It also must be said, if you've created no floating rules, if you've created no VPN servers, and you still have ONLY the two default WAN rules - block private networks and bogon networks, nothing is getting in to your pfsense system. Jeff

That seems a bit too much for a SG-1100 as on IPsec VPN it tops at 46mbps already according to Netgate. https://www.netgate.com/products/appliances/ In that case SG-3100 would make sense to me as well. Wireguard isn't supported (yet) on Pfsense - just so you know. OpenVPN is. The second appliance you provided will "work" and seems reasonably priced. But it says "1 Gbit on Pfsense" and nothing about VPN performance. Also, if anything goes wrong you're pretty much on your own. So unless you like fiddling around more than you already have to you might rather spend the extra cash for a Netgate device. I have this device as I had it laying around and although performance is good, it already overheated once in 3 months time.

As long as you are not looking to do traffic inspection with snort or suricata, the sg-1100 will handle your needs perfectly. I use the sg-1100 on my 500/500 fiber with all basic networking services and pfBlockerNG. No problems, and single session throughput is around 480mbps. I have about 30 devices on my network and 4 very active simultanious users. So the sg-1100 is perfect for your needs, wallet, size and power consumption.

@serbus It was a hardware failure in this case. The unit was RMAed.

How complicated is your pfsense setup? If it's simple - minimal rules, minimal static DHCP leases, schedules, aliases, etc., if it were me, I would just type everything in from scratch. How experienced with pfsense are you? If you want to a straight swap, you need to export your settings from the SG-2440, edit them in a text editor to match the layout of the SG-3100, then import into the new pfsense box. If you do that carefully, it should work just fine. Keep in mind, the innards of the SG-3100 are different than those of the SG-2440. There's a switch hiding in the 3100 that needs to be accounted for. It's not impossible, but I've read over and over about users that are new to that layout getting stumped on upgrading. Here's the guide on the switch ports: https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html Hope that helps. Jeff

Please create helpdesk ticket on https://go.netgate.com/

I'm an ID-IoT. I forgot to tag the system port 5 as well. It was a little non-obvious.

@Evanc9126 said in SG-5100 gigabit throughput with UTM packages?: @bmeeks Thanks for the detailed explanation. I do run multiple VMs all of which can connect online so I'd imagine the packet payload is pretty high. My current router is capable of 2 million pps so if the SG-5100 is comparable to that, then it may not be worth the upgrade. I might have to go a step further to Xeon D. Here is a link to the Netgate hardware comparison table. This shows (on page 2 of the PDF) all of the current Netgate hardware and what the throughput is for each model with a few different traffic types. The type that likely is most applicable to your case is the one called "IMIX", which is a combination of large and small packets intended to mimic what most production networks would typically see. https://info.netgate.com/hubfs/website-assets/netgate-hardware-comparison-doc.pdf.

I restored from a recovery image and it looks like it's reinstalling missing packages now, thanks for helping get me on the right path!

I'm using pfBlockerNG with DNSBL. The DNS only happens with power outage. There is no issue with DNS resolve with reboot. I've done several reboot with no issue with DNS.

@msf2000 said in SG-1100 NIC Offload - enable or disable?: checksum errors with Suricata With Suricata we always check "Disable hardware checksum offload" (System->Advanced->Networking) disable ALL stream-events.rules or it will block lots of traffic on false positives Otherwise we get the checksum errors also. https://forum.netgate.com/topic/122571/suricata-floods-the-log-with-invalid-checksum

Yeah. Packet capture on WAN for the gateway IP address and protocol ICMP. Ping the gateway address using Diagnostics > Ping. Stop the capture. Do you see the echo requests go out? Are they replied to? You can also examine the MAC addresses there to determine that the source address is your WAN address and the destination address is the MAC address for the gateway IP address from the ARP table. There really isn't any way that would not be the case but it is worth checking. Just set the level of detail to Full and hit view capture to see that. There is no need to capture again.

Ah, well you would be toward the top of the 3100s performance if you are hitting those speeds in normal use, especially if you are running any packages. If that is the case an SG-5100 would certainly be faster. Steve

@stephenw10 Thanks again - this was very helpfull. I see that netgate included a FreeBSD Handbook under the diagnostics tab...

Bad port on the AP? Is that logging any disconnects still?

Hi Paul, You should be able to able to do that as long as all the interface mismatches are corrected before you reboot. If anything is still mismatched it will stop at the interfaces assign prompt in the console. Did you have the console open? I would bet that's what happened. Steve

Ah, good. That had me questioning everything! But, yes, the driver can only actually accelerate AES-128-CBC. Steve