Netgate Discussion Forum

    Prepurchase Question

    Official Netgate® Hardware
    19 Posts 7 Posters 1.4k Views
    • bmeeksB
      bmeeks @SteveITS
      last edited by bmeeks

      @steveits said in Prepurchase Question:

      ... We've sold a lot of 3100s the past few years, but there are issues lately with its 32 bit ARM CPU. For instance Suricata v5 won't work because it is written in Rust and that language doesn't exist for that CPU, so it's stuck on Suricata 4. And Snort has some compiler memory optimization issues in its code specific to that CPU so Snort crashes.

      Just FYI. The issues with Snort and Suricata on SG-3100 appliances have apparently been solved in the latest 2.6-DEVEL snapshots pfSense+ DEVEL snapshots. This includes the issue with Rust (so now Suricata 5 is available in 2.6-DEVEL), and the Snort Signal 10 faults. So look for those problems to be gone in the next pfSense+ release (no, I have no clue when that might be other than the initial plan was once per quarter).

      Edit: sorry, brain fart with the 2.6-DEVEL part with Suricata 5. ARM is only supported in pfSense+, so I should have said it's fixed in the upcoming edition of pfSense+. Ditto for Snort.

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        There are a bunch of improvements coming for arm7. Suricata 5 is in 21.09 already. More to come.

        Steve

        • S
          SteveITS Galactic Empire @bmeeks
          last edited by

          @bmeeks said in Prepurchase Question:

          issues with Snort and Suricata on SG-3100 appliances have apparently been solved

          Ooh, fantastic…yay all involved.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • S
            Spyderturbo007
            last edited by Spyderturbo007

            Thanks for all the replies. It sounds like if I want to use Suricata, I really need the 5100. I would have to decide if that's something I want to manage on an ongoing basis for people should I decide to move forward with the hardware after testing.

            If it will at least run on the 2100, I could always use that for testing to save the $400 and then deploy the 5100 for clients.

            I'm seeing people mention pfSense+. Doesn't all Netgate hardware include pfSense+, or is that an additional charge I'm not seeing? My understanding was that there were no reoccurring subscription fees like there is for Sonicwall and Barracuda?

            Thanks again for the help!

            • noplanN
              noplan @Spyderturbo007
              last edited by noplan

              @spyderturbo007

              Hi, for further info about Plus and CE please read the Netgate blog post about that topic. As far as I know Plus is included on Netgate hardware, and no, I will not talk or consult about that move from Netgate. Don't get me wrong, but it's pretty frustrating and annoying.

              If you are running a company, at least with the 5100 you need to test and try things on real metal, not testing on the client's machine. We are still talking about firewalls, not some fancy RGB-lighted PC.

              Just my 2 cents

              Br NP

              • stephenw10S
                stephenw10 Netgate Administrator @Spyderturbo007
                last edited by

                @spyderturbo007 said in Prepurchase Question:

                Doesn't all Netgate hardware include pfSense+, or is that an additional charge I'm not seeing?

                Yes, all hardware we sell comes with Plus.
                No, there is no additional fee or ongoing charge for that.

                Steve

                • S
                  Spyderturbo007 @noplan
                  last edited by

                  @noplan said in Prepurchase Question:

                  If you are running a company, at least with the 5100 you need to test and try things on real metal, not testing on the client's machine. We are still talking about firewalls, not some fancy RGB-lighted PC.

                  Just my 2 cents

                  Br NP

                  I'm not going to be testing with clients, which is why I started this thread in the first place. I want to test the pfSense functionality before deciding if I want to offer it as a solution.

                  My point was that if the 2100 will at least handle both Suricata and pfblocker, then it will serve the purpose for testing and save me $400. I would obviously size the hardware to the clients when deploying the product. But for my testing purposes, I don't really care if I'm getting slower than normal bandwidth through the device.

                  @stephenw10 since it appears as though you work for Netgate, can you comment on the choice of hardware for testing? There seem to be some conflicting opinions on the 2100, and then the 3100 appears to have underlying hardware incompatibility issues.

                  I don't want to drop the $700 on a test device if I don't have to. Thanks!

                  • S
                    SteveITS Galactic Empire @Spyderturbo007
                    last edited by

                    @spyderturbo007 said in Prepurchase Question:

                    if I want to use Suricata, I really need the 5100

                    We have set up Suricata on all the 3100s we put in at clients. To be clear Suricata v4 runs just fine on a 3100, and if 21.09 will allow the later versions of Suricata, and Snort, to work that eliminates much of my concern for the future.

                    pfSense Plus is currently only on Netgate hardware, like the previous Factory Edition. At the moment they're very similar, and honestly I couldn't tell you the differences other than it works on ARM hardware and AWS/Azure. They have said they intend to offer it for third party hardware at some point...that announcement said June, but it has stretched to sometime this year.

                    Also note the 6100 was recently released and is the same price as the 5100.

                    • stephenw10S
                      stephenw10 Netgate Administrator @Spyderturbo007
                      last edited by

                      @spyderturbo007 said in Prepurchase Question:

                      I don't want to drop the $700 on a test device if I don't have to. Thanks!

                      If you are just testing, having never used pfSense before, the first thing I would do is spin up the CE ISO in a VM.

                      To test hardware on a 400Mbps connection both the SG-2100 and SG-3100 will pass that fine.
                      When you add Snort/Suricata into the mix it becomes much harder to give a definitive answer because it can vary wildly with the number of rulesets you have loaded and scanning mode config you're using.
                      The 2100 will pass 500-600Mbps of firewall and NAT. The SG-3100 will pass 850-940Mbps. Packet size, latency, line conditions dependent etc...
                      Running Snort/Suricata will reduce that.

                      Steve

                      • KOMK
                        KOM @noplan
                        last edited by

                        @noplan It's pretty simple. With CE you get 99% of pfSense+ functionality, and the vast majority of users would have no use for the differences. When you support them by buying their hardware, you get some small bonuses like a few extra niche packages and priority updates & releases.

                        • noplanN
                          noplan @KOM
                          last edited by

                          @kom said in Prepurchase Question:

                          @noplan It's pretty simple. With CE you get 99% of pfSense+ functionality, and the vast majority of users would have no use for the differences. When you support them by buying their hardware, you get some small bonuses like a few extra niche packages and priority updates & releases.

                          Yeah, I personally see a different story coming round the corner....
                          Let's see

                          • KOMK
                            KOM @noplan
                            last edited by

                            @noplan Their approach isn't really any different for other projects like TrueNAS, for example. Everyone can use most of it for free, but people who help support them get some extras.

                            • noplanN
                              noplan
                              last edited by

                              Hey folks, we are still talking about a 4GB RAM box (SG-2100).
                              And don't get me wrong... using pfB and Suricata will soon get you into burning swap
                              when you put the pedal to the metal.

                              pfB on 2.5.2 is consuming less RAM than on 2.4 with the same lists, for starters.

                              But both systems (Suricata and pfB) on 4GB RAM with a full-grown and used LAN behind is a f@#&* pain on 4GB RAM.

                              • S
                                SteveITS Galactic Empire @bmeeks
                                last edited by

                                @bmeeks said in Prepurchase Question:

                                Suricata on SG-3100 appliances have apparently been solved

                                In fact I did two upgrades to 21.05.01 on 3100s today and they both offered the suricata package (package 6.x, Suricata 5.x), not the suricata4 package.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.