Great review, and it led me to purchase the 6100 Base model a few years ago. A few days ago, the firewall wouldn't boot, and I isolated it to the on-board eMMC having failed. From the video you can see there are M.2 slots to add an NVMe M.2 128 GB SSD, and I highly recommend that you do. Once you add one, it will be a pro model and easier to replace in case of a failure in the future. The Netgate website lists the NVMe model that needs to be purchased, but I couldn't find any instructions or videos on how to install the NVMe SSD or configure it for the 6100. I did find other videos or blogs on how to do it.
Dear Tom, keep up the great work. I've learned a lot from your videos. Although you have bias (since you are a human being after all), you are one of the more humble YouTubers and I love the way you break down and simplify the technical tidbits. Cheers.
It's amazing how many companies out there are still living in a world from 4-5 years ago where only medium-enterprise companies had gb or multi-gb pipes. FTTH is changing everything. Fibre is being installed here with speeds including 2gbps and 10gbps available and as competition increases these bigger speeds will start to migrate down the chain whether people need them or not. Looking to put in kit that won't constantly require changing out for a few years is proving difficult. Yes most people won't use these speeds properly now but as more people get access to them then things will change quickly.
The other 10G products were overkill and out of my price range. This seems like the perfect upgrade / replacement. My WAN is slow but I want faster inter-VLAN routing. To date I have been using a thin client with SFP+ and then using VLANs in my switch for WAN etc.
I purchased 2 Netgate 4100 for a client. I mentioned your name / company so hopefully they will give you "something". Thanks for the great videos and information...
I obtained a 6100 and while it may be a bit overkill for my home network setup currently, I can grow into it more as time passes. Especially with the SFP 10G WAN ports should I ever get fiber in my area. Right now, it's just [coax] cable internet. And of course the firewall blows just about any wifi-router that you might buy at Best Buy, WalMart, or what have you out of the water for performance, flexibility, and scalability. My setup is cable modem > 6100 > Netgear 2.5G managed switch > Unifi 6 lite AP. Handily outperforms the previous Asus routers I have had before. I also dig the VLAN setup, something that most store bought routers don't have.
One question about the SFP+: Netgate and you mentioned the two ports are for fibre and DAC only basically. I have a 10Gbps home internet connection and it uses HuaWei EchoLife HN8245q which only has RJ45. Now I would like to use 6100 for the setup. You mentioned there are ‘compatible’ modules that would work for 6100. Would you mind sharing the models if possible? Or are there other solutions?
Hi Tom. Thanks for the valuable video. Question re the storage. What's the purpose of the storage on this device? Cannot decide which model I should buy, basic or max. Thanks for your advice!
Been waiting for this review -- I appreciate the real-world numbers. I do wish there was a more modern processor on this, but I sure do appreciate the 2.5G performance at least! I also wish they had included ears -- the dimensions are *roughly* 1U, and silicom-usa has rack ears, so I'm wondering why that wasn't done (heat? time? product differentiation?). Now we just need unifi to actually ship a 6E 2.5Gbe AP.... :)
I'm trying to decide if this is a good starter that'll last a year or two before we (finally?!) get a post-2017 processor. The alternatives I've found are a little power hungry/noisy. Mostly I'm just going to be needing cross-vlan routing rather than vpn perf. I probably don't *need* sfp+ routing speeds, but as I already have sfp28 locally, it feels like something I should at least consider.
AWESOME VIDEOS! REALLY LOVE HOW DETAILED YOU ARE! 🤣 I'm needing 10g fiber and 2.5g fiber, is the combo port capable of performing on a 2.5g network or do they only work at 1g?
@@ImTheKaiser Thankful for this review and appreciate your offer but it appears this unit suffers from some of the same SFP port limitations the 7100 I have does. I finally decided yesterday after this review to just buy the riser card for the 7100 so I can use just about any PCIE NIC I want to get around those limitations and finally put it into use after it sitting around for a year because I didn’t do my research first. They wouldn’t take it back at 31 days after taking forever on correspondence with me.
@@fenilmanani Compatibility in general, lack of support for copper sfp, no 2.5gb sfp support and in some cases no 1gb sfp support. I would swear some of the documentation was added or changed after I got my unit. It is an original release I had sitting around longer than I had remembered, I’ve heard they replaced some boards for some with early issues and that is when they likely added and changed documentation to limit liability. It originally sat because it choked very fast on too many vlans, especially at reboot. Further testing at that point on decent dell xeon server with 32GB ddr4 had pfsense choking on vlans in general. It is the way the config loads and not hardware limitation. Was trying to deploy pfsense as gateway for PAN environments anywhere between 200-800 vlans each with own subnet and had to use MikroTik for that instead, better captive portal anyway and same reboot time with even 2000 vlans setup as the pfsense would take about 2 hours with 800 vlans to boot up if at all. For the home and typical office though pfsense all the way, even better than opnsense anyday. Just not suitable for edge cases even though most of these edge cases are becoming everyday use cases now. Hope they fix it sooner than later, worked closely with support and engineering at that time and it never felt like they knew the software well themselves which was weird, maybe the mono wall documentation is lacking…Pfsense does support enough vlans without choking for most use cases in general otherwise.
Thanks tom. If you're open to requests, I'd love to see a pfsense appliance that can handle single stream 10G. Basically what do you need to actually achieve that in a real world scenario. Preferably something with two PSU so there's a bit of redundancy in the mix as well.
Why would they silkscreen it that way? So frustrating. I AM glad they didn’t do that split chip crap here. I manage four of those of various sizes. They work fine, but are unnecessarily complex.
I'm sure this is in the Fine Manual, but what is the default configuration? I preferred the WAN, LAN, OPTn labeling. Those anemic (and quite old in this case) CPUs are the biggest reason I have been buying my own hardware. Current device is a Protecli 6-port with an i5. This is interesting as I am wanting to move up from 1 GbE, but I like having the additional horsepower.
@@LAWRENCESYSTEMS Thanks. I don't own a PfSense box so I can't test things. I'm learning the differences between load-balancing and bonding before deciding what will fit my field situation. Could you make a tutorial on how to bond 2 WANs together with a Netgate router?
Just a quick noob question. Why does it have so many lan ports? Wouldn't it be enough to just have one lan and one wan port... maybe two each for redundancy, but what's the point of the other ports? Is it just so you don't need vlans?
VLANs are nice but share bandwidth with native and adjacent VLANs on that same port. Individual ports are nice for creating exclusive networks without the shared bandwidth issues.
Imagine you use this router for a business office and you’re renting space to a couple other businesses. You can wire their switch to one of the various ports and create a dedicated and separate physical network. Like the OP said, VLANs are great but you’re also sharing a connection and at some point can saturate it especially with how much internet usage we do now. You can also configure these ports as switch ports. I have a customer who doesn’t even need a dedicated switch because the firewall has 8 ports on it.
Also, if you have a managed switch that only has 1 gbps ports, you can aggregate the 4 LAN ports in a LAGG and get a total bandwidth of 4 gbps with multiple streams, adding link redundancy in the process.
I also disapprove of the way that Netgate chose to name the ports on their appliances. A port is a port, an interface is an interface, these are completely different concepts. Their naming should not use the same vocabulary. Surely it is easier for beginners, but once you get to use more advanced features such as LAGG, VLAN, Bridge, then it just creates more confusion and can even lead to errors and longer outages. In my opinion, it would be fine to name the port with a simple number (ex: Port 1) or the system port name (ex: igb0). We can always add a label later on the appliance to identify the ports more conveniently.
Can you clarify for me if you are able to use these interfaces (the lan ones) as routed interfaces? As in to assign ip addresses on them/tag vlans etc?
@@neofitsolovan1459 Yes you can use the LAN1 to 4 ports as routed interfaces. You can use them with untagged traffic and assign an IP address directly on them, or you can add VLAN tags to them and also use the sub-ports as routed interfaces in pfSense. As said in the Netgate 6100 manual, the LAN ports will actually be shown in pfSense as igc0, igc1, igc2 and igc3. If you add a VLAN to a port, you will end up with a virtual port such as igc0.99 where 99 is the VLAN number. You can then add an interface in pfSense, which is routed by default, and bind it to that virtual port.
@@viaujoc Thanks for clarifying. I'm comfortable with networking terminology (Cisco Enterprise World) but they are not very good at explaining things. Do you happen to know if on pfsense plus you are allowed to install all the packages you can install on CE (e.g. openvpn, freeradius, etc.)? Thanks!
@@neofitsolovan1459 Yes, packages are the same in both Plus and CE editions. Netgate has not, as of today, made a value-added package repository for Plus customers. Most packages are open-source and maintained by separate communities, so it would be very hard to close them and make them commercial only.
@Lawrence Systems -- I really like your review of the Netgate 6100 pfsense firewall. Thank you. I was wondering if you knew, off the top of your head, about ECC memory supported on it. Can it support ECC memory? I think it can but I didn't see it in the specs but I know the CPU can do it, just unsure if the motherboard chipset support will. And if so, in the 8gb single slot, does it support the same memory speed? I believe from the specs it has two memory slots on the motherboard. And I believe it says higher capacity memory DIMMs may run memory at slightly slower speeds, it's a trade off sometimes in terms of hardware capability. I'm aware you can't mix ECC and non ECC memory, it's one or the other. This is a fantastic device as is! I do want to replace my current consumer router in the future because of lack of security and slower performance at higher internet speeds. The reason I bring up ECC capabilities, and maybe some of your customers specific needs may have too, is because of higher cosmic rays reaching the earth's ground surface. Scientific studies have increasingly shown that cosmic rays and other energetic particles are breaching the earth's magnetic field due to Sun changes (think solar minimum, superflares, etc.). Bit flips will be more common according to the research so resiliency in the future will be needed. I think the DDR5 memory spec with built in ECC and DFE will lead the way in the future, in addition to more capacity and speed than previous DDR4. In short, ECC and DFE is all about speed, capacity, and stability magic for DDR5 memory to run flawlessly. For those unfamiliar with DDR5's new DFE capability, I'll share with you this brief description of it from the website I've sourced. "At a very high level, decision feedback equalization (DFE) is a means to reduce inter-symbol interference by using feedback from the memory bus receiver to provide better equalization. And better equalization, in turn, allows for the cleaner signaling needed for DDR5’s memory bus to run at higher transfer rates without everything going off the rails." Source Anandtech.com
What’s the point of 10G WAN if the LAN is only 2.5G if I want to put a Ubiquiti 10G switch behind this? Have to port bond (LAG) all 4 LAN ports to the UniFi switch. Silly, should have 10G LAN ports.
Really they should label the ports like “p1-p8” or whatever. But really thinking about upgrading my virtual instance at home with this. I've been really wanting the 10G connectivity.
@@KhaledTheSaudiHawkII just for internal use. I segment out my networks with VRFs and that have to route through pfsense to get to different network segments
In your home, it is more unlikely that you will get enough simultaneous streams to fill up a 10 gbps link. IMHO you would probably be better with a DIY firewall that has an AMD or Intel CPU with higher clock rate that would be able get you at least 5 gbps per stream. By building it yourself, you will probably end up paying the same amount as the 6100 anyway. If you don't plan on subscribing to Netgate commercial support, building your own appliance will not be a big issue and you will probably get more bang for your buck.
@@0bsmith0 Just curious. I have a 100mbps fiber optic line and I think it is plenty. I stream 4K content and play games online. Family is also on the same network. I was wondering about other scenarios where you would need anything north of 500mbps, and wanted to see if I’m missing something.
Tom, your pfsense videos have been the most helpful for a novice like myself. I am having a problem finding a solution to whether or not I can have another router behind my diy pfsense box on its own lan interface be given access to a public ip. I have Xfinity residential service and cannot get additional public ips. I have installed a Deeper Connect Mini DPN device on pfsense box nic igb3. Is it possible for this to be done and if so, what is the easiest method? There are a lot of people looking to answer this that are either installing Helium miners and/or Deeper Network devices, so it might be a great topic to cover in a YouTube video. I keep seeing this question on Discord and lots of different answers. DMZ, NAT 1:1, virtual ip, port forwarding etc but not any solutions for pfsense users. Thanks for the great tutorials.
Great Firewall Device. One Issue I Have Is The Boot Load Corruption Of Files Once There Is Power Interruption. Which Is Better, UFS Or ZFS File System? The Device Comes With UFS As Default But Cannot Cope Well In An Environment Where Power Is Fluctuating.
Uhm.. this has the exact same processor as the SG 7100.. I have a whole fleet of those and I've never been able to push more than 3gbps through the chip with iperf or mix traffic no matter how many parallel streams or interfaces I throw at it... I've even tested the internal fabric throughput by turning iperf3 back on itself by hitting localhost with 10 to 30 streams and I can only ever get 7gbps to localhost.. I've just accepted that that Xeon in the SG7100 is just bad. This is depressing.. my laptop will do 70 gigabit when I run iperf against localhost. I'm not sure if this is just a major bug with pfSense 2.4.5 or not, but it still sucks. And you can't even upgrade to pfSense Plus when you're using FRR because there's so many system breaking bugs (that are documented and not fixed yet) in the FRR package when using any of the pfSense Plus builds. 😑
Please excuse my lack of knowledge - can it have something like an Intel M2 wireless card installed then set up for multiple SSIDs some of which have direct VPN connection? (Thus negating the need for VPN setup on the device once the wireless password is used) Thank you
The 4 year old cpu is a bit of a disappointment, but probably ok since Intel has not really released much in the last 4 years 😅. 4x 2.5GbE ports is pretty forward thinking and modern though. Great new box, finally something modern from netgate, most other boxes they sell are a bit dated, especially the horrendous SG-3100 which features a 32bit-only arm cpu from 2011 and is still currently sold by netgate.
Thanks Tom for the unbiased info! My opinion: A little disappointed with Netgate hardware. The SuperServer 5019D-4C-FN8TP has smoked SG-6100 out of the box. And cheaper. Thought they would have come up with something better; @ Price /Hardware /LTE Compatibility; as the SM SS
Well that’s a 60W tdp cpu compared to the 16W tdp cpu from the sg-6100, not really a fair comparison. Both are ancient though, the Atom from the sg-6100 was introduced 4 years ago, the skylake Xeon from the 5019d you mentioned was introduced 3 1/2 years ago. Both are utter crap by 2021 standards. Probably enough for routing though.
@@mrmotofy Yes and no. Apples 2 Apples yes. 10G Apples do not compare; but should. We could compare the "Older" Unifi XG Gateway; bad SW solution! This device could have been much better. As @Gerald H. mentioned. I choose my device because of LTE/10G hardware integration. No other optimal solution out there?
Great review Tom! And I am glad there is a pair of discrete SFP+ connectors on that device now so you could start building more efficient networks and not having to bottleneck to your servers/services at 1Gbps. This is a very neat device for Netgate. +1 Edit: Also, no switch port on this model which is another big plus. I never really understood why Netgate put that on some of their models. Edit2: To be able to do 10Gbps in a single stream, you need to have your packet inspection go into dedicated ASICs and not rely on a multi-purpose CPU - although some could do it, but you need 4GHz+ per core for that which will start defeating the low-power benefit of those solid state appliances.
Thanks Tom for the review. Forgetting about 10GB, thinking purely on 1GB, can it run Suricata + Traffic Shaping/QoS + pftop/NTOPng and still sustain gigabit?
Great review, thank you! Beautiful device. Also thanks for clearly stating in the beginning of the video that Netgate did not have any say in the content provided.
Question: you mentioned in one of your older pfsense build videos, that using an sfp+ 10gbe port would lock the speed at 10Gbps. Could that be resolved by using a transceiver that's capable/compatible with 1gbe, 2.5gbe, etc?
@@LAWRENCESYSTEMS Hi, I am new to networking. Can you please elaborate more on the logical port vs switch port? Can these ports be used similar to the ports on an ISP router?
@@DR19X Yeah, you can. It isn't best practice but you can bridge the interfaces you want and it will work. But you'll have much better performance using a switch.
Hey there! I was curious if the 6100 can do inline ips mode with suricata or snort? I know it can run in legacy mode, but I don't want to block I just want to filter and manually block. Thanks!
@@LAWRENCESYSTEMS would you be kind enough to give it a test? I have the sg-2100 currently and am unable to do inline. I do have an old computer with a dual intel nic which can do inline, but would like to buy a better solution. Thanks! 🙂
I'm considering upgrading my Atom C2758 based router so I can do 10GB routing, do you know if Netgate has a router that can do 10GB single-stream routing? Or can you say what level of processor can handle 10GB single-stream routing (say bulk file transfer between two systems on the LAN)? (Atom C3758, or C3958? Xeon D?)
So it seems this device is meant to serve 2.5Gbps to your clients with a 10Gbps uplink. Still an amazing leap forward but at this rate it seems like 10 Gbps home networking/broadband is going to arrive long after I'm dead. lol
This is a good but slightly misleading review. The speed limitation is not a limitation of firewalls in general. It's more of a limitation of freebsd. Linux firewalls are not as gimped by stream count. Also, your Suricata process is NOT running in inline mode and you ran it with only the base included rules without full suite of ET rules enabled like 99% of people would in order to properly protect their network. Nothing against Netgate hardware but with Suricata now supporting VLANs natively without disabling hardware VLAN offloads, this firewall doesn’t have enough RAM to keep up a serious multi-VLAN enterprise environment. While I wholeheartedly support the price as PfSense is very highly capable, one can do much better by purchasing a used server that will perform exponentially better for the same or less money. QAT is of limited use since most users who need that level of IPSec throughput will just go the TNSR home/enterprise edition route or use Wireguard to get similar throughput as QAT accelerated IPSec without the need for on-die QAT or QAT expansion cards.
You are right. When releasing the 6100, Netgate also made other subtle changes in their product line. 1. They removed the SG and XG prefixes from the model numbers. The SG-3100 is now the Netgate 3100, the XG-1541 is now the Netgate 1541 and so on... 2. The 7100 desktop appliance was retired, leaving room for the 6100 that has the same processor and 10gb ports. The rackmount version is still the 7100 1U.
Really annoying, again no rackmount kit or option. I don't know a single customer who would not utilize at least a small rack for his network. Not one. Cheapest Netgate option rackmount is 2k. So they absolutely refuse giving the SMB market a rack option.