Extreme slowdown of download speed with Netgate SG-1000
-
I have bought an SG-1000 from the Norwegian reseller because I wanted something bulletproof to use instead of the router part of my fibre broadband modem, which has stalled on me twice in two months. Not acceptable, when the place is totally automated! Which is why I wanted to use that in bridge mode with another router, since a "source" (a guy I know from a forum who works there!) says that when the fibre router stops, it's the dhcp server that's the problem.
I have 300/300 Mbps connection, and I can measure that when I connect the cable to my old router, an Asus RT-66U, which I will still use for my internal network (I have one internal and one external network, for different uses, before the Netgate the fibre modem and later the Asus has been my external network). But hooking up the Netgate between the fibre modem and the Asus more than cuts the speed in two! I get 300/300+ (for some reason higher upload than download) with my Asus as the router connected as a router, but only 135-140/140-150 with the Netgate in, even if my computer's directly connected to that, without the Asus router in the loop. It's consistent down to five Mbps down and ten up, which makes me think there's an error in the configuration somewhere.
I have checked traffic shaping, but nothing is activated there. What else can this be? Both network interfaces show 1000baseT <full-duplex>, but the CPU seems a bit high, with around 40 % when running speed tests. Still it's far from the ceiling. I have not changed anything from when I got it, except for setting a few devices with a static IP in the DHCP server, and forwarding all ports to a DMZ device (weird that there's not a simple DMZ setting somewhere in the system!), but I have deactivated that again, to make sure it wasn't the reason.
Can somebody please tell me what's happening here?
-
@mastiff
135-140 is about it for the SG-1000. I thought it was even a bit less so it sounds like you are getting everything you can from it. On the product page it says "Layer 3 forwarding performance using FreeBSD without a packet filter exceeds 400Mbps. Using pfSense with the default ruleset offers performance exceeding 100Mbps." You may have some options for a faster rate but generally this is meant to be a low-power compact device that is best for remote access applications. It can do more and can be an everyday device but really you might want to move up a bit in power if you want to see 300+ on your connection.
-
Really? That is just dumb even selling the thing! The specs said it had gigabit network ports, and that made me believe that 300 Mbps was no problem at all! It never occurred to me that it could be that slow! Any cheap router (yeah, the firewall is not as good, but still) can do a lot more. The RT-66U is five years old and has no problems with it! On the info page, this is the wording:
The Netgate SG-1000 microFirewall is a cost-effective, state-of-the-art, ARM-based, pfSense Security Gateway appliance. The SG-1000 comes with dual 1Gbps Ethernet ports, enabling maximum throughput exceeding 100Mbps[1].
I automatically read 1000 and didn't think anything of it, boasting about 1Gbps ports should logically mean 1000Mbps throughput. And yes, "exceeding 1000 Mbps" is of course not what 1Gbps does, but it never occurred to me that it could be such a snail. Everybody has a line that's faster than that 130 Mbps. I feel really, really cheated here! I had a few others asking me about that unit, I gotta get back to that Norwegian forum and warn them to stay as far away from that toy as they can! (Yeah, I'm pretty pissed...) I'm also going to mail the reseller about returning it, since it filled neither need nor expectations. If not I'll probably sell it on the Norwegian version of Craig's List. To me it's totally useless junk.
-
Gigabit ports means just as it says, it can exceed 100Mbps. If the ports were only 100Mb you would be limited to about 94ish. It can with the right setup exceed your current speed. You compared it to a consumer grade device that, while it is faster, is not going to be acceptable in a corporate environment. What you bought is a compact commercial grade device that does fill a need and has support to back it up in addition to regular updates. Security in a small package. Talk to Netgate, see if they will work with you to swap maybe for the SG-3100. It will indeed route gigabit but read the details because it may not do it if you install a bunch of packages that require more power. Some just need more to run well. If your line is 300 then you would have no issues.
-
Thanks, but that's much more than double the price (especially when sent to Norway). I was probably dumb thinking it was natural that a SOHO grade device would at least not be slower than a simple consumer grade thing. I don't use any packages, I only wanted the default firewall setup and routing, nothing more, and I never thought it would be a problem.
-
@mastiff said in Extreme slowdown of download speed with Netgate SG-1000:
Everybody has a line that’s faster than that 130 Mbps
Oh must suck ;) heheh Not here in the US that is for sure..
The sg-1000 for sure has its market. That just doesn't seem to be yours.. While yes the sg-3100 is double the price. It is still a very reasonable price for what the little box can do..
You need to stop comparing the price points of soho devices that they make by the millions, and do not support a year later because they want you to buy the next year's model, etc. That do nothing but simple nat, and call it security.
If you're talking company/work location.. Then size the appropriate hardware for what you need. The few hundred $ US for say a 3100, or even a 4860 at double that is peanuts for a company budget.. Have you priced out a Cisco box that can do gig ;) Or even a 100mbps for that matter. We replaced a Juniper here in branch office for 3100 because the Juniper only had 10/100 interface and couldn't even do full speed of the cable connection we have for guest wireless access. About 120 down and 30 up..
I have a 4860 for my house connection. It rocks my 500/50 connection there without even breaking a sweat. Sure the 3100 would have been fine but like more nics and play with some packages now and then. While it is a bit high for many home budgets - it's also not over the top.. Shoot how much do you pay for your shiny new iPhone or Android..
-
Well, in Norway 300/300 is probably in the lower end. Most fibre customers have the standard 500/500+TV package. I have a company consisting of one person, me. I translate, and it's not very highly paid, I'm afraid. But I need a stable line because of my home automation hobby, and because my alarm and similar stuff goes over the Internet. I had to drive two hours from my cabin to reset the fibre router/modem a few months ago, that's why I wanted something that didn't fall down. And again it really never occurred to me that it could be that slow. As for phone I bought my Sony Xperia X Performance when it was a one year old model, and I have been using it for two years now. The previous phone I think I had four years... I really don't care much about phones, I preferred the O2 Atom series of Windows Mobile ten years ago... ;)
-
hehehe - my point to the phones was more how much your typical user pays for them... And needs the next new shiny one next year but then they balk at paying a few hundred for a quality product their home/business internet runs on.
Shoot there are soho products that cost more than the sg3100 that is for sure... And what do they do exactly? I would suggest you look at the 3100, it might be a bit more than you wanted to spend.. And it is a shame of the costs outside the US not being more reflected of exchange rates, etc. But that can be said for almost any electronics.. And many goods really..
You could look to DIY and bring your own hardware and just run pfsense on it... Many people like to do that, it might save you a few bucks... But I am not a fan of the china boxes to save a buck.. Rather support the company that is putting out such a fine product. So they can continue to do so - and I do believe they have some different models coming out that will cover the bases better from low to high, etc.
Sorry to hear you're disappointed, but the specs are listed. And everyone is here ready to answer any questions before you purchased in the forums or even sales directly, etc.
To your gig comment.. The new PI3 B+ has gig interface - do you think it can do gig?? ;) No not even close... And that is just moving packets not firewall them and nat them and route them, etc. Gig interface just means more than 100 as mentioned already.
-
I did get the one about the phone, I only saw my chance to play the wise, old nerd who longs for the days of WinMo... ;) But I have contacted the Norwegian reseller. They have had very good service and been nice people so far, so maybe I can upgrade to an SG-3100. We'll see.
-
The nice guy at the Norwegian reseller is letting me replace the unit with the (did I mention quite a bit more expensive? ;) ) 3100. So I guess that should work.
-
So he is charging you the extra money, or giving you as even exchange for what you paid for the sg-1000?
-
I'm getting back the money for the 1000 and getting an OK deal on the 3100. So no even exchange. I would have demanded that if I had told them that I was going to use it for a 300/300 line and they didn't say anything, but I never mentioned that in my mails to them.
-
Up and running (the postal service must recently have fed the tortoises they use to carry their packages through Norway, because it came overnight in a regular package). The unit works perfectly, no problem pulling 300/300 (and I have read that it actually can do gigabit fibre speed), so I'm good. :) I see that it has an optical input, so I have to find out if I can actually use that instead of the fibre modem that my ISP gave me. That would be slick!
-
@mastiff said in Extreme slowdown of download speed with Netgate SG-1000:
I see that it has an optical input,
Huh? The sg-3100 has no fiber input... Or sfp or sfp+ port to add one.
https://www.netgate.com/solutions/pfsense/sg-3100.html
Did you get some other model? Or some other box running pfsense?
-
Embarrassing... I didn't look at the damn port, I only saw that OPT designation. I guess it's optional wan or something!
-
Yes it's another router interface... Can use it for another wan, or another lan side network..
The switch ports can be isolated as well via vlans so those could all be other networks on the lan side or wan connections. The only limitation is the switch uplink into the soc is only 2.5gbps
-
Btw I was looking for how to do DMZ the easiest way (I want all ports from WAN to be routed to a single IP on the LAN), and I stumbled over this (which ironically enough seems to use the OPT1 port...):
https://www.ceos3c.com/pfsense/how-to-create-a-dmz-with-pfsense-2-4-2/
Is this the simplest/only way to do this or is there a simpler solution?
Oh, btw, I would like the rest of the LAN from the Netgate to be accessible from the DMZ as well, there's stuff there that I have to maintain.
-
Oh, almost synchronized posting. Much like synchronized swimming, except for not using a swimsuit. At least, I don't wear one now, but of course I don't know what you're wearing! ;)
-
Not sure why anyone would ever want to do something like that... Just forward the ports you NEED.. But that link is just creating another network and calling it dmz.. You can call your other network segments whatever you want.
-
heheheheehhe - ROFL... dude that is funny ;) To be honest I am wearing a bath robe since it's very early in the morning here 4:44 am...