Netgate 4100 SFP modules compatibility

nicpic19

Hi everyone

I'm having a hard time finding a definitive answer on what type of SFP module I can add to my Netgate 4100. I would like to add a 2.5GBASE-T Copper SFP module but I'm unable to find an official answer on Netgate's website. I read on the forum that it only support Fiber SFP modules, is it correct ? That would be a real disappointment.

I'm aiming for this model :

https://www.fs.com/products/139650.html

I know can still configure a LAN port as WAN but I would prefer to use a dedicated WAN port with the SFP module.

Any help/advise appreciated !

rcoleman-netgate

@nicpic19 There is no definitive list. Because they're Intel SoC NICs your best option is an Intel SFP.

ACTIVE DACs are supported, but not PASSIVE.

The C3000 CPU does not support RJ45 SFPs officially so support there could change on a board firmware update. We recommend avoiding them.

The C3000 only supports fixed speeds -- IIRC 1Gbps only, not 2.5 or 5 or 10, on those ports.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4100/io-ports.html

Note

The igc(4) and ix(4) network interfaces on this device do not support fixed speed operation. 
These interfaces emulate a speed/duplex choice by limiting the values offered during 
auto-negotiation to the speed/duplex value selected in the GUI.

The other devices connected to these interfaces must be set to auto-negotiate,
not to a specific speed or duplex value.

nicpic19

@rcoleman-netgate Thank you for your quick answer Ryan despite it is not what I wanted to hear lol

I will see if I can find find one at work and just give a try, otherwise I guess I'm stuck using a LAN port and reassigning it as WAN. My modem/box device on the other end doesn't have SFP port available (it is already used for the fiber module to the ISP), only one 2.5 Gb RJ45 and two 1 Gb RJ45.

rcoleman-netgate

@nicpic19 said in Netgate 4100 SFP modules compatibility:

otherwise I guess I'm stuck using a LAN port and reassigning it as WAN

These are parts in NAME only on the device -- they are not switched ports but 4 discrete 2.5GbE ports.

RobbieTT

@rcoleman-netgate said in Netgate 4100 SFP modules compatibility:

@nicpic19 There is no definitive list. Because they're Intel SoC NICs your best option is an Intel SFP.

ACTIVE DACs are supported, but not PASSIVE.

Hi Ryan,

You have stated this previously but it has not been explained or clarified, so we remain confused by it.

Intel states that both active and passive DACs are supported, they list examples of both, the standards that define both and include a statement that 3rd-party SFPs that meet these standards (both passive and active) can also be used.

The original manufacturer of the 4100/6100/8200 devices approves the use of passive DACs and Netgate both recommends and sells passive DACs for the 4100/6100/8200 family. Following the same theme, the Netgate user manuals for these products also specify the use of passive DACs.

Where are you sourcing the new contradicting information from, does Netgate publish it anywhere, does Netgate intend to revise its paper documentation, the online documentation and issue a warning to all customers?

Apologies for chasing you on more than 1 thread but we urgently need this point to be clarified so we can understand which statements are in error and understand the 'get-well' path proposed by Netgate, which may include product recalls or potential refunds.

Regards, Rob

️

rcoleman-netgate

@RobbieTT said in Netgate 4100 SFP modules compatibility:

You have stated this previously but it has not been explained or clarified, so we remain confused by it.

Intel states that both active and passive DACs are supported, they list examples of both, the standards that define both and include a statement that 3rd-party SFPs that meet these standards (both passive and active) can also be used.

We have seen users with certain model hardware and firewalls actively lose their repo access due to a changed NDI because a DAC reset their interface' sMAC address.

There is now a redmine for it -- although I am not sure if it is a public or internal one. @stephenw10 opened it last night.

RobbieTT

@rcoleman-netgate

Ok, sounds like a very odd issue to chase-down. No visible public Redmine for it, so must be secret.

️

stephenw10

Actually I'm still trying to replicate locally before opening it. I haven't found it easy to replicate at all but some users hit it on every boot. I think it must be a specific combination of things I haven't tried yet.

When you do hit it though it's pretty obvious because the MAC is reported as all zeros.

But notably it appears to only happen with passive DAC cables.

Steve

RobbieTT

@stephenw10

When the error strikes is the MAC address change reversible?

️

stephenw10

Only be rebooting with the DAC detached as far as I know. Which is... not convenient!

Of course as well as changing the NDI it also stops passing traffic on that link.

RobbieTT

@stephenw10

That is really odd for an otherwise transparent connection and not something I have heard of before in the (too many) years working with SFP links. Other than the programmed id for the DAC there is very little going on with an SFP port-to-port link over twinax.

It sounds unlikely to be a pfSense issue; perhaps upstream or at the Intel driver level?

A hardware issue would be a surprise but are the reports confined to Silicom routers alone?

Rob

stephenw10

Indeed it feels more like a driver or hardware issue. I've seen it on other hardware.
It does at least seem consistent. If you reboot and it comes back up fine it should always do so. And it's not that easy to hit. None of the passive DAC cables I have here hit it on anything I've tested with.

nicpic19

Thank you guys for deeply looking into this, it is very appreciated. I would just like to refocus on my initial request which was to use a SFP module with a RJ45 connector and a basic network cable so no DAC involved here :) I'm using those on an UniFi switch (SFP+ 10 Gb) and it works well, I just want to do the same on my firewall with a 2.5 Gb SFP module.

stephenw10

Technically we cannot support any SFP RJ-45 modules because Intel states specifically they are not supported with the C3K SoCs.

That said we have seen people using them and there are reports here on the forum or working modules. We have also seen modules that fail though, the issue is real!

It could only work at 1G though on the 4100. The SFP ports there are on the combo ports and can only link at 1G.

Steve

nicpic19

@stephenw10 Thanks a lot Stephen, not the answer I wanted to hear but I will deal with it :). Just to confirm, I will be able to use one of the integrated 2.5 Gb ports and reassign it the WAN interface, correct ?

stephenw10

Yes, you can use the 2.5G ports as anything you want, including a WAN.

nicpic19

That would do the trick then. I may not sleep well at night because I'm a kind of OCD guy and I'm not sure I will be able to deal with a WAN interface plugged in a LAN labelled port but I should survive to it.

I won't be able to test until the end of September so threat can be closed. Thanks again for the definitive answer ;)

RobbieTT

There are some newer Broadcom-based SFP RJ45 adapters on the market that run at a lower wattage. When you have an SFP cage that is wired direct to the Atom CPU they make a lot of sense.

For those using SFP+ RJ45 the newer Broadcom units not only use less power in like-for-like conditions they also offer support for longer cable lengths at 10 GbE.

️

stephenw10

You have a link to a part? The Mikrotik part uses that?

RobbieTT

@stephenw10

Not to hand but anything with the Broadcom BCM84891. The 10Gtek 80-meter come to mind but there are others.

Edit: There is one with me here - Ipolex ‎10G-SFP-T-80, apparently. Clearly I didn't just pull it out and push it back in...

️