Netgate SG-2100 pfSense Router and Firewall Review

6
Netgate SG 2100 Cover
Netgate SG 2100 Cover

The new Netgate SG-2100 desktop-class network appliance is targeting to fill the gap between SG-1100 and SG-3100 devices. With the surge in remote working and the need to connect multiple sites with VPNs and secure networks, Netgate has a lower-cost device using an Arm-based processor, to provide something new. In our review, we are going to take a look at the new router and firewall appliance to see what it has to offer, and how it performs.

Netgate SG-2100 Overview

This solution is designed to be a low-power and quiet edge device. As a result, Netgate is using a desktop form factor. The device measures 107.95 x 172.72 x 43.18 mm ( 4.25 x 6.8 x1.7 inches). At the front of the device, one can find 3 RGB status LEDs which are largely overshadowed by the large Netgate logo.

SG 2100
Netgate SG 2100 front three quarter

Netgate SG-2100 has a reasonable design for a desktop unit with metal bottom and plastic top cover. Netgate’s original Arm-based mini-router, the Netgate SG-1000 came in an all-metal housing, but the product line has evolved.

All ports are located at the back of the device which has space for five (5) Gigabit Ethernet ports one combo GbE/SFP port by default is assigned to WAN and (4) switched GbE ports handled by Marvell 88E6141 Ethernet switch connected with 2.5G uplink to SoC. In addition, we can see a mini-USB console port, USB 2.0 host interface, micro SIM slot, (3) antenna holes covered by rubber caps, and power input.

SG 2100 rear
Netgate SG 2100 rear

Power is provided by included DC power adapter (12VDC, 2.0A) and unlike many other devices in the consumer market has a threaded barrel connector.

Inside, the SG-2100 is based on a Marvell ARMADA 88F3720 SoC. Looking at the block diagram, we see that SOC has a dual-core Cortex-A53 CPU and includes a variety of connectivity. For the SG-2100 it is interesting to note that it has USB 3.0, SATA 3.0, PCI-Express 2.0, and 2.5 GbE IP blocks.

Marvell Armada 3700
Marvell Armada 3700

For memory, the Marvell SoC in this device is coupled with 4GB DDR4-1600 memory and is not expandable.

At the bottom of the device, one can find 2 integrated keyholes for wall mounting, rubber feet, and 4 screws.

SG 2100 bottom
Netgate SG-2100 bottom

Inside the device, we have M.2 slot that can be used either for a M.2 2242 (42mm) SATA SSD or USB LTE module.  It worth mentioning that the M.2 slot is technically not user-serviceable and either option can only be selected when ordering a new device from Netgate. At this time, ordering from Netgate gives an option to add a 32GB SATA SSD, but not a WiFi or LTE module.

Netgate SG-2100 Management

Netgate SG-2100 is managed by pfSense a FreeBSD based open-source distribution tailored for use as a firewall and router, which STH covers quite a bit. At the time of this review, the latest version available was 2.4.5p1. Please read our review for details about the new features available in this release.

PfSense
PfSense Dashboard on Netgate SG-2100

On the x86 side, features such as AES-NI are well-supported by pfSense but basic crypto offload features are going beyond this simple setup. Intel is heavily pushing Intel QuickAssist Technology in its edge chips but that requires a lot of extra work to support so many software packages do not use it. Many of the Arm vendors have their own cryptographic offload engines. Here we can see the two Arm Cortex-A53 cores, but then we can see “Crypto: (Inactive)”. The Marvell SoC has a crypto offload feature, but the current pfSense release does not support it. This may change in the future which would, in turn, potentially change the performance numbers we are about to look at.

Next, we are going to look at the Netgate SG-2100 performance before getting to our final thoughts.

6 COMMENTS

  1. I’ve seen people discussing on some forums how they installed Wireguard with pfSense, so it should be possible. That was probably on x86 boxes though, so it may be different on ARM.

  2. This would have been a killer if at least one of the ports was switchable 24 or 48 volt PoE. As it is, you’ll still need to buy a switch or Power Injection devices for your Access Points and Cameras.

    I wouldn’t buy it until they release version 2.5 pfSense, and only then if the AES offload is mechanized. Stick with the SG-1100 otherwise.

  3. I probably would have purchased the SG-2100. The SG-1100 seemed like it wouldn’t allow for future growth in my home network, and the SG-3100 was too expensive.

    I used an x86 box to run pfSense instead. After several weeks of running that, it’s obvious that even the SG-1100 would have been more than adequate for my needs now and probably for at least several years in the future.

    I did want to try OPNSense, IPFire, and Untangle as well, so the x86 box let me do that. Some of the people at Netgate have done some, let’s say, unsavory things, and I was leaning away from pfSense for that reason. After doing my comparison though, I decided that pfSense was my best bet. (pfBlockerNG was one of the things that made up my mind.)

    Knowing what I know now, I’d just buy the SG-1100. However, I’d probably have purchased the SG-2100 if it had been available, since I had been wishing for something that was in between the 1100 and 3100.

  4. “(3) antenna holes covered by rubber caps” – does this imply this or a future iteration could include wireless routing?

  5. What is meant by “the M.2 slot is _technically_ not user-serviceable”? Is it not possible to open the case and add SSD memory if needed? I am thinking of collecting usage statistics, maybe attack attempts, if that’s possible. Have to add I am not yet familiar with pfSense. I am in the process of looking for a small firewall like this. What would be arguments to order it with the optional M.2 SSD?

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.