This is great. Thank you so much!

It's really old at this point. It would have to be very cheap or something that you are doing for the experience in my opinion.

But you probably can install to it. Checkpoints other devices were not locked to prevent it on those I have seen. You may well need to swap out the boot media, I have no idea what that boots from but Nano no longer exists since this thread was started.

Steve

Hello!

I thought I should update this thread on what I've finally settled after trying a few different routes.

First I tried to go the official way, which ended up being super expensive if you live in Spain. There's some more accesible options on Germany through Voleatech but still quite a bit with the power you get. Don't get me wrong, this would be the perfect option if this was a mission critical equipment, but this is just for my home network.

Then I tried going the virtualisation route but I found some problems and/or limitations with KVM when trying to route gigabit speeds. I'm currently on 500/500 but pretty sure in a few years from now we will have 1000/1000 as my ISP has been almost duplicating speed between 2-3 years. Not so future-proof. Also was a bit of a pain in the ass if I had to do stuff on the server that my internet will be also off.

And finally arrived to what I think it will be the perfect solution, yes you guessed it: bare-metal installation. I had lying around a cheap PC I built last year for my crypto miner project: Asus prime z270-p + Intel G4400 + 4gb RAM (that was around 160€ new). I'm going to add a SF450 PSU, SSD next week but already got the Intel i350-t4. Power consumption currently is around 28w on idle and 35 when routing gigabit with ntop, suricata, pfBlockerNG and a few more). Should be a bit less when I receive the SSD, currently is on HDD.

Hope this could be helpful for someone else looking at build its own pfSense box. I will update with final numbers once I've all in place. Maybe even some pics!

Thanks :)

Are you still facing this issue? Try fake credit card numbers that work for online shopping. It might help you.

Stephen,

I appreciate you taking the time to reach out. I will have to check this out in the morning as I seem to have accidentally migrated the giant box of USB cables to my business' storage unit. However, in the event that the drive is bad, I wonder if Netgate has access to a replacement module that I can re-solder to the board. All-in-all, I'm quite impressed with the quality of the PCB that Netgate uses.

Thank you,

~Morgan

Read through the whole thread to get the full low-down 😉

https://forum.netgate.com/topic/39639/watchguard-xtm-5-series

Steve

Thanks! Will order one right away.

Do they even make 32 bit hardware any more for PC? Has to be YEARS and YEARS.. Is your PC like 10 some years old?

Even the PI 3 for $35 is 64 bit cpu..

@stephenw10 Agreed. Plan is to install pfSense just to get a feel for the OS/experience. My networking knowledge is not great so if I can't figure it out then I want to know before I buy a new LAN card. I've seen some videos online with screenshots and those screenshots had many terms I don't know so I'm a little worried. Just created the USB installer so I'll see how it goes.

The port placement and LCD look like a Lanner box in which case I would expect the SDEC driver to work. That's connected via the parallel port.
However almost all Checkpoints other stuff is Portwell/Caswell. That's not the EZIO LCD though.

But yeah it will only run the now obsolete 2.3.5.

Steve

I have made FreeBSD 12 package.
https://drive.google.com/file/d/1Ch4Z_w7gpbrpavQ4KhPUXUzYhRyzqnye/view?usp=sharing
I dont consider it my work - I have just packed it in one archive. It is stable for me on 12.0 p3 more than
"sed -i -e 's/TAILQ_FOREACH/CK_STAILQ_FOREACH/g' if_re.c"

And throughput? VPNs? Packages?

I have been using this system for a couple years now with a symmetric 1Gbit fiber connection and it is definitely capable of passing gigabit speeds even with IDS/IPS enabled (in my case I run Snort). Here a couple more suggestions:

Networking tweaks - put these four lines below in your loader.conf.local file (if you're using the SFP+ ports replace igb with ix):

hw.igb.rx_process_limit="-1"
hw.igb.tx_process_limit="-1"
hw.igb.txd="2048"
hw.igb.rxd="2048"

I'd also recommend disabling flow control and energy efficient ethernet, unless you have a specific need/use for them.
Another good thread with tuning tips:

https://forum.netgate.com/topic/101391/loader-conf-local-tuning-for-modern-hardware/

Finally, if you disable Suricata temporarily, do you get full speed with a client behind pfSense, or does it not make a difference?

Hope this helps.

@stephenw10 said in pfsense on rasppery PI:

You can do that with Radius accounting in pfSense but it's quite a complex setup. It also doesn't scale well to a large number of users if you have individual accounts in Freeradius. The GUI is not setup for that. Better to use a separate Radius server if you need that.
It would not run well on an SG-1000, if you go that route it should be installed on larger hardware.
Thanks!

Ah, nice so it probably was a multimode/singlemode mismatch. Good result!

Steve

So I managed to solve this with a BIOS update in the end. Part of the update process was clearing the CMOS so I had to change a bunch of settings back. The only setting I know was different that I chose to leave default this time was the ACPI HPET Table option. Previously it was enabled, now it's disabled. I don't really see how this would affect performance to the extent I was seeing, so I suspect it was something in the BIOS updates that solved the issue. Also MSI interrupts are definitely slower than MSI-X, they took me down to 50mbit.

For the next sod that goes googling this, the Motherboard was an ASRock N68-S3 UCC. Initial BIOS version was 1.4, updated to 1.6. I'm now running all defaults except that I've restricted my queues to 1 per NIC with the following in /boot/loader.conf.local

hw.igb.num_queues=1

I'm doing this because I have a dual core CPU and 4 NICs, so I'm trying to reduce the amount of context switching. It may work fine as a default, but after the nightmare of getting it to this point I'm just going to leave it be.

@johnminaa said in 4g modem info:

I will also recommend Huawei E398 LTE USB Modem.

I never owned, used or recommended it. Personally I would recommend Huawei E3372H as a replacement. Fortunately some people already posted here some receipts on using it in the different modes.

@mats thanks for the reply and please forgive the long delay in responding.

Thanks for the advice regarding the electrical side. Have a APC UPS powering the cable modem. The coax feeding the cable modem is run thru a surge suppressor . The pfSense box is powered by a separate APC UPS. Anything else I should consider?

Thank you gentlemen. I appreciate your time and feedback.

Good decision! 👍