• Supermicro Intel C2758 system optimization

    14
    0 Votes
    14 Posts
    4k Views

    @archimedes:

    Perhaps off-topic, but which encryption algorithms does the new chipset use?
    AES? AES256-GCM?

    Although AES-NI is specifically designed for AES-GCM it is my understanding that it can also provide acceleration for AES-CBC. I am not sure exactly what quick assist will accelerate, but pfSense does not support it yet anyway.

  • SG-4860 issues

    12
    0 Votes
    12 Posts
    12k Views

    But ADI is an ODM and they don't sell at retail. Retail choices are an RCC-VE from Netgate or an SG-6840 from pfSense. I considered both and (to support pfSense directly) I went with the pfSense device although the Netgate is a little less expensive.

    However, neither Netgate nor pfSense produce any detailed hardware description, as might be needed to install additional components such as an SSD or wireless board.  Users have to rely on the ADI documentation plus additional product specific documentation from the OEM or retail vendor.  The latter should describe all product differences from the former, but doesn't in this case.

    I was trying to install an SSD in the SG6840, which should be an utterly trivial task, but it doesn't seem to be possible with the current pfSense release.  It was only possible with the development version that you linked to in another forum thread.  And very many thanks for that link :)

    Frankly, if one of my product managers had permitted First Customer Ship of hardware with incomplete documentation or without the availability of fully tested software needed by customers then he (and I) would have some explaining to do.  The sales folks who interface with customers would want our heads prominently displayed on poles at the building entrance as a warning.  I'm only half joking, they probably would be pleased with that remedy.

  • AES-NI actually slowing things DOWN ?!

    13
    0 Votes
    13 Posts
    6k Views

    @gonzopancho:

    But no matter how fast we make the crypto go, at the end of the day, OpenVPN is still going to be hampered by the fact that it's implemented in userspace, and the TUN/TAP interface.

    Thanks Gonzo. Can I call you Gonzo? :-) I appreciate all the information you've shared on this forum; it's been a fun learning process since getting my 2440 just last week! I was running pfSense on an Atom D525 before then but I was definitely not taking advantage of all it has to offer.

    So I take it I shouldn't use OpenVPN when I'm setting up my VPN this weekend. L2TP/IPSec with AES-GCM it is, then.

    Mike

  • RCC-VE 2440 or 4860 for Home

    6
    0 Votes
    6 Posts
    3k Views

    @BlueKobold:

    @gonzopancho

    QuickAssist will not speed up snort/suricata/OpenDPI. Intel abandoned that codebase (you can't get the firmware.)

    Oh, that's new for me, I was really thinking it would speed up exactly these packages and the AES-NI
    the VPN part, fine for me I thought then the most security related components are going to be pushed
    in the future I was thinking, really sad is that situation now.

    Correctly implemented (via /dev/crypto), QAT will accelerate OpenVPN.  There is an open issue (being resolved with the OpenVPN project) using AES-NI with OpenVPN.

    I am using primary IPSec VPN and so AES-NI is speeding it up much more than I could expect before.

    We are quite aware of the AES-NI acceleration of IPsec. http://freebsdfoundation.blogspot.com/2014/08/freebsd-foundation-announces-ipsec.html

    For VPN (including IPsec and OpenVPN), QAT will be faster, even on a C2358, but we did AES-NI first, because more people can benefit.
    Even other forks, which sell their own hardware which is AES-NI enabled.  PC Engines is working on a board that has Intel NICs and which supports AES-NI as well.  QAT allows the supported ESP and AH transports to be processed in parallel.  A large part of the gain of AES-GCM vs. AES-CBC with SHA1 is that AES-GCM is an Authenticated Encryption with Associated Data (AEAD)

    There are also future products that are quite a bit faster than what you can get today, some of them are tuned to large Snort/Suricata installations.

  • Installing PFSense on ASUS RT-N66U Router

    8
    0 Votes
    8 Posts
    30k Views

    I run  the RT-N66U as my AP with merlin's tweaked firmware.

  • PfSense on N54L

    3
    0 Votes
    3 Posts
    1k Views

    turion cpus, etc. are not ideal for pfsense. better to use it for a nas with xpenology or freenas, etc. and build something else for pfsense

  • 3COM Baseline Switch 2928 SFP Plus 3CRBSG2893

    6
    0 Votes
    6 Posts
    6k Views

    @lweddin1:

    I am still unable to reset or access the webGUI for this switch. Does anyone have any knowledge on this switch?

    HP 2900 Baseline Switch - Default console access disabled following password change

  • Huawei E392u-12 not working - 2.2.1

    3
    0 Votes
    3 Posts
    635 Views

    I know that FreeBSD was updated.

    I got the connection up and running but I have to do it every time I reboot the firewall. Maybe I will try a cron script or has anybody a better idea?

    More and more people use LTE and UMTS connections so I think the support should get a lot better.

    Please update the list of modems for 2.2.

  • Trying to find an embedded motherboard

    5
    0 Votes
    5 Posts
    2k Views

    depends on your price point.

    the amd a4 and celeron j are cheap and will do the job without issue

    if you need more power, you are looking towards an i3, atom c2000 series, etc

    i would recommend the amd setup with an ebay intel dual nic @ pcie

  • Switch recommendations

    22
    0 Votes
    22 Posts
    6k Views

    @rudyrednose:

    Just got a 48-port gigabit Brocade GS648P from eBay.

    Professional stuff, Cisco level, L3 capable, at an amazing $65 !!!
    The Brocade CLI is very similar to Cisco's.

    Best thing is that I am already familiar with those, as they are the same model as the ones we use at work  ;D

    Cheers.

    Nice indeed, but you forgot to mention the 20 USD shipping.
    And btw, those switches seem to draw quite some power.

    Cheers.

  • What do I have… Lanner FW-7541D-RE1

    9
    0 Votes
    9 Posts
    2k Views

    Is there any 'simple' testing I can do with just a laptop?

    Yeah, test it right out! But before that, open it and see inside for a boot medium
    and for RAM inside. Lanner FW-7541 Website
    In the case that some things are not there you need only:
    1 x 4 GB RAM SODIMM - DDR3 667/800 MHz
    1 x Industrial CF Card 4 GB
    and perhaps a console cable from Cisco

    And perhaps if WiFi is needed a UBNT SR71-E or a Compex card.
    Under the link you will be able to see what the D means in the product name.

  • IPSEC performance for Intel J1900 ?

    3
    0 Votes
    3 Posts
    1k Views

    The celeron j, even with aes-ni, will devour ipsec at those speeds. You do not need an add-in card. I would go 4-8gb ram though. Not much more.

  • Is the pre-installed pfSense on SG units nanoBSD?

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10

    Yeah, that's an old screenshot. Pretty sure they're all full install, both eMMC and SSD. I haven't actually seen one of these IRL though. Checking…

    Edit: Confirmed

    Steve

  • RaspberryPi model 2 6x the power for running pfsense on

    47
    0 Votes
    47 Posts
    57k Views
    stephenw10

    Ah! Well you have a fairly unusual requirement then. Not unique though. Ask Phil who operates a network of mostly solar powered pfSense boxes. Most of them ALIX boxes. You can probably find one second hand for very little and they use <5W.

    Steve

  • SG-4860 Where is the user manual

    3
    0 Votes
    3 Posts
    2k Views

    Thank you.  That was exactly what I was looking for. :D

  • Huawei e5372

    9
    0 Votes
    9 Posts
    3k Views
    stephenw10

    You may have an option for USB tethering in the device gui. The one I have (E5220) only appears as an ethernet device once it's turned on.
    Plug it in, turn it on. Give us the lines that appear in the system log when you do that.

    Steve

  • SG-2440 console port settings for Putty

    3
    0 Votes
    3 Posts
    1k Views

    Thanks. Thought I tried that, but it may have been 38400.  Honestly when I found it already had an IP, I dumped the console cable… :)

  • High Latency (2000ms+)

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10

    Make sure the NICs at both ends of the link (if you're connecting directly) are set to 'auto-negotiate' for speed and duplex and that the negotiation is taking place correctly. If one end isn't it could be falling back to some lesser type like 10Mbps half-duplex. Flow control may also be a factor.

    Steve

  • Off Topic - Home POE switch

    17
    0 Votes
    17 Posts
    3k Views

    @Heimire:

    I was just looking for some suggestions on what people have used.

    Again, thanks…

    H.

    Netgear GS110TP, no fan, ~120 € for three VOIP Phones & one Camera

  • New SG-4860 - Only getting ~400Mb? 100% system CPU usage

    9
    0 Votes
    9 Posts
    5k Views

    @dennypage:

    Will it continue to be necessary and/or recommended to use a custom URL?

    We point each platform to a custom URL so you get a customized update for that platform. Leave it to its default. There are certain customizations you'll lose otherwise, like no longer having the correct default config if you reset to factory defaults.

    @dennypage:

    If so, will there be a corresponding URL for beta testing?

    There aren't pre-release updates available for those at this time. You can manually or auto update to stock snapshot builds, then upgrade later via auto-update to the platform-specific stable release, if it's a dev/testing/hacking box.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.