It's really old at this point. It would have to be very cheap or something that you are doing for the experience in my opinion.
But you probably can install to it. Checkpoint's other devices were not locked to prevent it on those I have seen. You may well need to swap out the boot media, I have no idea what that boots from but Nano no longer exists since this thread was started.
I thought I should update this thread on what I've finally settled after trying a few different routes.
First I tried to go the official way, which ended up being super expensive if you live in Spain. There are some more accessible options in Germany through Voleatech but still quite a bit with the power you get. Don't get me wrong, this would be the perfect option if this was mission critical equipment, but this is just for my home network.
Then I tried going the virtualisation route but I found some problems and/or limitations with KVM when trying to route gigabit speeds. I'm currently on 500/500 but pretty sure in a few years from now we will have 1000/1000 as my ISP has been almost duplicating speed between 2-3 years. Not so future-proof. Also was a bit of a pain in the ass if I had to do stuff on the server that my internet will be also off.
And finally I arrived at what I think will be the perfect solution, yes you guessed it: bare-metal installation. I had lying around a cheap PC I built last year for my crypto miner project: Asus prime z270-p + Intel G4400 + 4GB RAM (that was around 160€ new). I'm going to add a SF450 PSU, SSD next week but already got the Intel i350-t4. Power consumption currently is around 28w on idle and 35 when routing gigabit with ntop, suricata, pfBlockerNG and a few more. Should be a bit less when I receive the SSD, currently is on HDD.
Hope this could be helpful for someone else looking to build their own pfSense box. I will update with final numbers once I have it all in place. Maybe even some pics!
I appreciate you taking the time to reach out. I will have to check this out in the morning as I seem to have accidentally migrated the giant box of USB cables to my business' storage unit. However, in the event that the drive is bad, I wonder if Netgate has access to a replacement module that I can re-solder to the board. All-in-all, I'm quite impressed with the quality of the PCB that Netgate uses.
@Veldkornet said in PC Engines apu2 experiences:
Is anyone using the CoDel / FQ_CoDel Traffic Shaping on the APU2?
Working well? Any problems?
I have an APU2 box at work to provide a separate network for personal devices. It is set up with the FQ_CoDel limiter / floating rules method described towards the end of the Playing with FQ-CoDel Thread. It has been rock solid and seems to provide equal bandwidth sharing for the 30 - 50 devices connected each day and 16 - 20 GB of traffic that is passed on our 150/150 FiOS link.
Hi @Commander - I think you'll be quite happy with your choice. I have been running pfSense on this exact system for about two years now without any major issues -- this little box offers great performance. Let me know if you have any further questions regarding configuration or performance tweaking once you have got things set up. Hope this helps.
Hi @imthenachoman -
I'm sure you'll get a lot of different suggestions, but here's one possibility - I put something similar together recently (although it was not for pfSense):
CPU - Intel i3-8100:
Motherboard - ASUS Prime H310I-PLUS CSM:
NIC - Intel i340-T4
This includes a pretty speedy (high clock speed) quad core CPU and mini-ITX board combined with a fairly recent Intel quad port NIC. This should have no problem passing 1Gbit (though not over OpenVPN). Of course you don't have to use this particular case, it was just an example of what's out there for mini-ITX.
Hope this helps.
@stephenw10 Agreed. Plan is to install pfSense just to get a feel for the OS/experience. My networking knowledge is not great so if I can't figure it out then I want to know before I buy a new LAN card. I've seen some videos online with screenshots and those screenshots had many terms I don't know so I'm a little worried. Just created the USB installer so I'll see how it goes.
@ac0hen said in Zotac CI323 Installation - Controller Failures:
bsdlabel -B -r -w ada0s1 auto" command, it stops at 77% (every time). Then a "ahcich1" Timeout on slot 21 port 0" and "(ada0:ahcich1:0:0:0): CAM status: Command timeout
With that same error?
The port placement and LCD look like a Lanner box in which case I would expect the SDEC driver to work. That's connected via the parallel port.
However almost all of Checkpoint's other stuff is Portwell/Caswell. That's not the EZIO LCD though.
But yeah it will only run the now obsolete 2.3.5.
I have made a FreeBSD 12 package.
I don't consider it my work - I have just packed it in one archive. It is stable for me on 12.0 p3 more than
"sed -i -e 's/TAILQ_FOREACH/CK_STAILQ_FOREACH/g' if_re.c"
I have been using this system for a couple of years now with a symmetric 1Gbit fiber connection and it is definitely capable of passing gigabit speeds even with IDS/IPS enabled (in my case I run Snort). Here are a couple more suggestions:
Networking tweaks - put these four lines below in your loader.conf.local file (if you're using the SFP+ ports replace igb with ix):
I'd also recommend disabling flow control and energy efficient ethernet, unless you have a specific need/use for them.
Another good thread with tuning tips:
Finally, if you disable Suricata temporarily, do you get full speed with a client behind pfSense, or does it not make a difference?
Hope this helps.
@stephenw10 said in pfsense on rasppery PI:
You can do that with Radius accounting in pfSense but it's quite a complex setup. It also doesn't scale well to a large number of users if you have individual accounts in Freeradius. The GUI is not set up for that. Better to use a separate Radius server if you need that.
It would not run well on an SG-1000, if you go that route it should be installed on larger hardware.
So I managed to solve this with a BIOS update in the end. Part of the update process was clearing the CMOS so I had to change a bunch of settings back. The only setting I know was different that I chose to leave default this time was the ACPI HPET Table option. Previously it was enabled, now it's disabled. I don't really see how this would affect performance to the extent I was seeing, so I suspect it was something in the BIOS updates that solved the issue. Also MSI interrupts are definitely slower than MSI-X, they took me down to 50mbit.
For the next sod that goes googling this, the Motherboard was an ASRock N68-S3 UCC. Initial BIOS version was 1.4, updated to 1.6. I'm now running all defaults except that I've restricted my queues to 1 per NIC with the following in /boot/loader.conf.local
I'm doing this because I have a dual core CPU and 4 NICs, so I'm trying to reduce the amount of context switching. It may work fine as a default, but after the nightmare of getting it to this point I'm just going to leave it be.
@johnminaa said in 4g modem info:
I will also recommend Huawei E398 LTE USB Modem.
I never owned, used or recommended it. Personally I would recommend Huawei E3372H as a replacement. Fortunately some people already posted here some receipts on using it in the different modes.
@mats thanks for the reply and please forgive the long delay in responding.
Thanks for the advice regarding the electrical side. Have an APC UPS powering the cable modem. The coax feeding the cable modem is run thru a surge suppressor. The pfSense box is powered by a separate APC UPS. Anything else I should consider?
Ah, interesting. I have seen that with an incompatible SFP module but never with just the connection like that. But yes in that case simply removing the module and rebooting was not sufficient to clear the state in the NIC. It had to be completely powered down to see the correct module again.
Then any relatively cheap i3 like the 4130 will work. That will give you a faster CPU with hyperthreading and AES-NI.
I think someone fitted one earlier in this thread. (edit: several people in fact)
Ok, you will need to change its mode. For example:
It would be better to permanently switch it which might be possible from its interface in Windows or Mac.
Otherwise if you can switch it to device ID 1C05 it should be detected:
If you boot an image that does not use a serial console by default you won't see anything unless you have the VGA header hooked up.
The XTM5 does not have a UEFI BIOS. If you try to boot an image that requires UEFI it won't boot.
Are you trying to boot USB? Do you know the pfSense installed boots USB, you've made the required BIOS changes?
You might have more luck with a Broadcom NIC and patched FreeBSD driver:
I have no way of testing that myself....