Netgate 4100 or 6100?

Gertjan

What is "2 small lists" ?
I've :

Since "week 31" I'm using a SG 4100 MAX. Here are the memory stats - and all the other stats.

True, I won't be able to add millions of DNSBL.
Also true : I don't mind ;)

NE_77

@gertjan The two lists total to about 900,000 entries.

bbaalen

I've been running the 4100 base on a 1000/1000 wan with PfblockerNG-devel and during speedtests the peaks are around 60% cpu usage, memory usage isn't much either even though i use several RAM hungry settings.

I have 2 client openvpn connections on which i do all my DNS traffic, and have 1 of my appletv's routed through a US vpn. 1 OpenVPN server, i connect with it whenever i am outside my home or office and 2 ipsec tunnels to our offices. I am trying out suricata on it as well but haven't done enough with it yet to say for sure, but i think if you want to use this, then you need a 6100. All the other stuff runs fine.

There seems to be a bug or some inefficiency in the pfblockerng-devel though, modified the script to have it work fast all the time, probably wrecked something while doing this, not too sure about that, didn't really dive into it yet but it would take up 40 to 60 percent of the cpu without any traffic and then i just tried taking out some stuff of the script and putting stuff back one by one until the problem came back and everything runs fine now.

SteveITS

@bbaalen said in Netgate 4100 or 6100?:

40 to 60 percent of the cpu without any traffic

If you're on 22.05, did you see https://redmine.pfsense.org/issues/13154?

Edit /usr/local/pkg/pfblockerng/pfblockerng.inc and on line 4139 change
$r = explode(')', $result, 2);
to
$r = explode(' ', $result, 2);
(that's a space)

bbaalen

@steveits Hi Steve, yes i did see that, but i thought it was already fixed in the release i was using. I'll go check to make sure. I've pasted the part of the script i modified here by the way;

https://pastebin.com/3k4Wy5Y3

To be on topic again, so this, at least for me, made it useable on the 4100.
We usually put a 7100 in projects, but i think for most home networks, even large ones, the 4100 is more than capable.

keyser

@steveits said in Netgate 4100 or 6100?:

@bbaalen said in Netgate 4100 or 6100?:

40 to 60 percent of the cpu without any traffic

If you're on 22.05, did you see https://redmine.pfsense.org/issues/13154?

Edit /usr/local/pkg/pfblockerng/pfblockerng.inc and on line 4139 change
$r = explode(')', $result, 2);
to
$r = explode(' ', $result, 2);
(that's a space)

Not trying to derail this discussion, but a quick question: I'm using pfBlockerNG-Devel (unpatched) on 22.05 on a SG-2100 and SG-6100, but I have not seen this CPU usage issue.
There must be some pfBlockerNG configuration you need to have in order for this issue to show itself?

SteveITS

@bbaalen said in Netgate 4100 or 6100?:

it was already fixed in the release i was using

It's not, actually. :-/ 3.1.0_4 is the one with the bug, and it wasn't a problem until 22.05 changed the logging, I think it was. There hasn't been an update since 3.1.0_4.

@NE_77 I would personally not be concerned with 35% RAM usage. We don't have any devices at client sites that have needed lots of RAM, though to be sure we're not usually using DNSBL. I do at home for ad blocking, on a 2100, and RAM usage is 11% of 4 GB. RAM usage will depend largely on what lists are used. I've seen people post they are using "just one list" and it turns out it has several million entries or some such.

bbaalen

@keyser i've tried several of the options on reddit, this forum, re-installed, run it just with default settings etc etc, nothing really seemed to be doing the trick. I first thought, maybe it's got something to do with slow write/read speeds of the eMMC memory or something. But everything seems fine. Maybe the processor doesn't like the way the process is suspended with the php sleep or something. I just saw alot of cpu usage for no reason and the process that was consuming the most cpu time was the pfblocker.inc with the filterlog parameter command. So this led me to that function i put in pastebin, just ran some tests with some of the code commented out and that's how i ended up with the code there, put in some buffer for the file writing, not sure if it makes any difference when it is appending, but with eMMC i try to do as little writes as possible and also i always try to watch the resource handles.

SteveITS

@keyser said in Netgate 4100 or 6100?:

There must be some pfBlockerNG configuration you need to have in order for this issue to show itself?

Don't know, I have just put in the patch, and we haven't updated many yet. Are you using DNSBL?

keyser

@steveits said in Netgate 4100 or 6100?:

@keyser said in Netgate 4100 or 6100?:

There must be some pfBlockerNG configuration you need to have in order for this issue to show itself?

Don't know, I have just put in the patch, and we haven't updated many yet. Are you using DNSBL?

Yeah, using both IP lists and DNSBL lists fairly extensively. But perhaps it’s related to the logging setup of pfBlocker? I Have disabled/minimized some of the logging options to retain eMMC/SSD lifespan.

stephenw10

Yeah, I never managed to find exactly what's required to trigger that. I've seen it on some installs and not others with no obvious significant config differences. It could be a timing issue with varying hardware types. It's very obvious when you do hit it though!

Steve

NE_77

Once the hardware is EOL, will I still be able to apply updates from Netgate or is the device basically stuck at it's current software version?

SteveITS

@ne_77 Updates will be available until they cannot work, as I recall Netgate saying. So expect many years of updates after end of sale. I am personally not aware of any models being cut off from updates. We have clients with some fairly old models.

stephenw10

Yup, we only stop building updates when it becomes impractical to do so. So there no 32bit x86 builds any longer for example. Sorry m1n1wall users.
We are still producing images and pkgs for the SG-1000 though and that was EoL some time ago:
https://www.netgate.com/support/product-lifecycle

Steve