Yeah, but RAM is cheap.  The new box I put in at home has 16GB now with room to expand to 32GB. Once 16GB SODIMMs are available I could bump to 64GB.

If you don't want to run snort then don't install it.

Thank you

Well, OpenVPN only really matters if you are going to pipe large amounts of data across a vpn, or do site to site connections. If you do it from client machines it is less of problem (I am considering using my linux server to vpn through the pfsense box to another endpoint).

Why the aversion to running 2 VMs on the same machine? There are plenty of good hypervisors that pfsense will play well with. (proxmox, esxi, xen.. to name a few) - this will enable you to use whatever software you want.

What is the purpose of doing what you are intending? (fun doesn't count for a setup this complicated)

Thanks. I wonder why it's breaking this particular site though?!

@gonzopancho:

It requires tuning.  We recently setup an internal 10G test lab.

IJS…

Yes, I have been in contact with a few people at ESF.  I have documented the tuning steps that I have taken thus far on the physical host at the beginning of this thread.  Thus far I have not been able to get it right.  That is why I have gone to the forums.

Do you have any suggestions for the virtual firewall?  The folks that responded in this thread appear to be getting the type of performance that I am trying to achieve on a virtual implementation. So far I am getting the same results on my bare metal test system.  I have one more test to conduct and then I am going to reach out to ESF again and get their suggestions.  Hopefully that LAB you mentioned will help!

Thanks!

@AhnHEL:

@gonzopancho:

and they're sold out.  :D

Not according to the pfSense store site.

In stock, ships within one business day.

I'm pretty sure I can walk out to the warehouse and look.  :-)

a lot of people used to use Palm Pilots for this, there were apps to make them into serial attached LCD displays, as their USB interface was quite amenable for that sort of thing.

I am using an R320 but I had to disable the Broadcom 5720 onboard nics with pfsense 2.0.3.  I did not try enabling the 5720 nics on pfsense 2.1 or pfsense 2.1.1 PRERELEASE yet.

@gonzopancho:

@luckman212:

I think the Lanner FW-7573 looks like a really nice next-gen platform (8-core Atom C2000) for a pfSense firewall. Problem is finding a place to buy it (in the US). I just sent an email to Netgate about possible availability.

I think we're going with the Supermicro variant for now.

The A1SRi-2758F?  I've got one my desk which will be going in at home tonight.  I like it.  It's going to be an awesome platform once we get USB 3.0 support (so that the internal ports work) and once SuperMicro fixes the fan speed control which isn't working…

@gonzopancho:

@Jason:

You can buy directly from Lanner if Netgate won't get it for you, but that won't work under 2.1.  You'll need to wait for 2.2 or run pfSense inside a virtual machine.

EDIT: Or maybe 2.1.1, the newer Intel drivers are back in and they don't seem crash-happy this time.

2.1.1 should work.

Yup, the drivers in 2.1.1 work.

thanks

It seams that your modem crashes ("Could not find IPv4 gateway for interface (wan)") at high load.

Maybe it helps to shut off flow control at WAN interface of pfSense by adding "hw.vr1.fc_setting=0" to your /boot/loader.conf.local. If it doesn't exist yet, create it at first.

http://www.gigabyte.com/products/product-page.aspx?pid=4747#ov

pfsense.png
pfsense.png_thumb

Ok, you're done thinking about the problem of this post and you're only doing the troll. Thank you, bye.

Read here regarding OpenVPN with accelerators.

A 1GHz Geode will probably be able to push 16Mbps of VPN traffic but it will be loading it quite heavily. If you then need to do other stuff on top of that you may run out of cpu cycles. If you get a 50Mbps WAN I doubt you'll be able to fill that with VPN traffic with that CPU.
A new Haswell box is the other end of the scale. It will be sitting idle most of the time. Choose something in between those two like, say, a core2duo box.
If you can get Intel NICs then do so. Since you are using VLANs you can have as many interfaces as you need with just one NIC but often it's nice to have more than one internal NIC. If only so you can get back into the box if you mis-configure the VLANs.  ;)

Steve

@stephenw10:

The BCM5720 is supported by the bge(4) driver in FreeBSD 8.3. So the question is has HP used their own PCI IDs that may not be recognised.
The bge(4) driver has no HP vendor IDs listed so if they have it won't work. It's not listed in 10 either though. The BCM5720 is not new, is that definitely the chipset used?

Steve

Hi!
Nice to get som feedback. Thanks!

Late reply for me here though.
The machine I probe as a pfsense contender is this one:
726042-425 HP ProLiant DL320e Gen8 v2
Which has the NIC mentioned above.

hp info:
http://www8.hp.com/us/en/products/proliant-servers/product-detail.html?oid=5379527#!tab=features

Needs a slick machines with a little more power. Got 10-20, rather active, simultaneous OpenVPN connections to sustain performance on.

@robina80:

i imagine this will be the same, ie cant run pfsense?

… as pretty clear from the description:

powered by the new Atheros 600MHz 74K MIPS network processor

you can consider this mainboard http://www.msi.com/product/server/MS96D9.html

The apu.1c4 sounds awesome although I would like to see performance data compared to the older model.

As I said, the pfSense strategy is AES-NI.

Stay tuned.