pfSense Plus (pfSense+) Software
We are not going to go into too much depth on pfSense+ here. Most STH readers know about pfSense and there is tons of documentation with millions of pfSense installs out there.
Most of the configuration is meant to be done via the GUI, but there is a CLI as well.
One of the powerful features of pfSense is the ability to install a myriad of packages. That includes things like pfBlockerNG but there is a lot of functionality here. One can even setup ACME Let’s Encrypt certificates with HAProxy and make a reverse proxy that terminates HTTPS with this setup using packages. That may not be an often-used functionality compared to some of the firewall/ IDS packages, but it shows its flexibility.
One of the big features of pfSense+ is the VPN connectivity. Perhaps the most popular over the years has been OpenVPN. OpenVPN is easy, but not necessarily the fastest, as we will discuss in the performance section. If you do use OpenVPN, we suggest getting the export tool package to make setting up clients even easier.
WireGuard is a newer and higher-performance VPN solution that has become popular. One can get that working with the Netgate 4100 and pfSense+.
One of the nice pfSense+ features is that if you run AWS, there is an easy configuration wizard to get a VPN connected to AWS VPCs so you can bridge on-prem and cloud environments.
For the Netgate 4100 and pfSense+ specifically, the IPsec VPN is a major functionality. IPsec VPNs are still widely used, but a challenge on an Intel Atom C3338R can be performance.
With pfSense+, the Netgate 4100 can take advantage of Intel QuickAssist Technolgy (Intel QAT) and accelerate IPsec using the built-in Intel Atom C3338R acceleration.
Next, let us get to our performance section for more on how this all works in practice.
this is 4g of non-upgradable ram, C3338R with 2c/2t and 2.2ghz turbo and only 16gb of emmc for $600. zero 10gb sfp+.
when netgate sells you a firewall, firewall you get. installing IDS, packet capture, netflow, monitoring server is out of the question.
//
> On the VPN side, we had OpenVPN running in the 210-225Gbps…
what a typo.
You can easily upgrade to pfSense Plus for free. I also got this unit from Amazon
Barebones with a Intel Core I7 1165G7 for $550.00. Excellent build quality and customer service.
I’ve talked to people who own the SG-4100 and they all say that it’s a very high-quality device. It’s probably better to compare the price to one of the big commercial firewall vendors, rather than to a somewhat sketchy device from Aliexpress with no support or real warranty.
As for the extra features you list, I’d argue that they don’t belong on your firewall anyway. 🙂
The SG-4100 (and Netgate’s other appliances) aren’t for everyone, but if you need a solid, supported commercial firewall appliance, they seem to be good values. YMMV
Stuart, if you are to argue those features don’t belong on the unit, whar do you propose for said features?
I had the older version based on Intel Atom. It stopped functionnig after 4 years of normal usage in a home. Seemed to be an issue with the atom processor used inside (Intel acknowledged the problem). It totally bricked itself.
Also, don’t know if the issue with the speed for a PPPoE WAN connecrion is fixed. The issue was that PPPoE was running over a single core, thus never being able to go over 500Mbps in a Gigabit WAN connection. It could have been pushed to 600Mbps by overclocking the unit (via the GUI).
I liked it but I felt let down when it bricked itself (just stopped functioning). Also, I went for an Edgerouter-12 and not for the 4100 or 6100 from pfSense as this one has more ports, I was able to reach Gigabit WAN connection, was able use linux packages on it (apt-get FTW) and it’s waaaaay chwaper.
Sorin N – We did a lot on the C2000 series AVR54 bug, and even got hit by it in one of our firewalls. See Intel Atom C2000 AVR54 bug
There was a C0 stepping to fix that on the Atom C2000 series that came out later, but that is also what delayed the Atom C3000 series launch.
It was a bug that hit every vendor in the industry.
Patrick – don’t get me wrong. I really loved the product. I know it’s not Netgate’s fault.
I still would like to use one but these newer models have less ports than the old RCC-VE 4860 and are very hard to find on a decent price anywhere in Europe. (I asked a friend from USA to bring it to me and I paid him back as he was coming to Europe.)