Netgate 4100 Performance
The Netgate 4100 is powered by an Intel Atom C3338R. This is one of theĀ Intel Atom C3000 Refresh parts that arrived in 2020, three years after we saw theĀ Intel Atom C3338. There are three main differences with the refresh part: Increased clock speed, Intel QAT, and slightly higher (10.5W v. 8.5W) TDP. In terms of raw CPU performance, under Linux we tested the Atom C3338R versus the older C3338 and saw solid performance gains just due to the increased clock speeds:
Most of this is attributable to the increase in the base clock from 1.5GHz to 1.8GHz and the more mature process keeping clock speeds generally higher. It is still only a dual-core Denverton CPU, but that is good enough for many router/ firewall applications. Although we did not have one to test, the Netgate 6100 uses the Intel Atom C3558 that we tested previously. The Netgate 6100 should have roughly twice the CPU performance (mostly due to twice the cores) as the Netgate 4100. Compared to some of the low-cost AliExpress Celeron N5105 boxes, the C3338R is roughly 34-38% of the CPU performance, but it has QAT and much lower power consumption.
For straight networking, we tested the Netgate 4100’s ports using iperf3 and very basic NAT and firewall active. We saw solid performance, in the basic use case. If you just need a basic NAT box for a modern cable modem solution, this can work.
A quick note would be if you have many clients, want to run IDS, big firewall rules, VPN clients, and want to maintain 1Gbps, then you likely want a higher-end model as this will not saturate 1Gbps with many high-end features due to the Atom C3338R. Running only a fairly simple set of firewall rules and NAT this should be able to saturate a 1Gbps WAN connection. It is the combination of many of these services that will push this below 1Gbps speeds.
VPN Performance
On the VPN side, we had OpenVPN running in the 210-225Mbps range using a single connection and iperf3. OpenVPN is commonly used with pfSense and it is known for its ease, rather than its performance. We will transition to WireGuard as well for future reviews, but WireGuard should be closer to 800-900Mbps on this with a single connection and iperf3.
The big one is certainly IPSec VPN here. IPSec VPN, using pfSense Plus and the Intel QAT enabled Intel Atom C3338R can achieve iperf3 speeds in the 900M-1Mbps or basically 1GbE wire speeds. Adding many more VPNs, and real-world traffic will cut traffic by more than two-thirds.
QAT is a game changer, but it is also the case where if you want to saturate a 1Gbps (or faster) WAN connection via VPN, we would suggest getting a higher-end unit for more CPU performance.
Netgate 4100 pfSense Plus Power Consumption and Noise
In terms of power consumption on 120V power we saw 10.7-10.8W at idle. Adding a 1Gbps RJ45 link saw power jump to 11.3W.
Lighting up two additional 2.5GbE LAN ports saw power climb to 12.8W for about 0.7-0.8W per port. The maximum power consumption we saw never crested 20W but there may be optics or other workloads to get over that figure. Still, this is a low-power device and well below the 60W power supply rating, especially since we are measuring wall power.
Again we will note that the locking power supply is great and is a nice feature for an edge box like this.
In terms of noise, this system was fanless and we could not hear noise from it, so we are going to call this effectively a silent unit.
this is 4g of non-upgradable ram, C3338R with 2c/2t and 2.2ghz turbo and only 16gb of emmc for $600. zero 10gb sfp+.
when netgate sells you a firewall, firewall you get. installing IDS, packet capture, netflow, monitoring server is out of the question.
//
> On the VPN side, we had OpenVPN running in the 210-225Gbps…
what a typo.
You can easily upgrade to pfSense Plus for free. I also got this unit from Amazon
Barebones with a Intel Core I7 1165G7 for $550.00. Excellent build quality and customer service.
I’ve talked to people who own the SG-4100 and they all say that it’s a very high-quality device. It’s probably better to compare the price to one of the big commercial firewall vendors, rather than to a somewhat sketchy device from Aliexpress with no support or real warranty.
As for the extra features you list, I’d argue that they don’t belong on your firewall anyway. :-)
The SG-4100 (and Netgate’s other appliances) aren’t for everyone, but if you need a solid, supported commercial firewall appliance, they seem to be good values. YMMV
Stuart, if you are to argue those features don’t belong on the unit, whar do you propose for said features?
I had the older version based on Intel Atom. It stopped functionnig after 4 years of normal usage in a home. Seemed to be an issue with the atom processor used inside (Intel acknowledged the problem). It totally bricked itself.
Also, don’t know if the issue with the speed for a PPPoE WAN connecrion is fixed. The issue was that PPPoE was running over a single core, thus never being able to go over 500Mbps in a Gigabit WAN connection. It could have been pushed to 600Mbps by overclocking the unit (via the GUI).
I liked it but I felt let down when it bricked itself (just stopped functioning). Also, I went for an Edgerouter-12 and not for the 4100 or 6100 from pfSense as this one has more ports, I was able to reach Gigabit WAN connection, was able use linux packages on it (apt-get FTW) and it’s waaaaay chwaper.
Sorin N – We did a lot on the C2000 series AVR54 bug, and even got hit by it in one of our firewalls. See Intel Atom C2000 AVR54 bug
There was a C0 stepping to fix that on the Atom C2000 series that came out later, but that is also what delayed the Atom C3000 series launch.
It was a bug that hit every vendor in the industry.
Patrick – don’t get me wrong. I really loved the product. I know it’s not Netgate’s fault.
I still would like to use one but these newer models have less ports than the old RCC-VE 4860 and are very hard to find on a decent price anywhere in Europe. (I asked a friend from USA to bring it to me and I paid him back as he was coming to Europe.)