Pros/Cons of preloaded Netgate appliance vs. installing on own hardware?

Miner

Regular Contributor
I’m specifically thinking Netgate models 2100 or 4100 vs. a Protectli FW4C.

The Netgate 4100 at $600 is at the very top of the range to spend.

Application will be to replace a Cisco RV345 which is used in a small home office/small business arrangement. At various times several people connect from the home office, more often two people connect, one SB owner and one WFH remote worker.

VPN-ing into the home office when traveling is a big factor.

Limited experience with Linux. I'm wondering if every time a new patch, release or update -- to the underlying OS, to pfSense, or to any package -- comes out how involved will it be to do the updates.
 
I’m specifically thinking Netgate models 2100 or 4100 vs. a Protectli FW4C.

The Netgate 4100 at $600 is at the very top of the range to spend.

Application will be to replace a Cisco RV345 which is used in a small home office/small business arrangement. At various times several people connect from the home office, more often two people connect, one SB owner and one WFH remote worker.

VPN-ing into the home office when traveling is a big factor.

Limited experience with Linux. I'm wondering if every time a new patch, release or update -- to the underlying OS, to pfSense, or to any package -- comes out how involved will it be to do the updates.
@Tech9 is the one who can answer your Netgate questions. I know when I was running pfSense updates were easy and pretty much automatic if your settings allowed it.
 
Netgate appliances are expensive for home use. I would recommend cheaper mini-PC options instead. There are many available, including with all 2.5GbE ports. I use Netgate appliances (6100) for business because I have no DIY options. The equipment has to be standard, serviceable and replaceable by the IT support people. I also use one at home (5100, now discontinued model), but just because the system was built with no cost limits a few years back.

Netgate appliance advantage - tested and guaranteed to work with pfSense, with fewer update issues expected.
 
For the top range pfSense appliances, Netgate charges tons of money for basically a Supermicro motherboard in a Supermicro housing. You can run pfSense reliably and stably on a decent board and CPU for a fraction of that cost.
 
True for home use, but not needed and the CPU alone in your signature can draw more power than 4x Netgate 6100 units. You are going to pay the same price long term, but in electricity. Your hardware is good for a local ISP. You perhaps use under 10% of the capabilities. The rest is noise and heat.
 
I’m specifically thinking Netgate models 2100 or 4100

The hardware is decent enough - a bit pricy, but there is value add compared to buying the boxes from the OEM (yes, Netgate did not make or design them, they are off the shelf and branded).

The 2100 is a bit underpowered compared to other ARM solutions (it's a dual-core A53; IIRC, it's the Marvell MV3720, same as EspressoBin and GL-Inet's Brume gateway).

The 4100 is a decent unit, similar to the SG-2440 but with better connectivity - performance should be similar - WAN side, it can easily handle a 500Mbit pipe, but it might struggle a bit with a gigabit if one is NAT'ing.

Speaking of GL-Inet, might consider the MV2500/Brume2 (Brume 1 was end of lifed because Marvell being Marvell, the 3720 was end of lifed when the business unit was sold to NXP).


OpenWRT, good performance...
 
I would look into a Firewalla Gold for your needs. Same price range as a Netgate 4100 and a lot easier to setup and manage. It also handles remote workers very easily.

I just mention it as an option. If you need business support then Netgate would be the preferred solution.
 
it can easily handle a 500Mbit pipe, but it might struggle a bit with a gigabit if one is NAT'ing

It can handle 2.3Gbps WAN-LAN according to tests (2.5GbE port speed). Dual core x86 CPU with 4GB RAM is good enough hardware.
 
It can handle 2.3Gbps WAN-LAN according to tests (2.5GbE port speed). Dual core x86 CPU with 4GB RAM is good enough hardware.

No - IMIX firewall on the 4100 - best case is 1.4Gbps... and they don't disclose how they actually tested it.

IPsec 312Mbit/sec, so OpenVPN will be even slower - while it has AES-NI, at 1.8GHz, context switching will take time.

Seriously, it's a dual-core Atom running at 1.8GHz, it's fine for a 500Mbit symmetric connection, maybe even a 500/50 biased towards the downlink. Remember, there is no fastpath in pfSense when doing firewall work, and if it's PPPoE on the WAN side, that other core will not be of much assistance - because FreeBSD is still single threaded.

 
True for home use, but not needed and the CPU alone in your signature can draw more power than 4x Netgate 6100 units. You are going to pay the same price long term, but in electricity. Your hardware is good for a local ISP. You perhaps use under 10% of the capabilities. The rest is noise and heat.

Well, that is a chicken and egg story, of course. It 'can' draw more power but since my router indeed runs on average at about 7% CPU load, it doesn't draw that kind of power at all. Bear in mind that this config including the SSDs was about 250 Euro. Even if my config draws a bit more power, that is still a big gap to close in terms of kWh over-consumption compared to the Netgate.

And yes, my config may be a bit overkill for home-office use, but I guess that is the price to pay for being an enthusiast. Besides that, I never looked back since I threw out all the consumer-grade stuff and replaced it with decent hardware, which makes my life a lot easier with all the network demands nowadays: streaming services, IoT and a gazillion mobile devices at home, which is basically priceless.
 
Remember, there is no fastpath in pfSense when doing firewall work

If it can do 1.4Gbps WAN-LAN - still Gigabit better than ARM based home routers with NAT acceleration disabled. It can also run more things with 4GB RAM available. I like GL-MT2500A (the one with aluminium case) device for <$100 though. Good replacement for Ubiquiti ER-X type routers.
 
If it can do 1.4Gbps WAN-LAN - still Gigabit better than ARM based home routers with NAT acceleration disabled. It can also run more things with 4GB RAM available. I like GL-MT2500A (the one with aluminium case) device for <$100 though. Good replacement for Ubiquiti ER-X type routers.
Interesting, thanks for pointing out. Specs show low power consumption.
 
This product is perhaps much easier to set up than a full blown OS like pfSense/OPNsense. Your Cisco RV345 router is a pretty basic device (I had 3x in use less than a year ago) and not very hard to replace. TP-Link ER7206 may do it for about $150. Just look at what's available in standalone mode without the Omada controller and whether it fits your needs. The controller is an extra $100. Netgate x86 appliances are faster, but run much more complicated software.
 
I read here that this is no longer the case.

pfSense (and FreeBSD) is SMP/SMT friendly - it will consume all the cores that the host has. That being said - PPPoE/GRE only presents as a single flow to the NIC, hence it is single threaded at a CPU level.

Since that single PPPoE/GRE flow is single threaded, it is ultimately limited by the clock speed of the CPU - note I didn't say whether it is a big Intel core, little Intel core, or an ARM - the limitation is the clock speed of the host CPU, as all it is doing is taking packets in on the NIC, and moving it upstream for L2/L3/L4 processing.

I do know a thing or two about router design and performance, having been there/done that on Linux, BSD, and VxWorks.
 
What's the expected WAN-LAN throughput on GL-MT2500 device with whatever QoS supported is enabled?
 
What's the expected WAN-LAN throughput on GL-MT2500 device with whatever QoS supported is enabled?

Well, that's not as easy of an answer as folks would like...

First a little sidebar..

1Gbit connection gives 1.48Mpps line rate - so a full duplex connect means roughly 3Mpps... Since not all packets are the same size, when you look at a normalized distribution, you're actually looking at around 350Kpps one way, or a full duplex minimum throughput of 700 Kpps

That packet distribution being roughly:

PPS*( 7*40 + 4*576 + 1500 )/12*8 over IPv4

At the switching layer, ethernet frames..

PPS*(7*(40+14)+4*(576+14)+(1500+14))/ 12*8 over the switching fabric

And performance is non-linear, as smaller packets relative to larger packets, need more "work" - e.g. we talk about MaxMTS/MSS, but a majority of packets/frames are much smaller...

Which is why iPerf/iPerf3, Speedtest.net, and others - they represent a false picture of what the real "good put" is of a particular router/firewall/edge gateway.

End sidebar...

Brume2 - It's an MT7981b based target, and while the WAN port is 2.5GB, the LAN port(s) are gigabit - so one has to start from there...

The MT7981b does support fastpath/hw acceleration, so 700 Kpps is definitely reachable full duplex - QoS in OpenWrt (Brume2 is OpenWrt at its core) needs HW accel turned off, so things do slow down a bit - however with CakeSQM, it's still quite nice. It's a bit faster than Brume 1 (MV3720) as clock speed is 300MHz higher (1.3 vs 1.0 on the 3720)...

500Mbit - definitely doable in the real world - gigabit, it'll likely struggle a bit depending on the benchmark in use.
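
The sidebar's packet-rate arithmetic as a small Python calculator (an added example, not part of the original post). The function names and the 24 bytes of on-wire overhead are assumptions made here; the 7:4:1 mix and the 14-byte Ethernet header come from the post.

```python
# Added example: Simple IMIX packet-rate arithmetic (not from the original post).
SIMPLE_IMIX = ((40, 7), (576, 4), (1500, 1))  # (IPv4 bytes, weight), as in the post
ETH_HEADER = 14      # per-frame bytes the post adds at the switching layer
WIRE_OVERHEAD = 24   # assumption: FCS 4 + preamble/SFD 8 + inter-frame gap 12


def avg_bytes(mix, extra=0):
    """Weighted mean packet size in bytes, plus `extra` bytes per packet."""
    total_weight = sum(weight for _, weight in mix)
    return sum((size + extra) * weight for size, weight in mix) / total_weight


def pps_for_rate(bits_per_sec, mix, extra=0):
    """Packets per second needed to fill a link with the given mix."""
    return bits_per_sec / (avg_bytes(mix, extra) * 8)


def min_frame_line_rate(bits_per_sec):
    """Worst case: 64-byte frames plus 20 bytes of preamble and gap."""
    return bits_per_sec / ((64 + 20) * 8)


def rate_by_packet_size(pps, sizes=(40, 576, 1500)):
    """Bit rate a fixed packets-per-second budget yields at each size."""
    return {size: pps * size * 8 for size in sizes}


if __name__ == "__main__":
    gbit = 1_000_000_000
    print(f"64-byte line rate:       {min_frame_line_rate(gbit):>12,.0f} pps")
    print(f"IMIX, IPv4 bytes only:   {pps_for_rate(gbit, SIMPLE_IMIX):>12,.0f} pps")
    print(f"IMIX, +14 B header:      {pps_for_rate(gbit, SIMPLE_IMIX, ETH_HEADER):>12,.0f} pps")
    on_wire = ETH_HEADER + WIRE_OVERHEAD
    print(f"IMIX, full wire framing: {pps_for_rate(gbit, SIMPLE_IMIX, on_wire):>12,.0f} pps")
    for size, bps in rate_by_packet_size(350_000).items():
        print(f"350 Kpps of {size:>4}-byte packets = {bps / 1e6:,.0f} Mbit/s")
```

At a fixed 350 Kpps budget the same device moves 112 Mbit/s of 40-byte packets but 4.2 Gbit/s of 1500-byte packets, which is why large-packet benchmark figures say little about mixed-traffic firewall throughput.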
 
500Mbit - definitely doable in the real world

I would expect something like 200-250Mbps based on ER-X performance with 0.9GHz CPU. It was sinking under 200Mbps with QoS enabled. Current flagship devices with 2.0GHz ARMv8 cores reach about 400Mbps with Cake. Previous gen ARMv7 1.4GHz cores could do about 300Mbps.

Still not bad for <$100 device and with user friendly UI. This thing, a switch, few APs - done. Better than most AIO on consumer market.
 
Food for thought...


Or its big brother...


pfSense/OpnSense or whatever...
 
I'm gonna lose this one somewhere during the setup... 😀

By the way, this GL-MT2500 thing at current $59 (plastic version) is good for AdGuard Home use only. It's much cheaper than Raspberry Pi.
 
