Netgate SG-1000 (FreeBSD based pfSense on ARM) First Look

Discussion in 'STH Main Site Posts' started by Patrick Kennedy, Mar 23, 2017.

  1. #1
  2. PigLover

    PigLover Moderator

    I've considered this box to sit between the POE switch serving my cameras and the rest of my network (or pretty much anything else). Set up rules so that every port is blocked except those absolutely necessary for your NVR to access the cameras. Lots of risky firmware, backdoors and other nasty stuff in those little beasties...

    Also include detailed enough rules so that ONLY the cameras can get through (just in case someone tries to detach the RJ45 and connect something else to your network).

    Plenty of horses in that box for this - and it's cheap enough/low power enough to make it worthwhile.
     
    #2
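The policy described in the post above (default deny, only the NVR reaches the cameras on the ports it needs, and only known cameras are accepted from that segment), modelled as an added example that is not part of the original thread and is not pfSense configuration. All addresses, MACs and the RTSP port 554 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory for illustration: camera IP -> expected MAC.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
CAMERAS = {"10.20.0.11": "00:11:22:33:44:01", "10.20.0.12": "00:11:22:33:44:02"}
NVR = "10.10.0.5"                    # assumed NVR address
NVR_TO_CAMERA = {("tcp", 554)}       # assumed: the NVR only needs RTSP

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str
    dst_port: int
    reply: bool = False              # True if the state was opened by the NVR

def evaluate(f: Flow) -> str:
    """Default-deny verdict for one flow crossing the camera firewall."""
    if ipaddress.ip_address(f.src_ip) in CAMERA_NET:
        if f.src_ip not in CAMERAS:
            return "block: unknown device on camera segment"
        if f.src_mac.lower() != CAMERAS[f.src_ip]:
            return "block: MAC does not match camera inventory"
        if not (f.reply and f.dst_ip == NVR):
            return "block: camera-initiated traffic"
        return "pass"
    if f.dst_ip in CAMERAS:
        if f.src_ip != NVR:
            return "block: source is not the NVR"
        if (f.proto, f.dst_port) not in NVR_TO_CAMERA:
            return "block: port not needed by the NVR"
        return "pass"
    return "block: default deny"

# Constructed sample flows.
SAMPLE = [
    Flow(NVR, "00:aa:bb:cc:dd:05", "10.20.0.11", "tcp", 554),
    Flow(NVR, "00:aa:bb:cc:dd:05", "10.20.0.11", "tcp", 23),
    Flow("10.20.0.11", "00:11:22:33:44:01", NVR, "tcp", 40000, reply=True),
    Flow("10.20.0.11", "00:11:22:33:44:01", "203.0.113.9", "tcp", 443),
    Flow("10.20.0.12", "de:ad:be:ef:00:01", NVR, "tcp", 40001, reply=True),
    Flow("10.20.0.50", "de:ad:be:ef:00:01", "10.10.0.20", "tcp", 445),
]

def audit(flows):
    return [evaluate(f) for f in flows]

if __name__ == "__main__":
    for f, verdict in zip(SAMPLE, audit(SAMPLE)):
        print(f.src_ip, "->", f.dst_ip, f.proto, f.dst_port, verdict)
```

The last two sample flows are the unplugged-camera case from the post: a device that reuses a camera's IP with a different MAC, and one that takes an address not in the inventory.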
  3. whitey

    whitey Moderator

    Yep, she's a NICE lil' device, been thinking I am gonna use these as my 'go-to' for friends/small businesses CPE/termination/demarc point from now on.
     
    #3
  4. spazoid

    spazoid Member

    Neat box, but I still think it's too expensive. Gold membership has no value to me, so it feels like I'm paying $150 for a $50 device, or 3 times the value of the hardware. The situation with the more expensive Netgate devices is completely different, as the software is a much lower portion of the total price.

    Start selling a version at $79 without Gold membership, and I might consider it for fun projects like putting internet in the car or something that doesn't require high speed.
     
    #4
  5. whitey

    whitey Moderator

    I'd hop for $99 version, even @ $150 though it's still a great value for 'set it and forget it' / 'pre-built/ready-to-go' build. Even w/ an APU2 ($170 approx all-in) I have to spend 15-20 mins assembling, 15-20 mins laying down image...time is $$$.
     
    #5
  6. cactus

    cactus Moderator

    What makes this better than a less expensive Edge Router Lite as a gateway device? If you are fully invested in pfSense or you need a gateway and IoT device in one, maybe it makes sense at $150.
     
    #6
  7. PigLover

    PigLover Moderator

    Looking at this a bit deeper - not sure I'd bite.

    Cortex-A8 based - single core, 1GHz. Not much juice in there. The APU2C4 is just slightly more expensive and there are plenty of J1800/J1900/N3150/etc. packaged systems for under $200 that would do much more.
     
    #7
  8. Patrick

    Patrick Administrator
    Staff Member

    I see this more as a management network VPN gateway. It is fairly awesome for that.

    Also, I just had a friend install pfSense on a $100 1U Atom machine. He has 100mbps down cable so well within what this box can do.

    ERL is valid but after I had two different units hard freeze on me, I just stopped that experiment.
     
    #8
  9. Jaket

    Jaket Member

    Was thinking it would be nice to link between an older Cisco switch for VPN access for a management network/IPMI.
     
    #9
  10. Cheddoleum

    Cheddoleum Member

    Ubiquiti seems to have had the same thought. When I lazily use Google to search for the Netgate info page on this product (i.e., just search for netgate sg-1000) I get a sponsored Google shopping box for the EdgeRouter X to the right of the results.

    Anyway, here's that info page [link]. They're talking about throughput on the order of 300mbps, so while that still doesn't tell you how it would do for things like PPPoE, VPNs, SPI etc. as compared to basic routing and packet filtering, they're at least managing expectations below full-bandwidth GigE applications. It'd be interesting to see some benchmarks and recommended use cases and applications.
     
    #10
  11. wiretap

    wiretap Active Member

    Do we have any iperf results for this little box yet? I'm interested to see how much throughput it has on this ARM chip. But I would agree, it would probably be good for a management network that doesn't require heavy bandwidth.
     
    #11
  12. Patrick

    Patrick Administrator
    Staff Member

  13. wildchild

    wildchild Active Member

    I have 2 EdgeRouter X SFPs here.
    When I get the chance I'll do some iperf tests, incl and excl hw NAT, and IPsec.
     
    #13
  14. PigLover

    PigLover Moderator

    Those are interesting and helpful, but benching a router/firewall based on fixed 1500 byte packets and measuring Mbps is a bit simplistic.

    What really matters on a box like this is not bps, but pps. In most cases, a CPU-based "slowpath" design like pfSense will always deliver consistent pps across a mix of traffic types, but bps will vary all over the map depending on whether your traffic load is web browsing, video streams, file transfer, VoIP, etc.

    I know the tools at hand are simplistic (iperf) - but a much better profile for a router/firewall would at least have the packet sizes mixed using something like an "imix" profile.
     
    #14
  15. Patrick

    Patrick Administrator
    Staff Member

    @PigLover I agree.

    If you have something specific you think should be run, shoot me a PM/ email and I am happy to run that once we get the little box into the data center (mid-next week ETA).

    I am also contemplating seeing if it can pass the wife test and trying to put her networking on it for a few days at home :)
     
    #15
  16. PigLover

    PigLover Moderator

    The tools we use for this are licensed and expensive. There is an open source tool that can get the job done (Seagull) but the configuration is massively complex for simple things.

    At the very least, I'd use a tool that can generate a random mix of packet sizes against a known traffic distribution - imix, which is a characterization of "typical" internet traffic types and sizes, is well known and a good sample for routers/firewalls. Would be even better if your traffic generator could also randomize the arrival rate of packets - doing this really fleshes out queuing limitations and race conditions.

    When you report it you should always report pps and traffic mix (x pps using imix) and include Mbps (not because Mbps is terribly interesting, but because it's "easier to explain" and everyone will ask).
     
    #16
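The pps-versus-bps point from the posts above, as an added example that is not part of the original thread: a packet plan with sizes drawn from an imix profile and randomized (Poisson) arrivals, reported as pps with Mbps alongside. It only builds the plan and sends nothing. The 7:4:1 mix of 40/576/1500-byte packets is the commonly quoted "simple IMIX", and the 25,000 pps budget is an assumption chosen because it equals 300 Mbps at 1500-byte packets.

```python
import random

# "Simple IMIX" as commonly quoted: IP packet size in bytes -> weight (7:4:1).
SIMPLE_IMIX = {40: 7, 576: 4, 1500: 1}
FIXED_1500 = {1500: 1}

def mean_size(mix):
    """Weighted mean packet size in bytes."""
    return sum(s * w for s, w in mix.items()) / sum(mix.values())

def mbps_at(pps, mix):
    """Throughput a pps-bound forwarder delivers under a given mix."""
    return pps * mean_size(mix) * 8 / 1e6

def schedule(pps, seconds, mix, seed=1):
    """Packet plan with sizes drawn from `mix` and Poisson arrivals
    (exponential gaps) averaging `pps`. Returns [(time_s, size_bytes)]."""
    rng = random.Random(seed)
    sizes, weights = zip(*mix.items())
    t, plan = 0.0, []
    while True:
        t += rng.expovariate(pps)
        if t >= seconds:
            return plan
        plan.append((t, rng.choices(sizes, weights)[0]))

def max_burst(plan, window=0.001):
    """Most packets arriving within any `window` seconds (queue pressure)."""
    best = lo = 0
    for hi, (t, _) in enumerate(plan):
        while t - plan[lo][0] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def report(plan, seconds):
    """Summarize a plan: pps first, Mbps alongside, plus the worst burst."""
    total_bytes = sum(size for _, size in plan)
    return {"pps": len(plan) / seconds,
            "mbps": total_bytes * 8 / seconds / 1e6,
            "max_burst": max_burst(plan)}

if __name__ == "__main__":
    budget = 25_000  # assumed pps budget, not a measured figure
    print("fixed 1500B:", mbps_at(budget, FIXED_1500), "Mbps")
    print("simple imix:", round(mbps_at(budget, SIMPLE_IMIX), 1), "Mbps")
    print(report(schedule(budget, 1.0, SIMPLE_IMIX), 1.0))
```

At the same packet rate the imix plan carries roughly 68 Mbps against 300 Mbps for fixed 1500-byte packets, and the random arrivals produce millisecond bursts well above the 25-packet average.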
  17. cesmith9999

    cesmith9999 Well-Known Member

    It needs a 3 port version: one for WAN, one for protected LAN, one for my test environment.

    And I agree with @whitey, it is still a little high @ $150. It is hard for me to want to replace my old desktop running as my pfSense router.

    Chris
     
    #17