Netgate 6100 too slow to route 6gbps internet??
-
@gabe-a I think you’re not accounting for the firewall and NAT and other services that a switch isn’t running or providing. Those will all unfortunately take a bite out of the speeds it can handle in a laboratory type environment.
For the speeds you’re talking about, I’d highly recommend considering TNSR (you can get it for free for home/lab use and it will run on your 6100). You are essentially guaranteed to get very near your full speed using TNSR. It doesn’t have all the features of PfSense though, but then again, it wasn’t meant to. I’d love to see a follow on from you about your TNSR experience.
-
Just to bolster what you’ve been told, if you look at the IMIX results posted on the Netgate site, those more closely represent what you’re seeing.
https://www.netgate.com/pfsense-plus-software/how-to-buy
The TNSR results are nearly 5 times better for the results when using a firewall/ACL
https://www.netgate.com/tnsr-software/how-to-buy
-
@gabacho4
Is there a way to update it through "normal" channels (e.g. the same way it updates its own pfsense software, with a click of a button on the main screen in a browser)?
The only access I see to tsnr currently is in a very cumbersome (and huge!) 2.2GB ISO file with directions to use serial cables or vga (I have HDMI and displayport...and the router has neither port. Or a VGA port. Or what I always thought was a "serial" port... like those printers from the 90s?!). There are a huge litany of instructions that seem to span all sorts of models and assume expert knowledge on the part of the person setting it up. I mean, burning the ISO is complex enough (with multiple tools from Rufus to Windows image writer offering radically different settings, MBR/GPT partition schemes, etc)...
Step 2. Plug your screen into your modem. Just...wow.
(Yes, there is no VGA port -- that would have been too easy, right?) But wait -- there is documentation for this router specifically, right?
A separate adapter is required to make a connection between a computer and the firewall using the RJ45 serial port. This can be a direct RJ45-to-USB serial adapter or a standard USB-to-serial adapter and an RJ45-to-DB9 adapter or cable. It is also possible to utilize client hardware serial ports and compatible cables, but these ports are rare on modern hardware. These are standard components, inexpensive and readily available from most retail outlets that sell computer cables.
Called my local best buy. Response? "A what? Never heard of anyone having those and doubt we have had anything like that for years. Might want to update your computer network to something with modern connectivity standards. Or try online."
Online: this thing?
I hope you can appreciate that if it's not even clear what cable to plug into this thing or how to even start an installation, this seems to me very much like asking someone who just moved into their first single-family home (and never picked up a shovel!) to "oh go ahead and rebuild the foundation of your home, ensuring compliance and compatibility of all tools and process as you go." It took a while to figure out how to set it up with the "idiot proof" pfsense interface (and I still don't have ipv6 working!).
In terms of slightly easier alternatives, how to disable the firewall via the web interface?
-
@gabe-a Yes, with your current experience on networking, TNSR is not for you. It does not have a GUI, and needs to be managed by Command Line Interface only.
But are you sure not using a Firewall is a good idea when you are looking into adding the Internet connection to your network for general use? Having the line direct attached to a host with a software firewall is one thing (and manageable security-wise). Adding it as router for a network is something entirely different - and has vastly different requirements.
If you can answer and understand these questions, then perhaps disabling the firewall is an option. If not, I cannot recommend you go any further with that idea - it’s going to either not work or end very badly:
1: Do you have public IPs for all devices?
2: Are you behind a carrier grade NAT?
3: Do you have a firewall installed and managed on all devices individually?
Don’t go for security by obscurity (thinking NAT alone makes it secure - spoiler alert: it does not).
-
@keyser
Thanks. Although no stranger to the commandline, I'm definitely starting from near zero when it comes to networking/hardware things. The only things I'm planning to connect to the 6gbps network are Linux workstations. There's also a "free" 1gbps ethernet service (on a different static xfinity IP) also included that I'm using for them now and any "household" things (TVs, laptops, wifi, etc), routed through a totally separate $300 router that works very well. (In fact that router has 2.5gbps ports that really do function at their advertised speeds, making it almost equivalent to this Netgate router in performance despite being a third of the price!).
Regardless, I can confidently answer that the Linux boxes can indeed be configured with software firewalls before connecting. In fact I've been using the direct SFP connection from the aria switch -> juniper switch -> PC already and reaching very close to 6gbps in normal internet use. (The same PC is also independently connected to the 2.5gbps network but completely disregards the 1gbps internet stream they all use, and they also cannot connect to the internet through the one PC that is connected directly to the 6gbps -- they all share the inferior 1gbit behind a normal consumer router + firewall).
Public IPs -- my ISP just gives me one single static IP address that's public facing. I have no choice but to get a router to split internet delivered via that IP address across the other machines via localnet (otherwise I'd have been happy with a passive switch...but a switch can't give out separate local IP addresses that can independently send/receive traffic. Hence, a switch is not a router).
NAT -- no, I really have no idea what a NAT is, but with the limited aid of wikipedia I see that it's likely I can answer yes to your question, as the static IP I'm assigned comes directly from Washington over fiber optic and gets transformed through 2 separate boxes, the aria and the juniper mentioned previously. What pops out the end is a glorious 6gbps signal whose IP address does not look like it's filtered through middleware as it literally comes from the city that serves the fiber network, not from some local sub-NAT redistribution point (hey, sorry if I'm mixing up terms or concepts, but you get what I mean...I hope?).
-
The 6100 has two console ports, an RJ-45 port, as commonly found on switches and routers, but also a USB port that you can connect to any host that has a USB port. It is supplied with a cable for connecting to USB-A. You can also connect to USB-C using an adapter or a USB-C to USB-micro-B cable.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-6100/connect-to-console.html
Steve
-
@stephenw10
Well that helps. Although I'm not a fan of how the documentation is modular to the point of actually being less helpful (why isn't there one manual per product line? It's not like there are tons of product lines here).
- Downloaded the ISO (you'll have to request this in the netgate shop)
- Burnt it using balenaEtcher to a usb stick
- Plugged the USB stick into the router
- Plugged the micro-USB into the router, big end into my computer
- Ran: sudo screen /dev/ttyUSB0 115200
- Pressed enter again to get stuff to actually appear (otherwise screen shows a blank screen...bad)
- Ran reboot
- On reboot, pressed F2
- Selected the second option in the boot menu (grub something)
- Followed along here from step 7: https://docs.netgate.com/tnsr/en/latest/installation/index.html
- Got stuck at step 19's note (the instructions simply don't work):
user:~$ sudo -u tnsr clixon_cli
tnsr# nacm group admin
CLI syntax error: "nacm group admin": Unknown command
Fail. I think these instructions need an update, as the entire set up to 10 aren't included anywhere and you can't expect people to just "know" them. And the hopelessly spread-around [dis]information on nacm is atrocious, and clearly does not work. Do I or do I not need to run that failed command? If so, how? This doesn't bode well for actually setting up interfaces later...
-
@gabe-a said in Netgate 6100 too slow to route 6gbps internet??:
Pressed enter again to get stuff to actually appear (otherwise screen shows a blank screen...bad)
Yes, this is to be expected. The OS has no way to know if you are connected to the serial port or not. It's inherent in the nature of a serial connection.
@gabe-a said in Netgate 6100 too slow to route 6gbps internet??:
user:~$ sudo -u tnsr clixon_cli
tnsr# nacm group admin
CLI syntax error: "nacm group admin": Unknown command
I believe that the command you are trying to execute (nacm group admin) requires that you enter config mode first. At the tnsr# prompt enter "configure" before proceeding.
This section may be of use to you: Zero-to-Ping: Getting Started.
If you've managed network equipment such as a Cisco router before, these commands are all pretty intuitive. If you haven't, there's a learning curve.
-
11 (repeated). Multiple pages later, an explanation for #19 is given. Yes, unbelievably even the linked page on nacm introduction and subsequent examples fails to convey the fundamentals of usage. See that weird parenthesis? The one that says "(config)" in it? Well it turns out you have to type the word "configuration" once you've done
sudo -u tnsr clixon_cli
I know. I know... so many huge gaps. You have to read chapters ahead and go back again to actually follow the instructions.
dataplane dpdk dev 0000:03:00.0 network name WAN
dataplane dpdk dev 0000:03:00.1 network name LAN
configure terminal
Follow the ACL instructions here: https://docs.netgate.com/tnsr/en/latest/ztp/index.html
QUESTION: why? Why do we need ACL? What happens if we don't use it? Does it slow things down? Will the following steps work without it?
- Actually do the IP setup for your internet. Use 2 addresses after the static IP that comcast gives you (that's because they give you the switch's IP, and then the gateway is that plus one, and then the actual IP address is 1 after that. So if it ends in .21, you have to use .23. I know, also not documented by xfinity). Anyway:
tnsr# configure terminal
tnsr(config)# interface WAN
tnsr(config-interface)# ip address XX.XXX.XX.XX/30
tnsr(config-interface)# ipv6 address 2001:XXX:XXX::2/48
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# interface LAN
tnsr(config-interface)# ip address 10.2.0.1/24
tnsr(config-interface)# ipv6 address 2001:db8:1::1/64
tnsr(config-interface)# enable
tnsr(config-interface)# exit
Yes, carpal tunnel after all this repetitive copying/pasting/typing is a real risk. This is really, truly cumbersome and terrible.
16. NAT setup. Same question -- why? What? And how come we have to set this up? In pfsense I didn't have to touch this? Does this slow things down? What if I want to do simple port forwarding later?
user tnsr(config)# nat global-options nat44 forwarding true
user tnsr(config)# nat global-options nat44 endpoint-dependent true
user tnsr(config)# nat global-options nat44 enabled true
user tnsr(config)# nat pool interface WAN
user tnsr(config)# interface WAN
user tnsr(config-interface)# ip nat outside
user tnsr(config-interface)# exit
user tnsr(config)# interface LAN
user tnsr(config-interface)# ip nat inside
user tnsr(config-interface)# exit
user tnsr(config)# dhcp4 server
user tnsr(config-kea-dhcp4)# description LAN DHCP Server
user tnsr(config-kea-dhcp4)# interface listen LAN
user tnsr(config-kea-dhcp4)# lease lfc-interval 3600
user tnsr(config-kea-dhcp4)# subnet 10.2.0.1/24
user tnsr(config-kea-subnet4)# pool 10.2.0.100-10.2.0.245
user tnsr(config-kea-subnet4-pool)# exit
user tnsr(config-kea-subnet4)# interface LAN
user tnsr(config-kea-subnet4)# option domain-name-servers
user tnsr(config-kea-subnet4-opt)# data 10.2.0.1
user tnsr(config-kea-subnet4-opt)# exit
user tnsr(config-kea-subnet4)# option routers
user tnsr(config-kea-subnet4-opt)# data 10.2.0.1
user tnsr(config-kea-subnet4-opt)# exit
user tnsr(config-kea-subnet4)# exit
user tnsr(config-kea-dhcp4)# exit
user tnsr(config)# dhcp4 enable
user tnsr(config)# unbound server
user tnsr(config-unbound)# interface 127.0.0.1
user tnsr(config-unbound)# interface 10.2.0.1
user tnsr(config-unbound)# access-control 10.2.0.1/24 allow
user tnsr(config-unbound)# forward-zone .
user tnsr(config-unbound-fwd-zone)# nameserver address 8.8.8.8
user tnsr(config-unbound-fwd-zone)# nameserver address 8.8.4.4
user tnsr(config-unbound-fwd-zone)# exit
user tnsr(config-unbound)# exit
user tnsr(config)# unbound enable
user tnsr(config)# system dns-resolver dataplane
user tnsr(config-dns-resolver)# server localhost 127.0.0.1
user tnsr(config-dns-resolver)# exit
user tnsr(config)# system dns-resolver host
user tnsr(config-dns-resolver)# server g1 8.8.8.8
user tnsr(config-dns-resolver)# server g2 8.8.4.4
user tnsr(config-dns-resolver)# exit
user tnsr(config)# configuration copy running startup
user tnsr(config)# configuration save running backup.xml
-
@dennypage
Things that are "inherent in the nature of X", where X is absolutely intimately essential to following the directions... should be explicitly said in the directions.
Nobody I've ever seen in my whole life has ever touched a serial connection. That's 90s tech. Why would you assume this is common knowledge? It's not on wikipedia, it's not anywhere I searched. I tried to restart my system multiple times before pounding my keyboard in frustration before stuff popped up. Why isn't "configure" in the logical order of the setup document? Again, gaps.
I'm trying to work through this. I have no idea what examples are applicable to my use case and what aren't.
I'm -- literally -- trying to set up something that takes 30 seconds in any other respectable router. Just want to enter my static IP (that's how comcast gives them for gigabit pro), the gateway, the subnet, and then plug a switch into the other hole to get my internet & networking.
Why the literally hundreds of lines of inscrutable text? Why is this considered the replacement for pfsense? Why can't the pfsense interface just hook into this nasty thing and do this for us?
-
@gabe-a
Okay, sorry for the double post, and I just had a realization. It just occurred to me you're probably wondering (in shock and horror) why this rando came on getting frustrated about setting up your "business firewall" and what could have possessed such a purchase in the first place. Let me take a step back for context. When comcast set up my gigabit pro (that's their new 6gbps fiber internet), they literally told me this: buy a netgate router, the one with 2 10gbps holes, plug this cable into one of the holes (the internet), and plug your 10G switch (it's a trendnet ultra-cheap) into the other. Boom -- 10 gigabit ethernet network plus 6gbps internet, easy as can be. Just like all the other consumer routers for normal cable internet. And since almost all desktops/workstations these days have 10gbe ports, well... seemed like a no-brainer.
This is THE router recommended for THE fiber optic 10gbe connection in the united states, to my knowledge. I am extremely vocal so I immediately came on here to complain and try to make it work, but I'm sure others have not and are suffering or canceling.
If it wasn't clear before, I'm really not liking this tnsr business. Really user-unfriendly way to get internet out of a router. Who the heck has experience managing "Cisco routers" among those who just want fast xfinity at home? Not I!
-
@gabe-a You have been given access to a 6G internet service at a good price.
Do you actually need or would notice fully WAN speed in practice?
The reason I ask is that speed is not widely available to consumers so not broadly supported with consumer gear.
If you instead just use what readily works (such as pfsense) you may find that is all you need at the moment.
PS
I agree a pfsense front end to tnsr back end would be awesome.
-
user tnsr(config)# route table ipv4-VRF:0
user tnsr(config-route-table)# route 0.0.0.0/0
user tnsr(config-rttbl4-next-hop)# next-hop 0 via XX.XXX.XX.23
user tnsr(config-rttbl4-next-hop)# exit
user tnsr(config-route-table)# exit
Forgot the above. Wow, this documentation is really, really poor, I'm so very sorry to say. It's so poor because it's fragmented and nonsensical.
The above was required to simply add a gateway. Yes, really!
I'm exhausted and drained.
It works now. https://www.speedtest.net/result/13827218769
Properly serving the network over DHCP. Now I have to test if the workstations can see each other (seeing the internet is only half the battle). Still also have to figure out port forwarding. Probably some setting in the NAT thingy.
-
@patch That's actually a good question. Yes, I routinely download and upload to AWS, very large datasets of multiple terabytes each. Sometimes I need to pull in dozens of these on my RAID of m2 SSDs and distribute across my workstations. Each workstation has >=1TB of RAM and 56 to 128 cores for parallel processing. Network I/O (internal and to the net) was the bottleneck.
I know what you're thinking: still excessive.
But here's the catch. It was either this (6gbps) or 200mbps over aging coaxial. And the price difference is non-trivial here! I just want to get what I paid for (out of the router and out of the service).
Service was easy (although a few construction crews tore up the basement and had to close the street and "splice" cable from far away, which was a huge inconvenience to my neighbors). This router was a real battle.
-
@gabe-a what are your upload speeds supposed to be? 6 gig down and 700 meg up is kinda weird imho but so is Comcast sometimes.
Couple thoughts for you, none of which are meant to be mean.
-
Having a 6 gig internet connection puts you in a different category of network needs for performance. You’ll never find a consumer device (at least now) capable of giving you those speeds. This means you will have to move toward more commercial-strength gear for routing. TNSR is in that class. There are other options that come to mind but they are also command line driven OR require you to pay insane subscription fees or fees to enable the full potential of your hardware. Switching, as you’ve seen, is much easier to do at speed because of ASICS and because a switch doing L2 switching requires far less power than the router which is doing L3 and other. If you were to buy a cheap switch that can also do L3 (or try to at least) you’d find that the switch would get clobbered.
-
As a result of said reality, the terminal with a serial connection is absolutely something normal and standard for configuring enterprise type gear. In fact, once you’ve gotten used to it, most people tend to prefer it because it’s faster and can give you more info than a GUI. It does come with a learning curve but gets familiar once you’ve used it a bit. Documentation is also your best friend.
-
I’ve been using TNSR for quite some time and didn’t find the documentation to be bad. Confusing if you’re not used to this type of setup? Sure. But their zero to ping worked outstandingly for me and I remember it being made very clear when you have to go into configure mode and all. You can also tell by the type of prompt you have in the cli. Anything that sets config parameters in TNSR requires configuration mode. Most things that touch on the host configuration and access to Linux internals is done via sudo from user mode.
-
I expect you didn’t think, or have any interest, in becoming a sys admin. Given the storage and device setup you have you are already far beyond the average user. All you were missing was a multi gig internet service with an enterprise router! I think you could come to love it, learn in the process, and fully utilize your service.
-
@gabacho4
Thanks, this is the furthest thing from mean I've ever seen. Supportive, encouraging, sensible maybe, but mean? Sorry, nope, not you. Speeds are supposed to be 6 up, 6 down, and they are. Upload speeds over 1gbps have known issues with speedtest.net + some of their test servers. Other servers show 2gig up, others more or less. It's not concerning because I actually scp'd some big files up there and they drive really close to 6gbps up so it's fine -- speedtest is just better recognized for download speeds (their mobile site doesn't even test upload). Same happens with direct connection to the PC (without a router).
I agree with most of these points and use the linux commandline quite a bit. The problem is more about the software not having sensible defaults and, failing that, presets/guides for simple configuration. The zero to ping instructions did not work for me because:
- Inadequate explanation of what was going on and what was truly optional (and why/how to skip them), including speed and security implications of each piece. At one point there is this big piece about setting up nameservers, after which there's a blurb saying "oh that was optional btw haha" or similar.
- They did not include info or links or instructions for setting up a static IP (I believe all fiber connections in the US currently provide one)
- They did not include setting up a gateway, which is required to route the traffic to the ISP
- The enumeration of the devices and ports is non-obvious. They aren't labeled the same thing they are in pfsense or on the actual device.
- Comcast literally recommended it. Maybe it was just that one tech, but that recommendation means something, and xfinity is indeed consumer facing, not business/enterprise, so expectations were set
- It's hard to imagine typing literally hundreds of lines is faster than 3 clicks and pasting in IP addresses. I agree commandline is faster for some things. But just pumping my internet from one hole to another, enabling sensible default routing and firewall rules? That should be trivial!
- Hard to understand why commercial-grade things would be more complicated. Don't the bigwigs like big shiny polished things? Simplicity being the ultimate sophistication and whatnot?
Thinking of making a shell script that automates this for people. Simple picture guide for the initial install, then a shell script you can literally paste into the terminal. It'll ask your IP, subnet, gateway. That's it. Plug in your internet on the left, switch on the right, and go. Y'know, like regular routers. :)
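A generator along the lines gabe-a proposes above, written as an added example for this thread (it is not Netgate tooling and not the poster's script). It takes the three values a static-IP customer actually has (own WAN address with prefix, gateway, optional WAN IPv6 address), validates them with Python's ipaddress module, and emits the interface, NAT and default-route commands that appear in the posts above, with the addresses filled in. The DHCP/unbound and ACL parts of the zero-to-ping sequence are left out on purpose; the ACL step is the one keyser's firewall questions apply to and should not be skipped just because it is missing here. The 203.0.113.x and 2001:db8: values are constructed documentation-range samples (the poster masked the real ones as XX.XXX.XX.XX); the PCI ids default to the ones in the thread and are assumed to match the 6100's ports; placing the dataplane commands inside config mode is an assumption taken from the (config) prompt the zero-to-ping guide shows.

```python
"""Render a TNSR CLI sequence from a validated static WAN assignment.

Added example for this thread, not Netgate tooling and not the poster's
script.  Checks the addresses before emitting anything, because the
mistakes that make a static WAN silently fail are all address mistakes.
"""
import ipaddress

# Constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_WAN_V4 = "203.0.113.22/30"
SAMPLE_GATEWAY_V4 = "203.0.113.21"
SAMPLE_WAN_V6 = "2001:db8:ffff::2/48"


def validate_wan(wan_cidr, gateway):
    """Return (interface, gateway) or raise ValueError naming the problem.

    On a /30 only two host addresses exist, so binding the broadcast
    address, or pointing at a gateway outside the subnet, are the usual
    off-by-one errors when the ISP hands out addresses by word of mouth.
    """
    wan = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(gateway)
    net = wan.network
    if gw.version != wan.version:
        raise ValueError("gateway and WAN address use different IP versions")
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside the WAN subnet {net}")
    unusable = {net.network_address, net.broadcast_address}
    if wan.ip in unusable:
        raise ValueError(f"{wan.ip} is the network/broadcast address of {net}")
    if gw in unusable:
        raise ValueError(f"gateway {gw} is the network/broadcast address of {net}")
    if gw == wan.ip:
        raise ValueError("gateway must differ from the WAN address")
    return wan, gw


def render_tnsr_config(wan_cidr, gateway, wan_v6=None,
                       lan_cidr="10.2.0.1/24", lan_v6="2001:db8:1::1/64",
                       wan_pci="0000:03:00.0", lan_pci="0000:03:00.1"):
    """Return the CLI lines, in order, ready to paste into clixon_cli.

    Only an IPv4 default route is rendered (route table ipv4-VRF:0), so the
    gateway must be IPv4.  PCI ids are assumed to match the hardware.
    """
    wan, gw = validate_wan(wan_cidr, gateway)
    if gw.version != 4:
        raise ValueError("only an IPv4 default route is rendered here")
    lan = ipaddress.ip_interface(lan_cidr)
    lines = [
        "configure terminal",
        # Bind the two DPDK ports and give them the names used below.
        f"dataplane dpdk dev {wan_pci} network name WAN",
        f"dataplane dpdk dev {lan_pci} network name LAN",
        "interface WAN",
        f"ip address {wan.with_prefixlen}",
    ]
    if wan_v6:
        lines.append(f"ipv6 address {ipaddress.ip_interface(wan_v6).with_prefixlen}")
    lines += ["enable", "exit", "interface LAN", f"ip address {lan.with_prefixlen}"]
    if lan_v6:
        lines.append(f"ipv6 address {ipaddress.ip_interface(lan_v6).with_prefixlen}")
    lines += [
        "enable", "exit",
        # NAT44 so the whole LAN shares the one public address.
        "nat global-options nat44 forwarding true",
        "nat global-options nat44 endpoint-dependent true",
        "nat global-options nat44 enabled true",
        "nat pool interface WAN",
        "interface WAN", "ip nat outside", "exit",
        "interface LAN", "ip nat inside", "exit",
        # The default route the poster had to add separately.
        "route table ipv4-VRF:0",
        "route 0.0.0.0/0",
        f"next-hop 0 via {gw}",
        "exit", "exit",
        "configuration copy running startup",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(render_tnsr_config(SAMPLE_WAN_V4, SAMPLE_GATEWAY_V4,
                                       wan_v6=SAMPLE_WAN_V6)))
```

Running it prints the sequence; the useful part is that a typo such as binding 203.0.113.23/30 (the broadcast address of that /30) is rejected before anything is typed into the router, rather than showing up later as an interface that comes up but never passes traffic.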
-
@gabe-a said in Netgate 6100 too slow to route 6gbps internet??:
Nobody I've ever seen in my whole life has ever touched a serial connection. That's 90s tech. Why would you assume this is common knowledge? It's not on wikipedia, it's not anywhere I searched.
It's common knowledge to an IT professional person that has experience with configuration of advanced networking hardware. This is the kind of background that someone configuring tnsr would normally have.
If you don't have this background, I would recommend staying with pfSense for the time being, even if it is a bit slower. It will save you a lot of frustration in the end.
-
@dennypage Given he has a 6G symmetric service which required building work to run, he is paying full rate for the service, he regularly saturates that service, and now has it working. I would have thought tnsr was a good fit even if it means a painful learning curve or employing a consultant occasionally.
I don't know where Netgate wants to take the tnsr technology, however if they want wider market penetration, perhaps the pain described here could be used to reduce the pain for future customers.
-
@gabe-a I think it’s freaking awesome that you were able to take performance from 2 gig to 6 gig by switching software in your router. Dayum. Definitely understand some of your pain factor though a lot of it comes easier as you get more exposure. TNSR wasn’t meant to be a plug and play software option but perhaps there could be ways to make it more accessible. Netgate has been good about listening and responding to its users over the years that I’ve been using their hardware/software. I’m still geeking out over the very significant performance improvement.
-
So then, out of curiosity, since TNSR doesn’t have any firewall capabilities, do you then hook up another pfsense appliance to it for firewall purposes? What would that setup look like? Thanks!