Netgate hardware selection

deceptivehorse

Hi,

I'm considering several options for my first pfsense appliance and would greatly appreciate any help you can provide.
I am looking for decent VPN speeds for my home and my ISP provides around 1GB/s download speed and 800MB/s upload speed (nb : these are the specs advertised by the ISP so the real output might be quite lower).

I'm currently looking with a budget around 300$. What I found so far is :

• The official Netgate 2100 ($349)
• Used Netgate SG-5100 ($180)
• Used Netgate 4100 ($300)

I know the 5100 is now EOL, but for this price and knowing it still receives updates I wonder if it would be a good first appliance.
The 2100 feels safe as it is sold new by netgate, but I would feel I'm kind of missing a deal buying new and expensive for the most modest one.
I'm currently leaning towards the used Netgate 4100 as it is not yet in EOL, seems very powerful and I found a very reasonable deal for it.

I guess my main question is : is it a good bet to buy older hardware if it was much higher grade when it came out than current equivalents in price? In other words : is the 2100 as expensive as a used 4100 because it is as good due to improvements in technology, or only because it is newer and brand-new?

Thank you in advance for your help.

edit : typo

azdeltawye

@deceptivehorse Make sure the 4100 is a MAX version or
the eMMC storage has been disabled and replaced with an appropriate size NVMe. Same for the 5100.

There are numerous threads and warnings about the premature failure of eMMC storage in Netgate appliances.

patient0

@azdeltawye the SG-5100 also has (8GB) of onboard eMMC, potentially the same issue as the 4100 non-MAX. An M.2 SATA can be installed (SG-5100: M.2 SATA Installation)

@deceptivehorse how are you connected to the ISP? RJ45, SFP, SFP+? The 4100 does have two SFP ports, while the 5100 only got RJ45s.
And what VPN performance do you expect (and OpenVPN or Wireguard)? To get a idea what the real throughput will be, look at the IMIX (SG-4100 IMIX Traffic: 312 Mbps) and iperf3 (IPERF3 Traffic: 960 Mbps) numbers for that models. The real number is going to be somewhere between these two and probably closer to IMIX.

I would skip over the 2100 if you get an 900/800 connection, it's not powerful enough.

CPUs wise, the C3558 got better benchmarks than the C3338R in the 4100.

5100 review from Lawrence Systems: https://www.youtube.com/watch?v=lYRVgq81pUw

4100 review from Lawrence Systems:
https://www.youtube.com/watch?v=fbaBtOLv9OY

SteveITS

@deceptivehorse The 2100 will max out around 650 Mbps, without VPN.

tgl

FWIW, I'm using a 4200, and it easily handles full speed on my 1Gbps-ish Verizon FiOS connection. New, those are a bit over your budget, but maybe a used one would suit.

deceptivehorse

@azdeltawye said in Netgate hardware selection:

@deceptivehorse Make sure the 4100 is a MAX version or
the eMMC storage has been disabled and replaced with an appropriate size NVMe. Same for the 5100.

There are numerous threads and warnings about the premature failure of eMMC storage in Netgate appliances.

The 4100 I've found has been upgraded with NVMe storage. I didn't really understand why until I read your reply, thanks!

@patient0 said in Netgate hardware selection:

And what VPN performance do you expect (and OpenVPN or Wireguard)?

My ISP modem only supports outgoing RJ45. SFP is a nice add, but I don't think I'll find the use for it in the foreseeable future.

To get a idea what the real throughput will be, look at the IMIX (SG-4100 IMIX Traffic: 312 Mbps) and iperf3 (IPERF3 Traffic: 960 Mbps) numbers for that models. The real number is going to be somewhere between these two and probably closer to IMIX.

Thanks for the advice, my VPN provider offers both protocols so still TBD, but I think I'll go with WireGuard as I heard it offers faster data transfer with less CPU overhead.

CPUs wise, the C3558 got better benchmarks than the C3338R in the 4100.

Could you provide the website you got this from? Tried PassMark Software as Lawrence Systems uses it in the 5100 review but can't find information on the C3338R there.

@SteveITS said in Netgate hardware selection:

@deceptivehorse The 2100 will max out around 650 Mbps, without VPN.

Thanks, from this information and @patient0 advice I think the 2100 is a bit light for my use case. I'm not the only one using my internet connection and don't need to introduce bottleneck to other people.

@tgl said in Netgate hardware selection:

FWIW, I'm using a 4200, and it easily handles full speed on my 1Gbps-ish Verizon FiOS connection. New, those are a bit over your budget, but maybe a used one would suit.

I think a 4200 would be perfect for me, but new ones are indeed a bit expensive atm. I'll stay on the look for used ones.

After reading your advice, the 5100 looks fine but I think I think the 4100 would be a really sweet spot between performance, budget and longevity.

patient0

@deceptivehorse said in Netgate hardware selection:

Could you provide the website you got this from? Tried PassMark Software as Lawrence Systems uses it in the 5100 review but can't find information on the C3338R there.

You are right, I did use two sources: For one Passmark for C3338 vs C3558 (Factor 1:2.4) and a ServeTheHome comparison for the Intel Atom C3338R V C3338 Performance (Factor 1:1.2).