When we did our Netgate SG-5100 Firewall and Network Appliance Review, we noted that along with pfSense, the unit supports Netgate TNSR as well. For those who do not know, Netgate is the company behind the popular pfSense firewall software. TNSR is effectively its next-gen software based on Linux. While one currently loses a lot of the ease-of-use features such as the WebGUI of pfSense, what TNSR offers is performance. Here is a quick rundown of the differences. The value proposition is that using modern Linux tools, the same hardware can perform much better with TNSR versus pfSense. There has always been a catch with TNSR adoption beyond just the lack of a GUI and scope. TNSR has been licensed on a per-Gbps model. Now, Netgate is turning to a per-node model and is offering a free edition to try. This is a huge deal.
Netgate TNSR Adds Home+Lab
Previously, Netgate had customer evaluations tied to a sales process. With the newest change, TNSR is moving to a free trial model it calls Home+Lab. We are going to talk about that in a moment since that is ultra interesting. The other change is that when we did our SG-5100 review, it was hard to show the pricing for TNSR. Now, Netgate is moving to Pro and Enterprise levels with support SLAs that are based on a per-instance model. Since Netgate is doing per-instance, a 1Gbps AWS or Azure instance is priced the same as a 10Gbps office or 100Gbps data center node. Effectively, Netgate is transitioning from charging on the data transmission rate capability to tieing support to the number of devices out there.
This is a big change and one that makes sense since it is tied to the number of instances that are being supported. Effectively while other vendors are charging an annual support subscription plus charging for hardware at large premiums for higher-end gear, Netgate is focusing on the support aspect. Using DPDK and FD.io vector packet processing instead of the kernel packet processing found in pfSense, TNSR scales much better. Here is an example as an update to our SG-5100 review pfSense v. TNSR:
Since we completed these tests, Netgate has increased the performance of TNSR, but the directional improvement is clear. When we went beyond simple L3 forwarding, we saw a huge performance uplift by moving from the FreeBSD kernel packet processing to the Linux DPDK VPP packet processing. That is what Netgate is effectively selling, a performance-oriented software product that can be managed using APIs and CLI tools for a scale-out infrastructure using commodity hardware.
Netgate SG 5100 Tnsr Show Interface
TNSR Home+Lab is not a replacement for pfSense at this point. Bluntly, pfSense has a friendlier WebGUI interface for managing a smaller number of installations. That solution also has tons of plugins that allow it to provide more features. In contrast, TNSR is built for speed. TNSR Home+Lab requires an ELA sign-off and “non-commercial use” application to get started. One of the biggest missing features is the lack of rolling software updates. Effectively, one gets a 6-month evaluation period. After that, the evaluation is effectively locked-out so you cannot make configuration changes or reboot. The Home+Lab option also does not get the software updates of a subscription to TNSR. Netgate truly is locking Home+Lab down to evaluation scenarios. This is a big step forward, but it is also a long way from replacing pfSense.
Final Words
This is absolutely a better model for Netgate in terms of being able to demonstrate to customers that their software is suitable. The company has shown with pfSense that open source software can sit on commodity hardware and reliably push packets. With TNSR, it needs to show that it can move packets at the speed of many of the higher-end solutions in the markets that use exotic silicon. Running TNSR on commodity hardware and being able to push huge IPSec traffic is awesome. At the higher-end of the hardware segment, larger premiums are extracted from customers, but with the new per-instance TNSR model the hardware costs what it costs and the software is a fixed price.
Ideally, we would love to see a Home+Lab option that was more like a pfSense “free” model without support. We understand why this is not possible since it would probably have an impact on support sales. As with iXsystems and TrueNAS Scale, we see a move to Linux for higher performance and scalability. Perhaps that is the way forward for these projects.
With the focus on L3 forwarding capability, it seems they are positioning TNSR for the enterprise router market (on with commodity hardware), and not edge firewalling like pfSense. For instance TNSR could do duty as a core router for a multi-site hub and spoke VPN overlayed on the Internet and/or metro Ethernet. Still my confidence in Netgate’s routing abilities has been dampened by poor experiences on pfSense whereby a link comes up, and all existing neighbor relationships are dropped and reestablished – it’s sheer madness! So having fast throughput is one thing, but being ready for the enterprise with sane software is another thing entirely.
Please, please don’t write articles with unexplained/unexpanded acronyms, other than those that are widely used (VPN etc.) ! I have read this and ended up none the wiser as to what ‘TNSR’ is. A sensible practice is to expand it once and then use the acronym. Now I have to head off to google to make sense of the article.
Simon – “TNSR” is the product name.