Netgate SG-5100 Firewall and Network Appliance Review

Netgate SG 5100 Cover
Netgate SG 5100 Cover

It has been quite a long time since STH has done a Netgate appliance review. The last time we looked at a SG series devices was the 2017 Netgate SG-1000. Now we have the Netgate SG-5100 which is in a completely different class than the SG-1000 in terms of features and performance. As you will see in the review, this is not a one-trick pony. It can run either pfSense or TNSR. TNSR is the company’s higher-performance Linux-based network operating system. Let us get into the review.

Netgate SG-5100 Hardware Overview

The Netgate SG-5100 is a fairly compact desktop unit. Rough measurements put it around 8.5×5.75×1.75 inches in size. The headline feature of the unit is a six 1GbE port array. The four IX ports come from the quad-core Intel Atom C3558 integrated MAC. The two IGB ports utilize two Intel i210-at NICs. Combined, Netgate has six Intel 1GbE NICs although there are slightly different feature sets.

Netgate SG 5100 Front
Netgate SG 5100 Front

Other features of the front panel are a USB serial console port, two USB 3.0 ports and status LEDs.

Technically, the Intel X553 on the Atom C3558 supports 10GbE and 2.5GbE speeds in a 2×10/2.5/1GbE + 2×2.5/1GbE configuration. It would have been really interesting if Netgate figured out how to make 2.5GbE a possibility on this platform but there are other parts such as PHYs that need to be accounted for. Still, we have had 1GbE firewall devices for a long time and in the next decade, we are going to see faster speeds required due to the rest of the infrastructure, including wireless, getting faster.

A feature you may have seen in the cover image is the heatsink top. The entire enclosure is made from metal. No cheap plastic here. The top of the unit has fins to increase surface area. That metal design acts as a heatsink to keep the unit passively cooled.

Netgate SG 5100 Front And Back
Netgate SG 5100 Front And Back

One can see the rear has a Kennsington lock port, a DC input, and both power and reset buttons. There are also four covered cutouts for Wi-Fi antenna mounting.

Netgate SG 5100 Underbelly
Netgate SG 5100 Underbelly

On the physical unit, we wanted to make two more points. First, the DC input has a locking connector. This is important to ensure that accidental bumps to not disrupt power. That is common in edge deployments. The power brick is a Channel Well unit that screws into the back of the chassis. That is a great touch.

Other internal specs include 8GB of eMMC and 4GB of RAM. Those can be upgraded to house up to 16GB of RAM. We also are using an internal M.2 port with a 32GB SATA M.2 (2242) SSD. If you want to see inside the unit which is largely inaccessible due to thermal glue, Netgate’s documentation has good photos.

What is missing from the Netgate SG-5100 that is present on some of the company’s higher-end solutions is an out of band IPMI/ Redfish management port. In the security world, BMCs are a risk. They also add cost and power consumption so it makes sense to exclude one. Still, that means you are using a 115200 rate serial console for low-level management.

Netgate SG-5100 Software Options

Technically, you can put a lot of different types of software on the Netgate SG-5100, but realistically, there are two main applications. The first is pfSense which STH covers quite a bit. While pfSense has a traditional shell, the gem of the FreeBSD-based solution is the Web management interface. For a novice, setting up interfaces, firewall rules, and VPNs is all done through an easy-to-use GUI.

Netgate SG 5100 Pfsense Firewall
Netgate SG 5100 Pfsense Firewall

The other option and the higher-performing one is Netgate TNSR. This eschews FreeBSD instead it uses a DPDK accelerated Linux stack. Netgate has taken a lot of the open-source improvements that go into a high-performance Linux networking stack and packaged them with a CLI that is more akin to traditional networking gear. For example, here is the “show interface” command in TNSR:

Netgate SG 5100 Tnsr Show Interface
Netgate SG 5100 Tnsr Show Interface

We are going to have a follow-up piece going into the performance of both on the SG-5100. As you may have seen, we have two Netgate SG-5100 units that we are going to use for this test. Still, we wanted to give some idea of what we are seeing, so next up we have the Netgate SG-5100 performance.


  1. No SFP+ port on this device means you’ll have to factor in additional costs and space for a media converter when using fiber. Too bad for what’s otherwise a great little device.

  2. $700 is not the cost of the device. The cost is $700 and whatever subscription you’re using at work for support.

    It’s nice to see that ya’ll are doing pfSense gear again.

  3. Would like to see alternative to my apu2c4, Iam running proxmox (pfsense as fw,router and openwrt as dumb ap,802.11n and 802.11ac), its working ok, but startup takes 5mins.

    I want something (mini itx or smaller) more powerfull, aesni, iommu, nvme + 2x m.2 for two wifi cards..

  4. Excellent write-up! I’ve been extremely curious about TNSR since hearing of it’s existence quite some time ago. Very little information exists on it so I eagerly await that portion of the review!

  5. This “Netgate” SG-5100 looks, to me, to be a rebranded / relabeled device designed and manufactured by “Lanner” (look ’em up).

    I’ve got a (now several years old) “RouterMaxx 1106” embedded device acting as my firewall / router that was also manufactured by Lanner. It was originally sold with RouterOS (and runs OpenBSD and FreeBSD wonderfully!) that looks *very* similar to this SG-5100 — Atom CPU / SOC, SODIMM slots for RAM (upgradable!), 6 x Intel 1 GbE ports (via two separate MACs), serial console, metal heat-sink for a case, exact same style of power connector and reset button, roughly the same price, and so on…

    Google “RouterMaxx 1106” and compare images of it to this device and you’ll see what I’m talking about. I wouldn’t be surprised if Netgate is getting many of their devices from Lanner — and they definitely aren’t the only ones.

    I don’t think Lanner sells directly to consumers but you can probably find this exact same device with some other company’s name on it (instead of Netgate) and get it for a bit cheaper.

    All that said, I can’t really complain about the device I’ve got. It’s been in constant use for probably ~6 years now (with the RAM upgraded, the CompactFlash card replaced with an SSD, and RouterOS replaced with — at the moment — OPNsense; Debian, FreeBSD, and OpenBSD all “just work” too!) and I’ve yet to experience any issues with it, FWIW.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.