Netgate Hardware Limitations

I am actively participating in a discussion on Reddit, but I’d like to have a similar discussion here.

It seems the pfsense / netgate hardware is designed for basic firewalling / IPsec. They just don’t sell hardware that can handle IDS/IPS, PFblocker, and any other additional CPU intensive tasks that make a firewall of today.

I looked at buying an XG-1541, but it’s a 6-year-old CPU, it’s noisy because it’s rack mounted, and these reasons are key as to why people go and buy third party hardware. I do not like the idea of virtualising firewalls either (adds complexity). I want to run on bare metal, on third party hardware, to fulfil the gap that Netgate have with their hardware. They don’t sell a high CPU benchmark box. I can get a 46,000+ CPU benchmark PC cheaper than the XG-1541 that is 9000+ CPU benchmark. I get many people don’t need that horsepower (and 46,000+ is overkill, but it demonstrates the comparison of pricing), but for those who wish to use IDS/IPS, pfBlocker and other packages, you must have a decent CPU with a CPU benchmark which is way, way over the 2000+ that is in the newly released SG-6100. The SG-6100 is only suited for those who want to run firewall rules and the odd IPsec VPN (which are the exact measures they show on their website). They don’t show throughput with IDS/IPS enabled, nor pfBlocker. I wonder why?

We still don’t know how pfsense+ is going to handle the above, which, to be honest, is driving me away from Netgate altogether as their transition to pfsense+ is half baked in the eyes of the public because we don’t know, it relies on old, slow CPUs that cannot do much (as you have to buy a netgate box to use pfsense+ today), and pfsense CE is all but dead going forward.

Their desire to commercialise and make money out of their work is perfectly legitimate. The way to go about it needs to be delicately managed. I for one will vote with my feet.

What do you think? Are Netgate’s hardware solutions fit for purpose or just made for basic firewall functionality? If the answer is yes, how do we move forward with pfSense+?

People go with the more tried and tested CPUs because of reliability and stability. The pfBlocker system does not take much power to run as it’s just some firewall rules, and IDS/IPS is overrated as a security measure and much, much harder to do a speed test on because it depends on so many factors.
Also, this video is from 2019 and due to encryption and other factors it’s only proving that IDS/IPS is less effective as one of your security layers.


Thanks for your reply. I’ve actually viewed that video before.

A couple of things I disagree with you on.

First is the efficacy of IDS/IPS. I think you are dumbing down just how effective it can be, if set up correctly. If, for example, you have a few ports open, even port 443, IPS can automatically drop packets before the session is initiated due to various factors (such as a known malicious packet form or from a known compromised IP address). Whilst I do agree with you that encryption complicates things, defence in depth would agree that the above example I just gave does indeed provide an additional layer of security before taking into account what I say below.

As for encryption, there are plenty of ways to SSL proxy and break the encryption, inspect it, and then re-encrypt. I get the industry is divided over doing that, but most organisations do it as it is necessary to protect their information assets.

So if we go back to my original point, I can’t see how Netgate’s hardware can handle the above use cases. I’m also not quite sure what your point is - is it that who cares about IDS/IPS because it doesn’t really do much, so ergo who cares if Netgate’s CPUs are old and non-performant for CPU intensive tasks? BTW, that isn’t a dig at you, I’m trying to understand what you are saying.

My second point I disagree with you on is your point that people like CPUs that are old because they are tried and tested CPUs. That to me is nonsensical as it tends to make an assumption that any new CPU, or the evolution of CPUs from six years ago, is flawed or could be. CPUs of today are much more sophisticated, have additional security features, and are capable of doing much more. I really don’t understand how a 6-year-old CPU could be considered better under any sort of scoring methodology other than price (which isn’t a factor here because Netgate don’t sell a 6-year-old CPU at the price of a 6-year-old CPU).

Thanks again for replying and contributing to the discussion. I love watching your videos, so I have a great deal of respect for you. I write this to show I’m not trying to pick a fight; I’m wanting to have a discussion on this topic given its importance (especially given the pfSense CE / pfSense+ situation).

I should add another use case: 10GbE. As you demonstrated on the 1537, it couldn’t even reach 10GbE on a single thread given CPU limitations. I agree with you though that it can reach 10GbE speeds if more than one thread is running, and that is more likely to be the use case for the firewall / router. I guess my main point is CPU performance should matter in a firewall if you have use cases other than basic firewall routing / IPsec VPN, yet Netgate don’t sell them, or sell them for gold bullion 🙂

I would run IDS/IPS as a separate system such as “Security Onion” or whatever your system of choice. Buy the subscription if you need to run pfSense on “faster modern hardware.” I am running on an i3 and have no issues with pfBlocker, Intel NICs, built-in NIC management, old HP box. It’s about sizing the hardware for the network use and users of the network.

Totally agree. Question is, where does that leave you (us) when pfSense CE is parting ways with pfSense+? This is my point. We don’t know yet what third party hardware support they will provide for pfSense+ (in terms of even running the software), and if we are relegated to having to use Netgate hardware, my concern is that their hardware isn’t powerful enough to do all the things I want to do on the one box. So maybe the only option is to split out functions - not really wanting to fragment things though. I’d rather an integrated solution.

I do see your point, but being open source it can be forked. As far as processor choice, being based on BSD the code is optimized for Intel. There is already a fork, OPNsense, that I do not like as well; a few quirks, and I don’t think pfBlocker is supported. LTS Tom likes Untangle for certain cases, but it is not open source.
I get the impression Netgate really doesn’t understand that the pfSense user base is to be found in the small end of the SMB market. If they are going to drop the CE then they need to take pricing into consideration.
Netgate’s reseller program sucks, and I’ll leave things with that.

It seems the pfsense / netgate hardware is designed for basic firewalling / IPsec. They just don’t sell hardware that can handle IDS/IPS, PFblocker, and any other additional CPU intensive tasks that make a firewall of today.

Huh? We have a Netgate 5100 running firewall, pfBlocker, Snort, Suricata, and some custom code supporting about 20 users. Logs are fed to Splunk for analysis.


Bet you see some interesting things with the Splunk analysis.

Only seeing some of the logs, so far. The pfBlocker and Snort logs don’t get sent to Splunk. Working on that. What we wanted to be able to see is the original request URL and then the denial, either from firewall rules, from pfBlocker, Snort, or Suricata, so we could better understand when we were blocking legitimate queries. We implemented this because we wanted to filter more outbound queries to avoid potentially risky domains. Content Delivery Networks make this really problematic, because when you do a reverse query you end up with “cannot resolve” or an address that is part of a CDN block and there’s no way to know who it actually is. We get a lot of this with Microsoft updates and telemetry. If we could match the query and the denial, we could let more traffic through with minimal compromise.
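The correlation the poster describes (tying a denial from pfBlocker, Snort or Suricata back to the hostname the client originally asked for, so a blocked CDN address is no longer opaque) can be prototyped offline. This is an added example, not the poster’s code; the resolver and denial log formats and all hosts and addresses are constructed for illustration.

```python
"""Attribute a firewall/IDS denial to the DNS lookup that preceded it.
Added example; log line formats below are assumed, not pfSense's own."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<ts> <client> <qname> -> <answer ip>" (assumed format)
DNS_LOG = """\
2021-06-01T10:00:01 10.0.1.25 telemetry.example.com -> 203.0.113.50
2021-06-01T10:00:02 10.0.1.25 updates.example.com -> 203.0.113.50
2021-06-01T10:00:03 10.0.2.40 www.example.org -> 198.51.100.7
"""
# Constructed denial log: "<ts> <src> -> <dst> blocked by <source>" (assumed format)
BLOCK_LOG = """\
2021-06-01T10:00:02 10.0.1.25 -> 203.0.113.50 blocked by pfBlocker
2021-06-01T10:00:05 10.0.2.40 -> 198.51.100.7 blocked by Suricata
2021-06-01T10:20:00 10.0.2.40 -> 198.51.100.7 blocked by Suricata
"""


def index_dns(text):
    """Map (client, answer_ip) -> list of (timestamp, qname) from resolver lines."""
    idx = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname, _arrow, ip = line.split()
        idx[(client, ip)].append((datetime.fromisoformat(ts), qname))
    return idx


def attribute_blocks(dns_text, block_text, window=timedelta(minutes=10)):
    """Return (blocking source, src, dst, hostname-or-None) for each denial.

    The hostname is the most recent name that the same client resolved to the
    blocked destination within `window` before the denial; two names sharing
    one CDN address resolve to the latest query, and an IP nobody looked up
    (or looked up too long ago) is reported as None rather than guessed."""
    idx = index_dns(dns_text)
    results = []
    for line in block_text.splitlines():
        f = line.split()
        ts, src, dst, source = datetime.fromisoformat(f[0]), f[1], f[3], f[-1]
        cands = [(t, q) for t, q in idx.get((src, dst), [])
                 if timedelta(0) <= ts - t <= window]
        name = max(cands)[1] if cands else None
        results.append((source, src, dst, name))
    return results


if __name__ == "__main__":
    for row in attribute_blocks(DNS_LOG, BLOCK_LOG):
        print(row)
```

A denial with no matching lookup inside the window is the CDN case the poster mentions: the decision to allow or keep blocking then has to be made without knowing the destination name.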


Would like to know what you end up with, especially the Microsoft telemetry and the problematic updates.

Got a lot of work to do before we get a useful solution, but I will report back when we have something credible.

What speed is your internet running? Do you have any single thread packages such as OpenVPN?

100Mbps, no single thread; 4 physically separate networks

That’s why it works for your environment. It wouldn’t work in mine, which is gigabit and 10GbE.

Is their support plan valid if you use third party hardware?
Do you need their support? If not, then go with third party hardware.