Netgate Discussion Forum

SG-1100 right for me?

Official Netgate® Hardware
15 Posts 8 Posters 1.9k Views
Rico (LAYER 8, Rebel Alliance)

      I love the SG-1100, but with 500 Mbps and Snort/Suricata you need more horsepower.

      -Rico

pulsartiger @Rico

        @Rico said in SG-1100 right for me?:

        I love the SG-1100, but with 500 Mbps and Snort/Suricata you need more horsepower.

        -Rico

        Thanks for the reply. So do you recommend going up to a SG-3100?

I am also looking at maybe an HP T620 Plus or T730. Those seem to have a nice form factor and have the horsepower.

DaddyGo @pulsartiger

          @pulsartiger said in SG-1100 right for me?:

          recommend going up to a SG-3100?

          Snort / Suricata requires a minimum of 4GB of RAM (this is the experience), so it's more like the SG-5100
          (in addition, the previous two are ARM-based)

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

bmeeks

            I agree with @DaddyGo that the SG-5100 is more appropriate: both because of the extra RAM and because of the amd64 (Intel) platform.

            I am biased towards Intel-equivalent hardware because its internal architecture is more forgiving of poorly written C programs that misuse certain memory pointer casts. The how and why gets pretty deep, but search for "unaligned or non-aligned memory access" to get a Google education. Snort and Suricata are both current examples of C programs that misbehave to various extents on ARM hardware, but run fine on Intel/AMD hardware.

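An added illustration of the point bmeeks makes above (example code written for this page, not from the thread, Snort or Suricata): the pointer-cast pattern that x86/amd64 tolerates but many ARM cores do not, next to a byte-wise reader that behaves the same on both. The 7-byte record layout, the field names and the sample bytes are constructed for the example.

```c
/*
 * Added example (not from the forum thread): why a pointer cast that works
 * on x86 can trap on ARM, and the portable alternative.
 *
 * Record layout used here is constructed for illustration:
 *   byte 0      : type
 *   bytes 1..4  : length, 32-bit big-endian   (NOT 4-byte aligned)
 *   bytes 5..6  : id, 16-bit big-endian
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct rec {
    uint8_t  type;
    uint32_t length;
    uint16_t id;
};

/* Returns 1 if p is a multiple of align (align must be a power of two). */
int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p & (align - 1)) == 0;
}

/*
 * The pattern the post warns about: reinterpret a byte pointer as uint32_t*.
 * If p is not 4-byte aligned this is undefined behaviour in C. x86/amd64
 * silently performs the unaligned load; many ARM configurations raise an
 * alignment fault (SIGBUS) and some older cores return rotated data.
 * Shown for contrast only; nothing below calls it.
 */
uint32_t read_u32_unsafe(const unsigned char *p)
{
    return *(const uint32_t *)p;   /* UB when p is misaligned */
}

/*
 * Portable replacement: assemble the value byte by byte. No alignment
 * requirement, and the big-endian interpretation is explicit rather than
 * depending on host byte order.
 */
uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/*
 * Parse one record with a bounds check first. Returns 0 on success,
 * -1 if the buffer is too short to hold the 7-byte header.
 */
int parse_rec(const unsigned char *buf, size_t len, struct rec *out)
{
    if (len < 7)
        return -1;
    out->type   = buf[0];
    out->length = read_be32(buf + 1);   /* offset 1: misaligned on purpose */
    out->id     = read_be16(buf + 5);
    return 0;
}

/* Constructed sample record: type 0x01, length 0x00010203, id 0xBEEF. */
static const unsigned char sample_rec[7] = {
    0x01, 0x00, 0x01, 0x02, 0x03, 0xBE, 0xEF
};

/* Convenience wrapper so the sample can be parsed without extra setup. */
int parse_sample(struct rec *out)
{
    return parse_rec(sample_rec, sizeof sample_rec, out);
}
```

The byte-wise reader costs a few extra instructions per field, which is why protocol parsers written with the casting shortcut look fine in testing on amd64 and only misbehave once the same source is built for ARM; a compiler flag such as gcc's -Wcast-align can flag the risky casts at build time.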
SteveITS (Galactic Empire)

              re: AES-NI, 2.5 isn't requiring it anymore. https://www.netgate.com/blog/more-on-aes-ni.html
              I am not sure either the 1100 or 3100 support it in hardware yet, though? (https://forum.netgate.com/post/866709)
              The 3100 also is 32 bit so it can't run the latest Suricata v5, just the older v4 package.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

bmeeks @SteveITS

                @teamits said in SG-1100 right for me?:

                The 3100 also is 32 bit so it can't run the latest Suricata v5, just the older v4 package.

                True, but the reason it can't run the new Suricata v5.x version is because of its ARM CPU platform and the lack of Rust language support on that platform. Not just because of the 32-bit architecture. The upstream Suricata development team decided to make Rust mandatory in the 5.x and later Suricata versions.

SteveITS @bmeeks

                  @bmeeks Ah. I'd read your comments about Rust but evidently I misunderstood. I see https://forum.netgate.com/topic/152085/suricata4-4-1-7_2-for-sg-1000-and-sg-3100-netgate-appliances leaves out the 1100, but https://forum.netgate.com/topic/149490/suricata-v4-1-6_1-package-update-release-notes mentions it.
                  (PS - thanks for your work maintaining it!!)


bmeeks @SteveITS

                    @teamits said in SG-1100 right for me?:

                    @bmeeks Ah. I'd read your comments about Rust but evidently I misunderstood. I see https://forum.netgate.com/topic/152085/suricata4-4-1-7_2-for-sg-1000-and-sg-3100-netgate-appliances leaves out the 1100, but https://forum.netgate.com/topic/149490/suricata-v4-1-6_1-package-update-release-notes mentions it.
                    (PS - thanks for your work maintaining it!!)

                    The SG-1000 and SG-3100 appliances have 32-bit armv6 and armv7 processors, respectively. Currently packages for these processors are cross-compiled under an ARM hardware emulator, and that emulator environment does not support building the Rust programming language. And thus without Rust, Suricata 5.x can't be built either in that environment. There is a Rust build for aarch64 hardware (like the SG-1100). So Suricata 5.x is available there.

So users with 32-bit ARM hardware are going to be stuck with Suricata 4.x, and so will not have some of the App Layer processing and EVE logging options available in the 5.x tree because those options are coded in Rust. This is also a pain for me as I have to maintain two completely different Suricata code trees: one with Rust support and the options provided by Rust; and one without Rust support and minus the Rust-provided options.

pulsartiger

Thanks for the replies everyone. After reading some more about Snort and Suricata, it seems like this is not very realistic to run on a home network. That said, would the SG-1100 be a good choice?

keyser (Rebel Alliance) @pulsartiger

                        @pulsartiger said in SG-1100 right for me?:

Thanks for the replies everyone. After reading some more about Snort and Suricata, it seems like this is not very realistic to run on a home network. That said, would the SG-1100 be a good choice?

The SG-1100 is a very nice little FW for simple home use. The keyword here is “Simple”. I have one on a 500/500 Fiber, and that’s actually slightly more than the SG-1100 can handle without any general traffic monitoring/inspection packages installed. I have pfBlockerNG installed and it works beautifully - but it’s only a DNS inspection tool. It can handle about 450Mbps in my experience in this setup.

The second I install anything that does deeper inspection - even just statistics gathering like ntopng or darkstat - performance tanks rather heavily. Snort and Suricata completely kill it - it’s not even remotely capable of handling that on a 500Mbps line - I doubt more than 50Mbps is realistic with those kinds of packages.

                        For those you still need the Intel powered boxes - like the SG-5100 or more.

                        Love the no fuss of using the official appliances :-)

NOCling

I tried Snort on my SG-1100 to play with; my 400 cable goes down to 300-350.
It's very nice for only 3.5W power consumption.
But at home I don't need Snort or Suricata; pfBlocker, traffic totals, and it's ok.

                          Netgate 6100 & Netgate 2100

keyser (Rebel Alliance) @NOCling

                            @NOCling

I seriously doubt you have any real rules enabled in snort if you can get 350Mbit through.
If I just install the package (no real rules enabled), I get about 350Mbit as well. That seems to be the limit (penalty) for engaging a sink in the network stack - darkstat or ntopng engaged causes the same limit to apply.

But if you enable proper inspection rules in snort, performance tanks completely on the SG-1100.


akuma1x

                              @pulsartiger If I were you, and you plan on upgrading your ISP connection in the future, I would get one of the thin-clients like you mentioned - HP T620 Plus or the T730 with 8GB of RAM. Add in one of the Intel-based network expansion cards, and those will give you LOTS more wiggle room and be more future-proof.

                              Jeff

DaddyGo @pulsartiger

                                @pulsartiger said in SG-1100 right for me?:

I've read in various places that the 2.5 release will require AES-NI.

Official information is here:
                                https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html
                                https://www.netgate.com/blog/more-on-aes-ni.html

                                @pulsartiger "That said, would the SG-1100 be a good choice?"

                                For your future plans, I think more horsepower is needed, as @Rico suggested... =SG-5100

If I were in your place, I would build my own pfSense box (PC Engines APU, used thin client, used branded server from Dell, IBM, Supermicro for a VM environment, etc.); with this you also learn some hardware skills...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.