Netgate 4200 pfsense Firewall Review
- Published: 6 Jun 2024
- lawrence.video/pfsense
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag/
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 www.techsupplydirect.com?aff=2
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
Chapters
00:00 Netgate 4200 review
02:01 Unboxing and specs
03:42 Production Setup and Testing
07:07 CPU and VPN insights
09:07 EMMC Memory
Just installed one this week, working great so far.
The look and feel of the Firewall gives me 3com switch vibes!
Finally some Netgate and pfsense content ❤
More coming soon!
@LAWRENCESYSTEMS Awesome! 🎉
Been using the 4200 for a few months now in a home office environment and I’ve been impressed with the performance, so far so good
Thanks for your always great videos!
I was JUST considering buying this and adding it as a second firewall to my protectli vault
Pretty cool device. Glad they support FreeBSD and got their license drama sorted out.
I’ve been out of the loop for about 6 months, what license drama?
I have a 4100 and am happy with its rock solid reliability. I am an unsophisticated user - still learning a lot about this stuff. No doubt I have things set up in a wildly insecure manner but it's just for tinkering and personal interest. I'm guessing it would not be worth my while to upgrade.
This came just at the right time for our MPLS decommissioning. I’ve done a proof of concept for getting remote CCTV connected back to the central NVR using a couple of 4200s and an IPSec tunnel. Will add more sites now. The big increase in IPSec performance with these is perfect for that project.
It will offload static data to swap.
Replacing a Nov 2020 SG-5100 whose MMC died; added an SSD, it ran for one year, and now the MMC is stopping the device from booting. Short of physically removing the MMC I'll just replace the unit. Though I am still worried about the 4200 MMC dying in a few years. Thanks for your videos, they are great!
PS. I saw others mention removing the MMC to get the unit to boot; I did that with an SMD hot air workstation I have, and surprisingly the unit now boots right up again. So I'll update it and consider it a spare for the 4200 that's on its way.
Hi Lawrence, great overview, could you maybe comment on real world power consumption of the device. Thanks!
Awesome video. Thanks for putting it together, and especially highlighting the advantages of the Atom over something like a J4125. As someone teaching myself (or trying to) OPNSense as a hobby at home, it's easy to get overwhelmed by internet discussions from power users trying to min-max their configurations that want to put Xeons in everything. It's nice to see that the hardware acceleration in Atom CPUs has real, noticeable benefits to things I actually care about doing. It makes figuring out if I want to invest in something like this easier.
I realize pfSense and OPNSense are not the same software, but the rule in the OPNSense guides seems to be not to use multiple downstream LAN ports on the firewall itself on a single LAN interface, as this requires some sort of bridging that can kill performance. Is that the case with OPNSense as well, or is this a case of it only "killing performance" in massive corporate deployments but being okay for a home or small business?
Also, I'm curious if this device is appropriate for use in a network with 10 GbE LAN segments. I'm assuming the 2.5 GbE LAN ports would be a bottleneck in the case of inter-VLAN routing, so the expectation would be that the VLANs would be configured to prevent that when 10Gbps throughput actually mattered. Is that correct, or am I missing something?
I have the devices and I have 10G LAN segments. I don't need 10G through my firewall so it's not an issue.
@LAWRENCESYSTEMS Thanks!
Nice overview of the unit. I installed 24.03RC on my spare XG230 Rev3 unit yesterday, although had to rebuild it due to the UEFI / BIOS issue which they're looking at now. Couple of Q's re the VPN aspect, PIA don't do port forwarding for torrents do they if I recall, unless it's offered via their static IP address service? Also QAT vs IPsec-MB Crypto?
That it has one of the regular bios providers was the first selling point to me. What is/was the issue you refer to?
Excellent device. We've already sold many of these in the UK. It's really fast and offers great value for money.
I'm not sure if I really like the new look of these. My 5100 is 1U tall, black and fits well into my rack right on top of my switch.
This video made me buy it. Too bad you don't have an affiliate link. Thanks!
I still am a little amazed at the fact that they finally get a new model atom, but found the one without QAT. The model has an ark page, but doesn't even show up on the list of "C" family of atom processors. Even the link to the Arizona Beach Processors on the Ark page for the processor goes to a dead link. sigh
pfSense Plus doesn't need QAT support anymore. IPSec-MB makes IPSec and OpenVPN faster even with it missing.
AES-NI is plenty and is in many lower power chips now.
Hi Tom, have you clustered 2 of the Netgate 4200s or run them in Active/Active mode?
You can run them in HA.
Hey, Tom. I'm curious about your snort config. Is it set up IDS or IPS? What rulesets do you use?
ruclips.net/video/2q_g9GgkvWA/видео.htmlsi=zdNWCavCxOsavbyn
I'm waiting for fiber in my area to do more.
Just remember to disable the pxe boot
Hi I love your videos. And I have a request can you do a video on how to setup dual wan fail over and how to make the box reroute where my no-ip address points to along with the firewall conf stuff?
I assume you need to copy the rules from wan1 to 2? Have not tried would love more info in it hopefully before I break something.
My box is overkill for what I use. i7 3770 and 16GB RAM along with two dual port Intel network cards.
I have a Fibre optic 250/250 line that I use as my primary. Then I have a cable 100/10 line that I want to have as a failover for my network. Both running on dynamic ips from the providers.
ruclips.net/video/acDvlzmsnaE/видео.htmlsi=zLg6ocZRh_xz6GDo
I see 24% on swap usage. If there is enough free RAM on the machine, why would it bother with swap? I am just a tad concerned as there might be more wear and tear on the solid state storage. Is this a FreeBSD thing?
I was looking for something to replace my DIY server-based pfSense router, and this may fit the bill.
I haven't watched the video through yet, I will later. But one thing I've found disappointing is the form factor that suddenly doesn't support rackmounting anymore. Sure you can put it on a shelf, but that just takes up more space (and it's ugly lol). Also no SFP(+) ports anymore. We're sticking with the 6100 and 2100 (I also don't like this one not being rackmountable but it's tiny so whatever) if we don't need a lot of performance.
Question about Snort/Suricata, do you run your own certificate authority?
Nope
All of this went way over my head lol, I just want to travel the high seas for movies while keeping my 2.5ghz speeds.
Quick question, what use case would require a lot of additional storage?
I never need it but my assumption is people who store logs or packet captures
Noticed QAT not enabled. What advantages would enabling provide?
Netgate implemented IPSec Multibuffer recently in pfSense Plus, which basically makes QAT much less important for IPSec and OpenVPN acceleration.
Completely sold on the multicolored blinky lights
All of us in tech love the multi color blinky lights.
Locking power connectors are nice, being one who's knocked out power cords a billion times. But something else will always happen to "break" things. lol
Is Netgate/pfSense also going to do a Linux reboot ala ixSystems and TrueNAS Core -> Scale?
They already have TNSR
Can Pfsense do what OPNSense does in protecting a home LAN with a Transparent Filtering Bridge? Dave's Garage channel on youtube details how to set up OPNSense on a miniPC and how to configure it as a transparent filtering bridge. He also sets up IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) via Suricata and deploys the ClamAV antivirus solution on a router. Could you make a video about this on Netgate's 4200 pfsense to showcase its features? Thanks in advance for your consideration. I really like your content, opinions, and straight talk about networking and IT administration.
Yes, but I don't think it's very useful here in 2024 for actually stopping threats.
Love your videos, can you do a video on traffic monitoring? For both LAN & WAN. How much data should be uploaded / downloaded depending on what you're using and doing on your network, and how to detect traffic that could be malicious. That would be super helpful!
I have videos on pfblocker, Snort, Suricata, & NTOPNG that cover those topics lawrence.video/pfsense
I see Tom is using ISC DHCP - I'd like to see a detailed video on this, covering 24.03 release, problems / gotchas, is it ready to use?
I am still using the original DHCP server.
@LAWRENCESYSTEMS sorry, it is the original; the new one is KEA, my bad. I'm wondering if 24.03 will fix any issues people have with KEA. I think 24.03 is imminent, so I look forward to you covering that.
@JonathanSwiftUK It's basically for testing and they haven't implemented a lot of the UI for it yet. I wouldn't bother with it until they switch it to the default.
Why snort if it is no longer being maintained for future versions?
Snort is not end of life.
@LAWRENCESYSTEMS Maintainer says they are not updating the Snort pfSense package past what it is. Says unless someone picks it up, 2.9 for pfSense will be it. No move to 3.
Interesting, thank you. Any log files should definitely go onto removable flash or remote servers.
Would love you to review the Unifi Cloud Gateway Ultra (UCG-Ultra) and Gateway Max (UXG-Max), I know they just got released and stock is sparse but they seem like an interesting alternative to the UDM-Pro and UXG-Pro!
Cool device, but I am wondering about the actual power consumption. Devices are stacking up in my home: nokia fiber router -> homebuild proxmox firewall/server -> 5 unifi switches and 2 wifi access points.
I find your lack of Ipv6 disturbing 😉
Yeah, I just disable it. 😜
Can you get gigabit over wg site to site?
Not sure, I have not tested.
550 is crazy when you can get an N100 with 4x 2.5 gig off AliExpress for about 150 bucks shipped.
That's cheap when you have a business and need a support contract.
What you don't get with a random AliExpress no-name appliance:
1. pfSense Plus perpetual licensing for the life of the appliance
2. A warranty
3. A company that you can actually call with technical support questions
A company isn't going to run their critical infrastructure on a no-name, no support appliance off a sketchy Chinese seller's page that will likely be shuttered in 3 weeks, then reopened with a new name after.
Also, Netgate develops pfSense Plus and Community Edition, so buying one of their appliances funds the development of the software and FreeBSD development at large.
Support contract is worth nothing if you are a home/private user. Netgear should make a home user alternative
@venti4268 they do, it's the 1100, or if you need more horsepower you can install pfSense on your own hardware.
This is not meant for the average homelab, but for a business. No business worth their salt will buy an Ali PC for their firewall
Really expected more discussion on price and value.
What would you like to know?
@LAWRENCESYSTEMS Just commentary on how it stacks up against other net appliances. Homelabs wouldn't justify the price in most cases, so what you get for the cost over an 1100 or OPNsense boxes.
I will probably make a dedicated video on that topic because of the value proposition, product quality, and supporting Netgate, which is one of the top upstream contributors to FreeBSD.
SNORT all day!
Will the max have an sfp port?
No, just a bigger drive
Time for everyone to get symmetrical 1 Gbps fiber internet speeds (at least) and none of this will be needed anymore.
This looks like a missed opportunity. If they had SFP+ or 10GBASE-T ports, I'd totally be down, but this 2.5G crap that's been going around is just disappointing.
Their internal dataxfer can’t keep up with 10Gb ports running vpn and/or anything but port filtering. At 7:00 he was only able to backup offsite at 50-60 Mbps. Painfully slow!
Guys, stick with OpnSense, continue to support open source and ditch mercenaries like Pfsense. Yeah, just my opinion.
An opinion that ignores that Netgate is one of the top contributors to FreeBSD and that OPNSense is slow on updates when it comes to security lawrence.video/opnsense
For commercial users Opnsense does not make any sense. Really. Just look at their store. For $549 you can't even get the cheapest DEC box. The cheapest one is the DEC675 for $615,16 with much, much worse performance; it's not even a comparison.
Don't even get me started only 1 year of business license included. After that you are back to opnsense community edition or subscription.
Compare that to netgate, which offers stable software support for their devices for many many years and includes basic email support for the life of the device. The value of opnsense box / license gets even worse.
I was a long time user of Opnsense in a VM in my homelab until I started thinking of installing Opnsense in my company.
There is just no value to Opnsense for commercial use, none.
@LAWRENCESYSTEMS You know what is funny? I used to recommend them. Now I can not even see them in my front; any client I get that needs a firewall, I tell them go OpnSense immediately.
For home lab probably "too good" - one can have a similar one from uncle China for kind of 30% of the cost of this one
That 30% is well worth it for the reliability factor and the built in pfSense Plus. I am using a 4100, switched from SG-1100. I don't mind paying a little more, since it is my main device, not just lab.
@hunordori you either did not read my post fully or simply did not understand it ;-)
@zyghom Yeah, I misunderstood it. You said you can get devices for 70% less from China.
N100 based firewalls are indeed really cheap nowadays. But if I need to choose between which uncles I will be spied upon by, I choose uncle Sam
first
The hardware breaks very easily, esp. Netgate 4100 & 6100, very unreliable ... For Netgate I will go for 1537 & above ... Below that I custom make with Intel 350 T4