• Do I need a voip gateway for this?

    11
    0 Votes
    11 Posts
    2k Views
    chpalmer

    NM This thread is 3 years old.. Yikes!

  • Will my extra hardware work well for pfSense?

    11
    0 Votes
    11 Posts
    1k Views
    M

    Make me an offer on your old hardware, because I need to build a NAS box. :)

    Then use the money to buy a Netgate device. :)

  • New build queries, have researched honest!

    2
    0 Votes
    2 Posts
    747 Views
    P

    I can answer some of your questions but not all of them. I'll give you my experience and suggestions for the areas that I know.

    Regarding the build, I would recommend something newer than the N3700 series. I'm currently running an Asrock J3455 based system now with a PicoPSU, and it's pulling 11 watts on 110v power here in the US.

    The J3455 board was about $65 from Newegg. The PicoPSU + power brick was $55. If you have some DDR3 memory laying around and an extra case, that is all you need to get started. If you need to purchase those items, add them to the cost.

    For a NIC, Intel based is highly recommended. I have also had good luck with Broadcom NICs after some tweaking; however, Intel NICs can be found very affordably on eBay from a working server pull. When you order the NIC, make sure you're getting one from a server recycling vendor that is selling an actual OEM product; do not order from China or you will very likely get a fake Intel NIC. One good option is the HP NC365T, which is the same NIC as an Intel Quad I340. It uses the latest Intel IGB driver on pfSense and is very easy to tune. I have one of these NICs and it is rock solid stable, and quad port gives you room to grow.

    I have also used HP NC382T NICs (dual port Broadcom 5709) and HP NC360T NICs (dual port Intel 82571). Both of these also work well; they aren't quite as new as the I340 and can be found cheaply, and the Broadcom NIC regularly sells for under $10. These are good budget options and both of them are very stable.

    If going with a J3455 setup, PCIe slots are limited, and there is usually only one full bandwidth slot for an x2 or x4 PCIe card. I would recommend you buy a quad port card on the J3455 setup so that you can have a single card in the fastest PCI slot and maximize your bandwidth.

    IMHO, I don't like to use onboard server NICs because of Intel Management Engine issues (security hijack point). I much prefer a separate physical NIC to assign the WAN port and LAN ports to. Because of this, using a J3455 wasn't an issue for me because it had a low quality Realtek NIC onboard, and I just disabled it and used my own PCIe NIC of choice.

    People have issues with the J3455 because FreeBSD had a regression in the 11.1 release, which is what pfSense 2.4.3 is based on. If you run the development release (2.4.4.a), it will install natively in UEFI without any issues; that's how I run on my J3455 setup. Traffic shaping is now easy on 2.4.4.a and fq_codel is built in to the GUI on the latest pfSense builds in 2.4.4.a.

    I don't use pfblocker, snort, or VPN on the firewall, so I can't give you direct feedback on those items. If you're on a budget, the J3455 is a very good setup, especially if you can re-use some older components (like an old ATX case) and just stick it under the stairs. You didn't mention your budget requirements so I'm not sure what targets you're trying to hit.

  • 0 Votes
    3 Posts
    820 Views
    stephenw10

    The Chelsio card will work. The HP branded card probably won't after Googling it. Looks like a QLogic/NetXen device.

    Are you able to get the actual PCI device and vendor IDs for that?

    Steve

  • Watchguard x550e issue

    Moved
    4
    0 Votes
    4 Posts
    659 Views
    S

    Thank you very much.
    I will test this with a cable like you said.

  • pfSense on Zyxel Zywall 1050 to install..

    Moved
    3
    0 Votes
    3 Posts
    773 Views
    J

    OK. 2pcs.* k9f1g08u0a 128m8bit controlled by Phison ps3002t controller
    0_1531677767977_K9FxG08xxA.zip 0_1531677801633_PS3002 CompactMedia Controller Specification.zip It even has PhoenixBios E686, 44pin PATA interface which I want to populate with 1 GB flash. The reason to do all this: it's a nice looking 1U 51Gbit ports with removable soc479 CPU, right now a Celeron 370, with 1 DDR upgrade...+ PCMCIA support and miniPCI slot and YES, it has a DB9 female port labelled console...Marvell 88e8001-lkj, Vitesse vsc7385xyv Ethernet Switch 6-Port 10Mbps/100Mbps/1Gbps, Zyxel SecureAsic cip-2001

  • Need to upgrade for gigabit (pppoe) connection

    16
    0 Votes
    16 Posts
    3k Views
    C

    @stephenw10 Unfortunately, my box has Broadcom NICs and I am in a CenturyLink area (PPPoE land.) We do have a municipal fiber provider (Utopia) but it’s not available in my area yet. They can provide from 250 Mbit to 10 Gigabit symmetric. I am just waiting for them to make it down my street and take my money.

    Carlos

  • WatchGuard Firebox x750e - 64bit upgrade

    3
    0 Votes
    3 Posts
    1k Views
    E

    The problem is that I already have a red box, and that is why I would like to replace the motherboard in it; buying a newer box just to replace the motherboard doesn't make much sense to me, at that point I might as well buy a second hand server such as the Dell R210 with an E3-1220 which already has all that is needed, for pretty much the same price as the solution that I am looking to implement.

    The issue here is that I am trying to avoid sending another piece of equipment to the landfill (or at least not all of it).

    The Supermicro Motherboard boasts an Intel Pentium Processor N3700, which already has the AES support that is required for the latest versions of pfSense.

    Thank you for the tip about the Lanner offerings, I will look them up.

  • Verizon USB730L USB LTE modem

    2
    0 Votes
    2 Posts
    839 Views
    stephenw10

    Neither PID listed here, 9030 or 9032, is included in the most recent USB device list:
    https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_4_4/sys/dev/usb/usbdevs

    So I would not expect it to be detected in either of those modes. It might be detected in RNDIS mode if you load the kernel module since that can seemingly attach to things that report to be an RNDIS interface. No promises though.

    It's almost always better to use a device that provides an Ethernet connection if you can. Especially if you want 4G speeds.

    Steve

  • Hyperthreading - Yay or Nay?

    8
    0 Votes
    8 Posts
    2k Views
    E

    @stephenw10 Yeah, you are right. It's only me who has administrative access. Therefore I don't see a huge risk of exploiting security issues like Meltdown. It is still important to fix those issues because not every setup is different and those issues might be a problem for other users.

    Cheers,

    Henry

  • Looking for new box

    2
    0 Votes
    2 Posts
    536 Views
    ivor

    You can purchase official pfSense appliances from our website. Find the complete list of pfSense appliances here https://www.netgate.com/products/appliances/

  • TSO, LSO and VLAN HW offload

    2
    0 Votes
    2 Posts
    504 Views
    stephenw10

    I would leave those settings at the defaults unless you're actually seeing issues.

    Steve

  • Quad Port NIC not detected

    11
    0 Votes
    11 Posts
    2k Views
    G

    @stephenw10 said in Quad Port NIC not detected:

    Try the NIC without the riser directly in the slot, if it will fit with the top removed.
    Try a PCI NIC in one of the other slots, with the top removed.

    Those are probably 32bit 33MHz PCI slots so limited to ~1Gbps for the slot. You might not need more than that across the ports in it. The box might not be capable of more anyway depending on what CPU it has. That's pretty ancient hardware.

    Steve

    Unfortunately, the card won't fit without the riser : (

    I believe the PCI-X slot is 133MHz, but I'm pretty much going to find another box.

    Oh well, you live and learn. I did gain some FreeBSD knowledge through the experience. Thanks to you guys for your advice!

  • Suggestion for 10gbe

    7
    0 Votes
    7 Posts
    2k Views
    T

    I agree with what has been written here so far. As someone who currently uses a D-1518 based setup I can confirm that this hardware is capable of moving 10Gbit/s across the firewall even with Snort enabled, but with standard size Ethernet packets (e.g. 1500 bytes). As you decrease the packet size, however, the amount of packets you are able to move across the firewall starts to become the limitation. My thread that @heper linked to provides some rough numbers based on some basic testing I did at 10Gbit. I think for an average case usage scenario where you don't see yourself maxing out a 10Gbit connection regularly, the D-1518 would probably work fine. Otherwise, I do recommend faster hardware as well, both more cores and cores operating at higher frequencies. More cores should help to process the traffic in the NIC queues - for 10Gbit NIC hardware I have seen that it's possible to use up to 16 separate queues (and maybe even more). If you are set on sticking with Supermicro, here's an alternative suggestion that looks nice, but is probably a bit more expensive (next generation Xeon-D):

    https://www.supermicro.com/products/motherboard/Xeon/D/X11SDV-8C-TP8F.cfm
    https://ark.intel.com/products/136434/Intel-Xeon-D-2146NT-Processor-11M-Cache-2_30-GHz

    Hope this helps.

  • 4 NIC ports PCI Cards Compatible?

    4
    0 Votes
    4 Posts
    572 Views
    R

    Excellent!
    I will try to get one of these HPs or one with an Intel chipset, thanks for your help.
    Robert

  • PSA: New Zotac CI323 Nano BIOS Breaks pfSense

    5
    0 Votes
    5 Posts
    813 Views
    E

    I wouldn't load the Spectre patches on a dedicated pfSense box. You neuter your CPU performance for very, very minimal risk. As @stephenw10 said, if virtualization isn't involved Spectre really isn't much of a threat, especially for something as minimal and tight as pfSense.

  • Gigabit Internet with quite a few packages enabled

    5
    0 Votes
    5 Posts
    1k Views
    E

    It's always been a good idea to let a firewall be a firewall, and use other boxes/resources to do IPS/IDS, content filtering, etc. UTMs and pfSense started to reverse that for the convenience factor of having everything in one box, but with gigabit speeds becoming commonplace people once again are running into performance problems.

    So split the load. Luckily pfSense is an appliance so it's easy to set up additional pfSense instances. I've started to split the load - doing a bare metal pfSense install that just does routing, NAT, firewall and QoS if I need it. For everything else (VPN, pfBlocker NG, DNS, DHCP etc.) I spin up a second instance of pfSense in a VM. It's a bit more work, but I suspect it's the only way you are going to be able to get max throughput on your Internet link, and also be able to do the other stuff you want to.

  • Intel X553 NICs (on C3758 SoC) not detected by pfSense 2.4/2.4.1

    42
    0 Votes
    42 Posts
    15k Views
    stephenw10

    If you clear that and reboot do you see it again?
    If not it was probably just temporary during the upgrade when those php libs are updated.

    Steve

  • Looking for BIOS flash for WatchGuard Firebox x750e / x550e

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10

    The CF card slot does not support DMA so if you are using a CF card that is UDMA capable (almost all of them) you need to disable it:
    https://www.netgate.com/docs/pfsense/hardware/boot-troubleshooting.html#pfsense-2-2-and-later

    Steve

  • Unstable connection PPP with Huawei E3372, E3272

    13
    0 Votes
    13 Posts
    3k Views
    stephenw10

    Did you try all three ports? It's not necessarily the first one that provides modem access.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.