SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed
-
I have had issues running Suricata and Snort on my SG-3100. Random reboots with no explanation. I brought it up to Netgate and they told me it could be an issue with the ARM processor. They recommended I go to the SG-5100.
-
Hi!
I am in a very similar situation. But I purchased the SG-2100.
I don't use Suricata or the other things you have posted about because I am really new to pfSense and I am starting to learn how it works and what I can do with it.
I have a UniFi ecosystem with two switches and two access points, and I actually run the controller on a Raspberry Pi.
I am writing here to ask you about the reason to migrate from the USG to pfSense. Is it because pfSense has more functionality and possibilities?
I think the USG could be a "very limited" firewall, but I am a bit attracted by the idea of having everything centralized in a single administration console. I renewed my whole network at the same time, but I bought the pfSense first.
Nowadays I am thinking of buying a Cloud Key Gen 2 from UniFi to manage the devices, because I need the Raspberry Pi on my IoT VLAN with Homebridge installed on it. So I was tempted to buy a UDM (UniFi Dream Machine) or maybe a Cloud Key + USG. So your opinion could be very useful for continuing with the SG-2100.
From my point of view there is no "real" need to move from the SG-2100 to a USG or UDM, just the "centralized" management perspective, and that I have a 12-month-old baby and less time than I would like to configure my network devices at home :)
I work as a CCIE and I am used to networking, so the only reason to move to "all UniFi" is to save some time while at home. On the other hand, I think I would lose a lot of functionality, and this is the reason you are going with Netgate, am I right?
The thing I love about the SG-2100 is that it has an SFP connector, which is not present on the SG-3100. With this SFP, if your provider gives you a fiber-based GPON connection, you can connect the fiber straight to the device. In any case I am using an external ONT and connect the WAN port using RJ-45. But in case this is interesting to you, it is something I took into account when I decided to buy this device.
Thanks!!
ISO
-
@Cabledude said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
Okay, thanks a lot for taking the time to reply and for your recommendations. Looking at the unit prices I think I should lower my requirements a bit. As I didn't know what to expect, all items listed are at the max I think they could ever be. Spending 300 extra for the 5100 over the 3100 may not be justified.
So first: "up to 50 clients" is more than I probably need. When counting all phones, iPads, Apple TVs, Synology, and Macs I come to 20, so 25 total would be a better estimate. The children will be at school most of the day anyway.
Then 500 Mbit/s is more like a worst-case scenario; we've had 60 down / 10 up until last month and that proved mostly adequate. So let's assume 200/200 will be what the Netgate should be able to handle.
The s2s VPN will be to our parents' home, to be able to back up our data on a local NAS I'm going to move to their home. They have a very low ISP plan, probably no more than 50/10.
Suricata I will want to run.
ntopng is more a way to identify which data is sent from which devices, so I can check whether or not my IoT crap is phoning home, and to keep an eye on system resources. I haven't even played with ntopng yet and really didn't know it could be such a resource eater.
So based on this, could I get by comfortably with the SG-3100?
Thanks!!
Pete
If the settings and needs you have are limited to your explanation here, I believe an SG-3100 will suffice :-) I have no experience with Suricata being unstable on ARM-based devices.
-
@iso667 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
Hi!
I am in a very similar situation. But I purchased the SG-2100.
I don't use Suricata or the other things you have posted about because I am really new to pfSense and I am starting to learn how it works and what I can do with it.
I have a UniFi ecosystem with two switches and two access points, and I actually run the controller on a Raspberry Pi.
I am writing here to ask you about the reason to migrate from the USG to pfSense. Is it because pfSense has more functionality and possibilities?
I think the USG could be a "very limited" firewall, but I am a bit attracted by the idea of having everything centralized in a single administration console. I renewed my whole network at the same time, but I bought the pfSense first.
Nowadays I am thinking of buying a Cloud Key Gen 2 from UniFi to manage the devices, because I need the Raspberry Pi on my IoT VLAN with Homebridge installed on it. So I was tempted to buy a UDM (UniFi Dream Machine) or maybe a Cloud Key + USG. So your opinion could be very useful for continuing with the SG-2100.
From my point of view there is no "real" need to move from the SG-2100 to a USG or UDM, just the "centralized" management perspective, and that I have a 12-month-old baby and less time than I would like to configure my network devices at home :)
I work as a CCIE and I am used to networking, so the only reason to move to "all UniFi" is to save some time while at home. On the other hand, I think I would lose a lot of functionality, and this is the reason you are going with Netgate, am I right?
The thing I love about the SG-2100 is that it has an SFP connector, which is not present on the SG-3100. With this SFP, if your provider gives you a fiber-based GPON connection, you can connect the fiber straight to the device. In any case I am using an external ONT and connect the WAN port using RJ-45. But in case this is interesting to you, it is something I took into account when I decided to buy this device.
Thanks!!
ISO
The SG-2100 does not have a lot of CPU horsepower, so forget using it for deeper traffic inspection. It's a great little device and very user-friendly; it will also do lots of interesting things a little USG cannot (pfBlockerNG and so on). But it cannot offer what the USG can in terms of unified management, so that's a good reason to stay with UniFi in your case.
Also: the SFP port is a Gbit Ethernet port, so unless your provider runs Ethernet over GPON your idea will not work. I have no idea if you can even get a GPON transceiver that terminates Ethernet over GPON and works with Netgate devices.
-
ISPs providing exactly that do exist, but I don't think we have ever tested one with an SG-2100.
I'd love to hear about it if anyone has.
Steve
-
I read this "extensive" post about getting this to work here in Spain. Finally a company called Carlitoxx-Pro started shipping a GPON to Gigabit Ethernet device. There is also a ZISA one that is sold online from China:
https://forum.mikrotik.com/viewtopic.php?t=116364
It is from the Mikrotik forum, but all the electronics are inside the device, so I think it should work as long as the SG-2100 provides power to the GPON module.
I've seen that UniFi also sells a GPON to Gigabit adapter, but I don't know if this one would work on an SG-2100:
https://dl.ubnt.com/ds/uf_gpon
If you look at the data sheet, it is a GPON module for the ONT side, not for the OLT. But I don't know if this SFP would work against "non-UniFi" OLTs.
But yes, I think it is "doable" :) For the moment I am using a UF Loco ONT and connect my SG-2100 straight with an RJ-45 cable, but maybe in the future I'll try one of those.
BR!
ISO
-
@stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
ISPs providing exactly that do exist, but I don't think we have ever tested one with an SG-2100.
I'd love to hear about it if anyone has.
Steve
I'm running an SG-2100 with a 1000BASE-BX20 SFP in the SFP slot that connects my fiber-to-the-home directly. As the transceiver indicates, my ISP uses single-strand Gigabit Ethernet to the edge.
-
Nice!
I tested some BiDi modules here and they worked without issue.
Steve
-
@stephenw10 said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
Nice!
I tested some BiDi modules here and they worked without issue.
Steve
Steve,
Do you know if the 1G BiDi will work with the XG-7100 1U? I've been having some issues using the "generic" ones from FS.com. I've started another thread but haven't heard anything.
-
The one I have does:
[21.02.2-RELEASE][root@7100.stevew.lan]/root: ifconfig -vvvm ix1
ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: IX1
        options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:08:a2:0e:a5:92
        inet6 fe80::208:a2ff:fe0e:a592%ix1 prefixlen 64 scopeid 0x4
        inet 172.21.16.243 netmask 0xffffff00 broadcast 172.21.16.255
        media: Ethernet autoselect (Unknown <rxpause,txpause>)
        status: active
        supported media:
                media autoselect
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        plugged: SFP/SFP+/SFP28 1000BASE-LX (LC)
        vendor: OEM PN: SFP-GE-BX03-D SN: NV20200713025 DATE: 2020-07-14
        module temperature: 27.94 C Voltage: 3.31 Volts
        RX: 0.20 mW (-6.79 dBm) TX: 0.12 mW (-8.97 dBm)
        SFF8472 DUMP (0xA0 0..127 range):
        03 04 07 00 00 00 02 00 00 01 01 01 0D 00 03 1E
        00 00 00 00 4F 45 4D 20 20 20 20 20 20 20 20 20
        20 20 20 20 00 00 90 65 53 46 50 2D 47 45 2D 42
        58 30 33 2D 44 20 20 20 41 20 20 20 06 0E 00 09
        00 1A 00 00 4E 56 32 30 32 30 30 37 31 33 30 32
        35 20 20 20 32 30 30 37 31 34 20 20 68 F0 01 0B
        FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Though I was quite surprised by that. It doesn't report a link speed, so it cannot be set to 1G fixed, which is often required for a use like this.
Steve
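As an added example (not code from Steve's post, from pfSense or from FreeBSD), here is a small Python decoder for the SFF-8472 A0h page that ifconfig dumped above. It verifies both EEPROM checksums (CC_BASE over bytes 0-62, CC_EXT over bytes 64-94) before trusting any field, then pulls out the identity and compliance fields, so you can see where the "1000BASE-LX" label, the "OEM" vendor, the part number, serial, date and 1550 nm wavelength in the ifconfig output come from. The hex bytes are the dump from the post, embedded as sample input; the field offsets are the ones defined by SFF-8472, and the lookup tables only cover the values that appear in this dump.

```python
"""Decode the SFF-8472 A0h (base ID) page of an SFP module.

Added example: the offsets follow the SFF-8472 base ID layout; the 128-byte
hex dump below is the one ifconfig -vvvm printed for the BiDi SFP above.
"""
import struct

# Sample input: the A0h dump copied from the ifconfig output in the post
# (embedded here so the example runs offline, not read from hardware).
A0_DUMP_HEX = """
03 04 07 00 00 00 02 00 00 01 01 01 0D 00 03 1E
00 00 00 00 4F 45 4D 20 20 20 20 20 20 20 20 20
20 20 20 20 00 00 90 65 53 46 50 2D 47 45 2D 42
58 30 33 2D 44 20 20 20 41 20 20 20 06 0E 00 09
00 1A 00 00 4E 56 32 30 32 30 30 37 31 33 30 32
35 20 20 20 32 30 30 37 31 34 20 20 68 F0 01 0B
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""

# Only the codes present in this dump; extend from the SFF-8024 tables as needed.
IDENTIFIERS = {0x03: "SFP/SFP+/SFP28"}
CONNECTORS = {0x07: "LC"}
# Byte 6 bits: Gigabit Ethernet compliance codes.
GE_COMPLIANCE = ((0, "1000BASE-SX"), (1, "1000BASE-LX"),
                 (2, "1000BASE-CX"), (3, "1000BASE-T"))


def parse_hex_dump(text: str) -> bytes:
    """Turn the whitespace-separated hex tokens of the dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def checksum(data: bytes) -> int:
    """SFF-8472 CC_BASE / CC_EXT: low 8 bits of the unsigned byte sum."""
    return sum(data) & 0xFF


def ascii_field(page: bytes, start: int, length: int) -> str:
    """Space-padded ASCII field; replace anything non-ASCII rather than raise."""
    return page[start:start + length].decode("ascii", errors="replace").strip()


def decode_a0(page: bytes) -> dict:
    """Validate the checksums, then decode the identity fields of the A0h page."""
    if len(page) < 96:
        raise ValueError("need at least 96 bytes of the A0h page")
    # Never trust vendor strings from an EEPROM whose checksums do not verify:
    # the contents are vendor-programmable and easily corrupted or cloned.
    if checksum(page[0:63]) != page[63]:
        raise ValueError("CC_BASE mismatch (bytes 0-62 vs byte 63)")
    if checksum(page[64:95]) != page[95]:
        raise ValueError("CC_EXT mismatch (bytes 64-94 vs byte 95)")
    compliance = [name for bit, name in GE_COMPLIANCE if page[6] & (1 << bit)]
    return {
        "identifier": IDENTIFIERS.get(page[0], f"0x{page[0]:02x}"),
        "connector": CONNECTORS.get(page[2], f"0x{page[2]:02x}"),
        "compliance": compliance,
        "bitrate_mbps": page[12] * 100,        # byte 12, units of 100 Mb/s
        "smf_km": page[14],                     # byte 14, single-mode reach in km
        "wavelength_nm": struct.unpack(">H", page[60:62])[0],
        "vendor": ascii_field(page, 20, 16),
        "vendor_oui": page[37:40].hex(),
        "part_number": ascii_field(page, 40, 16),
        "revision": ascii_field(page, 56, 4),
        "serial": ascii_field(page, 68, 16),
        "date_code": ascii_field(page, 84, 8),  # YYMMDD plus optional lot
        "ddm": bool(page[92] & 0x40),           # byte 92 bit 6: DDM implemented
    }


def decode_dump(text: str = A0_DUMP_HEX) -> dict:
    """Convenience wrapper: hex text in, decoded fields out."""
    return decode_a0(parse_hex_dump(text))


if __name__ == "__main__":
    for key, value in decode_dump().items():
        print(f"{key:14} {value}")
```

The decoded fields match what ifconfig printed: byte 6 is 0x02, which is the 1000BASE-LX bit, so that is the only compliance code the module advertises; the 1550 nm wavelength in bytes 60-61 is the downstream ("-D") side of the BiDi pair, and the date code "200714" is what ifconfig rendered as 2020-07-14. If either checksum fails the decoder refuses to report anything, which is the behaviour you want before letting a vendor string drive any compatibility or lock-in decision.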
-
@stephenw10 Good to know it's possible! Have you been running this without any issue?
-
Not for any length of time. I just moved it from an SG-2100 to test. I saw no problems though, and it also runs fine in the SG-2100; it's been running there for months.
Steve
-
@cabledude
You may be able to do the SG-3100, but only if you offload Suricata and/or ntopng to a separate machine. Otherwise, go with the 5100 as suggested earlier. I speak from experience, having tried it before. ;)
-
@msf2000 I too happen to be in the same boat. I have the SG-3100 and am currently experiencing lock-ups and random reboots. It just does not have the horsepower needed to run these applications. I am now facing the hard choice that I am going to have to upgrade to the 5100. Don't make the same mistake that I did.
-
@msf2000 The SG-3100 is not good for me. I just installed one for a customer and was trying to get decent IPsec speeds between the installed 3100 at a 200Mbps fibre site and a 500Mbps fibre remote site using an SG-5100. I was only able to achieve around 80Mbps throughput. I had tried it at home for a while, where I use a home-built pfSense. I tried connecting the SG-3100 to our work SG-5100; both sites are 1Gbps fibre. With my home-built setup I get around 700-800Mbps IPsec, but with the SG-3100 I could not get any decent speed at all. The older SG-2220 is way better, around 400Mbps IPsec, but it is limited to only around 700Mbps LAN routing, so I could never hit the full 940Mbps in Speedtest. I wish Netgate would come out with an inexpensive line of routers using Intel CPUs with good IPsec encryption instead of these ARM processors. Maybe the SG-3100 works well connecting IPsec to another SG-3100; maybe when I have time I can test a 700Mbps site to this 200Mbps site, both using SG-3100s.
-
The biggest trouble with the hardware offerings is that there is a world of difference between an Atom CPU and a Xeon. Atom can hardly keep up with moderate home use, and there is literally nothing in the lineup for full wire speed at home without going up to a much more enterprise-capable Xeon. The 5100 is really the lowest-priced NICE machine in the lineup that can pretend to keep up with crypto.
I think something with Ryzen V2000 series embedded processors would be much more appropriate for long-term use. Engineering team... please hear my prayers...
-
@brians said in SG-2100 vs SG-3100 vs SG-5100... ? Purchase advice needed:
I was only able to achieve around 80Mbps throughput. I had tried it at home for a while, where I use a home-built pfSense. I tried connecting the SG-3100 to our work SG-5100; both sites are 1Gbps fibre. With my home-built setup I get around 700-800Mbps IPsec, but with the SG-3100 I could not get any decent speed at all.
The hardware crypto offload in the SG-3100 supports AES-CBC. Do you use this?
I guess you have set up the IPsec with AES-GCM, and then the SG-3100 has to run it in slow software mode.
-
Yes, I tried AES and SHA1 for encryption and did not get the expected results.
Could it be that the other end, the SG-5100, is doing software crypto with these settings and is the bottleneck? I am thinking SG-3100 to SG-3100 may be a good test to do when I get the chance.
-
I don't think so. The Atom in the SG-5100 supports AES-CBC too.
-
After upgrading a few SG-3100s to 20.05 it seems to have resolved my issues with VPN speed, and I get the expected IPsec VPN performance now.
The SG-5100 is still far better if you can justify the price.