SG-1000 microFirewall Optical Illusion

epek

To the discussion on the PI having it's Ethernet connected over USB. That's right. But think of the Banana Pi, where the Gigabit Ethernet is mounted likewise. The throughput will never reach even half of the link speed, but who cares… it's still more than enough for most setups and this way seems to be rather common on cheap hardware.

I'm still wondering, why the SG-1000 doesn't have wireless on board. The USB header may be a good idea, but an USB slot, mounted in upward direction could be used without opening the box. Putting anything with a radio inside the aluminium case would rather be a tribute to Mr. Farraday.

What's the target group for this device?

KOM

The pfSense Hangout from yesterday discussed this.  I hope JimP won't mind me sharing his list of use cases, as it may give people a better idea of what niches this unit fits.

SG-1000 Use Cases
● Small footprint / low space needs
● SOHO, Small Networks, Small Branch Office, Remote Employees
● Portable firewall, e.g. plug between laptop and untrusted network
● Managed Service Providers (MSP) endpoint in a client
● Internal firewall/router for network segments in a small/medium businesses
● Home Office / Remote User VPN
● IoT Security Endpoint – Segment IoT devices away from the rest of a network
● IPMI or other management port Firewall
● … anything else that might need a firewall at moderate throughput with a low power draw!

And it comes with a Gold sub which gives you access to the updated 600+ page manual as well as 20+ hour-long training videos (the pfSense monthly Hangouts) on all aspects of pfSense, all for $149.

epek

I cannot image the small footprint use case besides a wall plug or a cap rail. But it's definitely not designed for that.
Soho and Co: Througput?! Remote: Mobile Router+SG-1000?! Most mobile routers are LTE only nowadays w/o an ethernet plug. Likewise on the airports, hotels, …
MSP - ok. But interfaces with?
If ok. Throughput?
Home office/ru vpn ok. Same as MSP use case.
IoT devices ... aren't they trending towards wireless technologies, too?
For low power - if you need to extend the mini router with additional hardware, the savings on power consumption are to be neglected, IMHO.

Call me simple-minded, but I am still not convinced, what the typical target group could be...

jahonix

@epek:

if you need to extend the mini router with additional hardware

What?
It's supposed to be a 2 interface mini router. Period.
Extending with additional hardware is better suited in other devices. You'll get that once you overcome your "must be ARM/small/cheap" tunnel view.

jimp

Just because you can't think of it, doesn't mean it doesn't exist. There are probably hundreds of more potential uses we haven't even thought of, those were given as easy examples.

There are a lot of places in the world that don't even have access to enough bandwidth to justify high-end hardware (like giant rural areas in the US – even the average bandwidth available to anyone in the US is, on average, ~14Mbit/s), or applications that require the capabilities of a firewall like pfSense but have no specific bandwidth requirements. The SG-1000 will do >100Mbit/s which is more than enough for many environments.

If your head is in big cities/data centers then it's probably not thinking in the right areas (but it could work there, too, in the right niche). Not everyone is lucky enough to have to care about gigabit home or business Internet. Lots of small businesses around where I live are still on low-end DSL/cable connections that probably don't go over 10Mbit/s.

Think less about what someone might do with it in an urban settings and consider other places. A sat link in the middle of the desert, grandma's DSL line that you have to support, etc.

jimp

@jahonix:

@epek:

if you need to extend the mini router with additional hardware

What?
It's supposed to be a 2 interface mini router. Period.
Extending with additional hardware is better suited in other devices. You'll get that once you overcome your "must be ARM/small/cheap" tunnel view.

You could do wireless via the OTG port – this works (I have it going on one of my SG-1000s). An OTG cable going to a USB wireless dongle.

I don't have access to a 3G/4G device to try but that most likely works as well.

whosmatt

@epek:

To the discussion on the PI having it's Ethernet connected over USB. That's right. But think of the Banana Pi, where the Gigabit Ethernet is mounted likewise. The throughput will never reach even half of the link speed, but who cares… it's still more than enough for most setups and this way seems to be rather common on cheap hardware.

Yeah, you're right.  There seems to be a lot more choice these days in that space, including the new UP board x86 stuff.  Like I said, I'm still rocking a Sheevaplug dev kit.  It's considerably less powerful CPU-wise than any Pi (I mean, it's 8 years old or so now) but holds its own for me in my use case, mostly because it does have 1Gbps ethernet.

And I think the Pi gets by with USB based 100Mbps ethernet precisely because it's not designed for anything with high networking throughput (and i'm using "high" loosely here).  Sure it makes a great automation server, or a controller for a Unifi network, etc.  But not much in the way of a NAS or router/firewall.

whosmatt

@epek:

Soho and Co: Througput?!

Most small offices that I've seen have modest WAN connections that would seem a perfect use case for the SG-1000.  The home offices are a different story; residential cable internet is getting really fast on the downstream at least.

epek

@jahonix:

@epek:

if you need to extend the mini router with additional hardware

What?
It's supposed to be a 2 interface mini router. Period.
Extending with additional hardware is better suited in other devices. You'll get that once you overcome your "must be ARM/small/cheap" tunnel view.

That's not my intended use case. I want to have a cheap small ARM tunnel client that acts as Wireless AP, and is extensible too.

epek

@jimp:

Just because you can't think of it, doesn't mean it doesn't exist. There are probably hundreds of more potential uses we haven't even thought of, those were given as easy examples.

I guess, that you don't offer a product in order not sell it widely. There is a point in why raspberry pi and alike are that successful.

@jimp:

There are a lot of places in the world that don't even have access to enough bandwidth to justify high-end hardware (like giant rural areas in the US – even the average bandwidth available to anyone in the US is, on average, ~14Mbit/s), or applications that require the capabilities of a firewall like pfSense but have no specific bandwidth requirements. The SG-1000 will do >100Mbit/s which is more than enough for many environments.

As long as there are still dial-in access analog modems in use, a 150 Dollar device w/o a sound card for modem emulation, that doesn't matter either - even if you can't image that ;-).

Ok. But wireless still has to be extended externally? That makes it unsuitable for mobile use cases. Furthermore the two gigabit interfaces rather stand in contrast to energy efficiency unless used in 10 Mbit/s nominal link speed. Please explain.

@jimp:

If your head is in big cities/data centers then it's probably not thinking in the right areas (but it could work there, too, in the right niche). Not everyone is lucky enough to have to care about gigabit home or business Internet. Lots of small businesses around where I live are still on low-end DSL/cable connections that probably don't go over 10Mbit/s.

Sounds like rural Austria. ;-)
"Broadband" is widely considered to be LTE or LR-DSL with LTE supplemental, here.

@jimp:

Think less about what someone might do with it in an urban settings and consider other places. A sat link in the middle of the desert, grandma's DSL line that you have to support, etc.

A (non-commercial) sat link in the middle of the dessert does not require for Gigabit Ethernet speed. A commercial link would usually be set up on other enterprise class hardware. Use cases in the djungle wouldn't care for gigabit but energy efficient, solar energy enabled units, typically.

For grandma's DSL I'd personally prefer to have the modem chip builtin to the router. That's what I'd consider a niche: A modular router.
A SoC with kind of a serial bus, where you extend standardized modules by need.

SoC+DSL-module+WLAN/BT-Module+optical module+fe-ethernet module/ge-ethernet module+Solar PSU module … etc. All you'd need to scale was the PSU.

jimp

Your analysis still shows a very tunnel-vision-like view of your specific experience and preferences, and not the world as a whole as it really is. We'll have to agree to disagree, given your tone you're unlikely to be convinced of anything you don't already agree with here. We've got a significant number of preorders, the demand and market are definitely there. If you don't see its usefulness, it's probably not for you, but that doesn't mean others won't have numerous ways to use it to their benefit.

epek

Well to be honest, I was hoping for more ARM support and I am quite dissapointed.Coming from a freifunk derivate I obviously have dissenting expectations in regard to this.
Just some feedback in contrast to your suggested use cases:
POE?
Energy consumption versus independent power sources.
WLAN?
Scalability?

I'd rather see the SG-1000 as cloud computing unit, then a firewall. But then, the CPU clock is rather on the lower end of scale.

For future developments I personally would wish for a modular composition of hardware. This would allow such a device to grow with the needs. Eg add or remove an additional Ethernet module. Add on ore more wireless modules, add a dsl or lte module, replace the mainboard, add an SSD module, or insert a RNG module, add a battery module, add a solar charger module in between router an battery module. See it as 'Project Ara' for routers. I guess that could be really revolutionary. And now have that device running pfSense. Wow.

KOM

You're going to pay a premium for that flexibility that I'm not sure most people besides hobbyists would care about.

jimp

Or people looking to build a product of their own to sell using pfSense as a base after having us do all of the engineering and development work.

Guest

The SG-1000 probably caters for that need already… but 150$US might be out of many people's budget...

Many peoples where asking in the past for a small footprint and ARM CPU based device that
is sufficient enough to serve them as a raw home firewall, without additional installed packets
and that was because they haven´t the usual needed ~300 Euros till 400 Euros to build their
own pfSense firewall appliance. This might be sounding strange for many peoples but, now it
is not really needed to go and buy a Raspberry PI, since there are also smaller devices on sale
at the ADI or pfSense shop.

SG-1000
Real home users with the need of an pure firewall
SG-2200
SHOHO users without the need of the full UTM services and functions
ADI MinnowBoard 1
For anyone who owns a running network and needs only a cool Captive portal to integrate
ADI MinnowBoard 2
For all other network work or as a small device for admins to carry to all customers as a spare
device or for doing network tests.

I personally will find it more useful that the support fee or money will be staggered or scaling
and fit more to the client view or range. Let us say something like this;

• SG-1000 with $20 supporting fee
  No support call and no Gold membership
• MinnowBoard 1 with $50 supporting fee
• MinnowBoard 2 with $50 supporting fee
  One Support call and no Gold membership
• SG-2200 with $70 supporting fee
  2 Support calls and 6 month Gold membership
• All other SG and XG units with $99 supporting fee
  2 Support calls and 12 month Gold membership

Or people looking to build a product of their own to sell using pfSense as a base after
having us do all of the engineering and development work.

This can be also a real hidden chance for pfSense to get more supporting fee or money.
For sure the greatest supporter will be ADI and this might be sometimes not so really clear
to the customers and users that they are a running and commercial based company, but
there are also really nice billing options perhaps such MikroTik is using or others will be
able to offer. Or let us say the pfSense team is coding something like a SolidRun image
and all the money is going back to the ADI company, so you can also pay back and/or
support them.

You're going to pay a premium for that flexibility that I'm not sure most people besides hobbyists would care about.

ClearFog SolidRun Base Board pfSense image $20 each image or serial number
ClearFog SolidRun Pro Board pfSense image $30 each image or serial number
For each MikroElektronika click sensor a packet $3 or $5.
Boards & Sensors

Once coded sold million times! For sure more for the consumer area, but nice to have a
RFID sensor and only the admin with the right RFID card is able to login.

I guess, that you don't offer a product in order not sell it widely. There is a point in why raspberry pi and alike are that successful.

This might be but ADI is assembling hardware and sell this hardware commercial orientated
and this might be then a really problem for ADI first and then following pfSense. And together
with the Minnowboard (1 & 2) you will be able to have all options you need and the Raspberry
PI is offering too.

Ok. But wireless still has to be extended externally? That makes it unsuitable for mobile use cases.

Really? I don´t think it is not useable and/or able to realize. There are boxes out to do what
you want or need, GPS, WiFi and/or modem cards in the minPCIe format and on top with or
without a SIM slot. And this also world wide able to get the hands on!
Scandinavian region
mid Europe region
Japanese region
US region (outdoor usage)
US region (indoor)
Asian region

Furthermore the two gigabit interfaces rather stand in contrast to energy efficiency unless used in 10 Mbit/s nominal link speed. Please explain.

And who is then buying that SG-2220?

In my eyes then better getting hands on an ClearFog SolidRun image for $20/$30 and
if peoples want really to play with their board or pimp it up you could get click sensors
for both boards (Pro & Base) such as this ones. Also the SOM can be chosen by the customers
that is holding the CPU (SoC) and RAM or WiFi option!

sremick

If this has decent OpenVPN support I'm all over this. I was saving up for an SG-2200 but if this fits the bill I might up my pfSense timeline.

My environment is a 50MBit/s DSL connection with the need for usually just 1 (but maybe 2-3 in the future) VPN connections.

Guest

@sremick:

If this has decent OpenVPN support I'm all over this. I was saving up for an SG-2200 but if this fits the bill I might up my pfSense timeline.

That could be easily done by the SG-1000

@sremick:

My environment is a 50MBit/s DSL connection with the need for usually just 1 (but maybe 2-3 in the future) VPN connections.

Then perhaps more the SG-2200 or SG-2400.

sremick

@BlueKobold:

@sremick:

If this has decent OpenVPN support I'm all over this. I was saving up for an SG-2200 but if this fits the bill I might up my pfSense timeline.

That could be easily done by the SG-1000

@sremick:

My environment is a 50MBit/s DSL connection with the need for usually just 1 (but maybe 2-3 in the future) VPN connections.

Then perhaps more the SG-2200 or SG-2400.

I'm sorry, I guess I'm unclear on what the deciding factor was. My DSL speed? The # of VPN connections? Can you elaborate? Thanks.

robi

Imagine pfSense running on this: https://www.gl-inet.com/mifi/
8)