@wallacebw:

<snip>Assuming I want to be able to run at / near line-rate, is the Xeon-D (1541) enough? 
I am specifically looking at to leverage existing SFP+ ports and migrate to a LACP dot1q trunk of the above 3 'lans' onto the 'core' switch , which leads me to the server listed earlier (adding a SFP+ card) or looking at the over the top (1018D-FRN8T)

https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm

The 1018D is getting into the cost territory of a HPE DL360 class server (replace with your preferred flavor), but cooling and noise in the 'LAN closet' (which is close to accurate) is also a consideration, which leads to the Xeon-D options.  I 'could' build my own
M-ATX/ITX solution, but a commercial solution and rack mount form-factor is preferred

Thoughts?</snip>

Your requirements mirror what I have in production right now.  A few months ago I went with the Supermicro 5018D-FN8T and it's definitely more than able to handle that kind of load you mentioned.
It can also easily saturate my 250 Mbps upload using IPSec (haven't tried OpenVPN yet…) with plenty of CPU power to spare.
We had a thread going on there: https://forum.pfsense.org/index.php?topic=128646.15

Thanks guys.  I now see the distinction between Port Trunking and Ethernet Trunking.  In a sense one is the inverse of the other?

And Derelict, I will give your test suggestion a work out as soon as I can.

@marjohn56:

It's not a 'must', but anything that reduces risk is worth doing.

We have just carried this out on the Qotom G355G4, see the Qotom thread.

Yes. Greatly appreciate this message: "anything that reduces risk is worth doing".

I have a Qotom G355G4 too, and a Atom D525 box will be changed to C3xxx or 7th or 8th generation i3/i5 when pfsense 2.5 is available.

I've opened a case and I hope Netgate support can provide some advice.

I agree it looks like it's power-related, but I wonder if it's just a failing power brick (which I can replace), or a more serious issue with the 4860 board as has been implied earlier in the thread.

The cable just arrived and it worked like a charm. I had to restart pfSense though. Thank you!

Looks like you missed part of the difference between those lines. It should be:

The output from the other sysctl looks good though. It lists valid Wattage numbers next to each step at least. The driver is ceratinly loading and attaching correctly.

Steve

@arrdoggsxne:

I had looked at using a USB flash drive to boot from and then use a RAM disk but am not opposed to a cheap SSD.

Thanks

If you're gonna boot from USB flash drive, might as well use 2 and take advantage of ZFS mirroring of the root pool.  If you're like me you probably already have a couple that will work lying around anyway.  Also it's dirt simple to move pfSense to different storage thanks to the monolithic config file if you decide to go SSD in the future.

Please Check the Docs –> https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#MSI.2FMSIX

Yup that's one of the more wonderful things about pfSense, recovering from a failure is trivial as long as you have your config backed up.

You can leave the entry in /boot/loader.conf.local, the update/upgrade procedure won't touch the file in any way.

I ordered a bunch of Intel NICs (actually Desktop PCI adapters) a while back, some had the mark, some didn't, yet they all were identical (except production date).
It seems some older cards were produced around the time the YottaMark was introduced and that's why some simply don't have that sticker.

i have a qotom J1900 with 4 intel nics and 4gb ram for sale. i moved to a rackmount system.
PM me if interested. I am from germany.

We did a basic ME_Cleaner on the Qotom firmware in the Qotom hardware topic, works fine (both IME firmware strip as well as HAP bit). So there's one way to get a low-risk reduction of attack surface.

is it better to buy a bare bone Device and add RAM & SSD or buy a configured complete Set ?

If you will find something that is really matching to your needs take it, if not you are able to sort this with other
hardware you will be able to get for cheap or they are matching better to your needs.

Get a small Intel i3 or Core i5 with dual or quad cpu cores likes you like or need it.
Intel® Core™ i5-5200U Processor 3M Cache, up to 2.70 GHz = 5th generation Intel Core i5 CPU
QOTOM-Q355G4 2017

DHL - shipping fee to Germany US $33.68 - time between 8-17 days - status: Available
This item is in stock an will be sold from the Qotom flagship store on aliexpress.com
They accept paypal, VISA and Master Card payment, if you prefer to order online they
are able to provide you an amazon link, but you must ask them before placing the order
because this will be not even able to realize, as I understood it!!!

I would get it with 8 GB RAM and an Intel 60 GB mSATA.

And the older CPU's might be affected by the Intel AMT bug from may-2017
That might be "disabalabe" in the bios (atleast on my Lenovo)

But i dont think i saw disable in the Qotom Bios.

/Bingo

I have been using a Supermicro Xeon D-1518 based board with pfSense for about 8 months now and have had no issues (starting from 2.3.3 all the way to the current 2.4.2 version).

https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-TP8F.cfm

Hope this helps.

Just to follow up, NIC arrived and installed…had only two problems which had been resolved that was posted here: https://forum.pfsense.org/index.php?topic=140315.0

So now, I am waiting for the processor (AMD Athlon 64 X2 6000+ 3.1GHz Dual-Core Processor 89W) to arrive. However, here's an insight of the performance after running Snort, Suricata, pfBlockerNG, and Squid. After the processor is installed, I'll continue with further fine tuning. I am extremely happy with results so far despite the machine will last just a year (AES-NI issue).