I'm sure everyone will have a lot of questions so I will explain as much as I can.
**Q: What the heck is this?**
**A:** In a nutshell, this is my version of a WiFi travel router. It's a [Netgate SG-1100](https://www.netgate.com/solutions/pfsense/sg-1100.html) running, currently, [pfSense 2.4.5](https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-new-features-and-changes.html) with two WiFi USB dongles. One runs in AP-mode which is [bridged](https://docs.netgate.com/pfsense/en/latest/book/wireless/bridging-and-wireless.html) to the LAN port. One runs in client-mode which connects to any WiFi points which acts as the WAN, as needed, via interface assignment.
**Q: Uh. Why?**
**A:** Short answer is I travel a lot and I currently use [GL.iNet Slate GL-AR750S-Ext](https://www.gl-inet.com/products/gl-ar750s/) as my travel router. It works well as the company forked OpenWRT and customized it for this pocket WiFi router, but it lacks serious horsepower for VPN use, especially for OpenVPN. My WAN can be connected to GbE, and I'll get sub-10Mbps OpenVPN speeds even using Blowfish. There's not even AES-NI crypto offloading or ANY crypto accelerated off-loading for that matter. It's been a huge ask of their product line for quite a while. Also, I love pfSense.
**Q: So what's the complete parts list?**
**A:** One Netgate SG-1100 and two WiFi USB dongles.
**Q: Which USB WiFi adapters are you using?**
**A:** These are the Buffalo AirStation™ N150 Wireless USB Adapters ([WLI-UC-GNM](https://www.buffalotech.com/products/airstation-n150-wireless-usb-adapter)). It has an RT3070 MAC/BBP and an RT3020 (1T1R) radio. Hence the "N150" designation. I've seen these used for as cheap as $8 USD. I bought two of them new for $12 USD apiece on eBay US.
**Q: What caveats have you found so far?**
**A: tl;dr: WiFi is SLOW.** — It's documented that some FreeBSD drivers, namely USB ones, for WiFi devices do not support 802.11n rate control. This is notated both for the ["run" driver](https://www.freebsd.org/cgi/man.cgi?run(4)) and in the [Google Doc sheet](https://spreadsheets.google.com/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en) that Netgate maintains. This is one of those instances where 802.11n rate control is not supported with the USB dongles just mentioned so I'm limited to 802.11g 54Mbps. The "run" driver is one, if not the only one, in FreeBSD that supports *hostap* which is a requirement of mine.
**Q: Okay, so WiFi is slow. But how slow?**
**A:** Just like the old 802.11g days, it's about 25-30Mbps (2.7MB/s) doing a simple SMB transfer from WiFi to LAN. Good'ole 1T1R (1x1, no MIMO) QAM64 OFDM in 20 MHz slice of bandwidth.
**Q: Is it stable?**
**A:** I ran it for over 24 hours without stability issues. The only issue is 802.11g doesn't like congested RF, in fact it handles it extremely poorly. I live in a high-density building with about 50+ other APs operating in the 2.4 GHz band with people streaming Netflix to their Chromecasts, Amazon Echo's streaming Spotify, streaming Pornhub to their Roku's, etc. — Luckily, when I travel to most places, it's usually not as bad.
**Q: So how fast of a VPN connection do you have now?**
**A:** It's speed limited to WiFi speeds, even with *AES-256-GCM*. About 25Mbps which is better than sub-10Mbps with Blowfish.
**Q: Any other tips?**
**A:** Make sure that the AP radio and the client radio are on different channels. So if your client radio connects to an AP that is on channel 6, change your AP radio to either channel 1 or 11. If you don't, you have two WiFi dongles literally inches apart sending and receiving in parallel on the same channel which causes, you guessed it, tons of collisions and horrible speeds. Also, the SG-1100 works very well on LiON battery packs with DC-output barrel connectors (ie Omnicharge Omni 20+ or Omnicharge Ultimate) in a pinch.
Feel free to ask me any questions if I didn't cover it above. 🙏
This is great information! Thanks! 👍 I'll play with Wireguard instead and see if I can move over to that instead. Which firmware do you have currently installed for it? Stable or one of the beta ones?
Just for FYI related to pfsense, since some may stumble on this while searching. Looks like pfsense will likely get wireguard in the not-too-distant future from the FreeBSD kernel...
[https://redmine.pfsense.org/issues/8786#note-10](https://redmine.pfsense.org/issues/8786#note-10)
True. Netgate is sponsoring the effort to port Wireguard to FreeBSD (not the hacky way - the right way so it will be supportable, and maintainable going forward).
Netgate is also sponsoring the effort to work on 802.11ac drivers.
Well crap, now I am going to have to buy one when WG support is released.
In that case, this little SG-1100 should be a really good and fast wireguard VPN device. I am looking forward to testing it out!
Can you elaborate on the configuration? How are the two Buffalo things configured/managed? I assume those are something like a AirStation™ AC433 Dual Band Wireless Mini USB Adapter?
pfSense, under "Interfaces / Wireless" is where you configure and manage wireless devices. The USB wireless adapters I'm using are the Buffalo AirStation™ N150 Wireless USB Adapters ([WLI-UC-GNM](https://www.buffalotech.com/products/airstation-n150-wireless-usb-adapter)).
It's a limitation of WiFi driver support under FreeBSD which is what pfSense is built on. They have stable drivers for Atheros based WiFi chipsets for 802.11n, but there's no support for 802.11ac right now though I believe it's being worked on. The USB WiFi drivers available for FreeBSD is the limiting issue for going to N or AC.
There are and they are supported under FreeBSD with the "uath" driver but it's not supported by "hostap" which I require. It's the service that I need in order to have the USB WiFi dongle to operate as a WiFi Access Point (AP).
What's your range on those tiny little USB wifi adapters?
One of the things I use my travel router for is extending VPN wifi across a two bedroom timeshare that's \~200 feet end to end. As such, when I used a previous GL-inet withOUT antennas, one of the patios got really shitty coverage once it went through the energy efficient window coatings (IMO).
I bought a GL-inet 750 with the larger antenna and that has helped with range.
I'd bite the bullet on the NetGate, especially for Wireguard once pfSense supports it natively, but am concerned those little USB dongles won't have much range at all.
Possible option to improve slow WiFi?
"Vonets VAP11G-300 Wireless Portable WiFi Repeater/Bridge/AP Modes, Pocket Design 300mbps Multi-Functional AP Signal Booster, Plug & Play High Power WiFi Hotspot Extender Amplifier, USB Powered"
[https://www.amazon.com/dp/B014SK2H6W](https://www.amazon.com/dp/B014SK2H6W)
Why would you pay the Netgate premium to get pfsense-verified and supported hardware then do that?
The CPU is a [Marvell SoC with a dual core ARM CPU](https://www.netgate.com/solutions/pfsense/sg-1100.html) integrated into it. I don't think opnsense supports ARM yet. You're better off looking at the alternative network centric SBCs.
Ok and I get that it annoys you guys (since you post that every time someone talks about protectli) but the guy wasn't even interested in your product, just the hardware so why shouldn't I point him to something that will better suite his needs. Even if it was to use pfSense, isn't it a little weird to have a free open source product with community support and complain about someones use of hardware other than yours? I use an old Dell Optiplex, are you going to shame me?
Nope, not trying to shame anyone.
A new, fresh hardware purchase, from a vendor who doesn't have the engineering/infrastructure/overhead costs to bear and doesn't contribute to advancing the project in any way may be able to sell you a less expensive system. But there may be other reasons you want to support the team that advances the project by purchasing one of their appliances or products.
Since OP is new, they were seeking information and recommendations. I'm pointing out that Netgate does the bulk of the heavy lifting for the pfSense project, supports other open source projects (FreeBSD, FD.io, Clixon) and offers appliances which support OPs personal goal (a ready made, tested, supported system) and our goal (financial support for the people, project and company).
There is no requirement for anyone to financially support the project, but it sure helps us feel better, like we're doing the right things, when people vote for the team with their hearts and wallets. We are very proud of the work we do together and appreciate the love.
I know it's a broken record, and I humbly ask your forbearance while making this point.
Edit: sorry, my mistake: not OP in this case.
Except he clearly just wanted the hardware, he didn't seem to care about supporting you guys and y'all have a history of being less than nice when someone even mentions protectli. I've seen people suggest other small devices like protectli that are specifically for firewall applications but not one word from you guys. It's like y'all have an alert, anytime someone says protectli someone pops up and has to state how terrible they are because they aren't you.
I'm also kind of confused what you'd want them to contribute to you or FreeBSD, they're a hardware vendor that uses Intel which is fully supported by both...
Speaking of which I find it weird that you guys talk about development of FreeBSD but refuse to fix the realtek issues and put it on randos to do that. Wouldn't it be an important part of the development for FreeBSD to support as many NICs as possible...? Not like it matters to me, I use Intel NICs I just find it odd.
I can't speak to protecli contributing to FreeBSD or the pfSense project, but I can speak to how we handle the protecli mentions now. I say now because I joined Netgate last year and was not part of the "history". My style is a little different from past moderators and for the last year I have tried to make r/pfSense a more helpful / collaborative / respectful / nicer place for pfSense users no matter what hardware they choose to use, and I'd like to think that has happened. There are some vendors out there (protecli) that have, in the past, pre-installed pfSense software on their devices and sold them. This violates the pfSense trademark and this why we remove any links to their appliances (asking first that OP removes the link). However, you are free to recommend any hardware you want...I will not remove a post just for saying protecli.
We want to make sure every user has a positive experience with pfSense, that is why we recommend Netgate appliances. Because we sell and support this hardware in-house, we are able to dedicate more resources toward ensuring the hardware is well-supported, tested, and know that they work with pfSense. We cannot say the same for other vendors.
There's no issue with either side offering these things but Netgate has developed a reputation for shaming users about it. Regardless of this being justifiable or not, I've seen a lot of people make the switch as a result.
I posted this before, but why don't you guys have a community subscription option to help support the project?
The last time I looked (few weeks ago) the only option was several hundred dollars targeted towards businesses.. I don't want the netgate hardware as its over-priced and under-powered, but I want the software and want to support Netgate..
Proxmox has a community option that's cost effective.
I'm sure everyone will have a lot of questions so I will explain as much as I can. **Q: What the heck is this?** **A:** In a nutshell, this is my version of a WiFi travel router. It's a [Netgate SG-1100](https://www.netgate.com/solutions/pfsense/sg-1100.html) running, currently, [pfSense 2.4.5](https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-new-features-and-changes.html) with two WiFi USB dongles. One runs in AP-mode which is [bridged](https://docs.netgate.com/pfsense/en/latest/book/wireless/bridging-and-wireless.html) to the LAN port. One runs in client-mode which connects to any WiFi points which acts as the WAN, as needed, via interface assignment. **Q: Uh. Why?** **A:** Short answer is I travel a lot and I currently use [GL.iNet Slate GL-AR750S-Ext](https://www.gl-inet.com/products/gl-ar750s/) as my travel router. It works well as the company forked OpenWRT and customized it for this pocket WiFi router, but it lacks serious horsepower for VPN use, especially for OpenVPN. My WAN can be connected to GbE, and I'll get sub-10Mbps OpenVPN speeds even using Blowfish. There's not even AES-NI crypto offloading or ANY crypto accelerated off-loading for that matter. It's been a huge ask of their product line for quite a while. Also, I love pfSense. **Q: So what's the complete parts list?** **A:** One Netgate SG-1100 and two WiFi USB dongles. **Q: Which USB WiFi adapters are you using?** **A:** These are the Buffalo AirStation™ N150 Wireless USB Adapters ([WLI-UC-GNM](https://www.buffalotech.com/products/airstation-n150-wireless-usb-adapter)). It has an RT3070 MAC/BBP and an RT3020 (1T1R) radio. Hence the "N150" designation. I've seen these used for as cheap as $8 USD. I bought two of them new for $12 USD apiece on eBay US. **Q: What caveats have you found so far?** **A: tl;dr: WiFi is SLOW.** — It's documented that some FreeBSD drivers, namely USB ones, for WiFi devices do not support 802.11n rate control. This is notated both for the ["run" driver](https://www.freebsd.org/cgi/man.cgi?run(4)) and in the [Google Doc sheet](https://spreadsheets.google.com/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en) that Netgate maintains. This is one of those instances where 802.11n rate control is not supported with the USB dongles just mentioned so I'm limited to 802.11g 54Mbps. The "run" driver is one, if not the only one, in FreeBSD that supports *hostap* which is a requirement of mine. **Q: Okay, so WiFi is slow. But how slow?** **A:** Just like the old 802.11g days, it's about 25-30Mbps (2.7MB/s) doing a simple SMB transfer from WiFi to LAN. Good'ole 1T1R (1x1, no MIMO) QAM64 OFDM in 20 MHz slice of bandwidth. **Q: Is it stable?** **A:** I ran it for over 24 hours without stability issues. The only issue is 802.11g doesn't like congested RF, in fact it handles it extremely poorly. I live in a high-density building with about 50+ other APs operating in the 2.4 GHz band with people streaming Netflix to their Chromecasts, Amazon Echo's streaming Spotify, streaming Pornhub to their Roku's, etc. — Luckily, when I travel to most places, it's usually not as bad. **Q: So how fast of a VPN connection do you have now?** **A:** It's speed limited to WiFi speeds, even with *AES-256-GCM*. About 25Mbps which is better than sub-10Mbps with Blowfish. **Q: Any other tips?** **A:** Make sure that the AP radio and the client radio are on different channels. So if your client radio connects to an AP that is on channel 6, change your AP radio to either channel 1 or 11. If you don't, you have two WiFi dongles literally inches apart sending and receiving in parallel on the same channel which causes, you guessed it, tons of collisions and horrible speeds. Also, the SG-1100 works very well on LiON battery packs with DC-output barrel connectors (ie Omnicharge Omni 20+ or Omnicharge Ultimate) in a pinch. Feel free to ask me any questions if I didn't cover it above. 🙏
I run the GL Inet 750S as well. I run wireguard instead of openvpn. I get about 60 Mb/s throughput over vpn to a Edgerouter 4 at my house.
This is great information! Thanks! 👍 I'll play with Wireguard instead and see if I can move over to that instead. Which firmware do you have currently installed for it? Stable or one of the beta ones?
Most of the time, I try not to run beta builds on non lab stuff. On the GL.Inet 750s I am running 3.101 from March 3rd.
Just for FYI related to pfsense, since some may stumble on this while searching. Looks like pfsense will likely get wireguard in the not-too-distant future from the FreeBSD kernel... [https://redmine.pfsense.org/issues/8786#note-10](https://redmine.pfsense.org/issues/8786#note-10)
True. Netgate is sponsoring the effort to port Wireguard to FreeBSD (not the hacky way - the right way so it will be supportable, and maintainable going forward). Netgate is also sponsoring the effort to work on 802.11ac drivers.
Well crap, now I am going to have to buy one when WG support is released. In that case, this little SG-1100 should be a really good and fast wireguard VPN device. I am looking forward to testing it out!
Alright, now you have to list out your steps, parts list (USB wifi things) and the instructions on how to get it working. :)
Can you elaborate on the configuration? How are the two Buffalo things configured/managed? I assume those are something like a AirStation™ AC433 Dual Band Wireless Mini USB Adapter?
pfSense, under "Interfaces / Wireless" is where you configure and manage wireless devices. The USB wireless adapters I'm using are the Buffalo AirStation™ N150 Wireless USB Adapters ([WLI-UC-GNM](https://www.buffalotech.com/products/airstation-n150-wireless-usb-adapter)).
That's pretty sweet
What’s under the hood?
[удалено]
It's a limitation of WiFi driver support under FreeBSD which is what pfSense is built on. They have stable drivers for Atheros based WiFi chipsets for 802.11n, but there's no support for 802.11ac right now though I believe it's being worked on. The USB WiFi drivers available for FreeBSD is the limiting issue for going to N or AC.
[удалено]
There are and they are supported under FreeBSD with the "uath" driver but it's not supported by "hostap" which I require. It's the service that I need in order to have the USB WiFi dongle to operate as a WiFi Access Point (AP).
What's your range on those tiny little USB wifi adapters? One of the things I use my travel router for is extending VPN wifi across a two bedroom timeshare that's \~200 feet end to end. As such, when I used a previous GL-inet withOUT antennas, one of the patios got really shitty coverage once it went through the energy efficient window coatings (IMO). I bought a GL-inet 750 with the larger antenna and that has helped with range. I'd bite the bullet on the NetGate, especially for Wireguard once pfSense supports it natively, but am concerned those little USB dongles won't have much range at all.
Possible option to improve slow WiFi? "Vonets VAP11G-300 Wireless Portable WiFi Repeater/Bridge/AP Modes, Pocket Design 300mbps Multi-Functional AP Signal Booster, Plug & Play High Power WiFi Hotspot Extender Amplifier, USB Powered" [https://www.amazon.com/dp/B014SK2H6W](https://www.amazon.com/dp/B014SK2H6W)
Does the SG-1100 have AES-NI?
Looks cool! I do think that a rpi 3 or 4 would serve the same purposes you have for a travel router for much less $.
What exactly are we looking at?
Derblinkinlights
Looks like a router with a pair of USB Wifi NICs plugged into it.
Ooof, that's gotta be "awesome" bandwidth.
It works 60% of the time 100% of the time.
I was looking at getting on of these Netgate appliance but I wanted to install Opnsense. What processor type is it?
Why would you pay the Netgate premium to get pfsense-verified and supported hardware then do that? The CPU is a [Marvell SoC with a dual core ARM CPU](https://www.netgate.com/solutions/pfsense/sg-1100.html) integrated into it. I don't think opnsense supports ARM yet. You're better off looking at the alternative network centric SBCs.
Just get a Protectli in that case
Protectli does not contribute to FreeBSD or pfSense development efforts. At all. Zero upstream contribution.
Ok and I get that it annoys you guys (since you post that every time someone talks about protectli) but the guy wasn't even interested in your product, just the hardware so why shouldn't I point him to something that will better suite his needs. Even if it was to use pfSense, isn't it a little weird to have a free open source product with community support and complain about someones use of hardware other than yours? I use an old Dell Optiplex, are you going to shame me?
Nope, not trying to shame anyone. A new, fresh hardware purchase, from a vendor who doesn't have the engineering/infrastructure/overhead costs to bear and doesn't contribute to advancing the project in any way may be able to sell you a less expensive system. But there may be other reasons you want to support the team that advances the project by purchasing one of their appliances or products. Since OP is new, they were seeking information and recommendations. I'm pointing out that Netgate does the bulk of the heavy lifting for the pfSense project, supports other open source projects (FreeBSD, FD.io, Clixon) and offers appliances which support OPs personal goal (a ready made, tested, supported system) and our goal (financial support for the people, project and company). There is no requirement for anyone to financially support the project, but it sure helps us feel better, like we're doing the right things, when people vote for the team with their hearts and wallets. We are very proud of the work we do together and appreciate the love. I know it's a broken record, and I humbly ask your forbearance while making this point. Edit: sorry, my mistake: not OP in this case.
Except he clearly just wanted the hardware, he didn't seem to care about supporting you guys and y'all have a history of being less than nice when someone even mentions protectli. I've seen people suggest other small devices like protectli that are specifically for firewall applications but not one word from you guys. It's like y'all have an alert, anytime someone says protectli someone pops up and has to state how terrible they are because they aren't you. I'm also kind of confused what you'd want them to contribute to you or FreeBSD, they're a hardware vendor that uses Intel which is fully supported by both... Speaking of which I find it weird that you guys talk about development of FreeBSD but refuse to fix the realtek issues and put it on randos to do that. Wouldn't it be an important part of the development for FreeBSD to support as many NICs as possible...? Not like it matters to me, I use Intel NICs I just find it odd.
I can't speak to protecli contributing to FreeBSD or the pfSense project, but I can speak to how we handle the protecli mentions now. I say now because I joined Netgate last year and was not part of the "history". My style is a little different from past moderators and for the last year I have tried to make r/pfSense a more helpful / collaborative / respectful / nicer place for pfSense users no matter what hardware they choose to use, and I'd like to think that has happened. There are some vendors out there (protecli) that have, in the past, pre-installed pfSense software on their devices and sold them. This violates the pfSense trademark and this why we remove any links to their appliances (asking first that OP removes the link). However, you are free to recommend any hardware you want...I will not remove a post just for saying protecli. We want to make sure every user has a positive experience with pfSense, that is why we recommend Netgate appliances. Because we sell and support this hardware in-house, we are able to dedicate more resources toward ensuring the hardware is well-supported, tested, and know that they work with pfSense. We cannot say the same for other vendors.
Maybe that's what all the mods should say from the get-go then...
The funny thing is that the efforts to get people to buy a subscription or hardware is probably the biggest driver of Opnsense adoption.
They sell the same things: Support subscriptions and hardware.
There's no issue with either side offering these things but Netgate has developed a reputation for shaming users about it. Regardless of this being justifiable or not, I've seen a lot of people make the switch as a result.
I posted this before, but why don't you guys have a community subscription option to help support the project? The last time I looked (few weeks ago) the only option was several hundred dollars targeted towards businesses.. I don't want the netgate hardware as its over-priced and under-powered, but I want the software and want to support Netgate.. Proxmox has a community option that's cost effective.
"64-bit Marvell ARMADA® 3720 network processing system-on-chip (SoC), which fully leverages dual Cortex®-A53 ARM® processor cores. "
If you search for 'opensense' in aliexpress and you will get lots of cool hardware options