1 Like

For more professional business installs we generally use the Netgate hardware and if you plan on running NTOPNG then I would go with the Netgate 5100.

1 Like

Thanks guys!

@neogrid:
My rationale for going with a dedicated device is to avoid extra hours of work fiddling with update issues. When I count $50 for every hour saved, I am willing to spend a little more.

@LTS_Tom: This is for home use. The 5100 is substantially more expensive ($300) than the 3100. Do I really need that? Will the 3100 run at least an average Suricata + average load NTOPNG? We are talking about 15 clients on average, 30 tops.

Thanks to you both!
Pete

Yeah, you pays your money and takes your pick; after a year I found that my requirements grew from my original starting point.
I have the feeling pfSense installs on fairly standard equipment without issues.

Think I can make myself $50: keep a backup of the pfSense ISO, because when they release a new version they pull the old release, so good luck with trying to roll back if there is a balls-up upgrading!!

1 Like

I have had issues running Suricata and Snort on my SG-3100. Random reboots with no explanation. Brought it up to Netgate and they told me it could be an issue with the ARM processor. They recommended I go to the SG-5100.

1 Like

This strikes me as odd, as there are many reports of SG-3100’s purring along happily using Suricata. Recommending to upgrade to a way pricier device? What did you do, if I may ask?
Thanks,
Pete

Well, I spoke with Tom here on the forums and I advised him on what I was going to be doing with the SG-3100. I wasn’t planning on running any servers behind it and I really just wanted to block ads and do some GeoIP blocking. We determined I only needed to run pfBlockerNG-dev. It’s been ‘purring along’ with just that package installed. I thought my Suricata/Snort configurations were wrong, but I followed Tom’s guides and still had issues.

2 Likes

Hmmmm… so much for the “pfSense is tested on dedicated hardware and should run smoothly without major issues” concept. I did come across one other issue concerning Suricata on the SG-3100, so you appear not to be alone. Thanks for sharing!
Pete

The load Suricata puts on a system is a combination of the number of rules you have enabled and the number of streams it has to inspect. Connection speed is less relevant, and the number of streams will vary greatly with workload. For example, my laptop can create a lot of streams by connecting to many web sites and online services, or if I do a full tunnel VPN it will only create one stream for Suricata to inspect. This is why most of the time the use case matters more than the bandwidth.

1 Like
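To put a number on the "streams" side of that load on your own network, here is an added example (not from the thread or from Suricata itself) that reads Suricata EVE JSON `flow` events, counts flows per internal host and finds the peak number of flows open at the same instant. The records are constructed for the example, but the field names (`event_type`, `src_ip`, `dest_ip`, `flow.start`, `flow.end`) and timestamp layout follow Suricata's eve.json flow record; the laptop-browsing vs. full-tunnel-VPN contrast is the one described above.

```python
import json
from collections import Counter
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # EVE timestamp layout, e.g. 2021-03-01T09:00:00.000000+0000


def _flow(src, dst, start, end):
    """Constructed EVE flow record (clock times on 2021-03-01, UTC)."""
    return json.dumps({"event_type": "flow", "src_ip": src, "dest_ip": dst,
                       "flow": {"start": f"2021-03-01T{start}.000000+0000",
                                "end": f"2021-03-01T{end}.000000+0000"}})


# Constructed sample: a laptop browsing (four overlapping flows) and a host on a
# full-tunnel VPN (one long-lived flow); the alert shows non-flow events are skipped.
SAMPLE_EVE = "\n".join([
    _flow("192.168.10.20", "203.0.113.5", "09:00:00", "09:00:10"),
    _flow("192.168.10.20", "203.0.113.6", "09:00:02", "09:00:08"),
    _flow("192.168.10.20", "203.0.113.7", "09:00:04", "09:00:12"),
    _flow("192.168.10.20", "203.0.113.8", "09:00:11", "09:00:15"),
    _flow("192.168.10.30", "198.51.100.9", "09:00:00", "09:05:00"),
    json.dumps({"event_type": "alert", "src_ip": "192.168.10.20"}),
])


def parse_flows(eve_text):
    """Return (src_ip, start, end) for every 'flow' event in EVE JSON lines."""
    flows = []
    for line in filter(None, eve_text.splitlines()):  # skip empty lines
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        fl = ev["flow"]
        flows.append((ev["src_ip"], datetime.strptime(fl["start"], TS_FMT),
                      datetime.strptime(fl["end"], TS_FMT)))
    return flows


def flows_per_host(flows):
    """Flows opened per internal host: many for the browsing laptop, one for the VPN host."""
    return Counter(src for src, _, _ in flows)


def peak_concurrent(flows):
    """Sweep-line over start (+1) and end (-1) events: most flows tracked at one instant."""
    events = [(s, 1) for _, s, _ in flows] + [(e, -1) for _, _, e in flows]
    events.sort()  # at equal times the end (-1) sorts before the start (+1)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak
```

Run it against a real `/var/log/suricata/eve.json` (with flow logging enabled) to see how many concurrent streams your household actually generates before choosing a box.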

Have you worked with pfSense before? If not, I’d buy a cheap HP T620 or T630 and set up a router on a stick, or buy a more expensive T620 Plus with a quad port NIC and give it a test.

You can do 2 NIC connections on the T620 and T630, but you need to get one with the fiber optic option. If you are lucky, you might find one for around $40 USD. You can also try a USB NIC, but I’d label this “for testing only”: tried it, lived with it for a while, gave up and bought what I needed to do the job correctly. The T620 Plus is normally going for around $160 USD including the 4 port Intel NIC card and normally including shipping. I’m not pushing my T620 Plus very hard, so not sure if it will handle everything you want, but it gets you going. Serve The Home has some articles on their website about buying Tiny/Micro systems (Tiny, mini, micro series) and setting them up for pfSense or Plex; might be worth a look. You can get some Intel i5 processor machines for a few hundred USD that would probably handle what you want to do.

That said, the SG-5100 should do it, and it seems the prices have come down since the last time I looked at their products. I remember the SG-7100 being more money than the current price; I was pushing to get one of those a few years ago, but there was no budget and I cannibalized a different server for the job after working out an alternate plan.

1 Like

Hi Greg, thanks a bunch for your elaborate reply and info, highly appreciated! My consideration for going Netgate is that I can afford to spend the money and I really want something reliable that will nicely and quietly swallow any pfSense update Netgate pushes without issues for years to come. I know that at this point I’m a fair bit deeper down the rabbit hole in networking and routers than fits my track record, but there may come a day when I just want the stuff to work.
Also, in our cabinet I only have space for a small form factor device. It’s already getting crowded in there with 25+ Ethernet cables connecting the entire home and two switches to tie them all together.

Also, my family and I rely on our home network a lot: my wife and I both work from home (even before the corona pandemic) and we need stable connections.

So although I hear a lot of good stories about DIY or other brand pfSense boxes, I think I will just get a Netgate box, being very aware that I’m spending at least double what I could pay otherwise.

1 Like

Not sure what your knowledge level is, but I wouldn’t underestimate how long it takes to get familiar with pfSense. While I don’t have a Netgate device, I do not believe they come configured (as such) compared to, say, an Asus consumer router.
You can easily install pfSense on a VM and inspect it; that’s what you’ll have to configure. You can then determine if it will just work!!

Thanks for the warning. I will not deny I still have a lot to learn. But I have a reasonable amount of experience doing VLANs in UniFi, setting up firewall rules and such. Before taking out my USG I had a fully functioning home network with 7 VLANs and all segregation was flawless, just like I want it to be.

Now that I have replaced the USG with the tiny SG-1100, I managed to configure the pfSense unit to have the same VLANs and I adjust settings in the UniFi controller to pass those VLANs to the UniFi stack.

Then I followed some tutorials to make the SG-1100 also replace our FttH router, so it is now connected directly to the NTU and processing internet and IPTV streams.

That is basically as far as I came and as far as I really need to go to serve my family with a solid home network.

I installed pfBlockerNG, which doesn’t require any knowledge yet, but I still need to configure it. I may install Suricata as soon as I open any ports for VPNs or remote access to my Synology.

Any additional settings like VPNs and such I will need to learn, but I’m quite confident I will be able to do that.

Kind regards,
Pete

@neogrid: I apologise, I didn’t mention in this topic that I already went the VM route to explore pfSense: I installed the software in a VMware hypervisor image, actually made it route and played with the settings. Then I rented an SG-1100 to explore further, because in the VM image I could not get VLAN tags to work on the interfaces.
The SG-1100 performs quite well actually with only pfBlocker installed.

Ah ok, if you are familiar with pfSense then you are probably halfway to your decision. In your shoes I’d get the 5100; it’s big bucks but it’s all in one box.

1 Like

Yeah that is what I will probably do. Better to be on the safe side even if I don’t use it to its full potential than to buy cheaper only to regret it some day. Money spent now is gone and the thought of it will soon be on its way to oblivion, while bottlenecks will keep nagging every day…
Essential with spending this kind of cash is whether or not I believe pfSense is the router concept for me. And I strongly believe this is the case 🙂

Exactly, and you pointed this out to me when I was considering using Snort or Suricata. I would think for home use the SG-3100 has its merits, but if you are going to use it like a ‘business protection device’ you would want to go up one model to the SG-5100.

Have you considered something like the Protectli Vault? If you don’t care about the warranty or extra support you can buy directly from the Yanling Official Store in China (AliExpress) and save some money. About a month ago I bought their 6 port version with the i5 7200 CPU and have been very pleased with it.

I am running ESXi 6.7 with a pfSense VM and one Win10 VM to run my HomeSeer (home automation software) on it. Plenty of room for expansion.

https://yanling.aliexpress.com/store/3058001?spm=a2g0o.detail.1000002.2.3cc25904rwfKYK

1 Like

It is for home use. But the SG-1100 almost can’t keep up the steam for some odd reason. No NTOP, no Suricata, no pfBlocker, just VLANs.

Edit: this has been solved. Apparently the dashboard draws a lot of CPU power. When I open the dashboard on 2 computers, the CPU usage indicator can ramp up to over 80%, while otherwise the system traffic is very low. No dashboards, no CPU usage.

Interestingly, the Status/Monitoring log doesn’t appear to count the resources needed for the dashboard. See the post I started on the Netgate forum.

1 Like