SG-2220 or SG-2440



  • I’ve been running pfSense for about two years now and I have loved it. Went from a dual core Atom to a Rangeley C2558 build. I’m now looking at using my Rangeley unit to replace a super old ESXi machine that is very power inefficient. This leaves me with having to replace my pfSense box with something else.

    I have been looking at either the SG-2220 or SG-2440. I have vlan aware switches and know that I can get away with just the one LAN port but when I did this before I had to try and figure out how to run native IPv6 on the vlan interfaces; track interface was not working to get them an IP. This I can figure out.

    What I really do not know is if the SG-2220 has the horsepower for my setup. I want a box that can handle 1Gbps so that I have some headroom if my WAN gets upgraded. I also have it set up with one, possibly two, OpenVPN clients; one for P2P/UseNet, and one for all other traffic. I also would like to be able to use it as an OpenVPN server for when I want to connect to my network remotely.

    I know that 1Gbps is unreasonable throughput over OpenVPN but I would like to know that it could hit those numbers with unencrypted traffic.

    As for other services I really don’t run a whole lot at the moment. May implement SNORT, Squid, and e2guardian. However I am waiting until 2.3 before I dig into these services again.

    I am leaning towards the SG-2440 as this with an SSD should do everything that I need it to do. I guess I’m just looking for a second opinion.

    Thank you for your time.



  • Did you see this?



  • @hda:

    Did you see this?

    Based off of that they both appear to be basically equal, so besides the extra NICs they are the same performance wise. I just wonder how less RAM on the SG-2220 would affect any installed packages, if I decided to add any.



  • Yeah, but the C2338 offers no "Quick Assist" and the C2358 does.
    So if that gets implemented as planned, then those numbers should increase.



  • @Phishfry:

    Yeah, but the C2338 offers no "Quick Assist" and the C2358 does.
    So if that gets implemented as planned, then those numbers should increase.

    I didn't realize that quick assist wasn't a feature on the SG-2220. I was leaning towards it after looking at the performance numbers but now knowing that I don't think it will be an option because with VPN performance being such a huge part of my setup that is a feature that I will want to have in the future if it is implemented.



  • I thought I would throw that factoid out there.
    The way it looks to me, the Intel implementation in Linux uses a binary blob and that might not pass muster in FreeBSD. So it may not be an advantage except with Linux. I cannot speak much about the topic as I am not familiar with it.

    Regardless I like seeing hard numbers that GonzoP posted on Reddit.



  • Looking further it looks like it is being worked on:

    https://blog.pfsense.org/?p=1626





  • After reading the pfSense road map I have been drooling over the features they are adding. A lot of what they are trying to implement will make a significant improvement in performance.

    Quick Assist may not be implemented yet, but with the prospect of it coming in the future I will have to have it as a feature. Especially with VPN being such an important part of my gateway.



  • I could be wrong on Quick Assist as I am going by the Intel Ark page for the CPU features.

    It would not be uncommon for the bottom rung on the CPU ladder to be missing a feature.



  • @cplmayo

    Go and save a little bit more money and go for the SG-2440 unit.
    It comes with AES-NI and Intel QuickAssist and lets you expand the whole box with mSATA and WiFi
    or a modem & SIM card if needed some day. If Intel QuickAssist is going into the pfSense code,
    I would really say that in the first year all customers of SG-xxxx units will benefit from this feature
    first, before all others are able to see it in the wild, and so it might be a real hint to go with
    one of these boxes.

    Especially with VPN being such an important part of my gateway.

    If so, please take the time to set up an IPSec VPN, and at this time you will mostly benefit
    from the AES-NI feature!!! You can raise the throughput to 4x
    or 5x of that without using AES-NI. Since version 2.2.5 this will work for everybody!

    Mostly it all depends on the services used, the installed packages, and the WAN and VPN speed;
    if you are going to set up a full UTM device and need something around ~500 MBit/s of
    VPN throughput, the SG-4860 could also be a real challenge for you.



  • @BlueKobold:

    @cplmayo

    Go and save a little bit more money and go for the SG-2440 unit.
    It comes with AES-NI and Intel QuickAssist and lets you expand the whole box with mSATA and WiFi
    or a modem & SIM card if needed some day. If Intel QuickAssist is going into the pfSense code,
    I would really say that in the first year all customers of SG-xxxx units will benefit from this feature
    first, before all others are able to see it in the wild, and so it might be a real hint to go with
    one of these boxes.

    Especially with VPN being such an important part of my gateway.

    If so, please take the time to set up an IPSec VPN, and at this time you will mostly benefit
    from the AES-NI feature!!! You can raise the throughput to 4x
    or 5x of that without using AES-NI. Since version 2.2.5 this will work for everybody!

    Mostly it all depends on the services used, the installed packages, and the WAN and VPN speed;
    if you are going to set up a full UTM device and need something around ~500 MBit/s of
    VPN throughput, the SG-4860 could also be a real challenge for you.

    Right now I'm running a self built box with a Supermicro Rangeley C2558 CPU that is pure overkill; AES-NI is awesome from what I have seen. However I have an ESXi box that is built on a super old, P4 era Xeon, dual CPU system. Due to the power draw from this box I want to use a pfSense Appliance to support the cause and migrate my C2558 system to VM duties, it is only four cores but that should be plenty for what I use my VMs for.



  • I want a box that can handle 1Gbps so that I have some headroom if my WAN gets upgraded.

    The first SG-xxx unit that is named as able to properly handle 1 GBit/s at the WAN interface and route it is the SG-2440
    unit. And for sure it will be the best option for you as I see it right now. (Only my opinion)

    Right now I'm running a self built box with a Supermicro Rangeley C2558 CPU that is pure overkill;

    It is more comparable to the SG-4860, and that is capable of running pfSense firewall, Snort, pfBlocker-NG and also routing
    1 GBit/s at the WAN interface, with IPSec at nearly ~500 MBit/s on top of this too!!!

    AES-NI is awesome from what I have seen.

    But please accept that the OpenVPN you want to use is not taking any advantage of the presence of AES-NI!
    Only IPSec benefits at the moment from these AES-NI CPU or SoC registers, but then it does so well. It speeds up the
    entire IPSec throughput by up to x4, or in good conditions up to x5, of the normal throughput.

    Due to the power draw from this box I want to use a pfSense Appliance to support the cause and migrate my C2558 system to VM duties, it is only four cores but that should be plenty for what I use my VMs for.

    Good luck and much success.



  • I am in the same boat as I am looking for a new router/firewall that could support a Gbps internet connection.  I currently have Rogers cable's 250 service which actually measures out at 320 Mbps.  Soon Rogers will be offering 1Gbps in all of my city.

    I really don't need a lot of ports as I have a 24 port switch in my house.  I also don't need wifi as I have a few Ubiquiti Unifi WAPs in my house.

    The gateway supplied by Rogers is a Hitron 32x8 DOCSIS 3.0 device.  It normally acts as both router and modem but can be put in Bridge mode to only act as a modem.  But the router function of this device sucks - or at least I am pretty sure it will if it is similar to other Hitron devices that Rogers has deployed.

    But I want something that can support gigabit internet.  I will be using OpenVPN on it and doing some port forwarding but nothing else that is too fancy.

    I have started playing around with pfSense on an older PC with two NICs so I am considering this option or getting a 2220 or 2440.



  • I have started playing around with pfSense on an older PC with two NICs so I am considering this option or getting a 2220 or 2440.

    The SG-2220 will not handle 1 GBit/s at the WAN interface as I see it. And the PPPoE connection is
    only using one CPU core at the moment to handle the WAN speed. But if you don't need the PPPoE part
    you will be really surprised.

