@TadN said in Can SG-3100 handle 800MB down / 20 up with CodelQ active to remove buffer bloat?:

I should not be seeing any buffer bloat even without pfsense?

Bufferbloat happens at the funnel. You plan on testing direct with the modem so test that also. Bufferbloat happens. DSLR seems to have started this knowledge of the subject without really explaining it.

Its actually logical that some bufferbloat will happen. If you dump 20 gallons of water into a five gallon funnel its going to take some time to get through. Fixing all the upstream issues will help but sooner or later you will see latency increase as your network tries to push and pull more data to the head end than your plan includes.

But devices in your path can create more than should occur. Modem first. Why? Its the first line between you and them. Modems should be (IMHO) just a bridge between you and them. ( I hate all in ones) and that bridge should work full speed doing what you pay them for. Problem then becomes whether or not your node is oversold or not. But I do believe in most areas that is becoming less of a problem these days.

If your modem is driven by a Puma6 chipset though.. I would not trust it. Neither does Intel at this point.

Glad it worked for you and the SG-5100 is online again. :-)

-Rico

@ebcdic my two devices are actually wifi AP's specifically Synology WiFi AP's linked in a Mesh, the vendor says i should turn off IPv6 if i dont want to see the messages...it does appear to be a bug

@trombone Understood.

VLANs are kinda stupid easy to learn and use. I'm kicking myself that I waited so long to try, and then eventually implement and use. The hardest part I found was keeping the terminology between the manufacturers of networking gear straight - one of them calls it trunks, the other one calls it tagged or untagged, another one calls it access, another one calls it something else, etc. Once you grasp those terms and how they're used, it makes good sense. Programming your managed switch is the other variable that was new to learn, but not too difficult.

This is a good basic explanation of the concepts:
https://www.computernetworkingnotes.com/ccna-study-guide/vlan-basic-concepts-explained-with-examples.html

Good luck!

Jeff

@Mark_07 Nice!

Jeff

open a ticket at https://go.netgate.com and ask for support
they usually respond hastily and they can help you out directly

@Tantamount Thank you for this. My SG-2440 couldn't update with the same error and your solution worked for me as well. I should add that after a reboot from UI, my device got a solid red status led. After power cycling it, it started working again with latest version!

To be clear; no you can't add another mSATA device. Only one slot supports SATA.

Steve

It also must be said, if you've created no floating rules, if you've created no VPN servers, and you still have ONLY the two default WAN rules - block private networks and bogon networks, nothing is getting in to your pfsense system.

Jeff

That seems a bit too much for a SG-1100 as on IPsec VPN it tops at 46mbps already according to Netgate.
https://www.netgate.com/products/appliances/

In that case SG-3100 would make sense to me as well.

Wireguard isn't supported (yet) on Pfsense - just so you know. OpenVPN is.

The second appliance you provided will "work" and seems reasonably priced. But it says "1 Gbit on Pfsense" and nothing about VPN performance. Also, if anything goes wrong you're pretty much on your own. So unless you like fiddling around more than you already have to you might rather spend the extra cash for a Netgate device.

I have this device as I had it laying around and although performance is good, it already overheated once in 3 months time.

As long as you are not looking to do traffic inspection with snort or suricata, the sg-1100 will handle your needs perfectly. I use the sg-1100 on my 500/500 fiber with all basic networking services and pfBlockerNG. No problems, and single session throughput is around 480mbps.
I have about 30 devices on my network and 4 very active simultanious users. So the sg-1100 is perfect for your needs, wallet, size and power consumption.

@serbus It was a hardware failure in this case. The unit was RMAed.

How complicated is your pfsense setup? If it's simple - minimal rules, minimal static DHCP leases, schedules, aliases, etc., if it were me, I would just type everything in from scratch.

How experienced with pfsense are you? If you want to a straight swap, you need to export your settings from the SG-2440, edit them in a text editor to match the layout of the SG-3100, then import into the new pfsense box. If you do that carefully, it should work just fine.

Keep in mind, the innards of the SG-3100 are different than those of the SG-2440. There's a switch hiding in the 3100 that needs to be accounted for. It's not impossible, but I've read over and over about users that are new to that layout getting stumped on upgrading.

Here's the guide on the switch ports:
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html

Hope that helps.

Jeff

Please create helpdesk ticket on https://go.netgate.com/

I'm an ID-IoT. I forgot to tag the system port 5 as well. It was a little non-obvious.

@Evanc9126 said in SG-5100 gigabit throughput with UTM packages?:

@bmeeks Thanks for the detailed explanation. I do run multiple VMs all of which can connect online so I'd imagine the packet payload is pretty high. My current router is capable of 2 million pps so if the SG-5100 is comparable to that, then it may not be worth the upgrade. I might have to go a step further to Xeon D.

Here is a link to the Netgate hardware comparison table. This shows (on page 2 of the PDF) all of the current Netgate hardware and what the throughput is for each model with a few different traffic types. The type that likely is most applicable to your case is the one called "IMIX", which is a combination of large and small packets intended to mimic what most production networks would typically see.

https://info.netgate.com/hubfs/website-assets/netgate-hardware-comparison-doc.pdf.

I restored from a recovery image and it looks like it's reinstalling missing packages now, thanks for helping get me on the right path!