Netgate Discussion Forum

    SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed

    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      Just get a 7100 ;) Go big or go home! hehehe

      Call the upgrade a xmas present to yourself.. If you have to justify the extra cost to the budget committee (significant other) hehehe

      In fact I like it more than my USG 3P

      Yeah it's not even close.. While the usg3p isn't a bad little box.. At a good price point.. It's just doing anything is just so much harder than how easy it is in pfsense.. I ran one for a bit, couldn't get back to pfsense fast enough.. My sg4860 was on back order, and needed something to handle a recent upgrade to 500/50 for internet..

      It sat on the shelf for quite a bit, but my son recently bought a house... So got him a flexHD for AP and let him use my usg3p, he doesn't really do anything and only has 100/5 for internet.. So for that sort of setup it's fine - and it reports into my controller so.. Can keep an eye on stuff for him..

      I was in a toss up over the 3100 or the 4860.. I went really for the 4860 because of the discrete interfaces vs switch ports.. I do switching on my switch - I want my router to have interfaces ;)

      Other than the extra horse power - the 5100 over the 3100 has interfaces vs switch ports, and can run TNSR if that is something you might want to play with.. I do believe the 5100 also supports QuickAssist and AES-NI, while I believe the 3100 is just AES-NI.. The 5100 also can upgrade the ram and storage I do believe as well.. All big pluses if you plan on keeping it around for a while.

      Don't get me wrong the 3100 will prob be a great setup for you - but hey why not treat yourself to a better box -- if you can afford it..

      If (knock on wood) my 4860 took a dump.. And I was in the market - it really would be a toss up between the 5100 and the 7100.. The ability to do some 10ge would be attractive..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      C 1 Reply Last reply Reply Quote 2
      • C
        Cabledude @johnpoz
        last edited by Cabledude

        @johnpoz hi john thanks for such an elaborate reply, straight from the enthusiast’s heart :-). First: yes I could afford even a 7100 in that I won’t starve, but we’re not millionaires so then I cannot buy this or that, iow it’s me that has to be convinced of a buy, the wife couldn’t care less about what I do with my money.

        I thought the 3100 has three logical interfaces, just the lan is actually a 4p switch. Will tick the “logical interfaces” box well enough for me I suppose. Or did you mean something else, which I may be missing...

        The sg-1100 has just one logical interface split across wan, lan and opt using VLANs 4090, 4091 and 4092. Not quite my cup of tea. But I got it working as a FttH WAN split VLAN 4/6 by tying those two as tagged VLANs to the WAN interface.

        By the way, like you I also do all of my switching outside the firewall, i.e. soon on a 10Gbe UniFi switch. The netgate just needs to perform gigabit L3 routing, I will keep the 10Gbe hungry devices (workstations and NAS for photo editing) in the same VLAN so layer 2 switching will take care of that.

        Be aware that the 7100 also has the SoC internal “SG-1100 like” VLAN design to tie the lagg together and all LAN side VLANs need to get tied to the LAN ports in Interfaces/switch settings.

        I’m not at all interested in TNSR.

        So that leaves combining openvpn, suricata and ntopng. For our limited family use, based on your reply, I conclude the 3100 will do for my current use case.

        Will chew on this for now. Price vs upgradability.

        Would appreciate you clarifying the logical ports vs switch benefit of the 5100. Are you using many ports on your netgate box? I will typically only use WAN and LAN and maybe separate ports for IPTV.

        Cheers,
        Pete

        Pete
        Home: SG-2100 + UniFi + Synology. SG-1100 retired
        Parents: SG-1100 + UniFi + Synology
        Testing: SG-1100 w/ 120GB SSD via ext USB (eMMC dead). Works great

        M 1 Reply Last reply Reply Quote 0
        • B
          Burner27
          last edited by

          I have had issues running Suricata and Snort on my SG-3100. Random reboots with no explanation. Brought it up to Netgate and they told me it could be an issue with the ARM processor. They recommended I go to the SG-5100.

          1 Reply Last reply Reply Quote 2
          • I
            iso667
            last edited by

            Hi!

            I am in a very similar situation. But I purchased the SG-2100.

            I don't use Suricata or other things you have posted because I am really new to pfSense and I am starting to learn how it works and what I can do.

            I have a UniFi ecosystem with two switches and two access points and I run the controller actually on a raspberry-pi.

            I am here writing to ask you about the reason to migrate from the USG to pfSense, is it because the pfSense has more functionalities and possibilities?

            I think that the USG could be a "very limited" Firewall, but I am a bit attracted by the idea of having everything centralized into a unique administration console. I have renewed all my network at the same time, but I bought the pfSense first.

            Nowadays I am thinking of buying a Cloud Key gen 2 from UniFi to manage the devices, because I need the raspberry-pi to use it at my IoT VLAN with homebridge installed on it. So I was tempted to buy a UDM (UniFi Dream Machine) or maybe a Cloud Key + USG. So your opinion could be very useful to continue with the SG-2100.

            There isn't any "real" need from my point of view to move from the SG-2100 to USG or UDM, just the "centralized" management perspective and that I have a 12 months old baby and less time than I want to configure my Network devices at home :)

            I work as a CCIE and I am used to networking, so the only thing to move to "all unifi" is to save some time while at home. On the other hand I think I would lose a lot of functionalities and this is the reason you are going to go with NetGate, am I right?

            The thing I love from the SG-2100 is that it has an SFP connector, that is not present at the SG-3100, and with this SFP, if your provider gives you a GPON connection based on fiber, you can connect this fiber straight to the device. In any case I am using an external ONT and connect the WAN port using RJ-45. But in case this could be interesting to you, it is something I took into account when I decided to buy this device.

            Thanks!!

            ISO

            keyserK 1 Reply Last reply Reply Quote 0
            • keyserK
              keyser Rebel Alliance @Cabledude
              last edited by

              @Cabledude said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

              Okay Thanks a lot for taking the time to reply and for your recommendations. Looking at the unit prices I think I should lower my requirements a bit. As I didn’t know what to expect all items listed are at the max I think they could ever be. Spending 300 extra for the 5100 over the 3100 may not be justified.

              So first: “up to 50 clients” is more than I probably need. When counting all phones, iPads, AppleTVs, synology, and macs I come to 20, so 25 total would be a better estimate. The children will be at school most of the day anyway.

              Then 500mbit/s is more like a worst case scenario, we’ve had 60 down 10 up until last month and that proved mostly adequate. So let’s assume 200/200 will be what the netgate should be able to handle.

              The s2s VPN will be to our parents home to be able to backup our data on a local NAS I'm going to move to their home. They have a very low ISP plan, probably no more than 50/10.

              Suricata I will want to run.

              NTOPNG is more like a way to identify which data is sent from which devices, so I can check whether or not my IoT crap is phoning home and to keep an eye on system resources. I haven’t even played with NTOPNG yet and really didn’t know it could be such a resource eater.

              So based on this, could I get by comfortably with the SG-3100?

              Thanks!!
              Pete

              If the settings and needs you have are restrained to your explanation here, I believe an SG-3100 will suffice :-) I have no experience with Suricata being unstable on ARM based devices.

              Love the no fuss of using the official appliances :-)

              1 Reply Last reply Reply Quote 1
              • keyserK
                keyser Rebel Alliance @iso667
                last edited by

                @iso667 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

                Hi!

                I am in a very similar situation. But I purchased the SG-2100.

                I don't use Suricata or other things you have posted because I am really new to pfSense and I am starting to learn how it works and what I can do.

                I have a UniFi ecosystem with two switches and two access points and I run the controller actually on a raspberry-pi.

                I am here writing to ask you about the reason to migrate from the USG to pfSense, is it because the pfSense has more functionalities and possibilities?

                I think that the USG could be a "very limited" Firewall, but I am a bit attracted by the idea of having everything centralized into a unique administration console. I have renewed all my network at the same time, but I bought the pfSense first.

                Nowadays I am thinking of buying a Cloud Key gen 2 from UniFi to manage the devices, because I need the raspberry-pi to use it at my IoT VLAN with homebridge installed on it. So I was tempted to buy a UDM (UniFi Dream Machine) or maybe a Cloud Key + USG. So your opinion could be very useful to continue with the SG-2100.

                There isn't any "real" need from my point of view to move from the SG-2100 to USG or UDM, just the "centralized" management perspective and that I have a 12 months old baby and less time than I want to configure my Network devices at home :)

                I work as a CCIE and I am used to networking, so the only thing to move to "all unifi" is to save some time while at home. On the other hand I think I would lose a lot of functionalities and this is the reason you are going to go with NetGate, am I right?

                The thing I love from the SG-2100 is that it has an SFP connector, that is not present at the SG-3100, and with this SFP, if your provider gives you a GPON connection based on fiber, you can connect this fiber straight to the device. In any case I am using an external ONT and connect the WAN port using RJ-45. But in case this could be interesting to you, it is something I took into account when I decided to buy this device.

                Thanks!!

                ISO

                The SG-2100 does not have a lot of CPU horsepower so forget using it for deeper traffic inspection. It’s a great little device and very user-friendly - it will also do lots of interesting things a little USG cannot (pfBlockerNG and so on). But it cannot offer what the USG can in terms of unified management, so that’s a good reason to stay with Unifi in your case.
                Also: The SFP port is a Gbit Ethernet port, so unless your provider runs Ethernet over GPON your idea will not work. I have no idea if you can even get a GPON transceiver that terminates Ethernet over GPON and works with Netgate devices.

                Love the no fuss of using the official appliances :-)

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  ISPs providing exactly that do exist but I don't think we have ever tested one with a SG-2100.

                  I'd love to hear about it if anyone has. 😉

                  Steve

                  keyserK 1 Reply Last reply Reply Quote 0
                  • I
                    iso667
                    last edited by

                    I read this "extensive" post for this to work here in Spain. Finally a company called Carlitoxx-Pro started shipping a GPON to GigabitEthernet device. There is also a ZISA one that is sold online from China:

                    https://forum.mikrotik.com/viewtopic.php?t=116364

                    It is from Mikrotik, but all the electronics are inside the device so I think it should work while the SG-2100 provides power to the GPON.

                    I've seen that UniFi also sells a GPON to Gigabit adapter but I don't know if this one could work on a SG-2100:

                    https://dl.ubnt.com/ds/uf_gpon

                    If you look into the data sheet, there is a GPON for ONT side, not for OLT. But I don't know if this SFP could work against "non-unifi" OLTs.

                    But yes, I think it is "doable" :) for the moment I am using a UF Loco ONT and connect my SG-2100 straight to RJ-45 cable, but maybe in the future I'll try one of those.

                    BR!

                    ISO

                    1 Reply Last reply Reply Quote 0
                    • keyserK
                      keyser Rebel Alliance @stephenw10
                      last edited by

                      @stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

                      ISPs providing exactly that do exist but I don't think we have ever tested one with a SG-2100.

                      I'd love to hear about it if anyone has. 😉

                      Steve

                      I’m running a SG-2100 with a 1000Base-BX20 SFP in the SFP slot that connects my fiber to the home directly. As the transceiver indicates, my ISP uses single strand Gigabit Ethernet to the edge.

                      Love the no fuss of using the official appliances :-)

                      1 Reply Last reply Reply Quote 1
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Nice!

                        I tested some BiDi modules here and they worked without issue.

                        Steve

                        W 1 Reply Last reply Reply Quote 0
                        • W
                          wblanton @stephenw10
                          last edited by

                          @stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

                          Nice!

                          I tested some BiDi modules here and they worked without issue.

                          Steve

                          Steve,

                          Do you know if the 1G BiDi will work with the XG-7100 1U? I'm having some issues using the "generic" ones from FS.com. I've started another thread but haven't heard anything.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            The one I have does:

                            [21.02.2-RELEASE][root@7100.stevew.lan]/root: ifconfig -vvvm ix1
                            ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                    description: IX1
                                    options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
                                    capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
                                    ether 00:08:a2:0e:a5:92
                                    inet6 fe80::208:a2ff:fe0e:a592%ix1 prefixlen 64 scopeid 0x4
                                    inet 172.21.16.243 netmask 0xffffff00 broadcast 172.21.16.255
                                    media: Ethernet autoselect (Unknown <rxpause,txpause>)
                                    status: active
                                    supported media:
                                            media autoselect
                                    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                    plugged: SFP/SFP+/SFP28 1000BASE-LX (LC)
                                    vendor: OEM PN: SFP-GE-BX03-D SN: NV20200713025 DATE: 2020-07-14
                                    module temperature: 27.94 C Voltage: 3.31 Volts
                                    RX: 0.20 mW (-6.79 dBm) TX: 0.12 mW (-8.97 dBm)
                            
                                    SFF8472 DUMP (0xA0 0..127 range):
                                    03 04 07 00 00 00 02 00 00 01 01 01 0D 00 03 1E 
                                    00 00 00 00 4F 45 4D 20 20 20 20 20 20 20 20 20 
                                    20 20 20 20 00 00 90 65 53 46 50 2D 47 45 2D 42 
                                    58 30 33 2D 44 20 20 20 41 20 20 20 06 0E 00 09 
                                    00 1A 00 00 4E 56 32 30 32 30 30 37 31 33 30 32 
                                    35 20 20 20 32 30 30 37 31 34 20 20 68 F0 01 0B 
                                    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
                                    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
                            

                            Though I was quite surprised about that. It doesn't report a link speed so cannot be set to 1G fixed which is often required for use like this.

                            Steve

                            W 1 Reply Last reply Reply Quote 0
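Decoding the SFF8472 dump from the ifconfig output above, as an added example that is not part of the original post: it reads the identity fields from the module EEPROM and checks both checksum bytes, which is a quick way to confirm that a generic module's label matches what its EEPROM actually reports. Field offsets follow the SFF-8472 serial ID layout; the function names are this example's own.

```python
# Added example: decode the 0xA0 page printed by `ifconfig -vvvm ix1` above.
# DUMP is copied from that output; everything else is illustrative.
DUMP = """
03 04 07 00 00 00 02 00 00 01 01 01 0D 00 03 1E
00 00 00 00 4F 45 4D 20 20 20 20 20 20 20 20 20
20 20 20 20 00 00 90 65 53 46 50 2D 47 45 2D 42
58 30 33 2D 44 20 20 20 41 20 20 20 06 0E 00 09
00 1A 00 00 4E 56 32 30 32 30 30 37 31 33 30 32
35 20 20 20 32 30 30 37 31 34 20 20 68 F0 01 0B
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""

# Byte 6: Ethernet compliance code bits.
ETHERNET_CODES = {
    0x01: "1000BASE-SX", 0x02: "1000BASE-LX", 0x04: "1000BASE-CX",
    0x08: "1000BASE-T", 0x10: "100BASE-LX/LX10", 0x20: "100BASE-FX",
    0x40: "BASE-BX10", 0x80: "BASE-PX",
}


def parse_dump(text):
    """Turn the whitespace-separated hex dump into bytes."""
    data = bytes.fromhex("".join(text.split()))
    if len(data) < 96:
        raise ValueError("need at least bytes 0..95 of the A0h page")
    return data


def text_field(data, start, end):
    """Space-padded ASCII field, e.g. vendor name or serial number."""
    return data[start:end].decode("ascii", errors="replace").strip()


def checksums_ok(data):
    """CC_BASE (byte 63) covers bytes 0..62, CC_EXT (byte 95) covers 64..94."""
    cc_base = (sum(data[0:63]) & 0xFF) == data[63]
    cc_ext = (sum(data[64:95]) & 0xFF) == data[95]
    return cc_base, cc_ext


def decode(data):
    date = text_field(data, 84, 92)  # YYMMDD plus optional lot code
    return {
        "ethernet": [n for bit, n in ETHERNET_CODES.items() if data[6] & bit],
        "nominal_rate_mbd": data[12] * 100,   # units of 100 MBd
        "smf_reach_m": data[15] * 100,        # units of 100 m
        "vendor": text_field(data, 20, 36),
        "oui": data[37:40].hex(":"),
        "part_number": text_field(data, 40, 56),
        "revision": text_field(data, 56, 60),
        "wavelength_nm": int.from_bytes(data[60:62], "big"),
        "serial": text_field(data, 68, 84),
        "date": f"20{date[0:2]}-{date[2:4]}-{date[4:6]}",
    }


if __name__ == "__main__":
    eeprom = parse_dump(DUMP)
    print("checksums (base, ext):", checksums_ok(eeprom))
    for key, value in decode(eeprom).items():
        print(f"{key:>18}: {value}")
```

The compliance byte only sets the 1000BASE-LX bit, matching the `plugged:` line in the output, even though the part number is a BX (BiDi) one.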
                            • W
                              wblanton @stephenw10
                              last edited by

                              @stephenw10 Good to know it's possible! Have you been running this without any issue?

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                Not for any time. I just moved it from an SG-2100 to test. I saw no problems though and it also runs fine in the SG-2100, been running there for months.

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • M
                                  msf2000 @Cabledude
                                  last edited by

                                  @cabledude
                                  You may be able to do the SG-3100 but only if you offload Suricata and/or nTopNG to a separate machine. Otherwise, go with the 5100 as suggested earlier.

                                  I speak from experience, as having tried it before. ;)

                                  B B 2 Replies Last reply Reply Quote 1
                                  • B
                                    Biggy823 @msf2000
                                    last edited by

                                    @msf2000 I too happen to be in the same boat. I have the SG-3100 and am currently experiencing lock ups and random reboots. It just does not have the horse power needed to run these applications. I am now facing the hard choice that I am going to have to upgrade to the 5100. Don't make the same mistake that I did.

                                    1 Reply Last reply Reply Quote 1
                                    • B
                                      brians @msf2000
                                      last edited by brians

                                      @msf2000 SG-3100 is not good for me. I just installed one for a customer and was trying to get decent IPSec speeds between the installed 3100 at a 200Mbps fibre site and a 500Mbps fibre remote site using SG-5100. I was only able to achieve around 80Mbps throughput. I had tried at home for a while where I use a home built pfSense. I tried connecting SG-3100 to our work SG-5100 - both sites are 1Gbps fibre. With my home build setup I get around 700-800Mbps IPSec but with SG-3100 could not get any decent speed at all. Older SG-2220 is way better, around 400Mbps IPSec, but it is limited to around only 700Mbps LAN routing so I could never hit full 940Mbps in Speedtest. I wish Netgate would come out with an inexpensive line of routers using the Intel CPU with good IPSec encryption instead of these ARM processors. Maybe SG-3100 works well connecting IPSec to another SG-3100 and maybe when I have time I can test a 700Mbps site to this 200Mbps site both using SG-3100.

                                      N 1 Reply Last reply Reply Quote 0
                                      • S
                                        skogs
                                        last edited by

                                        The biggest trouble with the hardware offerings is that there is a world of difference between an Atom cpu and a Xeon. Atom can hardly keep up with moderate home use; and there is literally nothing in the lineup for full wire speed home without going up to a much more enterprise capable Xeon. The 5100 is really the lowest priced NICE machine in the lineup that can pretend to keep up with crypto.

                                        I think something with Ryzen V2000 series embedded processors would be much more appropriate for long term use. Engineering team...please hear my prayers...

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          NOCling @brians
                                          last edited by

                                          @brians said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:

                                          I was only able to achieve around 80Mbps throughput. I had tried at home for a while where I use a home built pfSense. I tried connecting SG-3100 to our work SG-5100 - both sites are 1Gbps fibre. With my home build setup I get around 700-800Mbps IPSec but with SG-3100 could not get any decent speed at all.

                                          The hardware crypto offload in the SG-3100 supports AES_CBC, do you use this?
                                          I guess you have set up the IPsec with AES_GCM and then the SG-3100 has it running in slow software mode.

                                          Netgate 6100 & Netgate 2100

                                          B 1 Reply Last reply Reply Quote 0
                                          • B
                                            brians @NOCling
                                            last edited by

                                            @nocling

                                            Yes I tried AES and SHA1 for encryption and did not get expected results.

                                            Could be that the other end, SG-5100, is doing software crypto with these settings and is the bottleneck? I am thinking SG-3100 to SG-3100 may be a good test to do when I get the chance.

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.