Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't make Netgate SG-1100 into Pure Router

    Official Netgate® Hardware
    2
    17
    1.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      As I stated before, someone is performing IPv4 NAT. You state there is none but there obviously is, because 192.168.15.160 is not a routable address.

      What ISP is this?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • J
        joshua777
        last edited by joshua777

        1. As my previous post of the speed test indicates in the graphic, its Spectrum.
        2. The SAME speed test was run BEFORE inserting the firewall, and it read 36Mbits up and 85Mbits down. So I'm losing a LOT of bandwidth by using the SG-1100
        3. Changing the Server as indicated in the above speed test does not significantly change the result.
        4. I stated that the C7000 Cable modem WAS doing NAT but nothing about it was configurable through the user interface.
        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Right. I don't doubt that. But there is something else at play here. This is what I just got through an SG-1100 placed on the inside of my network. pf enabled, etc.

          0_1549848434293_Screen Shot 2019-02-10 at 5.23.48 PM.png

          That is a 300/30 WAN.

          So there is something else going on in your environment that is causing the slowdowns you are seeing. What that problem is will probably be pretty tricky to diagnose from remote. I would double-check everything you can, try different cables etc.

          You can ssh to the unit (or connect to the serial console), use menu option 8, and run this:

          pkg install py27-speedtest-cli

          Then:

          rehash

          Then:

          speedtest-cli

          Retrieving speedtest.net configuration...
Testing from Cox Communications (68.X.Y.Z)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by ServerPoint (Las Vegas, NV) [11.67 km]: 40.684 ms
Testing download speed................................................................................
Download: 286.01 Mbit/s
Testing upload speed................................................................................................
Upload: 29.99 Mbit/s

          That will allow you to test from the firewall itself to isolate if the issue is on the inside or not.

          Type exit to return to the console menu.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • J
            joshua777
            last edited by joshua777

            That's helpful.

            1. I logged in through the serial/USB port.
            2. Selected menu 8
            3. Installed speedtest package as indicated.
            4. Ran speed test with "speedtest-cli" with the following result:

            [2.4.4-RELEASE][root@SHOMEFW1]/root: speedtest-cli
            Retrieving speedtest.net configuration...
            Testing from Spectrum (xx.xx.xx.xx)...
            Retrieving speedtest.net server list...
            Selecting best server based on ping...
            Hosted by ScaleMatrix (San Diego, CA) [12.85 km]: 34.732 ms
            Testing download speed................................................................................
            Download: 160.12 Mbit/s
            Testing upload speed................................................................................................
            Upload: 9.36 Mbit/s
            [2.4.4-RELEASE][root@SHOMEFW1]/root:

            1. As far as your test above, that only tested the speed on the WAN side of the 1100 and bypassing the firewall function. Therefore, it only tells you what your wan throughput is and ignores the UTM speed of the firewall.

            2. My first test earlier above ran through the firewall from the LAN side and a Windows 10 Pro client. It reflects the UTM throughput, not the raw WAN throughput going to the ISP and bypassing the firewall.

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              I thought you said your WAN was 80Mbit/sec down. How did you get 160?

              The speedtest.net result I posted above was THROUGH the 1100, not FROM it.

              My results are actually slower from the firewall itself since the firewall CPU is running the speedtest instead of just processing packets.

              I would continue to look for something local that is the cause of the slowdown you are seeing. I know it's easy to say "When I install this device it slows down" but it there is obviously another element to this problem.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Have you reset to default as suggested and tested without installing any additional packages?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • J
                  joshua777
                  last edited by joshua777

                  1. Apparently, the ISP speed either fluctuates or is faster than we remembered.
                  2. Backed up the config.
                  3. Did a factory reset from the Console port.
                  4. Initialized the WAN interface to 192.168.15.160 and added a default gateway of 192.168.15.1.
                  5. Reinstalled the speedtest package from the console
                  6. Did another speedtest from the command line with the following result:

                  [2.4.4-RELEASE][root@pfSense.localdomain]/root: speedtest-cli
                  Retrieving speedtest.net configuration...
                  Testing from Spectrum (xx.xx.xx.xx)...
                  Retrieving speedtest.net server list...
                  Selecting best server based on ping...
                  Hosted by Spacelink (San Diego, CA) [12.85 km]: 37.95 ms
                  Testing download speed................................................................................
                  Download: 227.87 Mbit/s
                  Testing upload speed................................................................................................
                  Upload: 23.35 Mbit/s
                  [2.4.4-RELEASE][root@pfSense.localdomain]/root:

                  1. Also did a speedtest through the Chrome browser with the following result:
                    0_1549851433600_{4D5D4932-A36D-4AB8-A125-7ACA9C93295B}.png.jpg

                  2. There was obviously something REALLY flaky with the setup or the intial configiruation when I got it. The new numbers are a lot closer to yours. I'm glad I went through this exercise.

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    Maybe test from something other than Tijuana.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • J
                      joshua777
                      last edited by joshua777

                      1. Testing from ZTelco as before produces:
                        98.90 Mbits/sec down
                        23.20 Mbits/sec up

                      2. The numbers I am seeing now are REALLY close to what they were WITHOUT the SG-1100.

                      I'M ECSTATIC! THANKS!

                      It's like the firewall isn't even there anymore speed wise.

                      1. Now I'm going to readd the other packages and see what happens to the speed.

                      2. Added pfBlocker without configuring and got the following results:

                      Chrome speedtest: 108.44Mbits/sec down, 23.13Mbits/sec up
                      Speedtest-cli: 134.95Mbits/sec down, 23.56Mbits/sec up

                      1. Then added ntopng without configuring and got the following results:

                      Chrome speedtest: 110.16Mbits/sec down, 23.42Mbits/sec up
                      Speedtest-cli: 212.10Mbits/sec down, 22.80Mbits/sec up

                      1. Then turned on pfBlocker, turned on DNSBL, and specified ALL available options under Firewall->pfBlocker->DNSBL->DNSBL Easylist->Categories. At this point the firewall rules list shows EMPTY.

                      Chrome speedtest: 104.17Mbits/sec down, 23.34Mbits/sec up
                      Speedtest-cli: 192.51Mbits/sec down, 23.40Mbits/sec up

                      I'm completely baffled at this point. The firewall rules list should NOT be empty after turning on pfBlocker and DNSBL. DNS Resolver is enabled and pfBlocker DNSBL is set to "Unbound" for the Easylist rules so pfBlocker should be working.

                      By uninstalling and reinstalling pfBlocker, enabling DNSBL, and then doing a Firewall->pfBlocker->Update->Select 'Force' option->Reload, the firewall rules were readded. With everything now working properly, the data rate remains the same as item 6 above.

                      Everything is working great and at full wire speed now. Thanks!

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        Seems there needs to be some sort of handle there on what is actually expected throughput.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.