Standard User awontroba
(regular) Thu 12-Jan-17 17:14:57

Netgate SG-1000 pfSense firewall first impressions


 
I have used pfSense firewalls for several years. A far more powerful and flexible firewall than that included in consumer kit. Probably much more complicated than the average home user can cope with.

At home I use a PC Engines APU 64 bit mini ITX box, connecting with PPPoE to an unlocked HG612 to Plusnet.

At my mother's I was using a PC Engines 32 bit ALIX box, connected to a BT Home Hub 5B. The hub also has a BT YouView box, a Fon access point, and a Vodafone Sure Signal connected to it.

As pfSense 2.4 will not support 32 bit processors I decided to upgrade to the recently released Netgate SG-1000, buying from a UK partner rather than direct from Netgate. https://shop.amicatech.co.uk/shop/hardware/sg-1000-m... - £172.80 inclusive of VAT and shipping. Includes a year's subscription to pfSense Gold, notably providing access to the pfSense book and remote configuration backup.

The SG-1000 is a tiny ARM SoC box.
LAN and WAN interfaces - the host, LAN and WAN are connected to a 1 Gb/s switch. iperf shows the LAN capable of 103 Mb/s.
Comes with a small 5v PSU, with the cable coming out of the bottom of the plug.
Has a built in serial console to micro USB bridge. Comes with a 1m micro USB - A USB cable. Drive this with Realterm or similar at 115200 baud, ANSI.

Easy to upgrade:
Backup old firewall's configuration.
Connect SG-1000 to PC via USB and power up. Allow Windows to update its drivers.
Connect to SG-1000 console.
Shut down old firewall.
Via console, option 2, amend LAN details if 192.168.1.1 does not suit.
Plug in LAN and WAN.
Connect to LAN address with a browser.
Restore configuration.
When prompted, fix interface assignments - WAN is cpsw0, LAN is cpsw1.

Performance:

TBB Multi-streamed download and upload much the same as before.

TBB single stream download is DIRE. This might be due to BT congestion. I normally do my speed tests in the dead of night.
New box: http://www.thinkbroadband.com/speedtest/results.html...
Old box: http://www.thinkbroadband.com/speedtest/results.html...

The web interface, particularly the dashboard, consumes a lot of the weeny processor's power, often running at 100%.

So far I am rather underwhelmed (8-(

--
Adrian

Edited by awontroba (Thu 12-Jan-17 17:17:53)
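
Added example (not part of the original post, and not pfSense's own code): an offline pre-check of a configuration backup for the restore steps above. It rewrites the WAN/LAN assignments to the cpsw0/cpsw1 names given in the post and lists anything else still naming the old NICs, so firewall rules do not end up bound to the wrong port. The sample XML, the vr0/vr1 names and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml backup from the old firewall.
# The vr0/vr1 NIC names and the VLAN entry are assumptions for illustration.
SAMPLE_BACKUP = """<pfsense>
  <interfaces>
    <wan><if>vr1</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>vr0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <vlans>
    <vlan><if>vr0</if><tag>20</tag><vlanif>vr0_vlan20</vlanif></vlan>
  </vlans>
</pfsense>"""

# Port assignments given in the post for the SG-1000.
SG1000_PORTS = {"wan": "cpsw0", "lan": "cpsw1"}


def remap_interfaces(config_xml, ports=SG1000_PORTS):
    """Return (new_xml, changes, leftovers) for a config.xml backup.

    changes   -- {role: (old_nic, new_nic)} for each reassigned interface
    leftovers -- elements that still name an old NIC (VLAN parents and the
                 like) and should be reviewed once the restore is done
    """
    root = ET.fromstring(config_xml)
    changes = {}
    for role, new_nic in ports.items():
        node = root.find(f"interfaces/{role}/if")
        if node is None:
            raise ValueError(f"backup has no <{role}> interface assignment")
        changes[role] = (node.text or "", new_nic)
        node.text = new_nic

    # NIC names that disappear with the old hardware.
    old_nics = {old for old, _ in changes.values() if old} - set(ports.values())
    leftovers = []
    for parent in root.iter():
        for child in parent:
            text = (child.text or "").strip()
            # Bare NIC name, or a derived name such as vr0_vlan20 / vr0.20.
            if any(text == n or text.startswith((n + "_", n + ".")) for n in old_nics):
                leftovers.append(f"{parent.tag}/{child.tag}={text}")
    return ET.tostring(root, encoding="unicode"), changes, leftovers


if __name__ == "__main__":
    _, changes, leftovers = remap_interfaces(SAMPLE_BACKUP)
    print(changes, leftovers)
```
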

Administrator MrSaffron
(staff) Thu 12-Jan-17 18:33:41

Re: Netgate SG-1000 pfSense firewall first impressions


[re: awontroba]
 
Try also using

http://labs.thinkbroadband.com/speedtest
and
https://labs.thinkbroadband.com/speedtest

Single thread but done over HTTP, whereas on the flash version it's a custom TCP protocol.

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User awontroba
(regular) Thu 12-Jan-17 20:13:16

Re: Netgate SG-1000 pfSense firewall first impressions


[re: MrSaffron]
 
Thanks. Tried the labs version, much the same result - http://www.thinkbroadband.com/speedtest/results.html...

Intriguing that merely changing a device inboard of the modem/router appears to provoke the slow single threaded performance that some complain about. When I get the chance I'll try a dead of night test.

It is not just TBB single threaded speed tests that are slow. An FTP download from UKC runs at around the same speed.


[aw1@swelter /tmp]$ ftp ftp.mirrorservice.org
Trying 212.219.56.184:21 ...
Connected to ftp.mirrorservice.org.
220-----------------------------------------------------------------------------
220-Welcome to the University of Kent's UK Mirror Service.
220-
220-More information can be found at our web site: http://www.mirrorservice.org/
220-Please send comments or questions to help@mirrorservice.org.
220-----------------------------------------------------------------------------
220
Name (ftp.mirrorservice.org:aw1): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /pub/FreeBSD/releases/ISO-IMAGES/11.0
250 Directory successfully changed.
ftp> get FreeBSD-11.0-RELEASE-amd64-bootonly.iso.xz
local: FreeBSD-11.0-RELEASE-amd64-bootonly.iso.xz remote: FreeBSD-11.0-RELEASE-amd64-bootonly.iso.xz
229 Entering Extended Passive Mode (|||44600|)
150 Opening BINARY mode data connection for FreeBSD-11.0-RELEASE-amd64-bootonly.iso.xz (69712628 bytes).
100% |**************************************************************| 68078 KiB 2.31 MiB/s 00:00 ETA
226 Transfer complete.
69712628 bytes received in 00:28 (2.31 MiB/s)
ftp> quit
221 Goodbye.

--
Adrian



Administrator MrSaffron
(staff) Thu 12-Jan-17 22:54:27

Re: Netgate SG-1000 pfSense firewall first impressions


[re: awontroba]
 
It may be that RWIN scaling is broken

Standard User awontroba
(regular) Thu 12-Jan-17 23:04:15

Re: Netgate SG-1000 pfSense firewall first impressions


[re: awontroba]
 
Just tried 3 speed tests, 2 with the SG-1000 sandwiching a test with the ALIX.

The single threaded download runs considerably slower on the SG-1000 (around 12 Mbps rather than around 58 Mbps)
Even the multi-threaded download is slower (around 51 Mbps rather than around 58 Mbps).

Not Fit For Purpose (8-(

Thu 12/01/17 22:46	12.74 Mbps	50.50 Mbps	18.55 Mbps	SG-1000
Thu 12/01/17 22:42	57.79 Mbps	57.80 Mbps	18.61 Mbps	ALIX
Thu 12/01/17 22:35	11.19 Mbps	51.55 Mbps	18.38 Mbps	SG-1000


--
Adrian
Standard User awontroba
(regular) Fri 13-Jan-17 01:02:44

Re: Netgate SG-1000 pfSense firewall first impressions


[re: MrSaffron]
 
In reply to a post by MrSaffron:
It may be that RWIN scaling is broken

Perhaps, but I cannot find any complaints about this having happened in pfSense 2.4. But there is a lot of software change: FreeBSD 10.3 to 11.0, i386/amd64 to ARM, pfSense 2.3 to 2.4 (still in beta).

My suspicion is that the box just isn't powerful enough.

Caveat emptor!

I'll:
* Take it up with the supplier (and maybe upgrade to the SG-2220).
* Whinge on the pfSense forum.
* Consider other PC-Engines hardware. Though I had trouble with the last one I had an APU model here for a while, which worked fine except for it rebooting every now and then. Never ran for more than 2 days. An older APU model at home has worked well for a couple of years.

--
Adrian
Standard User RobertoS
(elder) Fri 13-Jan-17 01:17:52

Re: Netgate SG-1000 pfSense firewall first impressions


[re: awontroba]
 
In reply to a post by awontroba:
Caveat emptor!

I'll:
* Take it up with the supplier (and maybe upgrade to the SG-2220).
* Whinge on the pfSense forum.
* Consider other PC-Engines hardware. Though I had trouble with the last one I had an APU model here for a while, which worked fine except for it rebooting every now and then. Never ran for more than 2 days. An older APU model at home has worked well for a couple of years.

In reply to a post by awontroba:
I have used pfSense firewalls for several years. A far more powerful and flexible firewall than that included in consumer kit. Probably much more complicated than the average home user can cope with.

It seems to me that the kit the average home user buys may be a better idea than geek kit ;). I don't recall any major firewall failures in mainstream products being reported anywhere, particularly when allied to the software ones in mainstream IS systems.

We do keep hearing recommendations to change the default passwords of course, but even the failure to do that doesn't seem to have caused widespread mayhem.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 54999/14466Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User PhilipD
(experienced) Fri 13-Jan-17 08:04:37

Re: Netgate SG-1000 pfSense firewall first impressions


[re: awontroba]
 
Hi

I run pfSense but on a home built system running an Intel Pentium N3700 and 4 Intel network embedded ports. Still on pfSense 2.3, but get 74/18 on single and multi-threaded speed tests, which is my line maximum.

I've seen the device you have posted about but rather surprised at the cost, given it's not much more than a Raspberry Pi in hardware terms, that seems very expensive. I had read it should be capable of more throughput, although that might be maximum theoretical speeds or in the lab tests, but I did read they stated it had 1Gbs Network ports for a reason. Perhaps it is just a case version 2.4 isn't optimised for it yet?

My setup runs at about 10 watt idle, that includes 3 watts on the IPMI (Intelligent Platform Management Interface) chip, but I suspect SG-1000 is much lower which is nice, but that might be at the cost of being under-powered in performance as well.

Hopefully some new software might improve things.

Regards

Phil
Standard User PhilipD
(experienced) Fri 13-Jan-17 08:21:26

Re: Netgate SG-1000 pfSense firewall first impressions


[re: RobertoS]
 
Hi

It seems to me that the kit the average home user buys may be a better idea than geek kit ;). I don't recall any major firewall failures in mainstream products being reported anywhere, particularly when allied to the software ones in mainstream IS systems.


Indeed, it isn't for the average home user, in the same way a lot of business kit isn't. But for those who like building their own bits of kit and tinkering plus wanting a reliable separate router that will go the distance, which is much more configurable and better supported than consumer hot plastic boxes, it is a great option.

My pfSense box is way more reliable and configurable than any consumer router I've owned, more future proof and better supported. I built it myself so I know it has quality memory and components, and it's fanless and in a small case like any consumer device, plus gets nowhere near as hot! I had the fun of building it and learning about it, and get a reliable router at the end of it.

Regards

Phil
Standard User RobertoS
(elder) Fri 13-Jan-17 09:11:33

Re: Netgate SG-1000 pfSense firewall first impressions


[re: PhilipD]
 
You can build a kit car as well. That doesn't mean it is worthwhile other than to achieve a sense of personal fulfilment :).

Building a PC from readily available components made sense at the time I used to, both for use internally in my mainly tailored business software VAR business and for customers wanting to save a bit. Whether it still does I don't know. That was decades ago.

This sort of faffing about with pfSense and Raspberry Pi type stuff sounds like a great hobby. So is building a radio. I have no problem with such activities, but this idea that there is any real advantage in practical terms over mainstream boxes for private and even SME businesses strikes me as rather fanciful.

The "average" user, as in "I have used pfSense firewalls for several years. A far more powerful and flexible firewall than that included in consumer kit. Probably much more complicated than the average home user can cope with", is more like 99.9% or more of the population than implied by the statement :).

How much more powerful does a firewall need to be than the 100% protection offered by a mainstream box and decent software firewall on the computer kit itself? It's a chimera. A bit of fun for hobbyists. That's fine by me, but is all it is.
