Netgate 6100 pfsense Firewall Review

Great review and led me to purchase the 6100 Base model a few years ago. A few days ago, the firewall wouldn't boot and isolated to the on-board eMMC had failed. From the video you can see there are M.2 slots to add a NVMe M.2 128 GB SSD and highly recommend that you do. Once you add one, it will be a pro model and easier to replace in case of a failure in the future. The Netgate website list the NVMe model that needs to be purchased, but I couldn't find any instructions or videos on how to install the NVMe SSD or configured for the 6100. I did find other videos or blogs on how to do it.

Dear Tom, keep up the great work. I've learned a lot from your videos. Although you have bias (since you are a human being afterall), you are one of the more humble RUclipsr and I love the way you break down and simplify the technical tidbits. Cheers.

It's amazing how many companies out there are still living in a world from 4-5 years ago where only medium-enterprise companies had gb or multi-gb pipes. FTTH is changing everything. Fibre is being installed here with speeds including 2gbps and 10gbps available and as competition increases these bigger speeds will start to migrate down the chain whether people need them or not. Looking to put in kit that won't constantly require changing out for a few years is proving difficult. Yes most people won't use these speeds properly now but as more people get access to them then things will change quickly.

Excellent tutorial and review. Thanks for pointing out the stream's information, which was quite enlightening.

btw. love your direction and stucture in your vids! You are a Professional! Thanks and keep the content comming!

I HAVE NO NEGATIVE COMMENTS ABOUT THIS VIDEO - GREAT JOB!

I know it's silly, but that screw type barrel connector is what sold me on the Netgate 2100. Good stuff Tom!

Excellent video. I was wondering when I'd see you review this device. I have the device on pre-order myself and am eagerly awaiting it.

Thanks for the review Tom!

I would never complain about you... you are awesome!!!

Yes!!! Been waiting for this

Would be great if it was also rack mountable

Enjoyed your review! Excellent work

Thanks for the review, i've been looking at this recently.

Thanks for the tear-down mate.

At last i was Waiting for review

Really loving the Netgate 6100

Awesome timing! Looking to buy this one any day now.

HEY TOM - THANK YOU!!

That incredibly useful, I actually wanted a 10gb down to a switch, didn't realise the ports could be re assigned

Great review!

THANKS FOR REMINDING ME TO COMPLAIN

Hi Tom. Thanks for the valuable video. Question re the storage. What's the purpose of the storage on this device? Cannot decide which model I should buy, basic or max. Thanks for your advice!

The other 10G products were overkill and out my price range. This seems like the perfect upgrade / replacement.
My WAN is slow but I want faster inter-VLAN routing. To-date I have been using a thin client with SFP+ and then using VLANs in my switch for WAN etc.

Great review Tom

I purchased 2 Netgate 4100 for a client, I mentioned your name / company so hopefully they will give you "something" Thanks for the great videos and information...

Been waiting for this review -- I appreciate the real-world numbers. I do wish there was a more modern processor on this, but I sure do appreciate the 2.5G performance at least!
I also wish they had included ears -- the dimensions are *roughly* 1U, and silicom-usa has rack ears, so I'm wondering why that wasn't done (heat? time? product differentiation?).
Now we just need unifi to actually ship a 6E 2.5Gbe AP.... :)

Great review, thank you! Beautiful device. Also thanks for clearly stating in the beginning of the video that Netgate did not have any say in the content provided.

AWSOME VIDEOS! REALLY LOVE HOW DETAILED YOU ARE! 🤣
I'm needing 10g fiber and 2.5g fiber, is the combo port capable of performing on at 2.5g network or do they only work at 1g?

I obtained a 6100 and while it may be a bit overkill for my home network setup currently, I can grow into it more as time passes. Especially with the SFP 10G WAN ports should I ever get fiber in my area. Right now, it's just [coax] cable internet. And of course the firewall blows just about any wifi-router that you might buy at Best Buy, WalMart, or what have you out of the water for performance, flexibility, and scalability. My setup is cable modem > 6100 > Netgear 2.5G managed switch > Unifi 6 lite AP. Handlily outperforms the previous Asus routers I have had before. I also dig the VLAN setup, something that most store bought routers don't have.

I completely moved to DAC / fiber. I’ve had all kinds of strange issues with rj45 10g.

Tom, your pfsense videos have been the most helpful for a novice like myself. I am having a problem finding a solution to whether or not I can have another router behind my diy pfsense box on its own lan interface be given access to a public ip. I have Xfinity residential service and cannot get additional public ips. I have installed a Deeper Connect Mini DPN device on pfsense box nic igb3. Is it possible to for this to be done and if so, what is easiest method? There are a lot of people looking to answer this that are either installing Helium miners and/or Deeper Network devices, so it might be a great topic to cover in a RUclips video. I keep keep seeing this question on Discord and lots of different answers. DMZ, NAT 1:1, virtual ip, port forwarding etc but not any solutions for pfsense users. Thanks for the great tutorials.

One question about the SFP+: Netgate and you mentioned the two ports are for fibre and DAC only basically. I have a 10Gbps home internet connection and it uses HuaWei EchoLife HN8245q which only has RJ45.
Now I would like to use 6100 for the setup. You mentioned there are ‘compatible’ modules that would work for 6100. Would mind sharing the models if possible? Or there are other solutions?

I'm sure this is in the Fine Manual, but what is the default configuration?
I preferred the WAN, LAN, OPTn labeling.
That anemic (and quite old in this case) CPUs is the biggest reason I have been buying my own hardware. Current device is a Protecli 6-port with an i5.
This is interesting as I am wanting to move up from 1 GbE, but I like having the additional horsepower.

HORRAY! Caught a video!!! You put out great content by the way!

I agree the silkscreen of the ports should be port # and speed since they all can be reassigned anyway. Great looking product!!

What is the maximum throughput over PPPOE? For the sake of a few dollars I wonder why they didn't go for a newer chip.

So if you get the base model can you add the extra storage later? Either internally on board or use some external storage?

nice video tom helping us much

Is OPNsense compatible / possible with any of the Netgates? Excellent vid!

Would it be worth labelling them yourself with the internal names?

At the 00:06:55 mark you mention the copper SFP modules are not supported officially. Any chance you know of any that unofficially work?

Hi, great video. I was wondering if this device would be able to handle IPS/IDS snort all at the same time as I have read that online that it can't?

Are hardware firewalls another term for routers or is it just nearly all hardware firewalls are routers also

Tom, I have AT&T 1G fiber, is it possible that this can replace my AT&T router?

CAPS LOCK ON ✅
COMPLAINTS ❌
GOOD VIDEO 👍

You MUST increase the TCP Window Size if you want to send/ack more than 1Gb/sec!!

Great review Tom! And I am glad there is a pair of discrete SPF+ connectors on that device now so you could start building more efficient networks and not having to bottleneck to your servers/services at 1Gbps. This is very a very neat device for Netgate. +1
Edit: Also, no switch port on this model which is another big plus. I never really understood why Netgate put that on some of their models.
Edit2: To be able to do 10Gbps in a single stream, you need to have your packets inspection go into dedicated ASICs and not rely on a multi-purpose CPU - although some could do it, but you need 4GHz+ per core for that which will start defeating the low-power benefit of those solid state appliances.

Please excuse my lack of knowledge - can it have something like an Intel M2 wireless card installed then set up for multiple SSIDs some of which have direct VPN connection? (Thus negating the need for VPN setup on the device once the wireless password is used) Thank you

Do you have a video of setting up hardware ha? I would love to see that. Thanks in advance

thanks for another great tutorial!!! Can we bound WAN1 and WAN 2 together?

It would be nice if it had the ability to be rack mounted.

Are we going to get a 2021 diy pfsense build with 10g ports

hi Lawrence, does the netgate 6100 have ecc ram?

Why would they silkscreen it that way? So frustrating. I AM glad they didn’t do that split chip crap here. I manage four of those of various sizes. They work fine, but are unnecessarily complex.

Thanks tom. If you're open to requests, I'd love to see a pfsense appliance that can handle single stream 10G. Basically what do you need to actually achieve that in a real world scenario. Preferably something with two PSU so there's a bit of redundancy in the mix as well.

Question: you mentioned in one of your older pfsense build videos, that using an sfp+ 10gbe port would lock the speed at 10Gbps. Could that be resolved by using a transceiver that's capable/compatible with 1gbe, 2.5gbe, etc?

When my Protectli hardware fails - this looks like a viable replacement. More expensive, but a good value.

YOUR BIASED...I like it!

Thanks Tom for the review. Forgetting about 10GB, thinking purely on 1GB, can it run Suricata + Traffic Shaping/QoS + pftop/NTOPng and still sustain gigabit?

With the testing you did, was that just routing without any NAT or Firewall rules in place?

Solid, stable and reliable device I've been using mine for over a year now

Really they should label the ports like “p1-p8” or whatever. But really thinking about upgrading my virtual instance at home with this. I been really wanting the 10G connectivity

@ Lawrence. When do you think the Wireguard tutorial will be available?

I also disapprove the way that Netgate chose to name the ports on their appliances. A port is a port, an interface is an interface, these are completely different concepts. Their naming should not use the same vocabulary. Surely it is easier for beginners, but once you get to use more advanced features such as LAGG, VLAN, Bridge, then it just creates more confusion and can even lead to errors and longer outages. In my opinion, it would be fine to name the port with a simple number (ex: Port 1) or the system port name (ex: igb0). We can always add a label later on the appliance to identify the ports more conveniently.

@Lawrence Systems -- I really like your review of the Netgate 6100 pfsense firewall. Thank you. I was wondering if you knew, off the top of your head, about ECC memory supported on it. Can it support ECC memory? I think it can but I didn't see it in the specs but I know the CPU can do it, just unsure if the motherboard chipset support will. And if so, in the 8gb single slot, does it support the same memory speed? I believe from the specs it as two memory slots on the motherboard. And I believe it says higher capacity memory DIMMs may run memory at slightly slower speeds, it's a trade off sometimes in terms of hardware capability. I'm aware you can't mix ECC and non ECC memory, it's one or the other. This is a fantastic device as is! I do want to replace my current consumer router in the future because of lack of security and slower performance at higher internet speeds.
The reason I bring up ECC capabilities, and maybe some of your customers specific needs may have too, is because of higher cosmic rays reaching the earth's ground surface. Scientific studies have increasingly shown that cosmic rays and other energetic particles are breaching the earth's magnetic field due to Sun changes (think solar minimum, superflares, etc.). Bit flips will be more common according the research so resiliency in the future will be needed. I think the DDR5 memory spec with built in ECC and DFE will lead the way in the future, in addition to more capacity and speed than previous DDR4. In short, ECC and DFE is all about speed, capacity, and stability magic for DDR5 memory to run flawlessly.
For those unfamiliar with DDR5's new DFE capability, I'll share with you this brief description of it from the website I've sourced. "At a very high level, decision feedback equalization (DFE) is a means to reduce inter-symbol interference by using feedback from the memory bus receiver to provide better equalization. And better equalization, in turn, allows for the cleaner signaling needed for DDR5’s memory bus to run at higher transfer rates without everything going off the rails." Source Anandtech.com

Great Firewall Device.
One Issue I Have Is The Boot Load Corruption Of Files Once Their Is Power Interruption.
Which Is Better UFS OR ZFS File System?
The Device Comes With UFS As Default But Cannot Cope Well In An Environment Where Power Is Fluctuating

is memory and ssd upgradable on this

What’s the point of 10G WAN if the LAN is only 2.5G if I want to put a Ubiquiti 10G switch behind this? Have to port bond (LAG) all 4 LAN posts to the UniFi switch. Silly, should have 10G LAN ports.

just a quick noob question. why does it have so many lan ports? wouldnt it be enough to just have one lan and one wan port... maybe two each for redundancy but whats the point of the other ports?
is it just so you dont need vlans?

Cab you do tut how to connect ISP fiber internet directly to pfsense box

8 G of ram? Can you rund block list filtering? Snort? without running out of memory?

Uhm.. this has the exact same processor as the SG 7100.. I have a whole fleet of those and I've never been able to push more than 3gbps through the chip with iperf or mix traffic no matter how many parallel streams or interfaces I throw at it...
I've even tested the internal fabric throughput by turning iperf3 back on itself by hitting localhost with 10 to 30 streams and I can only ever get 7gbps to localhost.. I've just accepted that that Xeon in the SG7100 is just bad. This is depressing.. my laptop will do 70 gigabit when I run iperf against localhost. I'm not sure if this is just a major bug with pfSense 2.4.5 or not, but it still sucks. And you can't even upgrade to pfSense Plus when you're using FRR because there's so many system breaking bugs (that are documented and not fixed yet) in the FRR package when using any of the pfSense Plus builds. 😑

Can someone please clarify if you can assign IP addresses on the "discrete ports"? or tag/untag VLANs on them?

I would love one of these personally. Anything would be an upgrade from my use on a symmetrical gigabit line lol

Great Review Tom.
Is There NETGATE SG6100 Datasheet Available For Download?

I'm considering upgrading my Atom C2758 based router so I can do 10GB routing, do you know if Netgate has a router that can do 10GB single-stream routing? Or can you say what level of processor can handle 10GB single-stream routing (say bulk file transfer between two systems on the LAN)? (Atom C3758, or C3958? Xeon D?)

Someone make a rap video on his hand movements. Fully sick man!

The 4 year old cpu is a bit of a disappointment, but probably ok since Intel has not really released much in the last 4 years 😅. 4x 2.5GbE ports is pretty forward thinking and modern though. Great new box, finally something modern from netgate, most other boxes they sell are a bit dated, especially the horrendous SG-3100 which features a 32bit-only arm cpu from 2011 and is still currently sold by netgate.

so this box comes by default with pfsense+. Are you allowed to install packages such as freeradius, ovpn, ?

Please do a DIY hardware alternative to replicate? Im sure of us would love a semi-regular look at the alternative.

what was the MTU on the device ? with jumbo packets you should be able to get higher single stream speeds

Might be cool to label their ports XAN :-)

Does pfsense now have an option for vpn before login

We'll probably be able to get those in the UK in 12 months, odd how they've printed designated names on ports that can be reassigned.

Is it recommended to use a separate switch with the 6100 or is ok to use the 4 LAN ports on the 6100 if I do not need more than 4 ports.

Hey there! I was curious if the 6100 can do inline ips mode with suricata or snort? I know it can run in legacy mode, but I don't want to block I just want to filter and manually block. Thanks!

Still C3558? What are the speeds of those after you get all your mitigations done, anyone know?

Thanks Tom for the un-bias info! My opinion: A little disapointed with Netgate hardware. The SuperServer 5019D-4C-FN8TP has smoked SG-6100 out of the box. And cheaper. Thought they would have came up with something better; @ Price /Harware /LTE Compatability; as the SM SS

It's not clear what MTU the interfaces were set at. You're not going to get 10Gb without reconfiguring it.

@ 0:26 🤣

So it seems this device is meant to serve 2.5Gbps to your clients with a 10Gbps uplink. Still an amazing leap forward but at this rate it seems like 10 Gbps home networking/broadband is going to arrive long after I'm dead. lol

Can I install OPNSense on this thing?

INSERT HUGE COMPLAINT HERE

GOOD JOB lol

Holy price hike, Batman!

At this price People can Buy Fortigate 40F and 60F UTM Bundle .

This is a good but slightly misleading review. The speed limitation is not a limitation of firewalls in general. Its more of a limitation of freebsd. Linux firewalls are not as gimped by stream count.
Also, your Suricata process is NOT running in inline mode and you ran it with only the base included rules without full suite of ET rules enabled like 99% of people would in order to properly protect their network.
Nothing against Netgate hardware but with Suricata now supporting VLANs natively without disabling hardware VLAN offloads, this firewall doesn’t have enough RAM to keep up a serious multi-VLAN enterprise environment. While I wholeheartedly support the price as PfSense is very highly capable, one can do much better by purchasing a used server that will perform exponentially better for the same or less money.
QAT is of limited use since most users who need that level of IPSec throughput will just go the TNSR home/enterprise edition route or use Wireguard to get similar throughput as QAT accelerated IPSec without the need for on-die QAT or QAT expansion cards.

Not a great CPU. 2360 CPU Mark.
I’ll just keep using the J4105/J4125 which are 2928 and 3036 CPU Mark.

It’s a Netgate 6100, not SG-6100