Better option for $$$ than Protectli FW6C with 16GB ram & 512GB M2?



  • I'm narrowing down my options for a HW build for pfSense.
    Candidates are

    • Protectli FW6C for ~$800
      with a i5-7200U CPU (64 Bit, 2.5 GHz, 3.1 GHz Turbo, 3MB Cache)
      16GB ram
      Samsung 860 EVO mSATA SSD @ 500GB

    or

    • Supermicro SYS-E300-8D for ~$900
      with Intel Xeon D-1518, Dual 10G SFP+, 6 GbE LAN, IPMI
      16GB ram
      Samsung 860 EVO 2.5" SATA3 SSD @ 500GB

    Note: I don't really need the 10G SFP+ ports yet as switches only have 1G SFP (not used) and I still have plenty of RJ45 copper ports open to use for the router interconnects.

    Packages in-use include:
    PFBlockerNG, snort, squid, squid rev-proxy, lightsquid, bandwidthd, ntopng.

    Currently have a 300/50 mbit WAN connection, anticipating 1gbps fiber in the near future. I'm supporting both residential and 12hx5d business traffic on this connection.

    Would like to enable OpenVPN for some classes of out-going traffic and for incoming client devices - but won't even start thinking of any of that until on a hardware solution.

    Have been running pfSense 2.4.4-p2 in a 2vCPU/8G VM on a dual-cpu i7-6700 @ 3.4GHz 4-core QNAP NAS with 64GB RAM. Truth be told, this VM is overkill resource-wise as I rarely get over 12-20% CPU or 30% memory utilization - that's without the VPN, but... stability/reliability of the QNAP OS and maintenance BUI sucks. I'm tired of QNAP's dodgy Network vSwitch BUI tools changing my networks out from under me every time I try to create a new private vSwitch for a test env... and taking the network down every time I have to do NAS maintenance, etc... when QNAP "fixes" something else dodgy in their firmware - which seems like every few weeks...

    Any advice and/or alternatives on the HW selection would be most appreciated.
    Thanks,
    -Fabrizio


  • Rebel Alliance Netgate Administrator

    The SG-5100 would exceed your needs, at $799.

    The SG-3100 would probably meet your needs, with its everyday low price of $349.



  • @chrismacmahon
    Thanks for the quick expert advice and sales pitch. Was wondering how long that'd take. :-) Impressive.

    I always purchase to "exceed" current needs, y'know: tomorrow ain't today and "would probably meet my needs" just doesn't make it past the architects or the finance guys. Though I understand I didn't give you enough info to make any better of an assessment.

    Protectli published VPN benchmark specs for the FW6C on what I can presume is an ideal lab network of:
    OpenVPN AES-256-CBC/SHA256: 580 Mbps
    IPsec AES-256-GCM/SHA256: 880 Mbps
    Unencrypted: 940 Mbps
    Granted, there's no indication of what traffic payload they pushed or how...

    Is there a corresponding NetGate benchmark for OpenVPN across the SG-*100 devices?


  • Rebel Alliance Netgate Administrator

    We are working on both Intel QuickAssist and the ARM crypto accelerator. Once those are complete I would expect speed bumps in all areas.

    The numbers are similar for the SG-5100 and the device from the company that does not fund pfSense.

    The SG-3100 is less.



  • Thanks @chrismacmahon.
    Regarding expansion on the SG-5100:
    The product sales page says
    8GB eMMC Flash on board
    4GB DDR4 2400 MHz DIMM (max 16 GB, 1x 260-pin SODIMM)
    Expansion: 1x Mini-PCIe (PCIe), 1x M.2 2242 B/B+M (USB 3.0/SATA), 1x Nano SIM

    Is there a preferred M.2 SSD, or any other details for SSD selection I should consider, besides a 42mm form factor? What does "B/B+M" mean?

    After reading https://docs.netgate.com/pfsense/en/latest/solutions/sg-5100/m-2-sata-installation.html
    It appears there is only one SODIMM socket. Is that correct?

    Is the PCIe "expansion" slot usable? Doesn't look like there's any room for a card on the SG-5100 or XG-7100.

    https://docs.netgate.com/pfsense/en/latest/solutions/sg-5100/io-ports.html
    says that the Intel SoC Integrated MAC ports (IX0-IX3) don't support ALTQ traffic shaping directly and that tagged vlans should be used if that feature is desired. Is this also the case with the ETH2-ETH7 on the XG-7100?


  • Netgate Administrator

    B or B+M refers to the slot keying that determines what card types will fit:
    https://en.wikipedia.org/wiki/M.2#Form_factors_and_keying

    Any m.2 42mm SATA card should work there. It does not support NVMe.

    The PCIe expansion is via a mPCIe slot.

    There is one SO-DIMM slot, yes.

    The ALTQ restriction applies to the ix driver on any hardware including the XG-7100. However there it's not a problem on the Eth1-8 ports as they are connected internally by VLAN anyway.

    Steve


  • Rebel Alliance Netgate Administrator

    As an aside, the SG-5100 is now 699.00: https://store.netgate.com/SG-5100.aspx



  • @stephenw10 what would one typically put in the pci slot on a sg-5100? It doesn’t exactly appear as if I could toss a 10G card in there...


  • Netgate Administrator

    Typically it would not be used at all. 😉
    But I imagine almost everyone who has used it would be for a wifi card. The case has antenna holes.
    However I would really only do that if you happen to have the hardware available or, like me, are just testing.
    WIFI hardware support in FreeBSD/pfSense is not great so a separate access point is almost always preferable.

    Steve



  • @fabrizior said in Better option for $$ than Protectli FW6C with 16GB ram & 512GB M2?:

    I'm supporting both residential and 12hx5d business traffic on this connection.

    So you use the device somewhat professionally, right? Still consider buying something else than "dedicated" hardware from Netgate or other professional stuff like Supermicro?

    If you want to buy SFP+ capable hardware today chances are, you are looking at Netgate's XG-7100 or XG-1537 1U. The latter obviously is a Supermicro chassis and I'd expect to see a Supermicro board inside as well.
    If SFP+ is not yet needed then the Netgate SG-5100 wins by price.

    Just my € 0,02



  • Thank you gentlemen. I appreciate your time and feedback.

