Netgate Discussion Forum

    Prepurchase Question

    Official Netgate® Hardware
    19 Posts 7 Posters 1.4k Views
    • keyser Rebel Alliance @Spyderturbo007

      @spyderturbo007 The 2100 will not handle Suricata with lots of rules at 400 Mbps.
      The SG-2100 is an extremely nice little box, but it does not have enough CPU to handle deeper inspection at broadband speeds.
      The 3100 will handle it much better, but that box has other issues (being only a 32-bit CPU and requiring different code).

      For proper Suricata/Snort, look into the 5100 or 6100.

      Love the no fuss of using the official appliances :-)

      • noplan @keyser

        @keyser

        5100 or 6100

        Not sure right now, but for some reasons
        not a 3100... And a must-have here is pfS Plus.

        For home use I set up a custom hardware box
        and run pfS CE.

        • SteveITS Galactic Empire @Spyderturbo007

          @spyderturbo007 I haven't run a 2100 at that speed yet. The CPU isn't terribly fast. https://www.netgate.com/appliances shows VPN speeds of 118 and 68 Mbps, but I'd expect that's more CPU intensive than Suricata. We've sold a lot of 3100s the past few years, but there are issues lately with its 32-bit ARM CPU. For instance, Suricata v5 won't work because it is written in Rust and that language doesn't exist for that CPU, so it's stuck on Suricata 4. And Snort has some compiler memory optimization issues in its code specific to that CPU, so Snort crashes.

          We have a client with an older SG-2440 (Intel(R) Atom(TM) CPU C2358 @ 1.74GHz) and at around 350 Mbps download (speed tests) with Suricata it uses 95-100% CPU. Maybe you can find a CPU comparison.

          For "get to know you" purposes for the software side of things you could use any old PC with two NICs and install pfSense. That doesn't help with your hardware question, of course.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • bmeeks @SteveITS

            @steveits said in Prepurchase Question:

            ... We've sold a lot of 3100s the past few years, but there are issues lately with its 32 bit ARM CPU. For instance Suricata v5 won't work because it is written in Rust and that language doesn't exist for that CPU, so it's stuck on Suricata 4. And Snort has some compiler memory optimization issues in its code specific to that CPU so Snort crashes.

            Just FYI. The issues with Snort and Suricata on SG-3100 appliances have apparently been solved in the latest 2.6-DEVEL snapshots pfSense+ DEVEL snapshots. This includes the issue with Rust (so now Suricata 5 is available in 2.6-DEVEL), and the Snort Signal 10 faults. So look for those problems to be gone in the next pfSense+ release (no, I have no clue when that might be other than the initial plan was once per quarter).

            Edit: sorry, brain fart with the 2.6-DEVEL part with Suricata 5. ARM is only supported in pfSense+, so I should have said it's fixed in the upcoming edition of pfSense+. Ditto for Snort.

            • stephenw10 Netgate Administrator

              There are a bunch of improvements coming for arm7. Suricata 5 is in 21.09 already. More to come.

              Steve

              • SteveITS Galactic Empire @bmeeks

                @bmeeks said in Prepurchase Question:

                issues with Snort and Suricata on SG-3100 appliances have apparently been solved

                Ooh, fantastic…yay all involved.

                • Spyderturbo007

                  Thanks for all the replies. It sounds like if I want to use Suricata, I really need the 5100. I would have to decide if that's something I want to manage on an ongoing basis for people, should I decide to move forward with the hardware after testing.

                  If it will at least run on the 2100, I could always use that for testing to save the $400 and then deploy the 5100 for clients.

                  I'm seeing people mention pfSense+. Doesn't all Netgate hardware include pfSense+, or is that an additional charge I'm not seeing? My understanding was that there were no recurring subscription fees like there are for Sonicwall and Barracuda?

                  Thanks again for the help!

                  • noplan @Spyderturbo007

                    @spyderturbo007

                    Hi, for further info about Plus and CE please read the Netgate blog post about that topic. As far as I know, Plus is included on Netgate hardware, and noni will not talk or consult about that move from Netgate. Don't get me wrong, but it's pretty frustrating and annoying.

                    If you're running a company, then at least with the 5100 you need to test and try things on real metal, not testing on the clients' machine. We're still talking about firewalls, not some fancy RGB-lit PC.

                    Just my 2 cents

                    Br NP

                    • stephenw10 Netgate Administrator @Spyderturbo007

                      @spyderturbo007 said in Prepurchase Question:

                      Doesn't all Netgate hardware include pfSense+, or is that an additional charge I'm not seeing?

                      Yes, all hardware we sell comes with Plus.
                      No, there is no additional fee or ongoing charge for that.

                      Steve

                      • Spyderturbo007 @noplan

                        @noplan said in Prepurchase Question:

                        If you're running a company, then at least with the 5100 you need to test and try things on real metal, not testing on the clients' machine. We're still talking about firewalls, not some fancy RGB-lit PC.

                        Just my 2 cents

                        Br NP

                        I'm not going to be testing with clients, which is why I started this thread in the first place. I want to test the pfSense functionality before deciding if I want to offer it as a solution.

                        My point was that if the 2100 will at least handle both Suricata and pfBlocker, then it will serve the purpose for testing and save me $400. I would obviously size the hardware to the clients when deploying the product. But for my testing purposes, I don't really care if I'm getting slower than normal bandwidth through the device.

                        @stephenw10 since it appears as though you work for Netgate, can you comment on the choice of hardware for testing? There seem to be some conflicting opinions on the 2100, and the 3100 appears to have underlying hardware incompatibility issues.

                        I don't want to drop the $700 on a test device if I don't have to. Thanks!

                        • SteveITS Galactic Empire @Spyderturbo007

                          @spyderturbo007 said in Prepurchase Question:

                          if I want to use Suricata, I really need the 5100

                          We have set up Suricata on all the 3100s we put in at clients. To be clear Suricata v4 runs just fine on a 3100, and if 21.09 will allow the later versions of Suricata, and Snort, to work that eliminates much of my concern for the future.

                          pfSense Plus is currently only on Netgate hardware, like the previous Factory Edition. At the moment they're very similar, and honestly I couldn't tell you the differences other than it works on ARM hardware and AWS/Azure. They have said they intend to offer it for third-party hardware at some point... that announcement said June, but it has stretched to sometime this year.

                          Also note the 6100 was recently released and is the same price as the 5100.

                          • stephenw10 Netgate Administrator @Spyderturbo007

                            @spyderturbo007 said in Prepurchase Question:

                            I don't want to drop the $700 on a test device if I don't have to. Thanks!

                            If you are just testing, having never used pfSense before, the first thing I would do is spin up the CE ISO in a VM.

                            To test hardware on a 400 Mbps connection, both the SG-2100 and SG-3100 will pass that fine.
                            When you add Snort/Suricata into the mix it becomes much harder to give a definitive answer, because it can vary wildly with the number of rulesets you have loaded and the scanning mode config you're using.
                            The 2100 will pass 500-600 Mbps of firewall and NAT. The SG-3100 will pass 850-940 Mbps. Dependent on packet size, latency, line conditions, etc.
                            Running Snort/Suricata will reduce that.

                            Steve

                            • KOM @noplan

                              @noplan It's pretty simple. With CE you get 99% of pfSense+ functionality, and the vast majority of users would have no use for the differences. When you support them by buying their hardware, you get some small bonuses like a few extra niche packages and priority updates & releases.

                              • noplan @KOM

                                @kom said in Prepurchase Question:

                                @noplan It's pretty simple. With CE you get 99% of pfSense+ functionality, and the vast majority of users would have no use for the differences. When you support them by buying their hardware, you get some small bonuses like a few extra niche packages and priority updates & releases.

                                Yeah, I personally see a different story coming round the corner....
                                Let's see.

                                • KOM @noplan

                                  @noplan Their approach isn't really any different for other projects like TrueNAS, for example. Everyone can use most of it for free, but people who help support them get some extras.

                                  • noplan

                                    Hey folks, we are still talking about a 4GB RAM box (SG-2100).
                                    And don't get me wrong... using pfB and Suricata will soon get you into burning swap
                                    when you put the pedal to the metal.

                                    pfB on 2.5.2 is consuming less RAM than on 2.4 with the same lists, for starters.

                                    But both systems (Suricata and pfB) on 4GB RAM with a full-grown and used LAN behind it is a f@#&* pain on 4GB RAM.

                                    • SteveITS Galactic Empire @bmeeks

                                      @bmeeks said in Prepurchase Question:

                                      Suricata on SG-3100 appliances have apparently been solved

                                      In fact I did two upgrades to 21.05.01 on 3100s today and they both offered the suricata package (package 6.x, Suricata 5.x), not the suricata4 package.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.