4100/6100 Base or Max

Cabledude

@stephenw10 Hi Steve yes I understand that, however this setup is as basic as can be: AdsBasic DNSBL and PRI1 IP lists. The CPU usage is considerable and the CPU graph goes completely flat after shutting down pfblocker. For this reason I am hesitant to get the 2100 as the CPU is the same as the 1100 CPU.

I will try to switch to python mode and see if that makes a substantial difference.

dennypage

@Cabledude said in 4100/6100 Base or Max:

this setup is as basic as can be: AdsBasic DNSBL and PRI1 IP lists

Just for reference, the PRI1 IP list is currently 93,947 entries, and the AdsBasic list is a whopping 202,613 entries.

FYI, All the Steven Black lists are pretty large... You might want to consider switching from AdsBasic to Ads. The Ads list is only 9,621 entries, but it hits all the high points.

Edit: EasyList Privacy is another good list at 50,231 entries.

stephenw10

Obviously it will only be additional load when traffic is passing and opening new states. Or when it has to reload the ruleset or update the lists.

If it's just idling without any traffic that shouldn't show any significant extra load.

Gertjan

@Cabledude

To remove the 'pfBlockerng' load :

( A DNSBL example - I don't use any IP list)

because : most, if not all, of the work of pfBlockerng is : collecting / scanning the log files, and making nice charts, graphs etc.
But, after some testing and observing, and you're sure it works, why not silence all this stuff ?

I'm using a 4100 MAX - it's doing 'close to nothing' when I look at the CPU stats :

or these stats. Check also the 'DNS stats'.

Cabledude

@Gertjan
Have you ever measured your 4100’s power draw from the wall socket?

Cabledude

@Gertjan said in 4100/6100 Base or Max:

NLLab, the authors of Unbound, said themselves : "use Python mode, that's why we've included it".

So I switched to Python mode.

I started with the smaller Ads list but I added the IP PRI1 list and the worst of the GeoIP lists just to see what that would do to CPU:

This is the graph now:

Which is to say there is less CPU activity than when using unbound mode.

Just to add I started with the EasyList but that feed stubbornly won’t load.

[Edit: my bad. EasyList running fine now]

dennypage

@Cabledude You can see the CPU much better if you turn off "processes" (click on the green circle).

Cabledude

@dennypage that is pretty neat, never knew about that, thanks!

Cabledude

@Gertjan
So here is my CPU graph after switching to python mode, ditching AdsBasic and tweaking the feeds:

Here are my current feeds:

So my feeds list now consists of the entire PRI1 list, a custom ingress list for my home NAS email server (not in use atm), about 6 GeoIP countries and the EasyList.

At this point the CPU load is below 5% average which seems very doable, so I'm swinging back to the 2100 which appears to be quite adequate for this load.

RobbieTT

When you buy a 'base' rather than a Max it is a trivial task to add a suitable SSD. It would take a number of lifetimes to exceed the physical write life of my NVMe.

You know, I don't think I ever set Python mode... I will have to check and adjust if required.

️

Cabledude

@JonathanLee and to all in this topic:

I decided to give the SG-2100 a chance, mostly based on @JonathanLee 's recommendation and personal experience.
I went with the SSD model.
When I ordered Netgate just released the new SG-2100 with 128GB SSD and my unit in fact came with the larger drive.

No issues so far and idling away at < 3% user util. RAM used 14% of 3388GB.

My ISP upped the cable internet to 400 down / 50 up (from 200/40). Speed tests don't make the SG-2100 sweat.

Power draw 5W steady, peaking to 6W incidentally, on a cheap smart plug in Home Assistant.

I have two weeks to evaluate and if I should prefer the 4100 I can return the 2100 under €25 restocking fee. So far no reason to.

Thanks,

Stef93

@RobbieTT Hello, did you buy the ssd separately? I still couldn’t find a suitable, reliable company. Now I regret that I took it without ssd(. So far I’m only using suricata, I took netgate 6100 base

RobbieTT

@Stef93

There are lots of SSD options out there (B & M) key, ideally without a DRAM cache. I have Intel Optane in mine - in terms of latency and small read/writes it is way faster than the router could use and has a write-lifetime that will exceed my life remaining!

You don't need a large drive, I ran mine with a 16GB Optane (~ £10) for a bit before using a 64GB (~£50) one:

alt text

The 32GB Optane is probably the sweet-spot for pfSense use with Suricata (~£24) when purchased new. I just use used the drive sizes I had kicking around. For non-optane SSD I would go for a 128GB or 256GB drive to get a reasonable lifetime out of it.

️

Stef93

@RobbieTT said in 4100/6100 Base or Max:

@Stef93

There are lots of SSD options out there (B & M) key, ideally without a DRAM cache. I have Intel Optane in mine - in terms of latency and small read/writes it is way faster than the router could use and has a write-lifetime that will exceed my life remaining!

You don't need a large drive, I ran mine with a 16GB Optane (~ £10) for a bit before using a 64GB (~£50) one:

The 32GB Optane is probably the sweet-spot for pfSense use with Suricata (~£24) when purchased new. I just use used the drive sizes I had kicking around. For non-optane SSD I would go for a 128GB drive to get a reasonable lifetime out of it.

️

I live in a city where I haven’t found a single ssd pcie key b+m, there is no talk of other parameters. The only available option is yours, MEMPEK1J064GA. I always use suricata actively. ntopng, squid+squidguard, I rarely use it, I may run haproxy in the future.

RobbieTT

@Stef93 I cannot remember the last time I used a physical store for HDDs or SSDs. Probably not helped by the fact that my 'city' hasn't been the capital of England for a little over a 1000 years!

️

Gertjan

@RobbieTT

Winchester ? ( ! )

RobbieTT

@Gertjan said in 4100/6100 Base or Max:

@RobbieTT

Winchester ? ( ! )

No, that was about 150 years earlier and Alfred was only the King of Wessex, rather than of England. Not a bad effort from a non-Englishman though.

That said, around that time Britain included a good chunk of modern-day France.

️

Cabledude

@RobbieTT said in 4100/6100 Base or Max:

@Gertjan said in 4100/6100 Base or Max:

@RobbieTT

Winchester ? ( ! )

No, that was about 150 years earlier and Alfred was only the King of Wessex, rather than of England. Not a bad effort from a non-Englishman though.

That said, around that time Britain included a good chunk of modern-day France.

️

I would have guessed Winchester as well, which as I understand transformed into the capital of the whole of England, under the House of Wessex, some time after Alfred's passing. But if not Winchester, could it be Westminster?

RobbieTT

@Cabledude
Think of the king that actually managed some peace, despite it all being recently glued together. Oh and demonstrated his limitations to his subjects by demonstrating that he could not hold back the tide. Also the one where history rearranged his name to avoid the 'c' word...

Cabledude

@JonathanLee said in 4100/6100 Base or Max:

@Cabledude It is great the only time I see it MAX out on it is on system start up, reboots. Snort rebuilds take up some CPU and ram when that occurs too.

It is impressive to see this processor run with some good code like pfSense.

@JonathanLee I went with the SG-2100. The performance in terms of WAN throughput and routing is adequate but invoking the dashboard can take a lot of seconds:

3.5 seconds with "System Information" widget only
every additional widget makes dash load time increase by about a second
My usual dashboard widget layout takes 11 seconds to load. This is with SI, Disks, pfBlockerNG, Gateways, Interfaces, Services Status, ZFS and Traffic Graphs.

For comparison: my friend's SG-4100 dashboard takes 2 seconds to load and he has the same widgets that I have.

Is my dashboard load time similar to yours? Could you please either confirm or share your unit's behaviour? I am wondering if I got a melon or if this is normal for this model.
If it is normal I don't consider it to be a huge problem.

Thanks a lot in advance!