• Another Noobie pfSense "What Hardware do I need for 1 GIG FTTH" Thread

    24
    0 Votes
    24 Posts
    10k Views
    U
    @pfBasic: If buying a powerful router for cheap is the goal then you won't beat eBay (read: used systems from any source). eBay is full of used end-of-lease workstations without HDD's containing i3-i5's that have AES-NI for <$100. Buy one of those and install to either a pair of thumb drives or a cheap SSD. Add an eBay i340-tX and you can have a very powerful system for ~$100. The only real downside is power usage, but without a HDD it really won't be that much higher, probably ~10W or less delta in most comparisons to systems with comparable performance. Translates to ~$8-18/yr in the CONUS for a 24/7/365 box. This combo would cost you about $125-150 after tax & shipping depending on where you live (CONUS) and gets you an i5 with a passmark a little better than an i3-7100 for about 15W hotter TDP and it even comes with a HDD & 6GB of RAM. That's a whole system for about the same price as an i3-7100 after tax+shipping. http://www.ebay.com/itm/HP-Compaq-Pro-4300-SFF-Intel-Core-i5-3470S-2-90GHz-6GB-RAM-500GB-HDD/152562008743 http://www.ebay.com/itm/49Y4232-IBM-49Y4231-I340-T2-2-Port-Network-Adapter-/172454305241?hash=item282713ddd9:g:wxQAAOSw6DtYWuxp Bottom line is if you want performance for cheap then buy used. You simply will not beat the price/perf. ratio. pfBasic, I just wanted to thank you for turning me on to the idea of buying a used SFF + intel NIC.  I was planning to build a much more expensive low-power box to replace my aging supermicro atom d515 that's been chugging along for years, but it was not nearly up to the task of routing a new 1Gbit/s connection.  I found a dell SFF with about the same specs as the HP you listed for $120 and an i340-t2 for $20.  Easily handles the fast connection and power is relatively low at ~40W idle.  As you said, can't beat the price/perf ratio. Thanks again.
  • Thinkpad T43 throughput limited to 8mbps

    17
    0 Votes
    17 Posts
    1k Views
    Z
    @Balanga: Having just come across this thread, I'd be interested to know how exactly I should set up a ThinkPad as a pfSense box… and would a T42 suffice? If you have one already you can try it out. What kind of bandwidth?
  • 2 different kinds of supported Intel NICS

    5
    0 Votes
    5 Posts
    2k Views
    B
    Hi, has someone any clues, ideas, tracks I should explore ? Thanks.
  • AES-NI Support not enabled on AES-NI CPU with AES-NI enabled in BIOS

    6
    0 Votes
    6 Posts
    3k Views
    M
    Try a different BIOS update. Does Windows 7/8/10 find it in CPU-Z?
  • Help needed! Forcing USB device on Configuration Index 1

    10
    0 Votes
    10 Posts
    6k Views
    stephenw10S
    Using the loader usb quirk is generally a better solution since it will be applied whenever the device is detected. So if the modem is re-inserted during runtime for example. But the value should go in /boot/loader.conf.local to ensure it survives an update. loader.conf may be re-written. Steve
  • IPhone tether

    7
    0 Votes
    7 Posts
    10k Views
    T
    I was able to solve it differently. Using pfSense 2.4.0, I changed the file /conf/config.xml; according to the documentation https://doc.pfsense.org/index.php/Executing_commands_at_boot_time it is possible to add a command to run when the system starts. So my file looks like this:
        <pfsense>
          <version>17.0</version>
          <lastchange></lastchange>
          <system>
            <optimization>normal</optimization>
            <hostname>pfSense</hostname>
            <domain>localdomain</domain>
            <dnsallowoverride></dnsallowoverride>
            <earlyshellcmd>usbconfig -d 4.2 set_config 1</earlyshellcmd>
          </system>
        </pfsense>
    Then when saving, just delete the cached copy in memory with rm /tmp/config.cache, as described in https://doc.pfsense.org/index.php/How_can_I_reload_the_config_after_manually_editing_config.xml Now every time I turn off or restart the modem, it is already up properly.
  • SG-2440 and Samsung 850 EVO 250GB mSATA

    3
    0 Votes
    3 Posts
    646 Views
    J
    Perfect. Thanks for that. Great tip on installing the software on both the SSD and the eMMC.
  • Internal access stops after adding new ethernet card

    8
    0 Votes
    8 Posts
    586 Views
    DerelictD
    You need to shut down, add the new card, restart, and note the new interface names and reassign or re-patch the interfaces as necessary.
  • Hard drive activity light on solid after upgrade to 2.4.0

    16
    0 Votes
    16 Posts
    1k Views
    B
    Good deal.  I appreciate all the help with the issue jimp!
  • USB Wireless Adapter not showing up

    7
    0 Votes
    7 Posts
    3k Views
    M
    @Nathantrinh23: Will the Ralink RT5370 work with pfSense? Well, the RT5370 should work. I use one USB Wifi on my OPNsense Box. But, not all wifi sticks will work in AP Mode! I tried several models with the RT5370. Some work very badly (very often connection problems). Some work perfectly but run very hot. So they died after some weeks.  >:( So it will be a bit lucky to get one that works stable! best regards Dirk
  • SFF Silent Mini-ITX recommendation

    3
    0 Votes
    3 Posts
    1k Views
    I
    @BlueKobold: Wondered if anyone had some recommendations for a small mini-ITX case for my new pfSense build. The board is a supermicro denverton with passive cooler and M.2, so no drive space, pcie etc needed. There are three well known and working chassis for that kind of boards; Supermicro SuperChassis SC101F Link Small and compact case without the ability to insert a PCIe card Supermicro SuperChassis CSE-E300 Link Small 1U desktop factor with the ability to insert an additional PCIe card mini-ITX case M350 Link Often used and well known working with mini-ITX boards from several vendors Supermicro BareBones that are using this cases. Supermicro SYS-E00-9A Supermicro SYS-E300-9A Would you share which board you are owning? I mean the exactly model and model number or name of this? To be sure that the board is matching and fitting exactly in the case I would at first open the website from Supermicro and search your board number and then see on the right side all matching and fitting cases for that board! So you can´t go with a wrong size or case. Currently I have it in a case that's pretty much the same as the Powercool Q6. However I am finding the temps start to get a little too high with zero fans. This could be very well, inside of the three named above case models you will be able to mount small case fans, in each of them I mean! They are available as spare parts or came together with the case. My ideal would be a case of similar size where in the area on top that the ssd/hdd drives go you could put a 120mm fan, that way I could still have quiet cooling running it at like 300rpm. So far all cases I have found of similar size use 40-50mm size fans which I have always found even on lowest rpm to be a bit too noisy (at least the pitch they make bothers me more than larger fans). Enermax U.R.Vegas 120mm Portable USB Fan with Magnetic Skin Pad (UCUR12-R) For usage together with a mini-itx case with an open metal mesh. 
I have considered taking a dremel to the top of the case and attaching the fan manually, but if there is a case out there already that can do the job, or someone has a better idea, that would be preferable! Scythe Kaze Jyu SY1012SL12L Kühllüfter - 1 x 100 mm - 1 - 1000 U/Min With opening and using the dremel Next best solution might be the Mini-Box M350 with the top fan brackets, but that's still 40mm fans therefore more noise. Might be one of the best available mini-itx cases and if the fans are too high turning you may be able to get some small fans (40mm - 50mm) from Sunon they have some nice silent fans out. Thank you for all the info, the exact board in question is the Supermicro A2SDi-4C-HLN4F. Considering one of the barebones you mentioned uses the exact same board, I am pretty sure it's compatible :D I actually already have one of those scythe fans you mentioned in my main computer (cooling a modified hdd hot swap caddy), pretty good fan. But I prefer not to dremel unless I have to, attaching a fan to mesh with magnets is a good idea, but feels like more of a temporary solution and not quite as clean as the other options. Looked at the SC101F, really quite like that case. Big advantage is the thick fans, other small cases generally don't take 40-50mm fans thicker than 10mm which also tends to mean they aren't pwm. My board will not do voltage fan control apparently (no matter how much I try) so I would have to have pwm fans. If I went for the M350 that would mean only the front fan pwm, the rest would need to be 'set and forget'. Unless I can find something 28mm that is quiet, I would think the Noctua 40x20mm PWM fans would be a good choice for that case.
  • 0 Votes
    46 Posts
    10k Views
    B
    SHA acceleration effectively makes CBC encryption like GCM. There are some benchmarks comparing them on the j3355 and the results are pretty much identical. Yes, the i5 will edge out the Celeron, barely. Still probably not in OpenVPN. But that doesn't make it a good selection.
  • Which would be better for my pfsense box?

    16
    0 Votes
    16 Posts
    3k Views
    ?
    Would those tips be general , and also usable (recommended) for a Qotom i5 setup w. 8G Ram ? It is never really able to reproduce on any hardware with the same effect or on custom hardware with the same effect. As an small example; Broadcom 10 GbE NICs (not all, but many) use more narrow down the entire mbuf size (65.000) and get often success Intel NICs are often gets served when you high them up between 125000 till 1000000! So freeing some things up might be a good sounding idea, but not for any user or any case of usage for sure! Please accept it is more or less something or more things I´ve seen peoples are starting a service, running a packet or in general setting up some things and even after this many or some are running in a trap or getting problems after the installation. It is able to get the same result or success but not even and with a guarantee for that, it all depends on the entire hardware and also the pfSense Version itself because not each version likes the other one pending on bug fixes newer functions, options and protocols or given services, it more like a hunting game you will win. and also usable (recommended) for a Qotom i5 setup w. 8G Ram Let us both imagine you are using firewall, vpn, snort, squid, SquidGuard and pfBlockerNG and you turn on the pfBlockerNG & DNSBL + TDL with many IP lists so your ram is going down very fast nearly complete in usage, so it makes no sense to say let us highing up the mbuf size, but if you gets in problems or you see issues and narrow down the entire IP lists in pfBlockerNG that will be in usage, you could do this to solve around any other problems. BIOS settings: (if needed) activate the Hyper threading (HT) set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back) Often peoples are reporting they was imagine more from the higher tech spec hardware and because the HT function was disabled in the BIOS, so why not telling others please don´t forget to turn it on? 
Did your Qotom box have such a setting the BIOS, if so then try it out and give us (forum members) a feedback on this please!!! The IPMI Port on some mainboards mostly Supermicro, and we are talking here about a Supermicro Xeon D-15xx vs an Intel Xeon E3 system, are the fall back port associated to the WAN port! So if then the WAN is one time failing the WAN falls back to the IPMI and you are trying to get the access to the Internet back and again and again but without success or any clue why you can´t do so or plain why you would not be able to do so! NIC tunings: (if needed) choose ZFS file system and TRIM support will be enabled automatically high up mbuf size to something between 125000 - 1000000 narrow down the amount of num.queues to 1 till 4 enable PowerD (high adaptive) If you need TRIM or you wish it to enable nice to know that since version 2.4.0 ZFS is automatic enabling this for you Pending on the used NIC driver and CPU for each NIC port pfSense will be open or create queues and they can be filled more (mbuf size 1000000) or less (mbuf size 65000) and on top of this the amount of this queues will be also able to set up like 1 queue till 4 or more queues likes needed or well matching. PowerD will be bringing the CPU to scale up if needed and also vice versa scaling down of your pfSense box is not so hard stressed by traffic or functions. OpenVPN settings: (if needed) enables Intel RDRAND (if supported by the hardware) activate UDP fast I/O support enable LZO compression if able to do so on both sites set the buffer to 2 MB less or higher could also be matching AES-NI is activated by default since the pfSense version 2.4.0 And this is quitly the greatest part where you will be able to play around with for weeks to get the best settings matching to your configuration and bringing you the most benefits. Please don´t forget please you can win and be happy with only one setting and/or with all or some of them together. 
I personally mean that mostly, many things are playing more well together as only one hint. VPN is a both ended "thing" and if both ends are enabling LZO compression or fast I/O support it would make more sense to me, Intel RDRAND must be supported by hardware and the buffer is more or less pending on your RAM size. And what benefit you will see at your pfSense box or based on the hardware you are using.
  • 0 Votes
    8 Posts
    3k Views
    DerelictD
    ugh necro.
  • HW configuration for 10GbE router/firewall

    4
    0 Votes
    4 Posts
    721 Views
    ?
    For the cooler, I'm not sure I can do much, will test under heavy load in 1U and see how it goes… At the netgate shop they are also talking about a heating situation that can be going too high in some situations and therefore I would really have a look on this!
  • 0 Votes
    8 Posts
    1k Views
    N
    If you're willing to spend the money 350 will get you the brand new sg-3100 which netgate is insistent can handle 1Gb symmetrical without issue. Benefit with this little guy is at 6w you get a built in switch. Plus you support the project and get 1 year of support on top of it.
  • Budget build question

    20
    0 Votes
    20 Posts
    3k Views
    R
    @belt9: That's certainly more better  ;D Another thought, just use your HTPC as pfSense and buy a J3355B to use as your HTPC. It does HEVC 10 bit hardware decoding. Mine plays back the higher bitrate 4k HEVC 10 bit jellyfish test files just fine. That option might save you some $$. My HTPC doubles as a gaming rig too (it has a gtx 750ti)  8) Steam link and Nvidia gamestream require the host to be not in use, so I've got no choice but to play games locally. Otherwise I'd definitely setup streaming, my network is mainly wired after all.
  • Pfsense hardware for max ipsec / vpn throughput

    4
    0 Votes
    4 Posts
    4k Views
    ?
    Today I am at 75/75 on one side of my vpn.  My current equipment keeps up. If I have to choose today a new hardware I´d waiting until the new Supermicro Boards are both on the market. Intel Xeon D-15xxN (3rd. generation) and until the Intel Atom C3000 (Denverton) will be fully supported by NIC drivers too! And then one of this two new Chips will be mine. For sure perhaps I must wait a small time period, but then I am able to choose between board coming with, AES-NI, Intel QAT and DPDK support. Soon (1 month) I will be at 300/300 both sides and my current equipment will not be able to keep up. Again I really would wait as a minimum for the newer hardware from Netgate. In the future (maybe a year or so), I might be 1g/1g both sides (actually not full gig, but Verizon's 800/700ish FIOS) Intel C2000 vs Intel C3000 AES-NI And from the 3rd. generation Intel Xeon D-15xxN I personally expect a little bit more as from the Denverton platform. So If I am going to research, purchase, configure and install new firewall hardware I want to try and do it for my eventual line speed which will be FIOS gig service.  I really don't want to have to do this twice, once for when I go to 300/300 and again when I move to gig. Is FIOS using PPPoE on its 1 GBit/s Internet connection? I'd like to determine what equipment can do full gig vpn and install that now. This might be too high in price if we are talking about 1 GBit/s OpenVPN speed, if we are talking about IPSec VPN speed this might be able to realize. With a small Intel Atom C2558 (Rangeley) you might be able to push ~470 MBit/s over a IPSec VPN tunnel and the Denverton is more strong and the D-15xxN will be topping this once more again! So it is also able to realize it with common consumer PC hardware if the CPU is strong enough and comes with AES-NI. I hope my explanation is clearer.  Sorry for the confusion. Yes for it is! 
You might be waiting one month or two and perhaps netgate is bringing out then their new hardware based on a C3000 (Denverton) SoC, this might be better then for you to decide whether to go with in my eyes. So all variants are open to you, you may go with the new Netgate Hardware, the Denverton based Supermicro boards or the newer Xeon D-15xxN boards not able to get hands on today, or plain strong enough consumer PC hardware as you need or wish it!
  • [SOLVED] apu2 internal TTL com port

    38
    0 Votes
    38 Posts
    6k Views
    K
    @doktornotor Any ideas why I'm getting a board mismatch error:
        Calibrating delay loop… delay loop is unreliable, trying to continue OK.
        coreboot table found at 0xdffae000.
        Found chipset "AMD FCH". Enabling flash write... OK.
        Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
        This coreboot image (PC Engines:PC Engines apu2) does not appear to be correct for the detected mainboard (PC Engines:PCEngines apu2).
        Aborting. You can override this with -p internal:boardmismatch=force.
    As you can see in the logs, they're the same exact board so I'm not sure why there's a mismatch? EDIT: Never mind, I already figured it out. It seems to be caused by the space between PC and Engines so forcing it fixed the problem.
  • Upgraded to Gigabit line, need to overhaul my network

    40
    0 Votes
    40 Posts
    7k Views
    ?
    Let us imagine some other points, I said only imagine, not that this will be coming or passing through! You do understand that the QAT in the C3xxx series is incompatible with the QAT in the C2xxx series? Yes I am understanding that! But you should be thinking more positive please. If the QAT driver version 1.6 from pfSense team is not compatible with the Intel Atom C2000 but perhaps with the newer netgate hardware based on Intel Atom C3000 called Denverton and the QAT driver version 1.5 from the NetBSD team is supporting also the Intel Atom C2000 called Rangeley, they only have to exchange this drivers and porting them to each of their OS, so the developers will not have any more to bother with that driver and all is fine for them and us! So it could be happen, that at November 2017 the newer hardware from netgate will be launched and fine for using QAT and perhaps in December 2017 or later it could be happen that the older customers and clients of them get their "Christmas parcel" too and will be able to use QAT also. Its more cutting half the entire work time on that drivers that must only be exchanged then as the results. For sure that can be running very different each from another, or never becomes true but it will be a real chance for and us too as I see it right. And being very open talking over that point, perhaps many users will be very impressed if they know that peoples from pfSense and/or were talking with employees from the VyprVPN company about the one or other thing, who knows it really…..... The more talk there is about the QAT in the newer series, the less likely that the QAT in the C2xxx will ever be utilized. But with this words you are talking that it will be not utilized only and not it is not finding its way into the system, right?  ;) Like on Rangeley, the QAT scales by the number of cores. Unlike on Rangeley, the QAT has good support. 
Link And, in fact, you can find the pfsense developers directly saying that it's unlikely that they'll ever bother with the QAT in the (C2xxx.) I don´t know if that driver from the NetBSD project is able to exchange only, or if this will be easy or able to realize, but if so I think this might be nice for both parties as well as for us.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.