Help choosing right Netgate device
-
Hello--
I have a home built pfsense router that has been serving me virtually trouble free for...10+ years? It's got an Intel(R) Atom(TM) CPU D2500 @ 1.86GHz and 4GB ram.
I've got 1 WAN in (gigabit Comcast) and 1 LAN out...which feeds a TPLink 24 port gigabit switch. I have 2 WAPs around the house and total DNS lease count is about ~100 devices. According to the pfSense dashboard, I'm using 20-50% CPU nominally. At full tilt (600Mbit/sec from speedtest) CPU gets north of 50% sustained. I run OpenVPN client and a server now and then. No VLANs. I've got pfBlocker and all the squid stuff to block adware and all the other crap.
Recently it has been crashing 1x/week and I'm seeing lots of disk issues when running fsck after the device takes a dump. So it appears I've got some serious disk and/or HW issues materializing.
I'm looking at the 1100, 2100, and 3100. I'm looking for an informed opinion about which model I should get...any takers? :)
Lastly, I'm running pfSense 2.3.4-p1 (32bit). Will I be able to export my config and then restore that on a new device without too much trouble?
Thanks again for any advice anyone may wish to share.
EDIT:
I should add that I've read about 5 similar forum topics related to this matter -
At least the SG-3100 is EOL and not available any longer.
At netgate.com you will find an overview about the actual appliances and the specs.
Regards
Edit: For the config migration I would ask TAC support for assistance.
-
@ppmax Per my notes the 2100 should be good for about 600 Mbps without IDS or packet inspection (or VPN, etc.). So you'd probably be looking at the 4100. The 3100 is not being sold as FSC830 noted (from a while ago, maybe a couple years?) but if you can find one it would be faster than the 2100.
re: config, generally those can be restored forward to later versions but 2.3 is quite old. As noted Netgate will help convert the config for free, going to any of their hardware that has an onboard switch.
-
@ppmax I switched to the 2100 when my VM with pfSense didn't wanna play nice anymore. Never been happier with that switch. The 2100 yawns with my 500/500 WAN.
-
@fsc830 and @SteveITS and @swemattias: Thank you for your replies--very much appreciated.
I contacted Netgate sales and apparently the 1100 and 2100 are backordered but may be avail in the next couple weeks. They have 4100s in stock but the model with M.2 SSD is more than I want to spend...but my hand may be forced if the router gets into an unrecoverable state lol.
Like my home-grown rig, I've seen many others running mini-itx devices made by Jetway and other vendors...at this point I'm just looking for something I can spin up relatively quickly and won't give me any additional gray hair. Recently, I've had a number of disk and hardware failures within various devices serving important functions around my home...and am growing weary of fixing things so I want my next router to be as reliable as can be ;)
@swemattias: out of curiosity do you disable logging to disk on your 2100? How long have you had it? It's great to hear you are happy with it...that was my first choice until hearing it was backordered.
Thanks again!
-
@ppmax I also have a 2100 at home, but I don't have a gigabit connection. For our clients, we generally turn off logging of blocks from the default rule which cuts down a lot of log noise. The 2100 has 4 GB RAM and with that amount of RAM we usually enable a RAM disk as well.
You mentioned Squid, that's on the list of "SSD recommended" because a lot of disk writes to eMMC storage will wear that out. Do you use Squid's caching? (I've not used Squid)
The 1100 is only one switch with VLANs so the max throughput there would be under 470 I'd expect (940/2). Did Netgate say the 2100 would do gigabit?
Unfortunately they've had supply issues pretty often during COVID. IIRC that was one reason the 3100 was abruptly discontinued.
-
@steveits thanks for your comments.
Yes I use squid caching...good point about the SSD vs. eMMC. I'm also thinking of removing a bunch of packages from my configuration to simplify my life :)
Do you use pfsense CE or plus on your home 2100?
-
@ppmax The 2100 can’t use CE because it’s an ARM CPU. I don’t recall if it had Factory Edition or Plus when I got it. Probably Plus?
-
Netgate appliances come with pfSense+ from the factory, and you have pfSense+ for life with/on the device.
If you can find the $$$, I would go with the SG-4100 any day. It does have quite a lot more CPU “ummphh”, which makes it more responsive, and it will have your back if you ever go beyond 500mbps (which the SG-2100 cannot handle).
-
@ppmax For 1 gig go for the 4100 at least. I'm at a 6100 with multi WAN 1 gig and while using Suricata that unit hits 100% CPU.