Netgate SG-1000: The Little Firewall That Could!

Looking to find a semi-decent firewall solution that has amazing functionality and doesn’t cost an arm and a leg? Looking for a firewall that doesn’t require large amounts of power draw and a server you really don’t want running because it’s too old, loud, and clunky?

The SG-1000 is a match made in heaven.

To preface, this isn’t the first SG-1000 I’ve owned. This isn’t the first Netgate box I’ve owned. But let me tell you, with the advancements in ARM processor technology paired with the solid, trusted solution that pfSense offers – this is one hell of a box. You get a lot for your money, and it keeps chugging away like the little engine that could.

Under the hood:

Not much to see here, but let me start with the dissection. The model I purchased was the SG-1000 red variant from Amazon.com. After calling Netgate directly, this is the only variant of the SG-1000 they sell through Amazon, and it seems that although I’m getting this from Amazon (Fulfilled by Netgate), it comes faster than when I ordered directly from Netgate. Odd, right? Ok, right, the dissection.

Under the hood you’ll notice a modest little board with 2x Gigabit NICs. The little ARM processor has a cute heatsink on it, and there is a slot for a microSD card. The back case is held on by one Phillips-head screw, and the board is held down by an additional two screws. The bottom of the case has a service sticker, claiming a power draw of 5V, 2.5 amps. This little guy is quite efficient on power, and the country of origin is USA! Way to go Netgate!

The box is fairly simple, but I’ll touch on it. You get the SG-1000, a USB micro cable, charger, a quick start piece of laminated paper, 4x little rubber feet, and a plastic shell for shipping. Note: not included in this box are the Netgate or pfSense stickers – those come on their bigger models.

Here’s the tech specs from Netgate’s website.

CPU: TI ARM Cortex-A8 AM3352 CPU at 600 MHz, including crypto accelerator

4GB eMMC, 512MB DDR3

Two 1 Gigabit Ethernet ports

Two USB 2.0 host (Micro-AB OTG, Header)

Console UART over Micro-USB B

Micro-SD Slot

Expansion connector: GPIO, I2C, UART, Analog In

LED: Power, Debug

Board size: 74 x 43mm

Enclosure: Anodized aluminum 78 x 51 x 24 mm (3″ x 2″ x 1″)

Input Power: 5 VDC coaxial power input connector, or 5VDC power input header

Power Spec: 5 VDC @ 3A, 2.1mm center pin positive barrel connector

Operating Temperature: TBD

Certifications: CE, FCC, RoHS

On with the fun stuff! So how does this little guy, the SG-1000, do?

Last year: Absolutely terrible.

Flash forward 8 months: Absolutely wonderful. My first SG-1000 was in a home environment. This device got so incredibly hot I had to suspend it in the air. Doing so did help, but it seemed during times of peak CPU usage the device would stop routing, and basic functions like VPN tunnels would stop. Now, with the latest software updates it seems like these issues have been solved. The device still gets rather warm, but it’s not a deal breaker (what do you want for a device with passive cooling??)

I have a 2nd SG-1000 running in a business environment with about 10-25 employees on premise and 3 using an IPsec tunnel to get in. Performance is great, and after 365 days of consistent up-time, the device has been more than wonderful. My client loves the fact there is no noisy firewall appliance running (like a PC or a PowerEdge) and the power consumption is great. If there is one thing I would do out of the box, it is to get the latest & greatest version of pfSense / firmware on this device ASAP. Depending on what stock you get, you may be on an older build. Let me save you the trouble.

Problems / issues: Besides heat, only one other issue. My first SG-1000 noted in the home environment did an update to 4.x, and did not come back to life. Rather questioned by this, I ended up having to put the firmware on an SD card, and flash it back to the device, all while watching my PuTTY window. If I had not had the pfSense Gold subscription, I probably wouldn’t have had an easy time with this. So, my recommendation is to get a microSD card, and plop the firmware on it – just in case you ever lose access to it via the Gold subscription running out.

VPN & Performance:

Let me save you all the trouble: I had the chance to speak with the support center @ Netgate (who are incredible people, by the way – kudos), and I have confirmed that OpenVPN does not support full CPU utilization. This may have changed (correct me if wrong), but using IPsec was always wonderful and streamlined. Performance of IPsec was 5x to 10x better in some cases (like RDP connections), and my clients always liked that they didn’t need to install a 3rd party app to use the VPN, unlike with an OpenVPN tunnel. I have done everything from RDP connections to security camera monitoring over IPsec on top of this SG-1000, and it handles it wonderfully. I wouldn’t push past 5-10 clients, however. Pretty sure it’s an ISP limitation on my end, but I haven’t ruled out if it’s the SG-1000. The SG-2440, however, seems to run 15+ clients like a champ, with no issues to report.

Things that make my OCD go crazy.

The little rubber feet. There’s no good way to mount these. Where I have them now is the only way to mount them (in order to keep the device level). Placing them anywhere else won’t work out, and, with the force of the CAT6 cables / everything plugged in, the device likes to tip over. Not a huge deal breaker, but something to note.

So, off to my 3rd Netgate SG-1000. I’ll update the community here on getting a VPN tunnel up / running, as well as pushing this little guy to the max. I’ll have an update when I can.

Pros: Efficient, light, and powerful.

Cons: Heat, Shipping time: Honestly have had 2-3 times where my Netgate order didn’t ship for a week after purchase. Would get on Amazon.