Netgate SG-1000 firewall - Can it follow me at 400 Mb/s ?
-
Hello, I purchased and first configured the SG-1000 Netgate micro-firewall in August 2017.
At that time, I had a lot of trouble with my mere 2 Mb/s connection for home usage and further wanted to implement a guest network and an IoT VLAN, which was not easy at the time. The SG-1000 under OS 2.4 worked just fine for me. Mostly for the sake of simplicity, I have always set up my SG-1000 as a double NAT connected on the LAN side of my ISP-supplied internet box. For good network separation, I let my ISP's LAN be whatever it wanted (usually 192.168.1.xxx) and made the SG-1000's I have never needed to configure my ISP's internet box except to the extent needed for the VLANs to be in the ranges 192.168.10y.xxx (VLAN 101, VLAN 102 and so on). That way and for the sole purpose of stripping it of its wi-fi, I essentially use my SG-1000 as my sole router. It connects to the ISP's internet box by DHCP and I give no further attention to my ISP's box.
In 2017, my ISP was supplying me with 2 Mb/s ADSL. Then the SG-1000 worked flawlessly and with as little electricity consumption as I could dream of. By 2019, after about two years and an investment by my ISP in my village, I got, without any additional concern, a VDSL capability of about 20 Mb/s and thus changed my ISP-supplied internet box and simply plugged my SG-1000 back in. It worked just fine again.
Recently, this year (2021), the fiber reached my village and I contracted for a 400 Mb/s capability, through their fiber network, which is capable of delivering up to 2 Gb/s. I again did the same with my SG-1000. With the sole exception that follows, everything worked fine, as predicted. However, the allowable internet bandwidth is now stable at about 150 Mb/s, which is somewhat below the achievable 400 Mb/s delivered by my ISP, after turning off my traffic shaper. I tested one by one the relevant network cables and components like switches: except for the SG-1000, they would all deliver 400 Mb/s internet.
I measure bandwidth with Speedtest, using an idle admin account on my Mac and connecting the Mac as close to the source as possible.
It seems to me the SG-1000 is the weak point in my home network, that it is the primary cause for the measured bandwidth reduction. Is that believable or should I perform additional tests and changes to the SG-1000 configuration in order for it to allow my new 400 Mb/s bandwidth?
Thank you in advance for any advice.
-
@michel-angelo https://www.netgate.com/appliances shows the newer 1100 model in the Firewall (10K ACLs) section as "IMIX Traffic: 190 Mbps". Do you have any packages installed? What is the CPU usage during your download test?
We have a client with I believe it was an older 2440 with Suricata running, and after upgrading their Internet to "300 down" they hit 95-100% CPU usage because they're getting about 350 Mbps during the test. My point is speeds are going to be depending on a few things but definitely the hardware can be a limitation.
-
@steveits Packages installed? NONE.
CPU usage: about 50% when not doing the test (and otherwise no activity). No change when the test begins and ends.
After the test has ended however, CPU Usage climbs from about 50% to 98% for 5 seconds, then it returns to its normal 50%.
At the end of the day, it seems to me the SG-1000 may well be the bandwidth limiting factor. Should this be the case, then I will not change anything as I do not need such a high bandwidth anyway.
Thank you for your kind assistance.