@FranciscoFranco:

Well primarily because I am booting off the SD Card. They have low cycle counts so I baby them with pfSense NanoBSD builds.

The Phison cards from PCengines are a good deal for 6 bucks.
I bought a handful for some of my troublesome Arm boards like BananaPi which like good SD cards. They seem durable.

Using the nanoBSD version seems logical as you are booting from media with limited write cycles (USB stick, CF card, etc.).

As a standard rule: pfSense stores everything in an easy to transport XML file and reconfigures all services to the settings in that file at startup. It is practically always easier to reinstall pfSense in the desired fashion and simply re-apply that XML file (either from the installer or from Backup/Restore in the WebUI) than trying to customise what's already there.

Ah, good news.  :)

The log message from Strongswan is normal. When the SA is rekeyed the old value is destroyed and if the other side sends further packets using it you see that logged. You would normally see the new SA negotiation complete also logged there and should not see any loss of traffic.

Steve

It says on their page the controllers for those ports are supposed to be marvell?

Yeah I'm a big ESXi person but I'm with shutterBC on this one. I like to keep core network separate for just this reason.

Xeon D is now my first choice in router hardware recommendations. I think it even beats i3 processors when compared in terms of having multiple hosts in VM.

Instead of going with the older Xeons, it’s best to invest in newer technology which supports pretty much all pfsense requirments and added functionalities.

@ghkrauss:

Has anyone used the following Intel network card successfully with Pfsense 2.4.0 RC

Intel PRO/1000 VT Quad Port Server

Many thanks for any input. From the hardware compatibilty specifications it should work.

Yes it works fine.

Made an account to say thanks!

The MBT-4220 board from Netgate is $195.58.
The MBT-4220 system is $350.

Please have a look for the brand new SG-3100! Its able to get for ~$350 from the netgate store or plain for ~430 €
from voleatech europe and also similar likes the minnowturbot board if we talk about a pfSense installation this might
be perhaps a better deal, or am I wrong with that.

Why would the same case, the same 32GB SSD and (likely the same rating) PSU command double the premium between the dual and quad core systems?

It can be different but then the next customer is asking another question!

I agree, $77 is a good deal - but the same can't be said for $155.

I saw or found the following parts:

MinnowBoard Turbot Dual Ethernet Dual Core Board - ADI Engineering - MBT-2220 Board - Price: $171.39
This is the Dual Core CPU board only option

MinnowBoard Turbot Dual Ethernet Dual Core System - MBT-2220-0000 system - Price: $249.00
This is the bundled option with psu and case and 32 GB SSD

Difference is here $77,61 and there fore you get the psu, 32 GB SSD and a case, nothing wrong with it as I see it right.

MinnowBoard Turbot Dual Ethernet Quad Core Board - ADI Engineering  - MBT-4220 Board - Price: $195.58
This is the Quad Core CPU board only option

MinnowBoard Turbot Dual Ethernet Quad Core System - MBT-4220-0000 system - Price: $350.00
This is the bundled option with psu and case and 32 GB SSD

Difference is now $155 but the same psu 32 GB SSD and case.

please let us both now thinking about that they (netgate or the pfsense development team) will be or must be get something
on top of all devices such the both named here by you. And let us now think about the both very small differences based on
the dual core cpu vs the quad core cpu and you are willing to buy now a dual core cpu bundled system and you have to pay
the same amount on top of your unit likes the dual core cpu unit, what you are thinking is then written by the customers???

Why I have to pay on top of this smaller unit the same "fee" or contribution as the guy who is buying the greater unit, this is
not fair! And so they where splitting it to a less fee for the smaller unit and a greater fee for the greater unit, nothing more.

For sure this can be also based on other or different points, like the smaller units will be not so hard on sale and the bigger
ones a running to fast out of stock and they (netgate) will be pushing that in another direction by taking more or less fee.

So we will never really able to get an answer why or why not this will be like it is and for sure this can be also based on many
other points and arguments. If there must be in former days something like $99 on top of all devices, it makes sense for
me that they (netgate) perhaps now have split this fee.

One port dual core + $55
Dual port dual core +$77
Dual port quad core + $155

Makes then all in all or total $287 and so they walk to us and it is total $23 fee they (netgate) where taking!
Or do you not consider and you may prefer to pay $99 on each device from them?

What makes it worse is I'm in the UK so I have to consider import tax too (not Netgate's fault, but I have to consider it for the total price).

This might be also not being less or lower buying it at a partner such voleatech, they take more units for less money
and save perhaps here and there something at the tax, but need to sale this units to get on top their income too.

Too bad it's crazy expensive compared to Qotom

$759 at Walmart!

Supermicro SYS-E300-8D ~670 €
Supermicro SYS-E200-8D ~820 €

A bit late but perhaps it helps out @belgarath.

I have an issue where PFsense on the smae hardware gets about 2-4 GB/s out of those interfaces but FreeBSD is getting 9.5 GB/salso load on the FreeBSD side is lower.

Linux and FreeBSD is not doing any NAT job and passing pf rules on top of this so it must be faster. And the
second thing is that you will be able to play around with some and/or more settings to get different numbers
of this tests. But the main and most urgent thing is here to test with NetIO or iPerf 3 through pfSense, either
from LAN port to LAN port or between the WAN and LAN ports and not on the machine itself. By the way I
really think that pfSense is not only FreeBSD plus some new GUI running like an ordinary program , it is
more then that, too many changes and other things will be turn it into its own group or level.

It seems that cpu is exhausted while doing the work with PFsense, as the cpu seemed to be an issue I tried disable firewall processing on those interfaces but the results would improve by decimal parts so it does not look like it is the firewall issue.

If you are using PPPoE you will be CPU core single threaded and if not CPU multi core  usage will be the result!
For sure with a pfSense version that is using all core + HT you might be able to get once more again totally other
results and numbers. Only this can be different!

I tired different versions of pfsense and the results are more or less consistent, I'm getting anywhere between 1.8 and 3.5 Gbps

As normal it will be something around 2 GBit/s and 4 GBit/s as real throughput between two 10 GBit/s connections
based on the used protocols and/or used programs or offered services, but if you would see more between the test
together with iPerf you could try out to produce more streams something like 8 or 10 streams could be doing the job.

General:

HT enabling or disabling in the BIOS PowerD (hi adaptive, adaptive or maximum) Fast and enough RAM

Tunings:
Now this section can as above tried out as a single change or all together or only some combined changing´s.

mbuf size to 65.000 or to 1.000.000
Together with a broadcom NIC the 65000 was one times matching well and together with Intel NICs the 1000000 was fine changing the entire amount of network queues from 2 to 4 (less or more try it out)
each cpu core (also the HT) is opening for each lan port one or more queues, driver pending!
You can now try out to limit or high up this numbers, that it will be matching at best to your hardware and
delivering the best results to you.

I found the link to that test - https://forum.pfsense.org/index.php?topic=127793.0

63Mbps while running OpenVPN @ AES-256 (this is pointless, run it at AES-128) + Suricata with a solid ruleset, + Pfbng + DNSBL.

This part sounds perfect for you.

Details in this thread steve.

https://forum.pfsense.org/index.php?topic=126637.0

Basically when PPS got higher than around 2000 I was seeing random dropped packets which even traffic shaping could not resolve.

Also before the firmware flash I had discovered that toggling AIM had no affect on generated interrupts which I think whilst not the sole cause of the problem did make it worse.

I'd look at along the lines of a E3-1275v6 (for value) or D-1531 (or hold out for the newer D-1533N for future capability) for this application before looking at anything in the new medal color lineup.

Thanks all of you for the replies.

The answers you sent were about what I imagined. I have a spare router for just in case. It's good enough to do the job. I've even experimented with pfSense on a spare laptop with one usb3 - lan adapter. It worked fine although I wouldn't trust it for long as it seems so uncommon.

belt9, I agree about the value of used equipment. Most of my tablets and laptops are used and/or refurbs. The used off lease laptops are A-stock 3rd gen i5 models and each cost about 80% off list. All were upgraded to Win10 (free) and have SSD and AC wireless now. This is a big savings. One is a 24/7 media server now. If usb3 lan adapters were reportedly more reliable, one would be my next pfSense router.

I've thought about swapping out pfSense when AES-NI is required but decided against it. I have too much time invested in learning pfSense and none of the others work as well or are as flexible in the areas I consider important.

Get a board with an AES-NI CPU. Get Intel network cards. All your problems should go away! :)

@seifer44:

@ptt:

@seifer44:

My embedded NIC is a Realtek ALC892,

That's what I get for assuming that "Oh hey, since I can't find that particular Realtek interface on pfsense's forums, it must be fine!"

The Realtek ALC892 is the Audio Codec, not the "NIC"  ;)

http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=28&Level=5&Conn=4&ProdID=284

facepalm it's a Realtek 8111GR. Bad copypasta.

Well, they are all crab, copypasta or not…  ;D  :P