It has been quite a long time since STH has done a Netgate appliance review. The last time we looked at an SG series device was the 2017 Netgate SG-1000. Now we have the Netgate SG-5100, which is in a completely different class than the SG-1000 in terms of features and performance. As you will see in the review, this is not a one-trick pony. It can run either pfSense or TNSR. TNSR is the company’s higher-performance Linux-based network operating system. Let us get into the review.
Netgate SG-5100 Hardware Overview
The Netgate SG-5100 is a fairly compact desktop unit. Rough measurements put it around 8.5×5.75×1.75 inches in size. The headline feature of the unit is a six-port 1GbE array. The four IX ports come from the quad-core Intel Atom C3558 integrated MAC. The two IGB ports utilize two Intel i210-AT NICs. Combined, Netgate has six Intel 1GbE NICs, although their feature sets differ slightly.
Other features of the front panel are a USB serial console port, two USB 3.0 ports and status LEDs.
Technically, the Intel X553 on the Atom C3558 supports 10GbE and 2.5GbE speeds in a 2×10/2.5/1GbE + 2×2.5/1GbE configuration. It would have been really interesting if Netgate figured out how to make 2.5GbE a possibility on this platform but there are other parts such as PHYs that need to be accounted for. Still, we have had 1GbE firewall devices for a long time and in the next decade, we are going to see faster speeds required due to the rest of the infrastructure, including wireless, getting faster.
A feature you may have seen in the cover image is the heatsink top. The entire enclosure is made from metal. No cheap plastic here. The top of the unit has fins to increase surface area. That metal design acts as a heatsink to keep the unit passively cooled.
One can see the rear has a Kensington lock port, a DC input, and both power and reset buttons. There are also four covered cutouts for Wi-Fi antenna mounting.
On the physical unit, we wanted to make two more points. First, the DC input has a locking connector. This is important to ensure that accidental bumps do not disrupt power. That is common in edge deployments. The power brick is a Channel Well unit that screws into the back of the chassis. That is a great touch.
Other internal specs include 8GB of eMMC and 4GB of RAM. Those can be upgraded to house up to 16GB of RAM. We also are using an internal M.2 port with a 32GB SATA M.2 (2242) SSD. If you want to see inside the unit which is largely inaccessible due to thermal glue, Netgate’s documentation has good photos.
What is missing from the Netgate SG-5100 that is present on some of the company’s higher-end solutions is an out-of-band IPMI/Redfish management port. In the security world, BMCs are a risk. They also add cost and power consumption, so it makes sense to exclude one. Still, that means you are using a 115200 baud serial console for low-level management.
Netgate SG-5100 Software Options
Technically, you can put a lot of different types of software on the Netgate SG-5100, but realistically, there are two main applications. The first is pfSense which STH covers quite a bit. While pfSense has a traditional shell, the gem of the FreeBSD-based solution is the Web management interface. For a novice, setting up interfaces, firewall rules, and VPNs is all done through an easy-to-use GUI.
The other option, and the higher-performing one, is Netgate TNSR. This eschews FreeBSD; instead, it uses a DPDK-accelerated Linux stack. Netgate has taken a lot of the open-source improvements that go into a high-performance Linux networking stack and packaged them with a CLI that is more akin to traditional networking gear. For example, here is the “show interface” command in TNSR:
We are going to have a follow-up piece going into the performance of both on the SG-5100. As you may have seen, we have two Netgate SG-5100 units that we are going to use for this test. Still, we wanted to give some idea of what we are seeing, so next up we have the Netgate SG-5100 performance.
No SFP+ port on this device means you’ll have to factor in additional costs and space for a media converter when using fiber. Too bad for what’s otherwise a great little device.
$700 is not the cost of the device. The cost is $700 and whatever subscription you’re using at work for support.
It’s nice to see that y’all are doing pfSense gear again.
> If we are being transparent, one can build a Supermicro Atom C3000 based solution for $400-500
for example?
Do you have a reference or documentation to your test methodology? I would like to replicate the results.
Would like to see an alternative to my apu2c4. I am running Proxmox (pfSense as fw, router and OpenWrt as dumb AP, 802.11n and 802.11ac); it’s working OK, but startup takes 5 mins.
I want something (mini ITX or smaller) more powerful, AES-NI, IOMMU, NVMe + 2x M.2 for two Wi-Fi cards.
@alekun
eg https://www.wiredzone.com/shop/product/41113201-supermicro-sys-e200-9a-compact-embedded-intel-processor-iot-barebone-6982
Excellent write-up! I’ve been extremely curious about TNSR since hearing of its existence quite some time ago. Very little information exists on it so I eagerly await that portion of the review!
How about SG-5100 pairs for HA?
Did the SG-5100 review using TNSR ever get published?
This “Netgate” SG-5100 looks, to me, to be a rebranded / relabeled device designed and manufactured by “Lanner” (look ’em up).
I’ve got a (now several years old) “RouterMaxx 1106” embedded device acting as my firewall / router that was also manufactured by Lanner. It was originally sold with RouterOS (and runs OpenBSD and FreeBSD wonderfully!) that looks *very* similar to this SG-5100 — Atom CPU / SOC, SODIMM slots for RAM (upgradable!), 6 x Intel 1 GbE ports (via two separate MACs), serial console, metal heat-sink for a case, exact same style of power connector and reset button, roughly the same price, and so on…
Google “RouterMaxx 1106” and compare images of it to this device and you’ll see what I’m talking about. I wouldn’t be surprised if Netgate is getting many of their devices from Lanner — and they definitely aren’t the only ones.
I don’t think Lanner sells directly to consumers but you can probably find this exact same device with some other company’s name on it (instead of Netgate) and get it for a bit cheaper.
All that said, I can’t really complain about the device I’ve got. It’s been in constant use for probably ~6 years now (with the RAM upgraded, the CompactFlash card replaced with an SSD, and RouterOS replaced with — at the moment — OPNsense; Debian, FreeBSD, and OpenBSD all “just work” too!) and I’ve yet to experience any issues with it, FWIW.