Netgate 6100 too slow to route 6gbps internet??
-
So then, out of curiosity, since TNSR doesn’t have any firewall capabilities, do you then hook up another pfSense appliance to it for firewall purposes? What would that setup look like? Thanks!
-
@marinsnb TNSR uses ACLs for firewalling. They work well and are stateful if you make the rule so. I think an enterprise would normally put something else in front, but for pfSense you’d need to have some truly beefy hardware to get 6 gig or greater NAT/firewall performance. For a home connection, OP's setup works just fine.
-
@gabacho4 thanks so much!
-
@gabe-a said in Netgate 6100 too slow to route 6gbps internet??:
why isn't there one manual per product line?
Perhaps you are looking for this link
https://docs.netgate.com/manuals/tnsr/en/latest/tnsr-product-manual.pdf
Which is given early in the online documentation
https://docs.netgate.com/tnsr/en/latest/ -
There is a specific docs page for the 6100 with TNSR
https://docs.netgate.com/tnsr/en/latest/platforms/netgate-6100/index.html
But it is modular. The reinstall instructions link to the main page.
TNSR is not intended to be a replacement for pfSense. It's a commercial/enterprise router and the docs are written with that in mind. But there's always room for improvement.
@gabe-a said in Netgate 6100 too slow to route 6gbps internet??:
When comcast set up my gigabit pro (that's their new 6gbps fiber internet), they literally told me this: buy a netgate router, the one with 2 10gbps holes
That's very interesting. Did they actually recommend the 6100 directly?
Steve
-
@stephenw10 I’m not super surprised personally. How many other consumer accessible routers are out there with 10 gig ports on them? Unfortunately the tech didn’t really understand performance related factors. Just because you have 10 gig ports doesn’t mean you have 10 gig throughput with other features enabled. A lesson OP unfortunately had to learn on the tech’s behalf.
-
@gabacho4 said in Netgate 6100 too slow to route 6gbps internet??:
@stephenw10 I’m not super surprised personally. How many other consumer accessible routers are out there with 10 gig ports on them? Unfortunately the tech didn’t really understand performance related factors. Just because you have 10 gig ports doesn’t mean you have 10 gig throughput with other features enabled. A lesson OP unfortunately had to learn on the tech’s behalf.
At least the tech recommended the right brand. :)
-
Yes. It would be interesting to know where that recommendation came from. And if it was for the 6100 specifically or, say, the 1537 which would pass that with pfSense.
-
Trying to update (because the glitchy thing doesn't send the gateway IP during its DHCP broadcast, meaning I have to manually configure it on my hosts -- buggy system!!), and I saw the bug was fixed in the latest tnsr release.
But for some completely inane reason, the device that literally serves internet... doesn't get internet. I ping google.com and it says ping: google.com: Temporary failure in name resolution
It only works in the clixon_cli, but that's useless to me since I need to install OS updates.
Can't believe I'm asking this, but how can I literally enable internet connectivity... on the box that serves everything else internet connectivity? Like, why guys...
[edit] Oh but of course, it can't use the actual internet it routes (yes, that's sarcasm -- why the heck can't it?). It needs to be fed internet through a different hole, the one you used when you first set it up. Which of course can't be the actual fiber connection, but an ethernet connection routed from a different router. If I didn't have 2 separate connections in this house and an old router, I swear, this would literally be impossible. This is so awful, guys -- I don't understand how this system is great. So many opportunities to make it easy, but it's so restricted in so many inane ways, for no conceivable reason. Just need a router... period. I don't care about all these "extras" which just cause trouble and configuration nightmares.
-
@stephenw10 said in Netgate 6100 too slow to route 6gbps internet??:
Yes. It would be interesting to know where that recommendation came from. And if it was for the 6100 specifically or, say, the 1537 which would pass that with pfSense.
There's no conceivable way they'd recommend a rack-looking thing at a price point well over $1000 just to route my internet. I don't remember specifically and I don't think they said specifically besides the cheapest one with the 10G support, which is what I found (and it still wasn't cheap).
The problem is also that tnsr is marketed for 'home use'. Why do this if it's clearly not cut out for anything other than hours-long full-time-job-level config? The point of tech and software is automation, making things easier for people not harder. This does the opposite so fails at its fundamental mission.
Still in process of trying to update the router and I expect extreme breakage every step of the process, like every step before this. Expect me back here begging for troubleshooting help. BTW did you guys know tnsr literally doesn't support querying ifconfig to get what ports on this thing are connected? I had to try each port in the hopes of discovering the one that could receive internet. When I type ifconfig, it says to install net-tools. And when I try that it says it's not available. Like... there's a certain level of unpolished product where things go a little beyond "rough around the edges."
And having to bring down host interfaces, bring them back up, and then manually type "addroute" to the gateway IP... that's simply broken behavior on tnsr's part. If it serves DHCP, it should serve the gateway. The whole network is unreliable because the thing can't keep its connection up -- each time the DHCP lease renews, the gateway is magically lost on all the hosts and I had to set them up again. Hoping the upgrade will fix it. Seriously, has nobody tested the most fundamental feature of the router, the actual gateway? The instructions were buried so deep how to even set up a gateway, so it's no surprise its behavior is broken out of the [net]gate, but still... so much jank.
-
Of course, the update is broken too.
gabe@gabe10g:~$ sudo ./update-tnsr-newbase.sh
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-security InRelease
Ign:5 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ InRelease
Err:6 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Release
  Could not load client certificate (/etc/pki/tls/tnsr/certs/tnsr-updates.crt, SslCert option) or key (/etc/pki/tls/tnsr/private/tnsr-updates.key, SslKey option): Error while reading file. [IP: 208.123.73.205 443]
Reading package lists... Done
E: The repository 'https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
So...jank...so...bad. I sound like a broken record, don't I? ;)
In fact, now just running
gabe@gabe10g:~$ sudo apt update
Ign:1 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Err:3 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Release
  Could not load client certificate (/etc/pki/tls/tnsr/certs/tnsr-updates.crt, SslCert option) or key (/etc/pki/tls/tnsr/private/tnsr-updates.key, SslKey option): Error while reading file. [IP: 208.123.73.205 443]
Hit:4 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:6 http://archive.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done
E: The repository 'https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Is also broken. So fragile. Literally followed the instructions word for word and they broke core ubuntu. Yep, tnsr is totally a finished product. /shot
Your amateur update script broke the whole distro. Shame on you -- do customers pay for this? There's no excuse for literally breaking a system with your script-kiddie tnsr trigger-happy overwriting of linux system files without knowing what you're doing.
I tried to circumvent the security issue by adding sudo apt update --allow-unauthenticated --allow-insecure-repositories but that still yields
Err:7 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Packages
  Could not load client certificate (/etc/pki/tls/tnsr/certs/tnsr-updates.crt, SslCert option) or key (/etc/pki/tls/tnsr/private/tnsr-updates.key, SslKey option): Error while reading file. [IP: 208.123.73.205 443]
Ign:8 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Translation-en_US
Ign:9 https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Translation-en
Reading package lists... Done
W: The repository 'https://tnsr-deb-hw.netgate.com/20.04/main/x86_64 ./ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://tnsr-deb-hw.netgate.com/20.04/main/x86_64/./Packages  Could not load client certificate (/etc/pki/tls/tnsr/certs/tnsr-updates.crt, SslCert option) or key (/etc/pki/tls/tnsr/private/tnsr-updates.key, SslKey option): Error while reading file. [IP: 208.123.73.205 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.
So I guess your insecure broken system has permanently ruined updates for me, opening me up to OS-level insecurity. Great job.
-
@gabe-a A hint in the series of breakage:
when trying to install the certificate (why it can't do this automatically is again, horrible design):
Nov 2 02:42:23: Backend downcall: application invalid-value key tnsr-updates does not exist
Nobody ever gave me a certificate and I never had to mess with it before. Why is this crap all of a sudden coming up to cause problems? Why can't your software, for once, just actually work? There are so many bad practices here it's staggering.
Please tell me what I actually need to do to fix your 6100 running your 22.06 tnsr system and let it update properly. It should not be this hard. It should not be. This is truly, absolutely, incontrovertibly, bad software design. It simply is.
-
@gabe-a did you purchase a license? If you’re running the home+lab version:
How do I update my Home+Lab installation?
The Home+Lab version of TNSR can't be updated in-place. To upgrade to the newest version, simply order the new release and run a fresh installation. There is a documented path here to migrate most configuration settings from the prior installation.
For a more seamless software upgrade process we recommend you upgrade to TNSR with TAC Pro or TNSR with TAC Enterprise, which includes access to rolling updates and 24/7 expert TAC support.
-
@gabe-a The private key must be installed before installing the matching certificate.
Follow these instructions to the letter:
https://docs.netgate.com/tnsr/en/latest/updating/index.html
Note that if you are running Home+Lab you are not entitled to an update certificate.
You can "purchase" ($0) Home+Lab again and you will be offered the 22.10 ISO file you can use to reinstall.
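The apt output quoted above fails with "Could not load client certificate ... or key ... Error while reading file", and the reply notes that the private key has to be installed before the matching certificate. The following pre-flight check is an added example written for this thread, not Netgate's update script or any TNSR tooling: it uses only the Python standard library to confirm that both files exist, are readable, and load together as a valid pair (the same check a TLS client performs), so the problem is found before apt is pointed at the repository. The two default paths are the ones apt printed in the thread; the placeholder files written by the demo function are constructed and are not real credentials.

```python
"""Pre-flight check for an apt repository protected by a TLS client certificate.

Added example for the thread above; not Netgate's update script. Stdlib only.
"""
import os
import ssl
import stat
import tempfile

# Paths as printed in the apt error messages quoted in the thread.
DEFAULT_CERT = "/etc/pki/tls/tnsr/certs/tnsr-updates.crt"
DEFAULT_KEY = "/etc/pki/tls/tnsr/private/tnsr-updates.key"


def check_client_cert(certfile=DEFAULT_CERT, keyfile=DEFAULT_KEY):
    """Return (ok, problems, warnings).

    problems: findings that will make apt fail with the error seen above.
    warnings: findings that do not stop apt but a practitioner would fix
              (a private key readable by other users).
    """
    problems, warnings = [], []

    # Step 1: both files must exist and be readable by the user running apt.
    for label, path in (("certificate", certfile), ("private key", keyfile)):
        if not os.path.exists(path):
            problems.append(f"{label} missing: {path}")
        elif not os.access(path, os.R_OK):
            problems.append(f"{label} not readable by this user: {path}")
    if problems:
        return False, problems, warnings

    # Step 2: the private key should not be group/world readable.
    mode = stat.S_IMODE(os.stat(keyfile).st_mode)
    if mode & 0o077:
        warnings.append(f"private key {keyfile} has mode {oct(mode)}; expected 0o600")

    # Step 3: load the pair the way a TLS client would. A malformed PEM, or a key
    # that does not belong to the certificate, raises ssl.SSLError here, which is
    # what apt reports as "Error while reading file".
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    try:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"certificate/key pair failed to load: {exc}")
        return False, problems, warnings

    return True, problems, warnings


def demo_placeholder_pair():
    """Constructed demonstration: write two placeholder (non-PEM) files and
    run the check on them. Returns the (ok, problems, warnings) tuple."""
    tmp = tempfile.mkdtemp()
    cert = os.path.join(tmp, "tnsr-updates.crt")
    key = os.path.join(tmp, "tnsr-updates.key")
    with open(cert, "w") as fh:
        fh.write("not a PEM certificate (constructed placeholder)\n")
    with open(key, "w") as fh:
        fh.write("not a PEM private key (constructed placeholder)\n")
    return check_client_cert(cert, key)


if __name__ == "__main__":
    # Run against the real paths; exit non-zero so a wrapper script can stop
    # before invoking apt or the vendor's update script.
    ok, problems, warnings = check_client_cert()
    for line in warnings:
        print("WARN:", line)
    for line in problems:
        print("FAIL:", line)
    print("OK: client certificate and key load as a pair" if ok else "Not safe to run the update yet")
    raise SystemExit(0 if ok else 1)
```

Running it as root on the box before the update script separates the three failure modes that apt lumps into one message: a file that was never installed (the "key tnsr-updates does not exist" case in the thread), a file the apt process cannot read, and a certificate and key that do not belong together because they were installed in the wrong order.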
-
@derelict
"To the letter" is not valid with tnsr documentation because of the poor ordering of steps (see above) and unrealistic background expectations in a highly fragmented documentation corpus. About 1/3 of the steps of previous instructions were invalid for me or did not apply to my case, and many instructions were missing (e.g. static IP setup in ZTP, gateway setup, missing commands, etc).
@gabacho4 said in Netgate 6100 too slow to route 6gbps internet??:
The Home+Lab version of TNSR can't be updated in-place. To upgrade to the newest version, simply order the new release and run a fresh installation. There is a documented path here to migrate most configuration settings from the prior installation.
Some day in the near future, I hope you look back on statements like this in context of the decades of software best practices. I am baffled by the multiple layers of absurdity here (from the first sentence, to "simply," to "documented path"), as I know any comments I could make are in fact obvious to anyone with lived experience, academic interest, or even passing knowledge of the evolution of software expectations over the years, to say nothing of the simple state of the field (just google "updating my router" and keep the excuses coming for the hours-long multi-gigabyte serial port "reinstallations" for each upgrade, or the just-as-bad hour-long system update plus certificate purchase and installation plus hour-long ubuntu rebasing plus reconfiguration -- oh yes, I'm delighted to hear more about the simplicity and "migration" -- as if that should even be a thing in routers today, most of which update at the push of a button in under 60 seconds or even completely automatically without interaction).
For a more seamless software upgrade process we recommend you upgrade to TNSR with TAC Pro or TNSR with TAC Enterprise, which includes access to rolling updates and 24/7 expert TAC support.
Putting aside the hilarity over your use of the word "seamless" (as in, any implication that the ridiculous, long-winded, hours-long, hands-on "in place" update is by any modern software standard "seamless")... Oh but of course. Only paying customers (nearly $1000 a year) are granted the dubious privilege of keeping their router up to date with just as much manual intervention as a reinstall: downloading broken adapter scripts, updating the system twice with at least two reboots separated by hours each... No, sorry. This advice is misleading and utter nonsense.
In all seriousness, I cannot believe there would be anyone, anywhere, for any reason, willing to pay for this software. It is ugly, broken, cumbersome, bloated (2.2GB????), restricted, and with documentation that fails to live up to the standards of medium-scale open-source projects let alone laughably priced "commercial software." You build on the bones of one of the most bloated linux distributions, simultaneously shirking and cowering from the open-source free software philosophies underpinning it, and perpetuate a broken market system of needlessly convoluted and poorly-documented software requiring full-time job expertise in a field that should not need it. Between Comcast selling services they don't provide the equipment or (proper) guidance on how to actually use, and their referred company (NetGate) resorting to misleading advertisements of performance that only the savviest and most eagle-eyed can reality-check in the small print (I have a reddit thread to back me up), and pushing what is quite likely the most laughably frankensteinian clash of design logic and software licensing ethos in one janky package that can't even self-update, I long for the days where this whole ugly experiment is but a dark mark on the pages of networking history, and the world has moved on to open standards (e.g. by forking an open-source routing solution to just add faster packet handling and your simplistic "traffic blocking" rules).
There is truly no excuse for this nonsense. I paid almost $800 for a router that seems unable to do half of what a $300 consumer router does (with wifi!), even with hundreds of times the steps and time wasted, along with the most painful and time-consuming setup and updating process imaginable... for a darn router. You can hide behind any excuses you want about "commercial vendors" or the need for "networking professionals" but it's obviously hot air -- a small business would be more than served with pfsense.
You have a golden opportunity to partner with Comcast and actually provide a (hopefully vastly simplified) router+software for the new era of fiber optics. But you are obviously stuck catering to relics of the past (even speaking of ancient Cisco router command language like that's a good thing!) instead of catering to the future -- in design, principle, and the emerging fiber market. It's seemingly beyond your engineering team to produce an HTML page with a few dozen lines of PHP to scrape the fields and populate configuration options into the convoluted mess of text files tnsr calls config, so I don't have high hopes.
What a disgusting, misleading, time-wasting, exploitative, ridiculous process and product.
-
@gabe-a my man, what I posted was from the Netgate website itself, but it only applies to in place upgrades for TNSR itself. If you read the documentation that @Derelict provided, it shows you how to update the underlying linux distro. It's not particularly complicated.
I am going to be honest with you, I've set up and deployed TNSR on an SG5100 multiple times at this point and have not had the experience you are having. The documentation got me up and running and I've been satisfied with my experience and the product - and it's only gotten better over time. My config isn't insane, just some VLANS, some ACLs, some dst NAT rules, and an ipsec site to site, though I see that Wireguard is now supported for site to site and remote access, so I'll be playing with that here very soon. If TNSR isn't for you, I can respect that. No one said we all have to like or appreciate the same things. I do think you will be truly pressed to find any consumer-level gear that can perform at the scale you are looking at. And anything commercial is likely going to cost you much more if you can get your hands on it at all.
To be very frank, you made a purchase based on a Comcast tech's advice without seemingly truly understanding the performance of the software for the hardware that you purchased. I personally would have contacted Netgate to discuss your performance needs and allowed them to help you select the best hardware. I believe the next option up (1531 or something like that) has the power to provide the performance you want/need using the more simple or intuitive pfSense. Netgate posts pfSense performance numbers openly and fairly and frequently stresses that imix is the more realistic test for performance.
I don't know what more to say or do to help you as this has become more of a rage venting than an inquiry for configuration assistance. Happy to try to be of help if the conversation goes the latter direction again. I also believe you could reach out to Netgate for advice or possibly even some configuration assistance.
EDIT: please do realize that I am not associated with Netgate, don't collect a dime for making plugs or promoting their hardware or software. I am not even formally trained or certified as a sys admin or anything like that. I'm just a regular user with a curiosity for networking and a desire to learn always.