Is the SG-2220 the device I need?



  • Hi,

    I'm a new member/future user from Belgium and am looking to start my adventure with pfSense.

    I currently have a Linksys E3000 and a Linksys WRT610N, both with DD-WRT and both with their own public IP.

    While DD-WRT has been great to me, speed over VPN is very slow and I have been planning to get something more powerful and future proof.
    I have my mind set on pfSense and would like to support the project so I'm looking at the SG-2220.

    I know there will be a learning curve and I am more than willing to invest the time needed to get it right.
    I will probably do so along the way.

    Since "along the way" means I need a device first I was hoping to get the starting info to select said device from some people that already have the knowledge :).

    My network consists of:

    • 2 entry level servers (Supermicro with Xeon E3)

    • 2 PCs

    • 1 laptop

    • 3 IP cams

    • some mobile devices on wifi

    • some small devices (Raspberry Pi, Arduino, ESP8266, …)

    • wifi (from external router like Asus RT-N66U or internal on SG-2220)

    so nothing really spectacular and quite small.
    All the cables are Cat6 connected to a Netgear ProSafe GS108 (Gigabit).
    Recently I added a TP-Link TL-SG2424 (Gigabit) to start experimenting with VLAN.

    I was wondering if the throughput of the SG-2220 will be Gigabit or only half since there is only 1 LAN port which, I think, would mean that packets have to arrive and leave over the same port. But then again I need to learn a lot.

    My main needs are:

    • Dynamic DNS (DNS-O-Matic)

    • VLAN: I would like to keep my IP cams on a separate LAN and be able to access them from my internal LAN and outside

    • VPN (I currently use OpenVPN)
      2 VPNs, 1 for internal LAN and 1 for IP cam (or something similar)

    • Static DHCP: so I know where to find my devices

    For the near future I was thinking about:

    • QoS: to give priority to VoIP like Skype, backups to CrashPlan Central and backups to my servers on LAN

    • logging: so I know the amount of traffic per device, domains connected, ..

    • firewall: protect my home network from danger

    • blocking certain sites at specific times

    • blocking protocols (torrents for example)

    • blocking certain sites and protocols for specific VLAN

    For further future I was thinking about:

    • 3G auto failover: so in case of no internet I still have internet through a SIM card

    • some other nice things that are available in the packages like Snort

    I think most of it will be basic and the SG-2220 will have no problem with it but I would really appreciate feedback (for those that read up to here :)).
    Will it be sufficient for full Gigabit speeds?
    Will it be future proof for multiple packages?

    Thanks in advance!
    grtz,
    W.



  • I read some more topics on this forum and I think a lot has become clear.

    If I understand correctly the SG-2220 will handle my main needs and my near future needs.
    It would also be ok for my further future needs but it seems packages like Snort can use quite some memory.
    It's not clear if this might be an issue with 10 devices..

    So at this point 2 questions remain:

    • will 2GB RAM suffice for a network with 10 (max 20) devices when using packages like Snort and Squid?

    • is the LAN throughput of the SG-2220 full Gigabit?



  • If I understand correctly the SG-2220 will handle my main needs and my near future needs.

    What are your main and future needs? The SG-2220 is ideal as a home usage firewall, and for sure
    then also with Snort on top, but with Squid it is a bit too much, if I see it right, perhaps.

    It would also be ok for my further future needs but it seems packages like Snort can use quite some memory.
    It's not clear if this might be an issue with 10 devices..

    Depending on the throughput it will perhaps be an issue, but not related to the Snort and Squid usage.
    Then you perhaps do not get quite full throughput, but all services are up and running.

    So at this point 2 questions remain:

    will 2GB RAM suffice for a network with 10 (max 20) devices when using packages like Snort and Squid?

    For Snort and firewall it would perhaps be running, but for max. 20 users and Squid on top
    I really don't know!

    is the LAN throughput of the SG-2220 full Gigabit?

    Only for you as a home firewall perhaps nearly 1 GBit/s but not really full 1 GBit/s.
    Here you can see for yourself which firewalls or SG-xxxx units are capable of 1 GBit/s throughput.
    pfSense Hardware



  • thanks a lot for your reply!

    @BlueKobold:

    What are your main and future needs? The SG-2220 is ideal as a home usage firewall, and for sure
    then also with Snort on top, but with Squid it is a bit too much, if I see it right, perhaps.

    I listed them in 3 groups in the first post, I think the one that will demand the most from the device are VPN and QoS.

    For Snort and firewall it would perhaps be running, but for max. 20 users and Squid on top
    I really don't know!

    I just read some more on Squid and I don't think we would benefit that much from it as we don't really visit the same sites.

    Here you can see for yourself which firewalls or SG-xxxx units are capable of 1 GBit/s throughput.
    pfSense Hardware

    Thanks, it seems it starts from SG-2440.

    I also read in one of your other posts that QuickAssist will be useful in the future and that it will be used for Snort.
    On the Intel site I read it can be used for cryptography and VPN.
    Since VPN is important to me and I'm looking at Snort for the future, this might be something to consider.

    Although the price will hurt my budget, the SG-2440 might be worth it because of:

    • 4GB RAM

    • QuickAssist

    • 4 LAN ports which would allow for 2 WAN ports (if needed)



  • I was wondering if the throughput of the SG-2220 will be Gigabit or only half since there is only 1 LAN port which, I think, would mean that packets have to arrive and leave over the same port. But then again I need to learn a lot.

    The SG-2220 unit comes with 2 Intel GB LAN Ports!

    I also read in one of your other posts that QuickAssist will be useful in the future and that it will be used for Snort.

    Enormous speed-ups for things such as DPI, IDS/IPS, encryption and compression were announced
    by Intel first and then taken back for some services and functions; as of today it will be speeding up
    en- and decryption & compression stuff.

    On the Intel site I read it can be used for cryptography and VPN.

    In former days there were two different adapters to speed up things such as we are talking about
    now: de- and compression cards (Comtech AHA) and crypto accelerators (Exar). But now this
    can easily be done by Intel QuickAssist Technology; please read this website here:
    Intel QuickAssist

    Normally, AES-NI based Intel CPUs speed up the crypto, and QuickAssist
    will be used for the compression capabilities. Smaller CPUs or SoCs often come with both
    techniques to speed things up, but larger and stronger CPUs often come with AES-NI,
    and then Intel QuickAssist adapters will be used in servers, as you will be able to read under
    the link above.  :-\

    Since VPN is important to me and I'm looking at Snort for the future, this might be something to consider.

    Once again, IDS/IPS & DPI are no longer on the QuickAssist road map, but crypto acceleration
    and de- & compression stuff will benefit from this technique.

    Although the price will hurt my budget, the SG-2440 might be worth it because of:

    For sure, since Internet connection speeds are growing and things such as Squid and
    Snort will become more common for home users too, it might be that the hardware gets more expensive.  :o

    You will also be able to fiddle it together on your own using Supermicro parts,
    but often this comes close to the price of the SG-xxxx units from the pfSense store!
    And the best of both worlds, Alix APU with three miniPCIe slots and the Intel
    C2x58 SoCs, you will also only be able to get from the pfSense store.  ::)

    **Supermicro A1SRi-2558F ~320 €
    AES-NI & QuickAssist
    M350 mini-ITX case + PicoPSU 150W ~120 €
    2 x 4 GB ECC RAM DDR3L ~60 €
    Intel SSD530 - 120 GB ~75 €
    In total = 575 € + ~ 30 € shipping
    = ~610 €

    But no miniPCIe slots for modem & SIM or WiFi cards or mSATA cards!!!
    And compared to the SG-4860 units with identical SoC but 2 more Intel
    GB LAN Ports for $699 and pfSense support on top and the latest
    pfSense OS pre-installed and tuned.**

    So it is not really cheaper as you could imagine perhaps.



  • You could also build a C2758 system in a mini enclosure with 16GB of RAM and an SSD for around $650 compared to the pfsense store's asking price of $1,400.

    Which is what I just did!



  • @BlueKobold:

    I was wondering if the throughput of the SG-2220 will be Gigabit or only half since there is only 1 LAN port which, I think, would mean that packets have to arrive and leave over the same port. But then again I need to learn a lot.

    The SG-2220 unit comes with 2 Intel GB LAN Ports!

    But 1 is used for WAN connection so only 1 is available for LAN and if I understand correctly this would mean that packages arriving to and departing from the router need to go over the same port thus causing a speed hit.?..

    In former days there were two different adapters to speed up things such as we are talking about
    now: de- and compression cards (Comtech AHA) and crypto accelerators (Exar). But now this
    can easily be done by Intel QuickAssist Technology; please read this website here:
    Intel QuickAssist

    Normally, AES-NI based Intel CPUs speed up the crypto, and QuickAssist
    will be used for the compression capabilities. Smaller CPUs or SoCs often come with both
    techniques to speed things up, but larger and stronger CPUs often come with AES-NI,
    and then Intel QuickAssist adapters will be used in servers, as you will be able to read under
    the link above.  :-\

    Thanks for the interesting info!

    Once again, IDS/IPS & DPI are no longer on the QuickAssist road map, but crypto acceleration
    and de- & compression stuff will benefit from this technique.

    Good to know.
    Crypto and compression will come in handy for my VPN so it's something for me to consider.

    Although the price will hurt my budget, the SG-2440 might be worth it because of:

    For sure, since Internet connection speeds are growing and things such as Squid and
    Snort will become more common for home users too, it might be that the hardware gets more expensive.  :o

    I'm leaning more and more towards the SG-2440..

    You will also be able to fiddle it together

    Thanks for the clear list of hardware but since pfSense is completely new to me, officially supported hardware is a plus for me :)

    But no miniPCIe slots for modem & SIM or WiFi cards or mSATA cards!!!
    And compared to the SG-4860 units with identical SoC but 2 more Intel
    GB LAN Ports for $699 and pfSense support on top and the latest
    pfSense OS pre-installed and tuned.

    I might expand with a SIM or wireless later on so again a plus.

    I think I will order the SG-2440 unless there is something I missed..

    codyst:
    thanks for your reply and suggestion!
    There are a few main things that drew my attention to the pfSense Store hardware:

    • official hardware, certainty that future updates will work as it is tested

    • low power usage

    • supporting the project

    and I think at this point I will stick to these options :)



  • But 1 is used for WAN connection so only 1 is available for LAN and if I understand correctly this would mean that packages arriving to and departing from the router need to go over the same port thus causing a speed hit.?..

    But you are free to buy a smaller or larger network switch that is capable of handling VLANs!
    Netgear GS105Ev2
    Netgear GS108Ev2
    Cisco SG200-10/20
    Cisco SG300-10/20
    D-Link DGS1510-20

    I'm leaning more and more towards the SG-2440..

    • 1 GBit/s capable
    • double LAN Ports
    • double RAM
    • 3 miniPCIe + SIM Slots

    official hardware, certainty that future updates will work as it is tested

    And for your ADI image you will get QuickAssist support at first of all pfSense versions as a small "thank you"
    from the pfSense team!

    low power usage

    For sure this would be here in Germany a big plus, because the price of electricity is gaining more than
    30% of the actual price we have now!

    supporting the project

    And getting one year of support via Email, and that is not only a marketing clou as many customers
    would imagine!!! Because if you mail your problem and one of the team is not really sure, it could be
    that then the whole team is working on your support ticket to serve you a solution much faster!
    This means something around 5 people are then helping you out.

    codyst:
    thanks for your reply and suggestion!
    There are a few main things that drew my attention to the pfSense Store hardware:

    But on one thing codyst is right! If you have no need of miniPCIe slots but urgently need
    a free PCIe slot for an extra card, you want to use SATA-DOM or SSD-DOM, or you need an IPMI port
    connected to your Aten RJ45 KVM switch, VGA is a must and/or more RAM must be installed
    like 32 GB or 64 GB, his solution is also really wicked.



  • @BlueKobold:

    But 1 is used for WAN connection so only 1 is available for LAN and if I understand correctly this would mean that packages arriving to and departing from the router need to go over the same port thus causing a speed hit.?..

    But you are free to buy a smaller or larger network switch that is capable of handling VLANs!

    I have a TP-Link TL-SG2424 for future purposes :)

    low power usage

    For sure this would be here in Germany a big plus, because the price of electricity is gaining more than
    30% of the actual price we have now!

    30% is a very steep increase!
    In Belgium they're planning on increasing taxes on electricity from 6% to 21% which is already a costly affair..

    Anyway, thanks a lot for your time and help!

    I ordered the SG-2440 last Sunday from the pfSense Store and it should arrive just before the weekend :)
    I guess I'll know what to do this weekend :)