I've added a fan on top of the Qutum for one reason only. I'm not comfortable with fanless machines locked up in a cabinet with no airflow around them together with 2x NAS units that warm up the ambient air considerably.

To be clear this is not an issue with the device, it run super stable without the fan, I just don't like HW running at 50c continuously especially when the fan is silent and the cabinet insulates all the noise anyway.

Any fanless i5 unit would be in the same position due to the 14watts needing dissipating somehow so your real alternative is to look at lower TDP parts if you want fanless and are not comfortable with a 50-60C operating range. The CPU will work till 100C or so, so it's not like the unit is overheating.

@umuzidan:

USB WiFi Adapters that have removable antennas which work very well with pfSense / FreeBSD.

there isn't any, that work "very well" that is. There are very few usb wifi adapters that work with freebsd to begin with and of those they are typically just a dongle/stick. You might have better luck asking Here. But your top response is going to be just don't do it and get a dedicated WAP

@johnpoz:

…

As to spending money on the HD AP.. Do you have wave 2 clients?  Are you getting wave 2 clients anytime soon?  what is your internet speed?  How much data do you move about locally via wifi?  The cost different between a AC Pro and the HD model more than 2x -- the HD models are wave 2 AC, while the PRO is just wave 1 AC..  If your not going to be changing clients in the next few years that will support wave 2, and actually have the network to make use of those speeds.. Or are just moving files locally over wifi which seems odd if you have a gig wired network, etc.

But hey its your money..  I would love to have some HD to play with, but not in the budget currently since don't have any wave 2 clients to take advantage of them, etc.

Thanks. Our internet connection is 32/8 now but will be getting fiber this fall or in the spring 2018. Wave 2 clients again no, will be updating our hardware this fall as well with new apple releases, our server is straggling sometimes with HD content.

Wow, I did not see that coming when you suggest to get UniFi Security Gateway. To be honest I was not aware it was existed in UniFi product line. I like the idea one brand integration but does it compares well to SG-2440 pfSense?

The device ID is in 2.4:

https://github.com/pfsense/FreeBSD-src/blob/devel/sys/dev/amdtemp/amdtemp.c#L83

Also see: https://forum.pfsense.org/index.php?topic=106261.0

Steve

@Actionhenk:

What you thought is right. That is what i currently have. It is working but i would like to know what the benefit would be switching over to physical nics.

So you already have 2 physical NICs and they are connected to the 2 virtual switches? In that case you probably won't see much benefit from adding more interfaces.
What you probably should do is measure what line rates you get.

Example:

iperf between outer subnet and inner subnet on the physical ingress and egress ports iperf between pfSense LAN (virtual) and physical LAN (so one iperf instance on pfSense, and one on a LAN box)

if you get good NAT speeds, you probably don't need to change anything, if you get bad NAT but good LAN-LAN, you probably need to tweak your settings, but if you get bad LAN-LAN and bad NAT, you may need better interfaces indeed.

What network cards are you using at this moment?

@Ryu945:

I just need to know how the software is capping the hardware so I can try to find the best hardware for handling the problem.

This might help you understand the limitations of OpenVPN, it certainly helped me :)

https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

Here you will see some proper tests on OpenVPN and ways to optimise it with the right hardware. Don't forget if you are using mobile devices its unlikely that you can support the fragment command hence the above won't work and you'll be stuck with an unoptimised OpenVPN connection. However for point to point server connections or connections from Laptops/desktops to "home" it should work. Also this WILL NOT work for connections as client to VPN providers as they do not allow you to alter the connection parameters (tun size, fragment etc). In that case multi-openvpn gateways is the answer and you will be comfortably hitting 500-700mbps with a dual core quad connection OpenVPN configuration. Finally the tests are done on Linux so your milage may vary with FreeBSD which PFSense is based on.

Summary from the link above:
1. First bottleneck is the OpenSSL encryption / decryption routines perform better with larger packet sizes due to the way the algorithm works. This also helps reducing the context switching between user space and kernel space as more data are fed in one packet hence reducing the switching overhead (less switching is done)
2. Second is AES NI acceleration on the CPU and support being compiled into the OpenSSL library
3. Encryption itself. Without encryption they managed to hit almost gigabit speeds with jumbo frames in the TUN

In general you will need a CPU with the highest possible CPU clock as OpenVPN is not multithreaded. Even with that though you will NOT hit gigabit speeds due to the encryption overhead.

From my personal experience with the above settings I am hitting about 300mbps from my Digital Ocean web server to my gigabit connection at home. CPU utilisation on the Digital Ocean Ubuntu box is about 90% on the OpenVPN process so it could be the virtual CPU limiting me or the network stack/virtualisation drivers they are using. On my personal devices I use IPSec where I get a comfortable 400-500 mbps throughput and I would strongly advise you the same unless the IPSec ports are blocked for whatever reason.

It's sometimes good to have access to both NIC types. If you have a fast PPPoE connection for example you are probably better off using an em NIC for that currently.

https://redmine.pfsense.org/issues/4821

Steve

Just to put a number on it I would expect an Atom N280 to be capable of passing somewhere in the 350-400Mbps range with default firewall and NAT.

It's the right decision not to spend money on that at this point. Besides the previously mentioned lack of AES-NI (pfSense 2.5) it's a 32bit CPU which means it won't run pfSense 2.4. We will be supporting older versions for sometime after the newer releases but we expect 2.4 to be released relatively soon.

Steve

For PPP some kind of tutorial is here.
With 22.X firmware your modem cannot run PPP, firmware needs to be changed to 21.X, keep in mind the difference between 3372s and 3372h - firmware files are different!

For HiLink modems (i.e. those running 22.X firmware) you can read here.

Thanks everyone, really appreciate it.  :) :)

Thanks both for replying.

I already bought this one: http://www.ebay.com/itm/1U-Server-Supermicro-X8STI-F-Intel-Xeon-L5630-Quad-Core-16GB-RAM-2x-3-5-HD-Bay-/152606623062?hash=item2388104556:g:2FEAAOSwiQ9ZVqEs

The CPU is great for what I want (running VMs and pfsense), has AES-NI, Hyper-Threading, and a TDP of 40W!
The other parts are also perfect, It has 2 Intel NIC, 16gb of RAM and I can put the server in my rack.

Is going to take a couple of weeks before it gets here (Uruguay, south america), I will let you know how it went by then.

@BlueKobold:

my pfsense is sitting on an intel pentium e5300 2.6ghz and 4gb of ram

This CPU is not supporting AES-NI and in some years perhaps you might be taking a newer one, if you want
to stay with the actual pfSense releases, or am I wrong with that.

correct, no aes-ni, i'll upgrade when the time comes. when i was reading about it, it was projected at over a year away. lower end intel cpu's didn't receive aes-ni until 4th gen. So I'll probably look at an intel core i3 4330 or comparable Pentium….depending on how they ebay, other wise if the price hasn't dropped that much ill just go 5th or 6th gen.

On top of all that, a cheap (crappy?) chinese box probably would be a beter fit, with Intel nics and a more fitting CPU/SoC for the same or a lower price point.
I get it, new boards and marketing are cool, but don't get yourself trapped in the 'shiny new thing' cycle.

lol, I haven't browsed the boards for awhile, but like normal there is a lot of useful information in detail here.  You guys are funny and very informative.  I think you scared the OP off lol.

If you come back Nitewolf, I have used the HP v2 for years now and love it because it's quiet and reliable for homeuse…at least from my experience.  I previously used corporate class switches (Nortel and Cisco), but I got tired of the jet fans and noise.  The HP switch has enough power and config options for most home use.

Current have 115/2 but end of this year will have just under 200/80.

Hardware plus customs, plus shipping fee plus tax on top of this not so easy to say for Australia.
https://www.yawarra.com.au/products/servers/apu-servers/  APU2C4 will this something for you?

Otherwise as recommended a Qotom-Q355G4 would be nice and powerful enough, also it comes with
AES-NI (Intel Core i5 embedded CPU) and pending on the GHz, RAM, mSATA size and WiFi or not
it starts at ~$230 till $340 would be a nice pfSense firewall, but if you end up then with ´customs,
tax and shipping fee over the offer named above from Yawarra, I would think about that once time again.

@BlueKobold:

ahh okay, great…Intel is prefered, but there is a handful of Qlogic netextreme cards that offer that connection and are supported

Many able to get between $5.99 - $30 with 1 to 4 ports actual.

And have a 1000BASE-SX interface.

That can be more then you perhaps might be imagine.

OM1 LWL-Multimode 62,5/125 µm ~220m
OM2 LWL-Multimode 50/125 µm ~550m
OM3 LWL-Multimode 50/125 µm >550m ~2km

LC - MM - 850nm - OM2
LC - MM - 1310nm - OM2/3

I have found an "Intel PRO / 1000 PF Dual Port". As far as I can read, it is supported by pfsense.
It also has 2x LC multi-mode 1000Base-SX

I would say it is mostly better to start and the other end of the fibre connection end, look their what
you will need really and then buy a card that matches 1000%, so you are absolutely worry free.

I appreciate your help.

I have an OM2 cable pulled up to my rack cabinet. I have a fiber box with  2x lc 850nm 1000BASE-SX connectors

@biggsy:

You may not be aware of this forwarding service from Aust Post.

I haven't used it but friend recommended it some time ago.

They mark up - so basically it doesn't work out that much cheaper anyhow.
Although it's nice such a large business is now offering this stuff.

Anyone trying to answer this thread without knowing what you need to accomplish is just flipping a coin, they have no idea.

garbage in, garbage out.