Netgate SG-2100 pfSense Router and Firewall Review

Netgate SG 2100 Cover
Netgate SG 2100 Cover

The new Netgate SG-2100 desktop-class network appliance is targeting to fill the gap between SG-1100 and SG-3100 devices. With the surge in remote working and the need to connect multiple sites with VPNs and secure networks, Netgate has a lower-cost device using an Arm-based processor, to provide something new. In our review, we are going to take a look at the new router and firewall appliance to see what it has to offer, and how it performs.

Netgate SG-2100 Overview

This solution is designed to be a low-power and quiet edge device. As a result, Netgate is using a desktop form factor. The device measures 107.95 x 172.72 x 43.18 mm ( 4.25 x 6.8 x1.7 inches). At the front of the device, one can find 3 RGB status LEDs which are largely overshadowed by the large Netgate logo.

SG 2100
Netgate SG 2100 front three quarter

Netgate SG-2100 has a reasonable design for a desktop unit with metal bottom and plastic top cover. Netgate’s original Arm-based mini-router, the Netgate SG-1000 came in an all-metal housing, but the product line has evolved.

All ports are located at the back of the device which has space for five (5) Gigabit Ethernet ports one combo GbE/SFP port by default is assigned to WAN and (4) switched GbE ports handled by Marvell 88E6141 Ethernet switch connected with 2.5G uplink to SoC. In addition, we can see a mini-USB console port, USB 2.0 host interface, micro SIM slot, (3) antenna holes covered by rubber caps, and power input.

SG 2100 rear
Netgate SG 2100 rear

Power is provided by included DC power adapter (12VDC, 2.0A) and unlike many other devices in the consumer market has a threaded barrel connector.

Inside, the SG-2100 is based on a Marvell ARMADA 88F3720 SoC. Looking at the block diagram, we see that SOC has a dual-core Cortex-A53 CPU and includes a variety of connectivity. For the SG-2100 it is interesting to note that it has USB 3.0, SATA 3.0, PCI-Express 2.0, and 2.5 GbE IP blocks.

Marvell Armada 3700
Marvell Armada 3700

For memory, the Marvell SoC in this device is coupled with 4GB DDR4-1600 memory and is not expandable.

At the bottom of the device, one can find 2 integrated keyholes for wall mounting, rubber feet, and 4 screws.

SG 2100 bottom
Netgate SG-2100 bottom

Inside the device, we have M.2 slot that can be used either for a M.2 2242 (42mm) SATA SSD or USB LTE module.  It worth mentioning that the M.2 slot is technically not user-serviceable and either option can only be selected when ordering a new device from Netgate. At this time, ordering from Netgate gives an option to add a 32GB SATA SSD, but not a WiFi or LTE module.

Netgate SG-2100 Management

Netgate SG-2100 is managed by pfSense a FreeBSD based open-source distribution tailored for use as a firewall and router, which STH covers quite a bit. At the time of this review, the latest version available was 2.4.5p1. Please read our review for details about the new features available in this release.

PfSense Dashboard on Netgate SG-2100

On the x86 side, features such as AES-NI are well-supported by pfSense but basic crypto offload features are going beyond this simple setup. Intel is heavily pushing Intel QuickAssist Technology in its edge chips but that requires a lot of extra work to support so many software packages do not use it. Many of the Arm vendors have their own cryptographic offload engines. Here we can see the two Arm Cortex-A53 cores, but then we can see “Crypto: (Inactive)”. The Marvell SoC has a crypto offload feature, but the current pfSense release does not support it. This may change in the future which would, in turn, potentially change the performance numbers we are about to look at.

Next, we are going to look at the Netgate SG-2100 performance before getting to our final thoughts.


  1. I’ve seen people discussing on some forums how they installed Wireguard with pfSense, so it should be possible. That was probably on x86 boxes though, so it may be different on ARM.

  2. This would have been a killer if at least one of the ports was switchable 24 or 48 volt PoE. As it is, you’ll still need to buy a switch or Power Injection devices for your Access Points and Cameras.

    I wouldn’t buy it until they release version 2.5 pfSense, and only then if the AES offload is mechanized. Stick with the SG-1100 otherwise.

  3. I probably would have purchased the SG-2100. The SG-1100 seemed like it wouldn’t allow for future growth in my home network, and the SG-3100 was too expensive.

    I used an x86 box to run pfSense instead. After several weeks of running that, it’s obvious that even the SG-1100 would have been more than adequate for my needs now and probably for at least several years in the future.

    I did want to try OPNSense, IPFire, and Untangle as well, so the x86 box let me do that. Some of the people at Netgate have done some, let’s say, unsavory things, and I was leaning away from pfSense for that reason. After doing my comparison though, I decided that pfSense was my best bet. (pfBlockerNG was one of the things that made up my mind.)

    Knowing what I know now, I’d just buy the SG-1100. However, I’d probably have purchased the SG-2100 if it had been available, since I had been wishing for something that was in between the 1100 and 3100.

  4. “(3) antenna holes covered by rubber caps” – does this imply this or a future iteration could include wireless routing?

  5. What is meant by “the M.2 slot is _technically_ not user-serviceable”? Is it not possible to open the case and add SSD memory if needed? I am thinking of collecting usage statistics, maybe attack attempts, if that’s possible. Have to add I am not yet familiar with pfSense. I am in the process of looking for a small firewall like this. What would be arguments to order it with the optional M.2 SSD?

  6. Thank you for being as non-committal as possible which begs the question – who are you getting funded by.

  7. I recently purchased the sg-2100 from netgate for my home business and the device crashed halfway through the first month from their stable software update / upgrade off of the web gui. It became unusable – I could not connect to the internet, ping out, or even access the webconfigurator. Their netgate support helped me console into the device and all I could see were a bunch of errors reading “Fatal Error Unable to create lock file: Bad file descriptor (9)” and “cylinder checksum failed.” They sent me the latest pfsense plus firmware and I had to reflash the device. They informed me there was a possibility future upgrades might cause crashes and that power failure on the device can cause file corruption – which seems like a serious flaw. I’m sending the device back and hoping to get my money back since I’m within their 30 day return policy. The policy itself is a bit dubious; 25% open box fee + keeping your shipping costs, and they want you to ship the items back at your own expense. Their zero-to-ping support is very limited and not getting much help from them now that they realize I’m planning to ship the device back. Please watch out for this company – you are better off building your own appliance and installing pfsense yourself.

  8. Dear Sir

    I am joseph from Axiom international Qatar it is regarding an enquiry
    we would like to purchase Netgate SG-2100 pfSense Router from your company
    kindly send your best pricing to “” or kindly share your email id


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.