Standard User ian72
(eat-sleep-adslguide) Fri 13-Jan-17 09:16:20
Re: Netgate SG-1000 pfSense firewall first impressions

[re: RobertoS]
 
Building a standard PC is almost certainly not worth it. But, if you are a serious gamer or have other specific requirements then selecting the components can result in a much better device. Prebuilt devices will almost certainly have some components that are not "perfect" for a specific goal. I have built my last few PCs but I haven't replaced my current PC in 4 years (I used to replace every 2 years). So, for some people it is definitely a benefit but for the average user it is far easier just to buy off the shelf.

Or, if you want a middle ground then some PC suppliers (like Novatech) do bespoke build services so you can pretty much select all the items you want and they will build it for you.
Standard User BatBoy
(sensei) Fri 13-Jan-17 09:30:27
Re: Netgate SG-1000 pfSense firewall first impressions

[re: awontroba]
 
I run pfSense on a VM on my home server under VMware and I found that if I reduce the CPU to what I considered a sensible level then that affected speedtests badly. So I leave the CPU uncapped.

I chose pfSense as I have two FTTC connections and pfSense gave me a free way to use load-balancing across the two WANs rather than pay for expensive hardwired kit. There is also almost-unlimited upgradeability and a very helpful support community.
Standard User PhilipD
(experienced) Fri 13-Jan-17 10:28:06
Re: Netgate SG-1000 pfSense firewall first impressions

[re: RobertoS]
 
Hi

I will quote myself, as I did say, which you've just repeated:

But for those who like building their own bits of kit and tinkering plus wanting a reliable separate router that will go the distance, which is much more configurable and better supported than consumer hot plastic boxes, it is a great option.


It is a great hobby, I and hundreds of thousands of other people are using pfSense, in the same way hundreds of thousands of people flash their cheap and cheerful routers and use Tomato firmware, or download and modify open source software and tinker with that. Linux itself, that runs on virtually all consumer routers, in a large part has been built by people tinkering as a hobby. Everyone benefits from people tinkering, it should be encouraged, it's what has given rise to mainstream boxes by and large at cheap prices.

No router or firewall offers 100% protection, and the number of security flaws and holes they keep finding in consumer routers proves that.

This post wasn't about trying to get more people to use pfSense, but seems to have turned into, by you, a post knocking us for using it. It isn't for you, fair enough you've made that clear, but don't try and tell us we are fanciful please. I use a lot of features to my advantage in pfSense I don't find in consumer routers and even some industrial ones, it isn't just about a firewall. On top of all the extra features, yes I do get personal fulfillment I built it myself, nothing wrong in that, that's being human, wanting a sense of pride or satisfaction in a job well done, it's not fanciful to want that, it's a human condition.

Regards

Phil

Edited by PhilipD (Fri 13-Jan-17 10:37:39)



Standard User RobertoS
(elder) Fri 13-Jan-17 11:21:31
Re: Netgate SG-1000 pfSense firewall first impressions

[re: PhilipD]
 
The Subject is "firewall". The content is mainly about problems. ;)

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 54999/14466Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User awontroba
(regular) Fri 13-Jan-17 11:22:39
Re: Netgate SG-1000 pfSense firewall first impressions

[re: PhilipD]
 
The SG-1000 is indeed not that much of a computer. A SoC similar to a Beaglebone - I use one at home under FreeBSD as a local DNS (BIND) server. The SG-1000 has an on board 1 Gb/s switch serving the host, LAN and WAN. pfSense forum discussions seem to indicate a maximum throughput per port of a third of that, but currently you can't get much more than 100 Mb/s. I got slightly more than that through the LAN with iperf.

Part of the cost must be part of the "free" (normally $99) subscription to pfSense Gold for a year. TANSTAAFL. I bought from their UK distributor, so import duty, VAT, startling shipping cost and profit all take their toll. Netgate boxes are all rather expensive, but as pfSense is under Netgate's control you would expect them to work well together.

When idling (like now) with the web interface displaying something static the SG-1000 runs at 98% idle.
With the web interface displaying the dashboard with a few widgets, idle time ranges between 0-60% idle, generally at the lower end of the range.
With the web interface displaying something static, vmstat with 5 second snapshots over a TBB speed test shows that the machine has spare processor capacity throughout the test (see bottom of this).

Possibly, poor interrupt latency having a noticeable but sort of acceptable effect on multi-stream downloads and uploads, and this dire effect on single threaded downloads such as TBB single stream and FTP.

I must of course try different cables and ports on the home hub and LAN switch, but as two ALIX/APU boxes worked entirely well with these this is a clutching at straws move.

I don't know about the Pi, never had my hands on one.

I prefer to avoid as much hardware work as I can (fat finger plus the classic programmer with a screwdriver syndrome), so usually buy my boxes ready built.

The LinITX PC Engines based ALIX (i386) and APU (amd64) boards are well constructed, and speeds were in line with my expectations. The ALIX and one of the APUs were fine, but the APU I recently got for here proved to be flaky - rebooting itself with no indications as to why after a few hours to a couple of days. Returned for testing, found fault free, sent back to me without a PSU, replacement sent when I nagged. Much elapsed time with this as I am only here some of the time. Eventually LinITX agreed to a refund, and having suffered a lemon decided to try other hardware. Perhaps I should have chosen a mini-ITX box with amd64 multiple cores and Intel NICs.

5 second interval vmstat output
# vmstat -w 5
procs  memory       page                    disks     faults         cpu
r b w  avm   fre   flt  re  pi  po    fr   sr mm0 md0   in    sy    cs us sy id
1 2 0 448M   73M   756   0   0   1   768   15   0   0  212  5787   309 18 17 65
<idle>
0 2 0 448M   73M     0   0   0   0     1   12   1   0   71    83   147  0  1 99
0 2 0 448M   73M     0   0   0   0     0   12   0   0   36   121   115  0  1 99
<single stream download>
2 2 0 448M   73M     0   0   0   0     0   12   0   0 1048   294  1699  1  7 92
0 2 0 448M   73M     0   0   0   0     0   12   0   0 2970    81  4823  0 16 84
0 4 0 460M   72M  1032   0   0   2  1124   12   0   0 3688  1579  5495  7 45 48
0 2 0 448M   73M   688   0   0   2   709   12   0   0 3263   793  4993  5 29 66
<multi stream download>
2 3 0 450M   73M   319   0   0   1   354   12   1   0 6109   501  8473  2 52 45
1 2 0 450M   72M   691   0   0   0   774   12   0   0 9257  1123 12590  6 94  0
<upload>
3 2 0 448M   73M   723   0   0   1   747   12   0   0 4502   830  6399  5 42 53
0 2 0 448M   73M   301   0   0   0   324   12   0   0 3425   596  5180  2 30 69
0 2 0 448M   73M     0   0   0   0     0   12   2   0 2498   382  3641  1 14 84
0 2 0 448M   73M     0   0   0   0     1   12   3   0  232    81   305  0  1 98
1 2 0 448M   73M     0   0   0   0     0   12   0   0   27    69    92  0  1 99


--
Adrian
Standard User awontroba
(regular) Fri 13-Jan-17 11:52:54
Re: Netgate SG-1000 pfSense firewall first impressions

[re: RobertoS]
 
In reply to a post by RobertoS:
The Subject is "firewall". The content is mainly about problems. ;)
Generally the only problems I have had with pfSense firewalls, or indeed FreeBSD/ipfw firewalls (my first was an AT&T Death Star desktop I'd picked up at a computer fair in the mid 90s) have been of my own making. Usually misunderstanding and misconfiguration.

I turned to pfSense boxes when I wanted to both repurpose a HP Microserver and continue to replace FreeBSD systems I maintain for myself with FreeBSD based "appliances", which usually require far less time and effort. I seem to be having a run of bad luck recently with my choices.

Computers have fascinated me since I first programmed one at university in 1969, and turned into both my profession and a hobby. Now I am retired, and want to reduce the time spent on that hobby for the benefit of other pastimes, such as drinking beer in muddy fields listening to loud music.

--
Adrian
Standard User RobertoS
(elder) Fri 13-Jan-17 12:34:30
Re: Netgate SG-1000 pfSense firewall first impressions

[re: awontroba]
 
In reply to a post by awontroba:
Computers have fascinated me since I first programmed one at university in 1969, and turned into both my profession and a hobby.
Me too since I took a job as a trainee programmer in 1966 instead of going into the standard management graduate training scheme at the same company.
Now I am retired, and want to reduce the time spent on that hobby for the benefit of other pastimes, such as drinking beer in muddy fields listening to loud music.
Sounds like a plan. However your complementary pastime might within a couple of years involve deep research into warm clothing and whether Horlicks keeps well in a vacuum flask. :)

Standard User awontroba
(regular) Thu 19-Jan-17 17:50:49
Re: Netgate SG-1000 pfSense firewall first impressions

[re: awontroba]
 
The UK SG-1000 supplier (Amica) happily agreed to a return and upgrade to an SG-2220. This is eye-wateringly expensive (but comes with 2 paid support incidents for a year) and seems to be working very well. Best speed I have seen in the last few months.
Thu 19/01/17 16:56	59.08 Mbps	58.93 Mbps	18.59 Mbps

Looks like I can stop fiddling with firewalls (8-)

--
Adrian
Standard User fredfox
(experienced) Thu 19-Jan-17 20:39:21
Re: Netgate SG-1000 pfSense firewall first impressions

[re: awontroba]
 
For Christmas my wife bought me one of these and it handles my 200Mbps FTTH connection with pfSense very well. I get actual speeds of up to 215 Mbps :) However, ClamAV is way too much for it so I've turned that off.

I'd looked at the SG-10000 but wasn't convinced - happy I stuck with the APU2.

Previously I was running pfSense on a VM but needed to separate it from the rest of my stuff ;) I still run Astaro in a VM on my slow backup ADSL connection.

Pipex
Nildram
UKFSN
Be *
Now -> Xilo / Uno (and BT)

Fibre is almost here !
Standard User awontroba
(regular) Thu 19-Jan-17 22:15:45
Re: Netgate SG-1000 pfSense firewall first impressions

[re: fredfox]
 
I had one of those too, but it kept on rebooting. Possibly a lemon. Otherwise it was fine. Good to know that it can keep up with FTTH. I have an older model at home which has no problems and am happy with. I wittered about ALIX/APU earlier in this thread.

ClamAV does need a lot of memory, and can use a lot of power. I run it, SpamAssassin and sendmail on my main FreeBSD box. Out of interest, how were you passing mail through ClamAV on your firewall? Or were you using it to check HTTP traffic? (I am fixated on email).

There are surprisingly few complaints about the SG-1000 single-stream performance on the pfSense forum. Could be due to low sales, a problem only affecting a few machines, people not noticing...

If you have a backup ADSL connection, why not go dual WAN? For failover it works well. Good reasons for not doing so include inertia, incompatibility and not wanting all your eggs in one basket.

--
Adrian