Netgate SG-1000 (FreeBSD based pfSense on ARM) First Look

PigLover

Moderator
Jan 26, 2011
I've considered this box to sit between the POE switch serving my cameras and the rest of my network (or pretty much anything else). Set up rules so that every port is blocked except those absolutely necessary for your NVR to access the cameras. Lots of risky firmware, backdoors and other nasty stuff in those little beasties...

Also include detailed enough rules so that ONLY the cameras can get through (just in case someone tries to detach the RJ45 and connect something else to your network).

Plenty of horses in that box for this - and it's cheap enough/low power enough to make it worthwhile.
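
The policy described in the post above, modelled as a default-deny decision function run over sample connections. This is an added example, not part of the original post and not pfSense configuration; every address, MAC and port in it is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed inventory: the NVR, and IP -> MAC for each known camera.
NVR_IP = "192.168.10.5"
CAMERAS = {
    "192.168.50.11": "00:11:22:aa:bb:01",
    "192.168.50.12": "00:11:22:aa:bb:02",
}
# Assumed set of ports the NVR needs on the cameras (RTSP and HTTPS).
NVR_TO_CAMERA_PORTS = {("tcp", 554), ("tcp", 443)}

@dataclass(frozen=True)
class Flow:
    """A new connection attempt seen by the firewall."""
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str
    dst_port: int

def evaluate(flow: Flow) -> str:
    """Return the decision for one new connection; anything unmatched is blocked."""
    # Only the NVR may open connections to cameras, and only on needed ports.
    # Replies ride on the state a stateful firewall keeps for that connection.
    if flow.src_ip == NVR_IP and flow.dst_ip in CAMERAS:
        if (flow.proto, flow.dst_port) in NVR_TO_CAMERA_PORTS:
            return "pass"
        return "block: port not needed by NVR"
    # Traffic started from the camera segment is never allowed out.
    if flow.src_ip in CAMERAS:
        # A camera IP behind a different MAC suggests the cable was moved to
        # another device. MACs can be cloned, so this is a tripwire only.
        if CAMERAS[flow.src_ip] != flow.src_mac:
            return "block+alert: camera IP with unknown MAC"
        return "block: camera-initiated"
    return "block: default deny"

def alerts(flows):
    """Flows that should raise an alert rather than just be dropped."""
    return [f for f in flows if evaluate(f).startswith("block+alert")]
```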
 

whitey

Moderator
Jun 30, 2014
Yep, she's a NICE lil' device, been thinking I am gonna use these as my 'go-to' for friends/small businesses CPE/termination/demarc point from now on.
 

spazoid

Member
Apr 26, 2011
Copenhagen, Denmark
Neat box, but I still think it's too expensive. Gold membership has no value to me, so it feels like I'm paying $150 for a $50 device, or 3 times the value of the hardware. The situation with the more expensive Netgate devices is completely different, as the software is a much lower portion of the total price.

Start selling a version at $79 without Gold membership, and I might consider it for fun projects like putting internet in the car or something that doesn't require high speed.
 

whitey

Moderator
Jun 30, 2014
I'd hop for a $99 version, even @ $150 though it's still a great value for 'set it and forget it' / 'pre-built/ready-to-go' build. Even w/ an APU2 ($170 approx all-in) I have to spend 15-20 mins assembling, 15-20 mins laying down image...time is $$$.
 

cactus

Moderator
Jan 25, 2011
CA
What makes this better than a less expensive Edge Router Lite as a gateway device? If you are fully invested in pfSense or you need a gateway and IoT device in one, maybe it makes sense at $150.
 

PigLover

Moderator
Jan 26, 2011
Looking at this a bit deeper - not sure I'd bite.

Cortex-A8 based - single core, 1GHz. Not much juice in there. The APU2C4 is just slightly more expensive and there are plenty of J1800/J1900/N3150/etc. packaged systems for under $200 that would do much more.
 

Patrick

Administrator
Staff member
Dec 21, 2010
I see this more as a management network VPN gateway. It is fairly awesome for that.

Also, I just had a friend install pfSense on a $100 1U Atom machine. He has 100mbps down cable so well within what this box can do.

ERL is valid but after I had two different units hard freeze on me, I just stopped that experiment.
 

Cheddoleum

Member
Feb 19, 2014
cactus said:
> What makes this better than a less expensive Edge Router Lite as a gateway device? If you are fully invested in pfSense or you need a gateway and IoT device in one, maybe it makes sense at $150.

Ubiquiti seems to have had the same thought. When I lazily use Google to search for the Netgate info page on this product (i.e., just search for netgate sg-1000) I get a sponsored Google shopping box for the EdgeRouter X to the right of the results.

Anyway, here's that info page [link]. They're talking about throughput on the order of 300mbps, so while that still doesn't tell you how it would do for things like PPPoE, VPNs, SPI etc. as compared to basic routing and packet filtering, they're at least managing expectations below full-bandwidth GigE applications. It'd be interesting to see some benchmarks and recommended use cases and applications.
 

wiretap

Active Member
Jul 14, 2015
Michigan
Do we have any iperf results for this little box yet? I'm interested to see how much throughput it has on this ARM chip. But I would agree, it would probably be good for a management network that doesn't require heavy bandwidth.
 

wildchild

Active Member
Feb 4, 2014
I have 2 EdgeRouter X SFPs here.
When I get the chance I'll do some iperf tests, incl and excl HW NAT, and IPsec.
 

PigLover

Moderator
Jan 26, 2011
Those are interesting and helpful, but benching a router/firewall based on fixed 1500 byte packets and measuring Mbps is a bit simplistic.

What really matters on a box like this is not bps, but pps. In most cases, a CPU-based "slowpath" design like pfSense will always deliver consistent pps across a mix of traffic types, but bps will vary all over the map depending on whether your traffic load is web browsing, video streams, file transfer, VoIP, etc.

I know the tools at hand are simplistic (iperf) - but a much better profile for a router/firewall would at least have the packet sizes mixed using something like an "imix" profile.
 

Patrick

Administrator
Staff member
Dec 21, 2010
@PigLover I agree.

If you have something specific you think should be run, shoot me a PM/email and I am happy to run that once we get the little box into the data center (mid-next week ETA).

I am also contemplating seeing if it can pass the wife test and trying to put her networking on it for a few days at home :)
 

PigLover

Moderator
Jan 26, 2011
The tools we use for this are licensed and expensive. There is an open source tool that can get the job done (Seagull) but the configuration is massively complex for simple things.

At the very least, I'd use a tool that can generate a random mix of packet sizes against a known traffic distribution - imix, which is a characterization of "typical" internet traffic types and sizes, is well known and a good sample for routers/firewalls. Would be even better if your traffic generator could also randomize the arrival rate of packets - doing this really fleshes out queuing limitations and race conditions.

When you report it you should always report pps and traffic mix (x pps using imix) and include Mbps (not because Mbps is terribly interesting, but because it's "easier to explain" and everyone will ask).
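
A sketch of the test profile the post above asks for: packet sizes drawn from an imix distribution, randomized arrival times, and a result reported as pps plus Mbps. This is an added example, not a tool named in the thread; the 7:4:1 mix of 40/576/1500-byte packets is the commonly cited "simple IMIX" and is an assumption here, as are all function names.

```python
import random

# Assumption: "simple IMIX", (IP packet size in bytes, relative weight).
SIMPLE_IMIX = ((40, 7), (576, 4), (1500, 1))
FIXED_1500 = ((1500, 1),)  # the iperf-style fixed-size case

def mean_size(mix=SIMPLE_IMIX):
    """Weighted average packet size of a mix, in bytes."""
    total = sum(weight for _, weight in mix)
    return sum(size * weight for size, weight in mix) / total

def mbps_at(pps, mix=SIMPLE_IMIX):
    """Throughput that a fixed forwarding rate (pps) yields for a given mix."""
    return pps * mean_size(mix) * 8 / 1e6

def schedule(pps, seconds, mix=SIMPLE_IMIX, seed=1):
    """Build (send_time, size) pairs: sizes follow the mix, arrivals are
    Poisson (exponential gaps) so bursts exercise the queues."""
    rng = random.Random(seed)  # seeded so a run can be repeated
    sizes, weights = zip(*mix)
    now, packets = 0.0, []
    while True:
        now += rng.expovariate(pps)  # mean gap is 1/pps seconds
        if now >= seconds:
            return packets
        packets.append((now, rng.choices(sizes, weights)[0]))

def report(packets, seconds):
    """Summarize the way the post recommends: pps first, Mbps alongside."""
    bits = sum(size for _, size in packets) * 8
    return {"pps": len(packets) / seconds, "mbps": bits / seconds / 1e6}

if __name__ == "__main__":
    # Same packet rate, very different headline throughput.
    print(f"50 kpps imix:       {mbps_at(50_000):.1f} Mbps")
    print(f"50 kpps 1500 bytes: {mbps_at(50_000, FIXED_1500):.1f} Mbps")
    print(report(schedule(1_000, 2.0), 2.0))
```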
 

cesmith9999

Well-Known Member
Mar 26, 2013
It needs a 3 port version. One for WAN, one for protected LAN, one for my test environment.

And I agree with @whitey, it is still a little high @ $150. It is hard for me to want to replace my old desktop running as my pfSense router.

Chris