Extreme slowdown of download speed with Netgate SG-1000



  • I have bought an SG-1000 from the Norwegian reseller because I wanted something bulletproof to use instead of the router part of my fibre broadband modem, which has stalled on me twice in two months. Not acceptable, when the place is totally automated! Which is why I wanted to use that in bridge mode with another router, since a "source" (a guy I know from a forum who works there!) says that when the fibre router stops, it's the dhcp server that's the problem.

    I have 300/300 Mbps connection, and I can measure that when I connect the cable to my old router, an Asus RT-66U, which I will still use for my internal network (I have one internal and one external network, for different uses; before the Netgate, the fibre modem and later the Asus have been my external network). But hooking up the Netgate between the fibre modem and the Asus more than cuts the speed in two! I get 300/300+ (for some reason higher upload than download) with my Asus connected as the router, but only 135-140/140-150 with the Netgate in, even if my computer's directly connected to that, without the Asus router in the loop. It's consistent down to five Mbps down and ten up, which makes me think there's an error in the configuration somewhere.

    I have checked traffic shaping, but nothing is activated there. What else can this be? Both network interfaces show 1000baseT <full-duplex>, but the CPU seems a bit high, at around 40 % when running speed tests. Still it's far from the ceiling. I have not changed anything from when I got it, except for setting a few devices with a static IP in the DHCP server, and forwarding all ports to a DMZ device (weird that there's not a simple DMZ setting somewhere in the system!), but I have deactivated that again, to make sure it wasn't the reason.

    Can somebody please tell me what's happening here?



  • @mastiff
    135-140 is about it for the SG-1000. I thought it was even a bit less, so it sounds like you are getting everything you can from it. On the product page it says "Layer 3 forwarding performance using FreeBSD without a packet filter exceeds 400Mbps. Using pfSense with the default ruleset offers performance exceeding 100Mbps." You may have some options for a faster rate, but generally this is meant to be a low power compact device that is best for remote access applications. It can do more and can be an everyday device, but really you might want to move up a bit in power if you want to see 300+ on your connection.



  • Really? That is just dumb even selling the thing! The specs said it had gigabit network ports, and that made me believe that 300 Mbps was no problem at all! It never occurred to me that it could be that slow! Any cheap router (yeah, the firewall is not as good, but still) can do a lot more. The RT-66U is five years old and has no problems with it! On the info page, this is the wording:

    The Netgate® SG-1000 microFirewall is a cost-effective, state-of-the-art, ARM®-based, pfSense® Security Gateway appliance. The SG-1000 comes with dual 1Gbps Ethernet ports, enabling maximum throughput exceeding 100Mbps[1].

    I automatically read 1000 and didn't think anything of it; boasting about 1Gbps ports should logically mean 1000Mbps throughput. And yes, "exceeding 1000 Mbps" is of course not what 1Gbps does, but it never occurred to me that it could be such a snail. Everybody has a line that's faster than that 130 Mbps. I feel really, really cheated here! I had a few others asking me about that unit, I gotta get back to that Norwegian forum and warn them to stay as far away from that toy as they can! (Yeah, I'm pretty pissed...) I'm also going to mail the reseller about returning it, since it fulfilled neither need nor expectations. If not I'll probably sell it on the Norwegian version of Craig's List. To me it's totally useless junk.



  • @mastiff said in Extreme slowdown of download speed with Netgate SG-1000:

    Really? That is just dumb even selling the thing! The specs said it had gigabit network ports, and that made me believe that 300 Mbps was no problem at all! It never occurred to me that it could be that slow! Any cheap router (yeah, the firewall is not as good, but still) can do a lot more. The RT-66U is five years old and has no problems with it! On the info page, this is the wording:

    The Netgate® SG-1000 microFirewall is a cost-effective, state-of-the-art, ARM®-based, pfSense® Security Gateway appliance. The SG-1000 comes with dual 1Gbps Ethernet ports, enabling maximum throughput exceeding 100Mbps[1].

    I automatically read 1000 and didn't think anything of it; boasting about 1Gbps ports should logically mean 1000Mbps throughput. And yes, "exceeding 1000 Mbps" is of course not what 1Gbps does, but it never occurred to me that it could be such a snail. Everybody has a line that's faster than that 130 Mbps. I feel really, really cheated here! I had a few others asking me about that unit, I gotta get back to that Norwegian forum and warn them to stay as far away from that toy as they can! (Yeah, I'm pretty pissed...) I'm also going to mail the reseller about returning it, since it fulfilled neither need nor expectations. If not I'll probably sell it on the Norwegian version of Craig's List. To me it's totally useless junk.

    Gigabit ports means just as it says, it can exceed 100Mbps. If the ports were only 100Mb you would be limited to about 94ish. It can with the right setup exceed your current speed. You compared it to a consumer grade device that, while faster, is not going to be acceptable in a corporate environment. What you bought is a compact commercial grade device that does fill a need and has support to back it up in addition to regular updates. Security in a small package. Talk to Netgate, see if they will work with you to swap maybe for the SG-3100. It will indeed route gigabit, but read the details because it may not do it if you install a bunch of packages that require more power. Some just need more to run well. If your line is 300 then you would have no issues.



  • Thanks, but that's much more than double the price (especially when sent to Norway). I was probably dumb thinking it was natural that a SOHO grade device would at least not be slower than a simple consumer grade thing. I don't use any packages, I only wanted the default firewall setup and routing, nothing more, and I never thought it would be a problem.


  • Rebel Alliance Global Moderator

    @mastiff said in Extreme slowdown of download speed with Netgate SG-1000:

    Everybody has a line that's faster than that 130 Mbps

    Oh must suck ;) heheh Not here in the US that is for sure..

    The sg-1000 for sure has its market. That just doesn't seem to be yours.. While yes the sg-3100 is double the price, it's still a very reasonable price for what the little box can do..

    You need to stop comparing the price points of soho devices that they make by the millions, and do not support a year later because they want you to buy the next years model, etc. That do nothing but simple nat, and call it security.

    If you're talking company/work location.. Then size the appropriate hardware for what you need. The few hundred $ US for say a 3100, or even a 4860 at double that, is peanuts for a company budget.. Have you priced out a cisco box that can do gig ;) Or even a 100mbps for that matter. We replaced a juniper here in a branch office with a 3100 because the juniper only had a 10/100 interface and couldn't even do full speed of the cable connection we have for guest wireless access. About 120 down and 30 up..

    I have a 4860 for my house connection. It rocks my 500/50 connection there without even breaking a sweat. Sure the 3100 would have been fine, but I like more nics and play with some packages now and then. While it is a bit high for many home budgets - it's also not over the top.. Shoot, how much do you pay for your shiny new iphone or android..



  • Well, in Norway 300/300 is probably in the lower end. Most fibre customers have the standard 500/500+TV package. I have a company consisting of one person, me. I translate, and it's not very highly paid, I'm afraid. But I need a stable line because of my home automation hobby, and because my alarm and similar stuff goes over the Internet. I had to drive two hours from my cabin to reset the fibre router/modem a few months ago, that's why I wanted something that didn't fall down. And again it really never occurred to me that it could be that slow. As for phone I bought my Sony Xperia X Performance when it was a one year old model, and I have been using it for two years now. The previous phone I think I had four years... I really don't care much about phones, I preferred the O2 Atom series of Windows Mobile ten years ago... ;)


  • Rebel Alliance Global Moderator

    hehehe - my point to the phones was more how much your typical user pays for them... And needs the next new shiny one next year, but then they balk at paying a few hundred for a quality product that their home/business internet runs on.

    Shoot, there are soho products that cost more than the sg3100, that is for sure... And what do they do exactly? I would suggest you look at the 3100, it might be a bit more than you wanted to spend.. And it is a shame the costs outside the US are not more reflective of exchange rates, etc. But that can be said for almost any electronics.. And many goods really..

    You could look to DIY and bring your own hardware and just run pfsense on it... Many people like to do that, it might save you a few bucks... But I am not a fan of the china boxes to save a buck.. Rather support the company that is putting out such a fine product. So they can continue to do so - and I do believe they have some different models coming out that will cover the bases better from low to high, etc.

    Sorry to hear you're disappointed, but the specs are listed. And everyone is here ready to answer any questions before you purchase, in the forums or even sales directly, etc.

    To your gig comment.. The new PI3 B+ has gig interface - do you think it can do gig?? ;) No not even close... And that is just moving packets not firewall them and nat them and route them, etc. Gig interface just means more than 100 as mentioned already.



  • I did get the one about the phone, I only saw my chance to play the wise, old nerd who longs for the days of WinMo... ;) But I have contacted the Norwegian reseller. They have had very good service and been nice people so far, so maybe I can upgrade to an SG-3100. We'll see.



  • The nice guy at the Norwegian reseller is letting me replace the unit with the (did I mention quite a bit more expensive? ;) ) 3100. So I guess that should work.


  • Rebel Alliance Global Moderator

    So he is charging you the extra money, or giving you as even exchange for what you paid for the sg-1000?



  • I'm getting back the money for the 1000 and getting an OK deal on the 3100. So no even exchange. I would have demanded that if I had told them that I was going to use it for a 300/300 line and they didn't say anything, but I never mentioned that in my mails to them.



  • Up and running (the postal service must recently have fed the tortoises they use to carry their packages through Norway, because it came over night in a regular package). The unit works perfectly, no problem pulling 300/300 (and I have read that it actually can do gigabit fibre speed), so I'm good. :) I see that it has an optical input, so I have to find out if I can actually use that instead of the fibre modem that my ISP gave me. That would be slick!


  • Rebel Alliance Global Moderator

    @mastiff said in Extreme slowdown of download speed with Netgate SG-1000:

    I see that it has an optical input,

    Huh? The sg-3100 has no fiber input... Or sfp or sfp+ port to add one.
    https://www.netgate.com/solutions/pfsense/sg-3100.html

    Did you get some other model? Or some other box running pfsense?



  • Embarrassing... I didn't look at the damn port, I only saw that OPT designation. I guess it's optional wan or something! 😂


  • Rebel Alliance Global Moderator

    Yes it's another router interface... Can use it for another wan, or another lan side network..

    The switch ports can be isolated as well via vlans so those could all be other networks on the lan side or wan connections. The only limitation is the switch uplink into the soc is only 2.5gbps



  • Btw I was looking for how to do DMZ the easiest way (I want all ports from WAN to be routed to a single IP on the LAN), and I stumbled over this (which ironically enough seems to use the OPT1 port...):

    https://www.ceos3c.com/pfsense/how-to-create-a-dmz-with-pfsense-2-4-2/

    Is this the simplest/only way to do this or is there a simpler solution?

    Oh, btw, I would like the rest of the LAN from the Netgate to be accessible from the DMZ as well, there's stuff there that I have to maintain.



  • Oh, almost synchronized posting. Much like synchronized swimming, except for not using a swimsuit. At least, I don't wear one now, but of course I don't know what you're wearing! ;)


  • Rebel Alliance Global Moderator

    Not sure why anyone would ever want to do something like that... Just forward the ports you NEED.. But that link is just creating another network and calling it dmz.. You can call your other network segments whatever you want.


  • Rebel Alliance Global Moderator

    heheheheehhe - ROFL... dude that is funny ;) To be honest I am wearing a bath robe since it's very early in the morning here, 4:44 am...



  • Well, then I wasn't all off... ;) But the reason is that I do home automation and I have 30-40 different ports that go to different parts of the system, and I change them every now and then too. :) And at the same time it keeps the rest of the system totally safe, because all attacks will go to the same place. So what would be the easiest way to forward everything?


  • Rebel Alliance Global Moderator

    Yes I would suggest you put your IoT devices, home automation stuff into their own segment... And sure, call it dmz... I have a segment called that.. It's where my ntp server sits since it serves up ntp traffic to the public ntp pool.. So I have 123 forwarded to it.

    And this segment has no access into my other lan segments. I then have a segment that my amazon alexas are in, nest, harmony.. But there are no inbound ports to them.. But they are limited access into my other network segments..

    If you need 30 or 40 ports then forward those 30 or 40 ports. But to be honest if you're forwarding ports into your network to do home automation - you're doing it wrong.. Your home automation should go outbound to create its connection. You shouldn't need to do inbound..



  • This is my cabin, and I have 10 cameras (some internal security, some to keep an eye on the garden and some to watch the view when I'm not there). Three receivers with different ports for control. Then there's separate systems for NodeRED, Home Assistant and EventGhost and 15 different ports for different segments of the webserver for Girder (so I can log in to control AV in a particular room, for a group of rooms or the whole cabin). Everything is set up like this so I don't even have to go on the cabin's wifi, I can control it just as well from 4G. That's why I use so many ports. But I don't think it will work to use a separate segment because I need to be able to connect to stuff on the main segment too from the automation server, because I have some things there that are accessible only from inside the network. So using a separate segment is really not that good for me. Is there really no simple way to forward everything to one IP?



  • Oh, and I change them from time to time because I give guests access to AV for their room, and when the guest leaves, I change the port for that room, so they don't wake up the next guest in the middle of the night with Highway to Hell! ;)


  • Rebel Alliance Global Moderator

    Why would you not just vpn if you need to access multiple devices and multiple ports?

    That doesn't sound like 1 IP, so how would you do it a forward or even a "dmz host" as you call it to that... Sure you can forward ALL the ports to an IP... But you can not forward all the ports to multiple IPs... You can forward port X to IPA and Y to IPB but those are different rules.

    Why would your devices not be able to be on different network segments? The only thing that needs to be on the same layer 2 is shitty soho devices that use some L2 discovery protocol to find what they are looking for. As long as the application or device allows you to set an IP, and use IP or fqdn to get to whatever it is it needs to talk to, then they can be on the internet, or a different network segment.

    You can then limit access to specific ports and protocols on the firewall between your segments.

    But if you're controlling this remote to your cabin, accessing your cameras etc.. Then you should VPN into this cabin and access whatever it is you need to access without any need to port forward anything.

    So your guests to control something while they are there - go out to the internet and back in. Or do you have wifi at this cabin they connect to?



  • This isn't multiple IPs. They are all running on the same virtual machine (except for Node-RED and Hass, which run on a Raspberry Pi, but they don't change their ports, and they go through the home automation VM with MQTT). And I don't want to be rude, but I don't really need these suggestions and questions, I only need a simple answer to the simple question of how I route all ports to one IP, if you have that answer. I have been running a system like this for several years without problems, before I came to the first device I've had that does not have a dedicated DMZ.


  • Rebel Alliance Global Moderator

    Create a port forward and forward the range you want, 1 to 65k if you want all the ports... It's that simple..

    https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html

    or just do a 1:1 Nat..
    https://www.netgate.com/docs/pfsense/nat/1-1-nat.html



  • Thanks! :)



  • @mastiff @johnpoz
    I really need to learn more about my device so I can move my IOT devices into their own network. I use Philips Hue, Ecobee, Lutron, Nest...I still want to see the devices inside the Home app with a device that belongs on the main network. Just don't know how yet so everything is on the one network currently. Works great but not secure.


  • Rebel Alliance Global Moderator

    I see my devices on my phone..

    [image: lutron.png]

    Here are 2 things that use lutron, and I have both nest thermo and protect.. These devices create outbound connections and you control them from their connection to the internet. They do not use local connectivity.

    I can not speak to philips or ecobee but anything that requires you to allow unsolicited inbound traffic would be a problem if you ask me..

    These devices of mine are NOT on the same network my phone is on.. My phone uses an eap-tls wifi network, that is isolated to only my trusted devices. My phone, my wife's phone, our laptops, tablet, etc. Other devices are on different wifi vlans.



  • @johnpoz
    My main issue is lack of knowledge. I admit that and I’m working on it and will commit to learning what I need so I can segment the devices. I forgot really that most of my devices are accessed via their service and not directly. Their local IP is just so they have a path to the internet in order to call home. I can do this.


  • Rebel Alliance Global Moderator

    Here to help, so fire up your own threads with any sort of specific questions you have. It's best if your question is specific to how to do X.. Or if a general question then put it in the general section and say you have this and that, and want to accomplish X, giving as much detail of the this and that as possible.

    Then can discuss the best way to skin the cat to get you to your goal.

    There really should be zero issues in isolating your iot devices on to their own segment. Problems with moving things to their own segment happen when whatever application or whatever you use to interact with them expects them to be on your typical home flat network, everything on the same layer 2, and they use layer 2 discovery to find and talk to whatever else you're wanting to do... Most smart home devices are not like that - and just want to get to the internet...

    Where you might have problems is music related stuff, dlna stuff like a player and your plex server, etc. I have my plex box on different network than my roku player, etc.. But I allow roku device to talk to plex on 32400 so there is no issue.. They play everything direct and don't go through internet to stream stuff.

    Yes it can be a bit of a learning curve - lots of help here.. Just ask!



  • Hey, Johnpoz? I started to think here. I have been doing networks for 20+ years, but only for myself (and friends and family), and I have never done anything which sounds like you are suggesting a bit up for the Opt1 plug. So let me get this straight: I have two separate networks, one private and one for somebody who rents 2/3 of my house. I'm 52, and my wife's 51, and our kids have moved out. So we only needed the small apartment in the house and prefer to let the main part of the house pay our mortgage. ;) What I have now is like this:

    [image: network diagram screenshot]

    I hope that's understandable. I have used it this way so that I can go out from my router to manage the renter's router, smart tv and stuff (which belongs to me, I rent it out with everything, and rent it to tourists in the summer) on the 10.0.0.x segment (the things are open for WAN management, with extremely strong passwords). Would it be possible for me to use the Opt 1 for my own network, so I could drop the virtual machine firewall and have my 10.10.10.x segment there but STILL be able to log on to the 10.0.0.x segment from my opt 1 10.10.10.x segment? Please don't ask me to draw a flow chart, I'm hopeless with that stuff! 😂

    EDIT: Idiotic system on this board, I had to make a screenshot into a picture, it insisted on splitting what I had into different bits of code! See picture at the bottom. Seems like the same system that the Home Assistant board is using, and I really, really, really hate it! ;)


  • Rebel Alliance Global Moderator

    Trying to make sense of that somewhat of a diagram?

    You can create as many networks/vlans as you want on the sg3100. By using the opt1 as native or with vlans on it, and then your 4 ports can all be broken up into individual networks.

    Seems like you're wanting to break up say a 10.10.10 network in ranges. But keep in mind you have all of rfc1918 space to deal with.... So keep your networks simple: if you want to use 10.10.10, ok then create your other networks 10.10.11/24, 10.10.12/24 or 192.168.1/24 and 192.168.2/24

    You can then isolate or control access in and out of these different networks via firewall rules on pfsense.

    What switches do you have if anything? Do they support vlans? Can you not draw up how you have stuff connected currently? Here is a site you could use to do a network diagram.

    https://www.draw.io/



  • Sorry I've been slow, but I've been fighting with my other system (I have one at my cabin and one at my house). In the house I have an Atom based pfSense, and I can't get it to port forward everything there! I have set up the NAT rule: [image: NAT rule screenshot]

    And the firewall rule should be there too:

    [image: firewall rule screenshot]

    So shouldn't this have sent everything to 10.10.10.10? As it is nothing's going there. :(



  • I have tried 1:1 NAT too, but I guess I'm not doing that correctly either: [image: 1:1 NAT screenshot]

    The .4 address is the WAN address of the system. I tried with .1 which is the address of my modem (I haven't had a chance to bridge that yet), but it didn't change anything.


  • Rebel Alliance Global Moderator

    If your external address is rfc1918.. Means you have a nat in front - so you would have to forward it there first. Also out of the box pfsense blocks rfc1918 on its wan. So you would have to turn that off.
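
    The two NAT options the moderator gives above (a port forward of the whole range, or 1:1 NAT) and the RFC1918-on-WAN catch in the post above, written out as an added pf.conf illustration in FreeBSD pf syntax. It is not pfSense's generated ruleset and not anyone's configuration from this thread; the interface names, the role of 10.10.10.10 as the automation VM, the IoT segment and the sample ports are assumptions.

```pf
# Added illustration in plain pf.conf syntax (pfSense builds its own ruleset
# from the GUI; this hand-written version shows what the GUI steps amount to).
# Assumed: vtnet0 = WAN holding 10.0.0.4 behind the ISP modem, vtnet1 = LAN,
# vtnet2 = OPT1 used as an IoT segment, 10.10.10.10 = the automation VM.
ext_if  = "vtnet0"
lan_if  = "vtnet1"
iot_if  = "vtnet2"
lan_net = "10.10.10.0/24"
auto_vm = "10.10.10.10"

# pfSense's default "Block private networks" on WAN, in pf terms. When the WAN
# address itself is RFC1918 (10.0.0.4 behind a NAT modem), this rule drops every
# forwarded packet before any rdr below can match, so it has to be disabled or
# the modem put in bridge mode so the firewall gets the public address.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# block in quick on $ext_if from <rfc1918> to any

# Option 1: the "forward everything" asked for in the thread. Every TCP/UDP
# port arriving on the WAN address is redirected to the automation VM.
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 1:65535 -> $auto_vm

# Option 2: 1:1 NAT instead. binat maps the WAN address to the VM in both
# directions (inbound destination and outbound source). Use one or the other,
# not both, so the two translations do not compete for the same packets.
# binat on $ext_if from $auto_vm to any -> 10.0.0.4

# Filter rules are evaluated after translation, so they match the LAN address.
# Narrow variant (what the moderator recommends): pass only the ports that the
# automation host actually serves. Sample ports are constructed for the example.
automation_ports = "{ 1880, 8123 }"
pass in quick on $ext_if proto tcp from any to $auto_vm port $automation_ports
# Broad variant matching Option 1 (every port reaches the VM):
# pass in quick on $ext_if proto { tcp, udp } from any to $auto_vm

# Segmentation as suggested for IoT/home automation: the OPT1 segment reaches
# the internet but not the LAN, except one explicit hole (a player on the IoT
# segment talking to a Plex server on the LAN, port 32400, address assumed).
plex = "10.10.10.20"
pass  in quick on $iot_if proto tcp from $iot_if:network to $plex port 32400
block in quick on $iot_if from any to $lan_net
pass  in quick on $iot_if from $iot_if:network to any
```

    Rules carry `quick`, so order matters: the Plex hole must precede the block, and the block must precede the catch-all pass for the IoT segment.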



  • Thanks! That gave me the idea that solved it. I checked the broadband modem/router that was going to send it on to the pfSense, and it turned out that the damn thing had lost the DMZ settings when I changed the static IP from the old Asus router to the pfSense box (I had DMZ setup for the 10.0.0.4 IP address, but something must have happened, because that was wiped out)! So I spent the minutes it took and set the modem to bridge mode. That should prevent that ever happening again.


 
