SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed
-
Hello all,
For the last two weeks I have been testing a rented SG-1100, to see if pfSense was a good option for me. In fact I like it more than my USG 3P, because all settings can be controlled in the GUI. Furthermore internet reviews state that pfSense is a reliable system.
My question:
I am debating SG-2100 vs SG-3100 vs SG-5100. My purposes are the following:- 200 mbit/s FTTH, possibly expanding to 500 mbit/s
- Gbit VLAN routing
- OpenVPN s2s (future requirement, it's in the works)
- Suricata
- pfBlocker
- up to 50 clients
- VoIP ATA for my 2 analog phones
- Logging traffic, NTOPNG DPI analysis
I may wish to engage in future projects so I want my device to be able to handle the above tasks easily. It would be a waste of money to splash out 400 for an SG-3100 only to find out I need to replace it two years on.
I have some 10GbE capable devices coming next year, such as a 10GbE capable UniFi switch and a new Synology NAS. There will be no layer 3 routing needs for these devices as they will be in the same subnet so the 10GbE switch can handle that traffic in layer 2.
My profile
I am 50 y/o, a home user that started to learn networking about 1-1,5 years ago. I have quite an extensive (for a beginning home user, yes) UniFi setup (see signature below). I use 7 VLANs for separating IoT traffic from secureLAN, cameras, legacy devices and such.Currently I managed to install and configure the SG-1100 to replace my ISP FttH router and all is working correctly. I also took out my USG and the SG-1100 is now routing traffic across all of my VLANs.
I choose Netgate hardware for ease of operation, power saving (eco friendly) and because pfSense upgrades will be tested on my hardware.
-
The SG-2100 is underspec’ed for your needs. Suricata and ntopng will kill the effective bandwidth on the device because of their relatively heavy CPU consumption.
I think a SG-3100 will meet your needs now, but going 500mbit would likely require a little restraining of your suricata settings for it not to become a bottleneck. Otherwise it should still be fine - but at it’s limits and internal Gbit VLAN routing will likely be impacted when heavy internet use/inspection is taking place.
The SG-5100 is undoubtedly the best choice if 500mbit will become a reality and you wish to have “options” for the future. And in any case it will deliver full Gbit VLAN routing without issues regardless of internet bandwidth used.
-
Yes, I would agree. If you want to be able to run Suricata, pfBlockerNG and NtopNG at 500Mbps with VPNs and do it 'easily' then go for the SG-5100.
Steve
-
Okay Thanks a lot for taking the time to reply and for your recommendations. Looking at the unit prices I think I should lower my requirements a bit. As I didn’t know what to expect all items listed are at the max I think they could ever be. Spending 300 extra for the 5100 over the 3100 may not be justified.
So first: “up to 50 clients” is more than I probably need. When counting all phones, iPads, AppleTVs, synology, and macs I come to 20, so 25 total would be a better estimate. The children will be at school most of the day anyway.
Then 500mbit/s is more like a worst case scenario, we’ve had 60 down 10 up until last month and that proved mostly adequate. So let’s assume 200/200 will be what the netgate should be able to handle.
The s2s VPN will be to our parents home to be able to backup our data on a local NAS I m going to move to their home. They have a very low ISP plan, probably no more than 50/10.
Suricata i will want to run.
NTOPNG is more like a way to identify which data is sent from which devices, so I can check whether or not my IoT crap is phoning home and to keep an eye on system resources. I haven’t even played with NTOPNG yet and really didn’t know it could be such a resource eater.
So based on this, could I get by comfortably with the SG-3100?
Thanks!!
Pete -
Just get a 7100 ;) Go big or go home! hehehe
Call the upgrade a xmas present to yourself.. If you have to justify the extra cost to the budget committee (significant other) hehehe
In fact I like it more than my USG 3P
Yeah its not even close.. While the usg3p isn't a bad little box.. At a good price point.. Its just doing anything is just so much harder than how easy it is in pfsense.. I ran one for a bit, couldn't get back to pfsense fast enough.. My sg4860 was on back order, and need something to handle a recent upgrade to 500/50 for internet..
It sat on the self for quite a bit, but my son recently bought a house... So got him a flexHD for AP and let him use my usg3p, he doesn't really do anything and only has 100/5 for internet.. So for that sort of setup its fine - and it reports into my controller so.. Can keep an eye on stuff for him..
I was in a toss up over the 3100 or the 4860.. I went really for the 4860 because of the discrete interfaces vs switch ports.. I do switching on my switch - I want my router to have interfaces ;)
Other than the extra horse power - the 5100 over the 3100 has interfaces vs switch ports, and can run TNSR if that is something you might want to play with.. I do believe the 5100 also supports QuickAssist and AES-NI, while I believe the 3100 is just AES-NI.. The 5100 also can upgrade the ram and storage I do believe as well.. All big pluses if you plan on keeping it around for a while.
Don't get me wrong the 3100 will prob be great setup for you - but hey why not treat your self to a better box -- if you can afford it..
If (knock on wood) my 4860 took a dump.. And I was in the market - it really would be a toss up between the 5100 and the 7100.. The ability to do some 10ge would be attractive..
-
@johnpoz hi john thanks for such an elaborate reply, straight from the enthusiast’s heart :-). First: yes I could afford even a 7100 in that I won’t starve, but we’re not millionaires so then I cannot buy this or that, iow it’s me that has to be convinced of a buy, the wife couldn’t care less about what I do with my money.
I thought the 3100 has three logical interfaces, just the lan is actually a 4p switch. Will tick the “logical interfaces” box well enough for me I suppose. Or did you mean something else, which I may be missing...
The sg-1100 has just one logical interface split across wan, lan and opt using VLANs 4090, 4091 and 4092. Not quite my cup of tea. But I got working as a FttH WAN split VLAN 4/6 by tying those two as tagged VLANs to the WAN interface.
By the way Like you I also do all of my switching outside the firewall, i.e. soon on a 10Gbe UniFi switch. The netgate just needs to perform gigabit L3 routing, I will keep the 10Gbe hungry devices (workstations and NAS for photo editing) in the same VLAN so layer 2 switching will take care of that.
Be aware that the 7100 also has the Soc internal “SG-1100 like” VLAN design to tie the lagg together and all LAN side VLANs need to get tied to the LAN ports in Interfaces/switch settings.
I’m not at all interested in TNSR.
So that leaves combining openvpn, suricata and ntopng. For our limited family use, based on your reply, I conclude the 3100 will do for my current use case.
Will chew on this for now. Price vs upgradability.
Would appreciate you clarifying the logical ports vs switch benefit of the 5100. Are you using many ports on your netgate box? I will typically only use WAN and LAN and maybe separate ports for IPTV.
Cheers,
Pete -
I have had issues running Suricata and SNoRT on my sg-3100. Random reboots with no explanation. Brought it up to Netgate and they told me it could be an issue with the ARM processor. They recommended I go to the SG5100.
-
Hi!
I am in a very similar situation. But I purchased the SG-2100.
I don't use Suricata or other things you have posted because I am really new to pfSense and I am starting learning how it works and what can I do.
I have a UniFi ecosystem with two switches and two access points and I run the controller actually on a raspberry-pi.
I am here writing to ask you about the reason to migrate from the USG to pfSense, is it because the pfSense has more functionalities and possibilities?
I think that the USG could be a "very limited" Firewall, but I am a bit attracted by the idea of having everything centralized into a unique administration console. I have renewed all my network at the same time, but I bought the pfSense first.
Nowadays I am thinking in buying a Cloud Key gen 2 from UniFi to manage the devices, because I need the raspberry-pi to use it at my IoT VLAN with homebridge installed on it. So I was tempted on buying a UDM (UniFi Dream Machine) or maybe a Cloud Key + USG. So your opinion could be very useful to continue with the SG-2100.
There is no any "real" need from my point of view to move from the SG-2100 to USG or UDM, just the "centralized" management perspective and that I have a 12 months old baby and less time that I want to configure my Network devices at home :)
I work as a CCIE and I am used to networking, so the only thing to move to "all unifi" is to save some time while at home. On the other hand I think I would lost a lot of functionalities and this is the reason you are going to go with NetGate, am I right?
The thing I love from the SG-2100 is that it has an SFP connector, that is not present at the SG-3100, and with this SFP, if your provider gives you a GPON connection based on fiber, you can connect this fiber straight to the device. In any case I am using an external ONT and connect the WAN port using RJ-45. But in case this could be interesting to you, it is something I took into account when I decided to buy this device.
Thanks!!
ISO
-
@Cabledude said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
Okay Thanks a lot for taking the time to reply and for your recommendations. Looking at the unit prices I think I should lower my requirements a bit. As I didn’t know what to expect all items listed are at the max I think they could ever be. Spending 300 extra for the 5100 over the 3100 may not be justified.
So first: “up to 50 clients” is more than I probably need. When counting all phones, iPads, AppleTVs, synology, and macs I come to 20, so 25 total would be a better estimate. The children will be at school most of the day anyway.
Then 500mbit/s is more like a worst case scenario, we’ve had 60 down 10 up until last month and that proved mostly adequate. So let’s assume 200/200 will be what the netgate should be able to handle.
The s2s VPN will be to our parents home to be able to backup our data on a local NAS I m going to move to their home. They have a very low ISP plan, probably no more than 50/10.
Suricata i will want to run.
NTOPNG is more like a way to identify which data is sent from which devices, so I can check whether or not my IoT crap is phoning home and to keep an eye on system resources. I haven’t even played with NTOPNG yet and really didn’t know it could be such a resource eater.
So based on this, could I get by comfortably with the SG-3100?
Thanks!!
PeteIf the settings and needs you have are restrained to your explanation Here, i believe a sg-3100 Will suffice :-) I have No experience with suricata Being unstable on arm based devices
-
@iso667 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
Hi!
I am in a very similar situation. But I purchased the SG-2100.
I don't use Suricata or other things you have posted because I am really new to pfSense and I am starting learning how it works and what can I do.
I have a UniFi ecosystem with two switches and two access points and I run the controller actually on a raspberry-pi.
I am here writing to ask you about the reason to migrate from the USG to pfSense, is it because the pfSense has more functionalities and possibilities?
I think that the USG could be a "very limited" Firewall, but I am a bit attracted by the idea of having everything centralized into a unique administration console. I have renewed all my network at the same time, but I bought the pfSense first.
Nowadays I am thinking in buying a Cloud Key gen 2 from UniFi to manage the devices, because I need the raspberry-pi to use it at my IoT VLAN with homebridge installed on it. So I was tempted on buying a UDM (UniFi Dream Machine) or maybe a Cloud Key + USG. So your opinion could be very useful to continue with the SG-2100.
There is no any "real" need from my point of view to move from the SG-2100 to USG or UDM, just the "centralized" management perspective and that I have a 12 months old baby and less time that I want to configure my Network devices at home :)
I work as a CCIE and I am used to networking, so the only thing to move to "all unifi" is to save some time while at home. On the other hand I think I would lost a lot of functionalities and this is the reason you are going to go with NetGate, am I right?
The thing I love from the SG-2100 is that it has an SFP connector, that is not present at the SG-3100, and with this SFP, if your provider gives you a GPON connection based on fiber, you can connect this fiber straight to the device. In any case I am using an external ONT and connect the WAN port using RJ-45. But in case this could be interesting to you, it is something I took into account when I decided to buy this device.
Thanks!!
ISO
The SG-2100 does not have a lot of CPU horsepower so forget using it for deeper traffic inspection. It’s a great litte device and Very userfriendly - it will also do lots of interesting things a little USG cannot (pfBlockerNG and so on). But it cannot offer what the USG can in terms of unified management, so that’s a good reason to stay with Unifi in your case.
Also: The SFP port is a Gbit Ethernet port, so unless your provider runs Ethernet over GPON your idea will not work. I have No idea if you can even get a GPON tranceiver that terminates Ethernet over GPON and works with Netgate devices. -
ISPs providing exactly that do exist but I don't think we have ever tested one with a SG-2100.
I love to hear about it if anyone has.
Steve
-
I read this "extensive" post for this to work here in Spain. Finally a company called Carlitoxx-Pro started shipping a GPON to GigabitEthernet device. There is also a ZISA one that is sold online from China:
https://forum.mikrotik.com/viewtopic.php?t=116364
It is from Mikrotik, but all the electronics are inside the device so I think it should work while the SG-2100 provides power to the GPON.
I've seen that UniFi also sells a GPON to Gigabit adapter but I don't know if this one could work on a SG-2100:
https://dl.ubnt.com/ds/uf_gpon
If you look into the data sheet, there is a GPON for ONT side, not for OLT. But I don't know if this SFP could work against "non-unifi" OLT's.
But yes, I think it is "doable" :) for the moment I am using a UF Loco ONT and connect my SG-2100 straight to RJ-45 cable, but maybe in the future I'll try one of those.
BR!
ISO
-
@stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
ISPs providing exactly that do exist but I don't think we have ever tested one with a SG-2100.
I love to hear about it if anyone has.
Steve
I’m running a SG-2100 with a 1000Base-BX20 SFP in the SFP slot that connects my fiber to the home directly. As the tranciever indicates, my ISP uses single strand Gigabit Ethernet to the edge.
-
Nice!
I tested some BiDi modules here and they worked without issue.
Steve
-
@stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
Nice!
I tested some BiDi modules here and they worked without issue.
Steve
Steve,
Do you know if the 1G BiDi will work with the XG-7100 1U? I've having some issues using the "generic" ones from FS.com. I've started another thread but haven't heard anything.
-
The one I have does:
[21.02.2-RELEASE][root@7100.stevew.lan]/root: ifconfig -vvvm ix1 ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: IX1 options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6> capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6> ether 00:08:a2:0e:a5:92 inet6 fe80::208:a2ff:fe0e:a592%ix1 prefixlen 64 scopeid 0x4 inet 172.21.16.243 netmask 0xffffff00 broadcast 172.21.16.255 media: Ethernet autoselect (Unknown <rxpause,txpause>) status: active supported media: media autoselect nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> plugged: SFP/SFP+/SFP28 1000BASE-LX (LC) vendor: OEM PN: SFP-GE-BX03-D SN: NV20200713025 DATE: 2020-07-14 module temperature: 27.94 C Voltage: 3.31 Volts RX: 0.20 mW (-6.79 dBm) TX: 0.12 mW (-8.97 dBm) SFF8472 DUMP (0xA0 0..127 range): 03 04 07 00 00 00 02 00 00 01 01 01 0D 00 03 1E 00 00 00 00 4F 45 4D 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 90 65 53 46 50 2D 47 45 2D 42 58 30 33 2D 44 20 20 20 41 20 20 20 06 0E 00 09 00 1A 00 00 4E 56 32 30 32 30 30 37 31 33 30 32 35 20 20 20 32 30 30 37 31 34 20 20 68 F0 01 0B FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FFThough I was quite surprised about that. It doesn't report a link speed so cannot be set to 1G fixed which is often required for use like this.
Steve
-
@stephenw10 Good to know it's possible! Have you been running this without any issue?
-
Not for any time. I just moved it from an SG-2100 to test. I saw no problems though and it also runs fine in the SG-2100, been running there for months.
Steve
-
@cabledude
You may be able to do the SG-3100 but only if you offload Suricata and/or nTopNG to a separate machine. Otherwise, go with the 5100 as suggested earlier.I speak from experience, as having tried it before. ;)
-
@msf2000 I too happen to be in the same boat. I have the SG-3100 and currently experiencing lock ups and random reboots. It just does not have the horse power needed to run these applications. I am now facing the hard choice that I am going to have to upgrade to the 5100. Don't make the same mistake that I did.
-
@msf2000 SG-3100 is not good for me. I just installed one for customer and was trying to get decent IPSec speeds between installed 3100 at 200Mbps fibre site and 500Mbps fibre remote site using SG-5100. I was only able to achieve around 80Mbps throughput. I had tried at home for a while where I use a home built pfSense. I try connecting SG-3100 to our work SG-5100 - both sites are 1Gbps fibre. With my home build setup I get around 700-800Mbps IPSec but with SG-3100 could not get any decent speed at all. Older SG-2220 is way better around 400Mbps IPSec but it is limited to around only 700Mbps LAN routing so I could never hit full 940Mbps in Speedtest. I wish Netgate would come out with inexpensive line of routers using the Intel CPU with good IPSec encryption instead of these ARM processors. Maybe SG-3100 work good connecting IPSec to another SG-3100 and maybe when I have time I can test a 700Mbps site to a this 200Mbps site both using SG-3100
-
The biggest trouble with the hardware offerings is that there is a world of difference between an Atom cpu and a Xeon. Atom can hardly keep up with moderate home use; and there is literally nothing in the lineup for full wire speed home without going up to a much more enterprise capable Xeon. The 5100 is really the lowest priced NICE machine in the lineup that can pretend to keep up with crypto.
I think something with Ryzen V2000 series embedded processors would be much more appropriate for long term use. Engineering team...please hear my prayers...
-
@brians said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
I was only able to achieve around 80Mbps throughput. I had tried at home for a while where I use a home built pfSense. I try connecting SG-3100 to our work SG-5100 - both sites are 1Gbps fibre. With my home build setup I get around 700-800Mbps IPSec but with SG-3100 could not get any decent speed at all.
The Hardware Crypto offload in the SG-3100 supports AES_CBC do you use this?
I guess you have set up the IPsec with AEC_GCM and then, the SG-3100 have it run in slow software mode. -
Yes I tried AES and SHA1 for encryption and did not get expected results.
Could be that the other end, SG-5100, is doing software crypto with these settings and is the bottleneck? I am thinking SG-3100 to SG-3100 may be a good test to do when I get the chance.
-
I don't think so. the Atom of the SG-5100 supports AES CBC to.
-
After upgrading a few SG-3100 to 20.05 it seems to have resolved my issues with VPN speed, and I get expected IPsec VPN performance now.
SG-5100 is still far better if can justify the price.
