Netgate SG-2100 pfSense Router and Firewall Review


Netgate SG-2100 Performance

We wanted to get some sense of performance for the Netgate SG-2100 solution. At $299 it is a fairly inexpensive router/firewall compared to many on the market with a similar feature set.

Test Bench Setup

Our testing bench is based on the Cisco T-Rex project, which in turn is built on the DPDK framework (which we are going to cover in future articles), and consists of:

Host: Dell Precision 7920
CPU: (2) x Gold 6134 CPUs, 16 cores/32 threads x 3.19 GHz
RAM: 128GB (8*16GB DDR4-2133P)
Host OS: VMware ESXi 6.7U3
Guest: Debian 10, 6 vCPUs, 32GB RAM
T-Rex version: v2.81
Network: Intel I350-AM4 in PCI Passthrough mode

We will update this system as we get to higher-performing machines, but this is overkill for this class of device. This is a new system and a different configuration, but you can read our Dell Precision T7920 Dual Intel Xeon Workstation Review for more on the platform itself.

Use Case Driven Benchmarks

While synthetic benchmarks are good for marketing and, when used properly, give a high-level overview of a device's potential, they do not make it easier to evaluate the performance of the device for a particular use case or to compare performance across devices, because the boundary conditions differ. Such boundary conditions can result in more than an order of magnitude difference in the final numbers.

T-Rex gives us the freedom to define any workflow we like, or even create one based on real traffic captured from a production system. In order to see how the Netgate SG-2100 will perform in a more realistic scenario, we will use the SFR profile. This profile includes a combination of traffic templates such as:

  • http_get / http_post / https
  • mail-related traffic flows
  • SIP
  • DNS
  • and others

Below we can find a graphical representation of the SFR profile:

Figure: Netgate SG-2100 SFR Profile Testing

The profile is normalized to 1GbE with a 10-millisecond delay between client and server. During test execution, a new client/server pair is generated for each flow. Across a range of bandwidths we capture several metrics, such as maximum and average latency, latency distribution, and packet drop rate. Below you can find a snapshot of test results showing the packet drop rate at a given throughput for the SFR profile.

SG-2100 Routing performance (firewall disabled)

The first test on our list is routing performance with the firewall disabled. We simply wanted to see how fast this solution can route traffic at full 1Gbps speeds.

Figure: Netgate SG-2100 routing drop rate

With our test setup, we see 0% packet drop up to ~450Mbps; after 500Mbps the drop rate starts to pick up but remains in an acceptable range throughout the test, up to 1Gbps.

SG-2100 NAT performance

For this test, all incoming connections on the WAN are blocked, and all connections from clients to servers are masqueraded using pfSense manual outbound NAT. We believe this is the baseline firewall configuration and will be the starting point for many home users.

Figure: Netgate SG-2100 NAT drop rate

With NAT turned on, we see packet drops of ~0.02% even at low bandwidth. The drop rate starts to pick up at ~500Mbps and reaches 1% at ~550Mbps. This is an acceptable result, but it shows how much loss can occur.
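The routing and NAT results above come from the same kind of analysis: for each offered load in the sweep, compare what the generator sent with what came back and report the drop rate, then read off the highest zero-loss load and the load at which loss crosses 1%. The following is an added example of that reduction step, not code from the review, from Netgate or from T-Rex; the TX/RX counters are constructed to resemble the shape of the published curves and are not the review's measurements.

```python
"""Drop-rate sweep analysis for a T-Rex style throughput test.
Added example: per-step TX/RX counters are constructed, not measured."""
from dataclasses import dataclass

@dataclass
class Step:
    mbps: int      # offered load for this step (Mbit/s)
    tx: int        # packets sent by the traffic generator
    rx: int        # packets received back on the far port

def drop_rate(step: Step) -> float:
    """Packet drop rate in percent for one step; 0.0 if nothing was sent."""
    if step.tx == 0:
        return 0.0
    lost = max(step.tx - step.rx, 0)  # clamp: RX counters can lag TX briefly
    return 100.0 * lost / step.tx

def sweep(steps):
    """Return [(mbps, drop_pct), ...] ordered by offered load."""
    return [(s.mbps, round(drop_rate(s), 3))
            for s in sorted(steps, key=lambda s: s.mbps)]

def max_zero_drop_mbps(steps):
    """Highest offered load that showed 0% drop, or None if every step lost packets."""
    zero = [m for m, d in sweep(steps) if d == 0.0]
    return max(zero) if zero else None

def first_mbps_at_or_above(steps, pct):
    """First offered load whose drop rate reaches pct, or None if never reached."""
    for m, d in sweep(steps):
        if d >= pct:
            return m
    return None

# Constructed routing-only sample: no loss to ~450 Mbps, then rising loss.
ROUTING = [Step(100, 1_000_000, 1_000_000), Step(250, 1_000_000, 1_000_000),
           Step(450, 1_000_000, 1_000_000), Step(500, 1_000_000, 999_200),
           Step(600, 1_000_000, 995_000), Step(1000, 1_000_000, 975_000)]
# Constructed NAT sample: small baseline loss at low load, 1% at 550 Mbps.
NAT = [Step(100, 1_000_000, 999_800), Step(450, 1_000_000, 999_700),
       Step(500, 1_000_000, 996_000), Step(550, 1_000_000, 990_000),
       Step(600, 1_000_000, 980_000)]

if __name__ == "__main__":
    for name, data in (("routing", ROUTING), ("nat", NAT)):
        print(name, sweep(data), "zero-drop up to:", max_zero_drop_mbps(data),
              "1% reached at:", first_mbps_at_or_above(data, 1.0))
```

The NAT sample never reports a zero-drop load, mirroring the ~0.02% baseline loss the review observed once NAT is enabled.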

Special note:

During our review, when we logged in to the GUI for the first time, we observed a rather high idle CPU load in the range of 30-45%. A quick check shows that it comes from servicing the ic_timer interrupt, which is firing at a rate of 500+ interrupts/second:

[2.4.5-RELEASE][admin@pfSense.sth]/root: vmstat -i
interrupt total rate 
gic0,p11:-ic_timer0 448323 508

After talking to Netgate, it turned out that this behavior is triggered by an open dashboard. Logging off the GUI, or even navigating to a different page with no active elements, brings idle CPU load down to ~2-3%. We got an explanation from the Netgate engineering team for this behavior, but we are still waiting for an official statement that we can release to the public. We will update this review if that comes in.

We ran a spot check to see whether an open GUI dashboard affects performance under moderate load (~600MBps / SFR profile).

Figure: Netgate SG-2100 GUI test

There are no measurable changes in packet forwarding performance. Some may wonder whether pfSense performance is being impacted by the GUI and this seems to indicate that it is not.

Netgate SG-2100 Power Consumption

We saw an average power consumption for the device around 6W during the test execution and 4.6W while idling. This was observed on 120V North American power.

A 5W device using $0.10/kWh power 24x7x365 costs around $4.40 to run annually. One of the big advantages of using this Arm platform is lower power consumption, and that lower power consumption translates to lower ongoing costs. We are using 5W and $0.10/kWh here so you can easily scale to either your local power rate or your current router's power consumption.

Final words

We think the Netgate SG-2100 can be a great device for home users looking to migrate from a basic/flat network to a more complex segmented setup with a WAN connection up to 500-550Mbps. It is definitely an interesting choice for users who are familiar with pfSense and for network enthusiasts who are looking to get their hands on more advanced network technology.

We would have liked to have seen easy service expansion slot access through external doors such as are found on the Lenovo ThinkCentre M720q type machines. That would make adding WiFi or LTE significantly easier at only a minor incremental cost and is why companies like Lenovo are doing it in their small edge devices.

Unlike entry-level firewalls such as the Ubiquiti ER-X, performance remains reasonable as advanced features are enabled or thousands of states are tracked for client/server connections. That makes sense given the price disparity. The mid-range SOHO firewall market is tight, with multiple offerings from all major players. At $299 for the base configuration, the SG-2100 is not the cheapest out there. With pfSense, one gets a lot of features not found on other devices, either directly or installable via packages, which can greatly increase the value of a solution like this.

For a company looking to deploy SG-2100s to remote workers, labs, or remote offices/retail locations, there is an option to purchase professional support for the SG-2100, which is not common in this segment of the market.

9 COMMENTS

  1. I’ve seen people discussing on some forums how they installed Wireguard with pfSense, so it should be possible. That was probably on x86 boxes though, so it may be different on ARM.

  2. This would have been a killer if at least one of the ports was switchable 24 or 48 volt PoE. As it is, you’ll still need to buy a switch or Power Injection devices for your Access Points and Cameras.

    I wouldn’t buy it until they release version 2.5 pfSense, and only then if the AES offload is mechanized. Stick with the SG-1100 otherwise.

  3. I probably would have purchased the SG-2100. The SG-1100 seemed like it wouldn’t allow for future growth in my home network, and the SG-3100 was too expensive.

    I used an x86 box to run pfSense instead. After several weeks of running that, it’s obvious that even the SG-1100 would have been more than adequate for my needs now and probably for at least several years in the future.

    I did want to try OPNSense, IPFire, and Untangle as well, so the x86 box let me do that. Some of the people at Netgate have done some, let’s say, unsavory things, and I was leaning away from pfSense for that reason. After doing my comparison though, I decided that pfSense was my best bet. (pfBlockerNG was one of the things that made up my mind.)

    Knowing what I know now, I’d just buy the SG-1100. However, I’d probably have purchased the SG-2100 if it had been available, since I had been wishing for something that was in between the 1100 and 3100.

  4. “(3) antenna holes covered by rubber caps” – does this imply this or a future iteration could include wireless routing?

  5. What is meant by “the M.2 slot is _technically_ not user-serviceable”? Is it not possible to open the case and add SSD memory if needed? I am thinking of collecting usage statistics, maybe attack attempts, if that’s possible. Have to add I am not yet familiar with pfSense. I am in the process of looking for a small firewall like this. What would be arguments to order it with the optional M.2 SSD?

  6. Thank you for being as non-committal as possible which begs the question – who are you getting funded by.

  7. I recently purchased the SG-2100 from Netgate for my home business and the device crashed halfway through the first month from their stable software update / upgrade off of the web GUI. It became unusable – I could not connect to the internet, ping out, or even access the webConfigurator. Their Netgate support helped me console into the device and all I could see were a bunch of errors reading “Fatal Error Unable to create lock file: Bad file descriptor (9)” and “cylinder checksum failed.” They sent me the latest pfSense Plus firmware and I had to reflash the device. They informed me there was a possibility future upgrades might cause crashes and that power failure on the device can cause file corruption – which seems like a serious flaw. I’m sending the device back and hoping to get my money back since I’m within their 30-day return policy. The policy itself is a bit dubious; 25% open box fee + keeping your shipping costs, and they want you to ship the items back at your own expense. Their zero-to-ping support is very limited and I’m not getting much help from them now that they realize I’m planning to ship the device back. Please watch out for this company – you are better off building your own appliance and installing pfSense yourself.

  8. Dear Sir,

    I am Joseph from Axiom International Qatar; this is regarding an enquiry.
    We would like to purchase the Netgate SG-2100 pfSense Router from your company.
    Kindly send your best pricing to “sales5@axiomqatar.com” or kindly share your email id.
