Netgate SG-3100/XG-7100 “future proof” for residential use

  • I was hoping I could get some guidance as to which model best suites my needs (please have crystal ball at the ready) because I am looking for a router with enough power for a few years to come.

    I currently have gigabyte--CenturyLink PPPoE--service and I plan to put the ISP router in bridge mode so my main problem is keeping up with "future needs" and kids. Ultimately, I want to do normal things like keep the kids safe (block websites, devices, and etc) but also support future needs and utilize things like LAGG inherently built into my infrastructure (-i.e. FreeNAS). Please note, that I also switched to Gb service because I will be working from home--full time--very soon (not quite sure I'll need stringent VPN requirements but it might not hurt to have in the back pocket).

    I've been doing quite a bit of reading on two devices, 3100 and 7100, and if I understand properly the 7100's (not the 3100) internal switch will allow me:
    NOTE: I am not an IT guy but I used to be a more active BSD user before the kids came along though so I know how to RTFM but so far the manual is a good part foreign language.

    • Utilize LAGG easier -i.e. more flexibility and if I understand properly, I want LACP support but this does not seem be avail--just yet?-.
      • LACP will be offered later?
    • Allow for future faster ISP speeds.
      • I understand the SPF port does not allow "copper" at this time because of a driver issue (I assume this will be resolved via software methods later).
      • I don't know if these SPF ports are something that can/will be used in larger residential speeds but I assume you can LAGG the 1gb RJ45 ports to support larger speed inputs (as in: ISP @ 2g so use two(2) RJ45 ports if SPF isn't available).
      • Trying to determine what 'copper' means: I am guessing that if an ISP does offer greater than 1gb speeds it could possibly be delivered via the current infrastructure -i.e the Cat6 cable from the "ONT" device. And I would then need some sort of RJ45->SPF adaptor (the Cat6 cable being the 'copper').
    • Have enough power, and options (-e.g. vs a non-switched option like the 5100), to support any future "safety" and work related tasks -i.e. blocking/segregating/etc.

    The 3100 internal switch does not seem to offer as much flexibility as the 7100 -i.e. from the manual I read it as ports wan and opt are the only ports LAGG(able) so I am leaning towards the 7100. I know the 7100 would be overkill for a typical home service but I do not mind spending a little more cash upfront for something a little more 'future proof', safe, and configurable.

    I realize I am most likely showing my ignorance but I am trying to learn this complicated subject in what very little free time I have. And, if I'm leaving large gaps in my explanations please ask; I would prefer to take my time and get this right before I make a large investment.

    Thank you for your time. I do very much appreciate any and all help and/or guidance on this.


    ISP Router <--> (LAN Router)
    (modem only)      / | \    \
    [1gb]            /  |  \    \
                FreeNAS |  Users \
                        |         \
                        AP       *Printer/Work Laptop/Etc.
                      Bridge      ("segregated stuff")
    * This isn't an accurate representation because some/all may connect
       to the AP but I would like to keep these items on a "guest" network
       (but I don't know how I'd depict that with the above "diagram".


  • Netgate Administrator

    The internal switches actually offer pretty much the same features the big difference being the switch in the 7100 is connected to the SoC via a load-balance lagg of two 2.5Gbps links. The 3100 switch is connected via a single 1Gbps link.
    LACP is not supported on either switch directly. You can create a lagg from the switch ports to an external switch but using load-balancing only. If you need to use LACP you must use the other interfaces on both firewalls.
    The 7100 SFP+ ports do not support RJ-45 adapter style modules. As I understand it this is a limitation of the SoC. I do not believe this can be added via a driver change.

    Unless you need 10Gb the SG-5100 might be a better fit here.

    If you need 1Gbps PPPoE though you may need to look at a CPU faster than any of those.


  • Thanks for the reply.

    I'll set the ISP router into bridge mode so it (the 5100) won't need to do PPPoE--although that would be nice if it did-.

    The external switch for LACP is unfortunate because I was hoping to eliminate the need of one (less moving parts and all that) but maybe it would be better.

    I was told by @sales that the 5100 is only good for about 750mbs with PPPoE, what are your thoughts of its possibilities behind the bridged mode ISP router?

    Are there any benchmarking numbers on the 5100?

  • I was going to recommend the SG-5100 as well.

    With those 4 OPT ports, all separate interfaces, you can do pretty much everything you mentioned in your original post.

    Just curious, you mention LAGG as part of your network because of your NAS. What do you serve on your NAS? I ask, because if these services are mostly NOT internet facing, using LAGG on whatever network switch you have all your internal machines plugged into should work just fine. Inter-network traffic, all talking to each other, never hits the pfsense router anyway, hence it really shouldn't be a problem that you can't LAGG on the router.


  • Netgate Administrator

    Yes, that would work. It looks like he wants to filter between the NAS and users. Though ASCII diagram so...

    But you could use two NICs from the SG-5100 directly to the NAS in an LACP LAGG for >1Gbps. As long as you have multiple connections going over that link.


  • I was trying to avoid buying a switch; I think I finally come to the conclusion that is a requirement. How is a "cisco sg250-10p" router? Any good. Anything better (and don't tell me a Ruckus; I don't have $4k to drop on a switch ;] ).

    Right now, the server is just a file, media and rsync server but I'm planning on making my server work a little harder in the near future. For example (this example forms the basis of a dumb question), I just created a FreeBSD Jail DNS to act as a ad-blocker (I think this is called a "DNS sinkhole"? ...please remember I am not smart with this networking stuff. But, this actually creates a question for you; if I offload some responsibilities of the firewall would this then increase the abilities of the device. For example, let's assume I need the 5100, if I offload the pfBlocker portion to my server, could I then potentially get by with an 1100 (I'm making an exaggerated comparison here only to see if the principle exists)? I would imagine 'not' but I thought I'd ask.

    But I also have a friend who's trying to talk me into helping him with a firewall/security project he's been working on the last two years. He mentioned that I'd need to create a "Hypervisor" (or a "hyper v" or whatever it is called from the basic description it sounds like a virtual machine that has a bunch of VMs inside it, it spins up/dn as the network changes). I have absolutely no idea what that is for or how to use something like that at this point so you'll have to fill in your own blanks.

    I've also got some plans to get my eldest kid introduced to computers so I was going to set up one of those "kids programming language servers" (or two).

    The long and short of it is, my server called and said it was bored, so I plan to make it work a bit harder and I thought I'd need a bit more juice to do that and I thought, since it supports LACP, why not try/do that.

  • How many computers, wifi access points, network cameras, or streaming things do you have in your house? That usually determines if you actually need a switch or not.

    Network switches are very affordable, even the "smart" managed ones that let you segment your network, or do the fancy port aggregating (LAGG) like you're talking about. You can look on ebay for 8 or 16 or 24 port versions, again, depending how many wired things you've got in your house. Or you can buy brand new for just a little bit more money.

    You can't offload any of the pfsense functions to another server, unless that also happens to be running pfsense. The packages that are available in pfsense only run in pfsense. I'm not sure if a FreeBSD server changes that or not, maybe somebody else here knows that.

    The Netgate SG-1100 is a good starter firewall/router. It would probably suite what you're trying to do just fine. But, if you get into any of the fancier stuff - more CPU intense packages, VLAN heavy network configs, many rules, faster ISP speeds, VPN stuff, you're going to hit the hardware's operating ceiling pretty quickly. If it were me, I would probably avoid that one.


  • @JohnKaul said in Netgate SG-3100/XG-7100 “future proof” for residential use:

    I was trying to avoid buying a switch; I think I finally come to the conclusion that is a requirement. How is a "cisco sg250-10p" router? Any good. Anything better (and don't tell me a Ruckus; I don't have $4k to drop on a switch ;] ).

    I use Ubiquiti at home for my switch: Ubiquiti UniFi Switch 24 Gigabit+ 2 SFP, if you are buying a switch to future proof get one that supports VLANS, you may want to use them in the future for separating network domains.

Log in to reply