SG-2100 WAN speed problem
-
New user here, about a week and a half old. I have a 1gig connection from my internet provider. Without having the sg2100 connected I get speeds from 800mb to 1gig. If I install the sg2100 to the cable modem (arris cm8200), I only get speeds from 140mb to 150mb ever since the sg2100 came out of the box. New sg2100 purchased from Netgate. What do I have to configure in the sg2100 WAN to get any speed in pfsense.
-
@alleykat Well you’re not going to get 800Mbps to 1gig through that box. The “880mbps” marketing sticker on it is an impossible usecase in real life. So expect about 600Mbps to be the limit of what it can do with only firewalling enabled (no packages that does any kind of trafic inspection/gathering)
But 140-150mbps is way way to little for the SG-2100 so something is off. My first guess would be that you have installed a package that does traffic inspection (IPS) like suricata or Snort. The SG-2100 is not in any way form or shape equiped to handle that CPU load, and throughput will hit the deck.
If no packages are installed things get a little more strange - perhaps a slightly dud RJ45 cable between your modem and the SG-2100? Some units are much more sensitive to “bad” cables than others.
If by chance you have a normal switch in your house - try and install that between the modem and SG-2100 - just so we can verify/rule out that it is a link negotiation issue between your units.
-
@keyser That's concerning about the sg2100 not being capable for home use, maybe 4 pc's and a wireless access point, That's why I didn't buy the sg1100...
The only package that I installed in Package Manager is Acme, to play with certs. I was think about adding Haproxy. The services loaded right now are dhcpd, dpinger, ntpd, syslogd and unbound.
All RJ45 cables upgraded this morning to cat6, brand new. Side note, I did have the internet provider out this morning to check everything from the tap in the easement to the cable modem, he says everything is good.
Have a Cisco 5 port laying around, tried it. modem to switch, switch to wan on the sg2100, same issue.
-
The 2100 has a similar CPU to the 1100 but has a separate WAN port (the 1100 has a 2 port switch configured with VLANs to separate the traffic).
Is the Arris bridging, passthrough, or NAT to the 2100?
I'd be tempted to reset to factory defaults just to rule out any configuration issue? (diagnostics->factory default)
You could also open a ticket with Netgate support to take a look.
-
@teamits At this point, learning what I know now, should have bought the sg3100?
The Arris has a status page at 192.168.100.1, not much to see there. Doesn't show anything about bridging, passthrough, or NAT.
I may have to get Netgate involved, but I'm am going to reset factory defaults first, oh yea, backup the config, lol.
-
Yes back up, sorry.
I have a 2100 at home that is running Snort and it's quite obviously limited by the 50-55 Mbps ISP download speed. Given they say at https://www.netgate.com/products/appliances/ that for IMIX "Firewall: 314 Mbps (10k ACLs)" I should think a plain config with less rules should be faster, or at least not slower.
Did you look at https://docs.netgate.com/pfsense/en/latest/troubleshooting/low-throughput.html ? Duplex, MTU, you're not testing over Wi-Fi, etc.
-
@alleykat I have a SG-2100 as well, and it is a sweet thing. I didn’t say it wasn’t a capable and very effective little box, I just said it wouldn’t do 800Mbps - 1Gig of real throughput which it seemed like you were expecting.
I have a 500Mbps Internet connection at home, and I can get 530Mbps with no issues from it. But I did try it against a 1Gig connection and it tapped out @ about 620mbps (Single session).
It will easily handle your 4 PC’s and what not - you could add 40 PC’s and it would still work perfectly. It’s just that you cannot use all of your 1Gig connection, and you cannot install advanced packet inspection packages and still expect decent performance.
-
@keyser @teamits Thanks guys for your input!
I got to the bottom of speed results at my speed test "client" machine using this link:
https://www.addictivetips.com/windows-tips/fix-slow-internet-windows-10/
Now I'm reporting 614mb down on the 1gb service. I had also run speedtest from the "command prompt" in pfsense. It also showed the 150mb speed. I now know from other threads this is not the correct way. I have a better understanding of speedtests, lol.
The downside to this was about a week and a half ago I upgraded my ISP service from 300mb to the 1gb package. At this point, I probably should have stayed with the 300mb? -
Ah, interesting. I seem to recall a few posts here over the years saying not to run speed tests on pfSense itself.
At least 614 is twice 300. I get 50 from AT&T.
It'd be interesting to know how fast people do get with Snort/Suricata on it? Just for reference for selling to our clients. We have sold several 3100s before the 2100 came out but have only my 2100 in service so far as it's only been out a few months.
-
@alleykat said in SG-2100 WAN speed problem:
I had also run speedtest from the "command prompt" in pfsense. It also showed the 150mb speed.
Running the speedtest CLI client from pfSense itself will often show a reduced throughput. Especially in this sort of situation where then line speed to greater than the firewall throughput. The client itself uses significant CPU cycles and pfSense is not optimised as a TCP endpoint.
It's a useful tool for checking relative speed or, for example, knowing you don't have a 100M connection in your link. It also tests only the WAN so you would see if you had a bad LAN port for example.Steve
-
@alleykat Cool. 614mbps is what you can expect to be peak throughput on the SG-2100. Now whether you think that is fine or not - because you have a GigE service - is up to you. Personally I wouldn't bother getting a bigger box unless you need packet inspection as well. 620mbps in homeuse is more than ample throughput for all but THE most hardcore downloader that spends hours and hours doing massive downloads every day (Good luck finding services that will actually deliver that bandwidth sustained).
-
@keyser So let me ask you, do you think these sg boxes are capable of supporting two pc's streamimg video and one pc playing graphic intensive video games at the same time?
-
@alleykat I can guarantee you that the SG-2100 can do that. You can do that simultaniously from 20 PC’s and it would still run completely smooth.
I do it at home with at least 10 clients at times (my kids and their friends along with my Wife and I). No issues at all - not even close to exaustion.
-
@keyser That's awesome, I was hoping you were going to say that. Thanks again for your help!
-
@stephenw10 Ok, thanks for the reply. I think I have a better understanding of that going forward.
-
Well off to the HAproxy threads, I have a TrueNAS box running the Nextcloud plugin I need to protect...
-
@alleykat Hey, don't forget... once you get it setup and working, and BEFORE jumping into a new area of pfsense, make a backup of the config. That way, if you mess up something along the way, you can quickly revert to a working backup copy.
Diagnostics -> Backup & Restore
If this is on your home network, you don't want to "accidentally" knock the family off the internet for too long! LOL
Jeff
-
@akuma1x Yes, got it. My system is strictly home computer hobbyist. I'm in the process of dumping Microsoft, Google and all "cloud services" and keeping that data here local. Just installed Linux Mint on another pc to help with the transition, TrueNAS is god sent for me.
-
@alleykat HAproxy runs excellently on the SG-2100 - I use that too ;-)
-
I had a 400/40 Mbit cable connection and an SG-1100.
I managed over 400 Mbit with this small device.
Now I have received 1000/50 cables and handed the SG-1100 over to my parents.Now I'm the last one in the segment and have 600-800MBit Down.
This is not the limit of the SG-3100, but the limit of my wired connection.When I turn off the limiter, the speed increases, but ping (about 100ms) and packet loss (10%) occur. And that's not worth that little bit more speed to me.
So I get an A to A + rating, with no Limiter C or worse.If you don't want your firewall to limit, you have to have the SG-3100 for GBit. But that doesn't mean that it comes out clean.
