3100 will reach "End of Life" in 5 days
-
What I'm unclear on is if this really means that security updates are really ceasing. Previous notifications from netgate I interpreted to say that updates weren't guaranteed but are likely. If we're really no longer receiving support then it's an immediate need to replace for me.
-
The 23.09 release will include support for the 3100 yet since it's based on FreeBSD 14 which still has 32-bit ARM support, but it may be the last release. Hard to predict if we may need a 23.09.x point release for example which could still target the 3100.
We do usually put out patches for PHP/shell script type issues via the system patches package for some previous releases but we don't have a set schedule for those types of fixes.
FreeBSD is dropping 32-bit ARM support upstream in FreeBSD 15 so not a lot we can do there, the 3100 is Netgate's last 32-bit ARM system.
-
As @bmeeks implies, while FreeBSD is supporting 32-bit for the core of FreeBSD, getting some packages to build for 32-bit is increasingly difficult.
In particular, Suricata wants to leverage Rust and getting Rust supportable on 32-bit platforms is challenging.
In any case, the messaging was inadequately reviewed, and I can only offer my apology for same.
@uzumaki my son was running a 3100 on a Centurylink PPPoE encapsulated 1g/1g connection, and I could only get throughput to about 860mbps. I moved him to a 4100 (mostly because neither the 3100 or 2100 have available wall mount hardware) and now it's as fast as I can imagine wanting it to be.
Copy-pasta from an internal (so not marketing cleaned-up) benchmarking matrix. All figures are iperf3, single-stream, and in gbps.
Cut off at 4100 because I don't want to expose new products here.
Model    FWD   ACL   NAT
SG-1100  0.86  0.82  0.78
SG-2100  0.95  0.90  0.80
SG-3100  0.92  0.88  0.84
NG-4100  2.37  2.37  1.73
As you can see, except for NAT, the 2100 is slightly faster than the 3100.
I don't have time to go find the source of your numbers, but someone internally said that you're pulling the 3100 figure from one comparison chart, and the 2100 from a different version of the same documentation.
-
@jwt I’m sorry but there is something wrong with those numbers. To be able to push almost 900mbits on a 2100 will require a VERY VERY specific set of circumstances - not anything I have ever seen. Real life single stream session tops out at about 640mbit on every 2100 I have tried. The 3100 is quite a lot faster in real life (close to 1 Gbit) in my experience.
-
@jwt Sorry if I am mistaken, the only place I could find 3100 numbers were on the netgate Amazon product page. The 2100 numbers are from netgate.com.
-
@keyser the circumstances are literally iperf3 through the box.
-
@uzumaki likely one of the two is "old" then. I'll have someone in marketing find it and clean it up. Thanks!
-
@jwt Those were IMIX numbers in case you’re mistaking them for iperf3.
-
@uzumaki for reference for that comparison/difference, per https://shop.netgate.com/products/2100-base-pfsense :
Firewall (10k ACLs)
IPERF3 Traffic: 964 Mbps
IMIX Traffic: 249 Mbps
Also just for reference the 3100 was around $50 more expensive than the 2100, MSRP, IIRC, with half the RAM.
I mean I get it, because we have one and have eight-ish clients with one. But, the world moved on from 32 bit a while ago. We just moved a client last week who went from cable to gigabit fiber and I suggested they get a 4100 for the new office...they did not and kept the 3100. Just have to eval each situation I'd say...the ones that use VPN and/or 500+ Mbps and/or Suricata may be a better fit for the 4100. At least the 3100s will not just stop working.
In general I'd say Netgate has done a pretty good job keeping up older hardware...the SG-1000 for instance was "EOL" in 2019 but had updates through v22.05.
-
How easy is it to transition from a 3100 to a 4100? I'm assuming you can just save your configuration and then use the .xml file to load the old settings onto the new device?
And one more question about the 4100. It looks like it has four 2.5 Gbps LAN ports, but the WAN port is only 1 Gbps. So even if I had a 2 Gbps feed coming from my ISP, the devices on my network would still only see about half that speed. Is this correct?
-
@gweempose said in 3100 will reach "End of Life" in 5 days:
How easy is it to transition from a 3100 to a 4100? I'm assuming you can just save your configuration and then use the .xml file to load the old settings onto the new device?
Since the 3100 has switched ports it can be a little trickier but TAC can convert the config for you, then all you'd have to do is import the adjusted config.
And one more question about the 4100. It looks like it has four 2.5 Gbps LAN ports, but the WAN port is only 1 Gbps. So even if I had a 2 Gbps feed coming from my ISP, the devices on my network would still only see about half that speed. Is this correct?
The labels on the ports are just labels reflecting the default assignments, you can reassign them any way you like. You can use any of the 2.5G "LAN" ports as WANs, you just need to change the interface assignments/config to match what you want.
-
@gweempose you can use any interface for wan. Just because a port is labeled "wan" on the case doesn't mean you can't set up any other port as wan if you want.
I do believe there is some more to moving to 4100 from 3100.. The 3100 had switch ports, the 4100 has 6 discrete interfaces. So it would be a bit more than just import config - since the interfaces wouldn't be able to match up.
I do believe TAC would help you..
edit: hahah Jim beat me to it ;)
-
@johnpoz said in 3100 will reach "End of Life" in 5 days:
Until it actually dies, or they no longer provide updates to it, I have no plans on replacing it ;)
I've got a SG-2440 that is in the same boat. I do have it sitting as a spare right now, but it still runs strong.
-
-
@gweempose said in 3100 will reach "End of Life" in 5 days:
Forgive my ignorance, but what is TAC?
Netgate’s support. Go.netgate.com. To be clear if you’re moving to a Netgate appliance it’s a free support ticket for them to convert the config. Just have to say what interface goes where, VLANs, etc.
-
@jimp said in 3100 will reach "End of Life" in 5 days:
The labels on the ports are just labels reflecting the default assignments, you can reassign them any way you like. You can use any of the 2.5G "LAN" ports as WANs, you just need to change the interface assignments/config to match what you want.
Ah. That makes sense. I'm currently only using two ports on my 3100. My cable modem goes into the WAN port, and then one of the LAN ports goes to a 2.5 Gbps network switch. So I guess on the 4100 I would make one of the four 2.5 Gbps ports the WAN port, and make one of the other 2.5 Gbps ports the LAN port. I would then have a full 2.5 Gbps capable network. Is this correct?
-
@jimp said in 3100 will reach "End of Life" in 5 days:
The 23.09 release will include support for the 3100 yet since it's based on FreeBSD 14 which still has 32-bit ARM support, but it may be the last release. Hard to predict if we may need a 23.09.x point release for example which could still target the 3100.
We do usually put out patches for PHP/shell script type issues via the system patches package for some previous releases but we don't have a set schedule for those types of fixes.
FreeBSD is dropping 32-bit ARM support upstream in FreeBSD 15 so not a lot we can do there, the 3100 is Netgate's last 32-bit ARM system.
Thank you for the clarification. In recognition of this update, when is a realistic last responsible moment to target for retiring the 3100 with the understanding the security updates are critical for any device that remains in production? For personal deployments, the replacement is not inexpensive.
-
@gweempose said in 3100 will reach "End of Life" in 5 days:
I would then have a full 2.5 Gbps capable network. Is this correct
As far as the connections yes. The store shows for the 4100:
Firewall(10k ACLs)
IPERF3 Traffic: 4.09 Gbps
IMIX Traffic: 1.40 Gbps
Usually I find speed tests are about halfway in between those numbers (speaking in general) so you should be OK but remember Suricata or other packages that interfere with or inspect packages will take CPU time and hence could slow things a bit once you get to the limit of your 2.5 Mbps Internet connection.
@netplumbers said in 3100 will reach "End of Life" in 5 days:
when is a realistic last responsible moment to target for retiring the 3100 with the understanding the security updates are critical
I'm not with Netgate but not every pfSense release has security fixes, so I don't know there is a direct answer to your question. Sometimes, they have backported PHP-code security patches via the System Patches packages, for instance I think they did that for 2.6 after 23.01 released but before 2.7 was out. You may just have to review release notes for future versions.
-
@jimp
Are there any drop in replacements for 3100 in the making?
E.g. 3164 with a 64 bit CPU? :)
-
@netplumbers said in 3100 will reach "End of Life" in 5 days:
when is a realistic last responsible moment to target for retiring the 3100
Yes, it's hard to put a fixed date on that but I run a 3100 here and am looking at replacing it when the next release happens which should be 24.03. Before then if there's an issue that requires a point release we can rebuild against the current branch. As mentioned we usually back port patches for some time so really it would be acceptable to run a 3100 until a vulnerability is discovered after 24.03 is released that cannot be patched at runtime IMO.
Steve