Is the Netgate 6100 MAX going to be enough?
-
Hi Everyone,
I have finally hit my limit with the UDM base model that I have now. With only 2GB of RAM I am having to either reboot it or restart the network controller (which is just a container) at least once per week. I have an AT&T Fiber 1GB connection and am consistently getting 925Mbps up and down even with IPS enabled. The main issue for me is that I have quite a few VLANs and FW rules which this thing isn't really designed for past a certain point. Plus I can't do any policy-based routing without running a hacked script which has its own limitations.
I am considering a move to a Netgate 6100 MAX, but I'm wondering if it has enough horsepower to do what I need it to do. I want to run a network-wide VPN to PIA for the non-IoT devices while still retaining most of my 1GB bandwidth while also running Suricata, PFBlocker, and NtopNG at minimum.
In addition to that, we use MS Defender for Endpoint on our iOS devices which works with the Microsoft Tunnel Gateway service on Office 365. This provides on-device URL filtering while also supporting a VPN tunnel (Azure VM and S2S tunnel) back to the home network through a single app and VPN configuration profile. We are using this now so we can take advantage of our Pi-hole servers while being remote. I would like to replace Pi-hole with PFBlockerNG, but then add the ability to route that traffic through PIA on the outbound side for complete privacy and protection while on-the-go. This is simply not possible with UniFi today.
Is a 6100 MAX going to be enough to do all of that? I would be purchasing it with the rackmount kit, so it's foolish not to consider the 7100 base which is about the same combined price point. The 7100 MAX offers even more memory, but not sure if this will help with as few users as we have. Plus it uses the same aging processor. All suggestions are appreciated.
-
Do you actually need 1Gbps over OpenVPN? (assuming the provider can pass that)
-
@stephenw10 Close enough. It's the processing power to do all of those things that concerns me. I forgot to mention that I am using all UniFi L3 switches and APs, not that it matters for the purposes of this post.
-
1Gbps OpenVPN is the hardest part of those requirements by some margin. You need some significant CPU power to pass that and, because OpenVPN is single threaded, it is individual core speed that counts.
-
@stephenw10 First off, thank you for the prompt responses. Secondly, you brought up some very valid points. I don't really mind if the tunnel doesn't do a full gig as much as I care about the unit being able to handle the full gig w/o the VPN, in addition to the other services I want to run on the FW, as I will be exempting certain devices and VLANs.
Not that I will ever need it, but I can get 5GB Fiber now, so it would be nice to get a firewall that can handle that much traffic even w/o the VPN. Do you think the 6100 is enough to handle the rest (PFblocker, Ntop, and Suricata) or do I need something with a beefier CPU and RAM? Thanks again.
-
There are a lot of variables but....
I expect a 6100 to pass in the 3-4Gbps range for a basic firewall and NAT config. It will pass 1Gbps with packages running as long as you haven't enabled every single signature in Suricata.
It probably won't pass 1Gbps OpenVPN although the performance gains with DCO are significant. And if we are able to make that leverage QAT it will be up there.
Steve
-
@stephenw10 Thank you for the info. Much appreciated.
-
@stephenw10 I just placed my order for the 6100 MAX. Thanks again for answering all of my questions.
-
@stephenw10 My plan is to have my 6100 sit in front of my UDM-SE to provide DNS with pfBlocker and Suricata. I have a /29 block from my ISP, so I can just pass those IPs down to the downstream UniFi network.