• Internal access stops after adding new ethernet card

    8
    0 Votes
    8 Posts
    581 Views
    DerelictD

    You need to shut down, add the new card, restart, and note the new interface names and reassign or re-patch the interfaces as necessary.

  • Hard drive activity light on solid after upgrade to 2.4.0

    16
    0 Votes
    16 Posts
    1k Views
    B

    Good deal.  I appreciate all the help with the issue jimp!

  • USB Wireless Adapter not showing up

    7
    0 Votes
    7 Posts
    3k Views
    M

    @Nathantrinh23:

    Will the Ralink RT5370 work with pfSense?

    Well,
    the RT5370 should work. I use one USB Wifi on my OPNsense Box.
    But, not all wifi sticks will work in AP Mode!
    I tried several models with the RT5370. Some work very badly (very often connection problems). Some work perfectly but run very hot. So they died after some weeks.  >:(

    So it will be a bit lucky to get one that works stable!

    best regards
    Dirk

  • SFF Silent Mini-ITX recommendation

    3
    0 Votes
    3 Posts
    1k Views
    I

    @BlueKobold:

    Wondered if anyone had some recommendations for a small mini-ITX case for my new pfSense build. The board is a supermicro denverton with passive cooler and M.2, so no drive space, pcie etc needed.

    There are three well known and working chassis for that kind of boards;

    Supermicro SuperChassis SC101F Link
    Small and compact case without the ability to insert a PCIe card
    Supermicro SuperChassis CSE-E300 Link
    Small 1U desktop factor with the ability to insert an additional PCIe card
    mini-ITX case M350 Link
    Often used and well known working with mini-ITX boards from several vendors

    Supermicro BareBones that are using these cases.
    Supermicro SYS-E00-9A
    Supermicro SYS-E300-9A

    Would you share which board you are owning? I mean the exact model and model number or name of this?
    To be sure that the board is matching and fitting exactly in the case I would at first open the website from
    Supermicro and search your board number and then see on the right side all matching and fitting cases for
    that board! So you can't go with a wrong size or case.

    Currently I have it in a case that's pretty much the same as the Powercool Q6. However I am finding the temps start to get a little too high with zero fans.

    This could be very well, inside of the three named above case models you will be able to mount
    small case fans, in each of them I mean! They are available as spare parts or came together with the case.

    My ideal would be a case of similar size where in the area on top that the ssd/hdd drives go you could put a 120mm fan, that way I could still have quiet cooling running it at like 300rpm. So far all cases I have found of similar size use 40-50mm size fans which I have always found even on lowest rpm to be a bit too noisy (at least the pitch they make bothers me more than larger fans).

    Enermax U.R.Vegas 120mm Portable USB Fan with Magnetic Skin Pad (UCUR12-R)
    For usage together with a mini-itx case with an open metal mesh.

    I have considered taking a dremel to the top of the case and attaching the fan manually, but if there is a case out there already that can do the job, or someone has a better idea, that would be preferable!

    Scythe Kaze Jyu SY1012SL12L Kühllüfter - 1 x 100 mm - 1 - 1000 U/Min
    With opening and using the dremel

    Next best solution might be the Mini-Box M350 with the top fan brackets, but that's still 40mm fans therefore more noise.

    Might be one of the best available mini-itx cases and if the fans are too high turning you may be able to get some
    small fans (40mm - 50mm) from Sunon they have some nice silent fans out.

    Thank you for all the info, the exact board in question is the Supermicro A2SDi-4C-HLN4F. Considering one of the barebones you mentioned uses the exact same board, I am pretty sure it's compatible :D
    I actually already have one of those scythe fans you mentioned in my main computer (cooling a modified hdd hot swap caddy), pretty good fan. But I prefer not to dremel unless I have to, attaching a fan to mesh with magnets is a good idea, but feels like more of a temporary solution and not quite as clean as the other options.

    Looked at the SC101F, really quite like that case. Big advantage is the thick fans, other small cases generally don't take 40-50mm fans thicker than 10mm which also tends to mean they aren't pwm. My board will not do voltage fan control apparently (no matter how much I try) so I would have to have pwm fans. If I went for the M350 that would mean only the front fan pwm, the rest would need to be 'set and forget'. Unless I can find something 28mm that is quiet, I would think the Noctua 40x20mm PWM fans would be a good choice for that case.

  • 0 Votes
    46 Posts
    9k Views
    B

    SHA acceleration effectively makes CBC encryption like GCM.
    There are some benchmarks comparing them on the j3355 and the results are pretty much identical.

    Yes, the i5 will edge out the Celeron, barely. Still probably not in OpenVPN. But that doesn't make it a good selection.

  • Which would be better for my pfsense box?

    16
    0 Votes
    16 Posts
    3k Views
    ?

    Would those tips be general , and also usable (recommended) for a Qotom i5 setup w. 8G Ram ?

    It is never really able to reproduce on any hardware with the same effect or on custom hardware with the same
    effect. As an small example;

    Broadcom 10 GbE NICs (not all, but many) use more narrow down the entire mbuf size (65.000) and get often success
    Intel NICs are often gets served when you high them up between 125000 till 1000000!

    So freeing some things up might be a good sounding idea, but not for any user or any case of usage for sure!
    Please accept it is more or less something or more things I've seen peoples are starting a service,
    running a packet or in general setting up some things and even after this many or some are running
    in a trap or getting problems after the installation.

    It is able to get the same result or success but not even and with a guaranty for that, it all depends on the
    entire hardware and also the pfSense Version itself because not each version likes the other one pending on
    bug fixes newer functions, options and protocols or given services, it more like a hunting game you will win.

    and also usable (recommended) for a Qotom i5 setup w. 8G Ram

    Let us both imagine you are using firewall, vpn, snort, squid, SquidGuard and pfBlockerNG
    and you turns on the pfBlockerNG & DNSBL + TDL with many IP lists so your ram is going
    down very fast nearly complete in usage, so it makes no sense to say let us highing up the
    mbuf size, but if you gets in problems or you see issues and narrow down the entire IP lists
    in pfBlockerNG that will be in usage, you could do this to solve around any other problems.

    BIOS settings: (if needed)

    activate the Hyper threading (HT)
    set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

    Often peoples are reporting they was imagine more from the higher tech spec hardware and because
    the HT function was disabled in the BIOS, so why not telling others please don't forget to turn it on?
    Did your Qotom box have such a setting the BIOS, if so then try it out and give us (forum members)
    a feedback on this please!!!

    The IPMI Port on some mainboards mostly Supermicro, and we are talking here about a Supermicro
    Xeon D-15xx vs an Intel Xeon E3 system, are the fall back port associated to the WAN port! So if
    then the WAN is one time failing the WAN falls back to the IPMI and you are trying to get the access
    to the Internet back and again and again but without success or any clue why you can't do so or
    plain why you would not be able to do so!

    NIC tunings: (if needed)

    choose ZFS file system and TRIM support will be enabled automatically
    high up mbuf size to something between 125000 - 1000000
    narrow down the amount of num.queues to 1 till 4
    enable PowerD (high adaptive)

    If you need TRIM or you wish it to enable nice to know that since version 2.4.0 ZFS is
    automatic enabling this for you
    Pending on the used NIC driver and CPU for each NIC port pfSense will be open or create
    queues and they can be filled more (mbuf size 1000000) or less (mbuf size 65000) and on
    top of this the amount of this queues will be also able to set up like 1 queue till 4 or more
    queues likes needed or well matching.
    PowerD will be bringing the CPU to scale up if needed and also vice versa scaling down of
    your pfSense box is not so hard stressed by traffic or functions.

    OpenVPN settings: (if needed)

    enables Intel RDRAND (if supported by the hardware)
    activate UDP fast I/O support
    enable LZO compression if able to do so on both sites
    set the buffer to 2 MB less or higher could also be matching
    AES-NI is activated by default since the pfSense version 2.4.0

    And this is quite the greatest part where you will be able to play around with for weeks to
    get the best settings matching to your configuration and bringing you the most benefits.

    Please don't forget please you can win and be happy with only one setting and/or with all or
    some of them together. I personally mean that mostly, many things are playing more well
    together as only one hint.

    VPN is a both ended "thing" and if both ends are enabling LZO compression or fast I/O support
    it would make more sense to me, Intel RDRAND must be supported by hardware and the buffer is
    more or less pending on your RAM size. And what benefit you will see at your pfSense box or
    based on the hardware you are using.

  • 0 Votes
    8 Posts
    3k Views
    DerelictD

    ugh necro.

  • HW configuration for 10GbE router/firewall

    4
    0 Votes
    4 Posts
    712 Views
    ?

    For the cooler, I'm not sure I can do much, will test under heavy load in 1U and see how it goes…

    At the Netgate shop they are also talking about a heating situation that can be going too high in some situations
    and therefore I would really have a look on this!

  • 0 Votes
    8 Posts
    1k Views
    N

    If you're willing to spend the money 350 will get you the brand new sg-3100 which netgate is insistent can handle 1Gb symmetrical without issue. Benefit with this little guy is at 6w you get a built in switch.. Plus you support the project and get 1 year of support on top of it.

  • Budget build question

    20
    0 Votes
    20 Posts
    3k Views
    R

    @belt9:

    That's certainly more better  ;D

    Another thought, just use your HTPC as pfSense and buy a J3355B to use as your HTPC. It does HEVC 10 bit hardware decoding. Mine plays back the higher bitrate 4k HEVC 10 bit jellyfish test files just fine.

    That option might save you some $$.

    My HTPC doubles as a gaming rig too (it has a gtx 750ti)  8)

    Steam link and Nvidia gamestream require the host to be not in use, so I've got no choice but to play games locally. Otherwise I'd definitely setup streaming, my network is mainly wired after all.

  • Pfsense hardware for max ipsec / vpn throughput

    4
    0 Votes
    4 Posts
    4k Views
    ?

    Today I am at 75/75 on one side of my vpn.  My current equipment keeps up.

    If I have to choose today a new hardware I'd be waiting until the new Supermicro Boards are both on the market.
    Intel Xeon D-15xxN (3rd. generation) and until the Intel Atom C3000 (Denverton) will be fully supported
    by NIC drivers too! And then one of this two new Chips will be mine. For sure perhaps I must wait a small time
    period, but then I am able to choose between board coming with, AES-NI, Intel QAT and DPDK support.

    Soon (1 month) I will be at 300/300 both sides and my current equipment will not be able to keep up.

    Again I really would wait as a minimum for the newer hardware from Netgate.

    In the future (maybe a year or so), I might be 1g/1g both sides (actually not full gig, but Verizons 800/700ish FIOS)

    Intel C2000 vs Intel C3000 AES-NI
    And from the 3rd. generation Intel Xeon D-15xxN I personally expect a little bit more as from the Denverton platform.

    So If I am going to research, purchase, configure and install new firewall hardware I want to try and do it for my eventual line speed which will be FIOS gig service.  I really don't want to have to do this twice, once for when I go to 300/300 and again when I move to gig.

    Is FIOS using PPPoE on its 1 GBit/s Internet connection?

    I'd like to determine what equipment can do full gig vpn and install that now.

    This might be too high in price if we are talking about 1 GBit/s OpenVPN speed, if we are talking about
    IPSec VPN speed this might be able to realize. With a small Intel Atom C2558 (Rangeley) you might be
    able to push ~470 MBit/s over a IPSec VPN tunnel and the Denverton is more strong and the D-15xxN
    will be topping this once more again! So it is also able to realize it with common consumer PC hardware
    if the CPU is strong enough and comes with AES-NI.

    I hope my explanation is clearer.  Sorry for the confusion.

    Yes for it is! You might be waiting one month or two and perhaps netgate is bringing out then their new
    hardware based on a C3000 (Denverton) SoC, this might be better then for you to decide whether to go
    with in my eyes.

    So all variants are open to you, you may go with the new Netgate Hardware, the Denverton based Supermicro
    boards or the newer Xeon D-15xxN boards not able to get hands on today, or plain strong enough consumer PC
    hardware as you need or wish it!

  • [SOLVED] apu2 internal TTL com port

    38
    0 Votes
    38 Posts
    6k Views
    K

    @doktornotor

    Any ideas why I'm getting a board mismatch error:

    Calibrating delay loop… delay loop is unreliable, trying to continue OK.
    coreboot table found at 0xdffae000.
    Found chipset "AMD FCH".
    Enabling flash write... OK.
    Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
    This coreboot image (PC Engines:PC Engines apu2) does not appear to
    be correct for the detected mainboard (PC Engines:PCEngines apu2).
    Aborting. You can override this with -p internal:boardmismatch=force.

    As you can see in the logs, they're the same exact board so I'm not sure why there's a mismatch?

    EDIT: Nevermind, I already figured it out. It seems to be caused by the space between PC and Engines so forcing it fixed the problem.

  • Upgraded to Gigabit line, need to overhaul my network

    40
    0 Votes
    40 Posts
    6k Views
    ?

    Let us imagine some other points, I said only imagine, not that this will be coming or passing through!

    You do understand that the QAT in the C3xxx series is incompatible with the QAT in the C2xxx series?

    Yes I am understanding that! But you should be thinking more positive please.

    If the QAT driver version 1.6 from pfSense team is not compatible with the Intel Atom C2000 but perhaps with
    the newer Netgate hardware based on Intel Atom C3000 called Denverton and the QAT driver version 1.5 from
    the NetBSD team is supporting also the Intel Atom C2000 called Rangeley, they only have to exchange this
    drivers and porting them to each of their OS, so the developers will not have any more to bother with that
    driver and all is fine for them and us!

    So it could be happen, that at November 2017 the newer hardware from netgate will be launched and fine for
    using QAT and perhaps in December 2017 or later it could be happen that the older customers and clients
    of them get their "Christmas parcel" too and will be able to use QAT also. It's more cutting half the entire
    work time on that drivers that must only be exchanged then as the results.

    For sure that can be running very different each from another, or never becomes true but it will be a real chance
    for and us too as I see it right.

    And being very open talking over that point, perhaps many users will be very impressed if they know that peoples
    from pfSense and/or were talking with employees from the VyprVPN company about the one or other thing, who
    knows it really….....

    The more talk there is about the QAT in the newer series, the less likely that the QAT in the C2xxx will ever
    be utilized.

    But with this words you are talking that it will be not utilized only and not it is not finding its way into the system, right?  ;)
    Like on Rangeley, the QAT scales by the number of cores. Unlike on Rangeley, the QAT has good support. Link

    And, in fact, you can find the pfsense developers directly saying that it's unlikely that they'll ever bother with the QAT in the (C2xxx.)

    I don't know if that driver from the NetBSD project is able to exchange only, or if this will be easy or able to realize,
    but if so I think this might be nice for both parties as well as for us.

  • Wireless ac support for pfSense - able to realize?

    3
    0 Votes
    3 Posts
    2k Views
    ?

    The pfSense GUI might not have the code to deal with 802.11ac

    Ah ok, I understand that this will be perhaps then the breaking point, thanks in advance.

  • All Connected Devices

    5
    0 Votes
    5 Posts
    3k Views
    johnpozJ

    domotz takes all of a couple of minutes to setup.. If you have a bunch of vlans it takes a bit longer.. Since you have to add the interfaces or sub interfaces for your vlans on the box and make sure the box has access to all your different vlans at layer 2.  You need this because it arps the whole subnet to find devices and monitor when they go up down, etc.  You can change how often it arps for something, etc.

    You can run it on anything really, a pi, a vm you have, something running linux, etc.. I have it running on an ubuntu vm currently.  Even runs on some NAS boxes, etc.. Synology, QNAP, ReadyNAS

    You can try it out for 21 days before you have to pay for it.  It's a great little piece of software for monitoring devices on your network be it new stuff that joins or wanting to know when stuff goes down or up, etc.  Since it phones home.. You will know if it goes down as well, etc.  Or your internet is down which would prevent other things from sending you alerts..

    You can even have it monitor services like http or ssh, etc.  You get a few "eyes" to watch services in your normal cost.. You can add more for a few bucks, etc.  It even can monitor snmp of switches and show you what sort of util your interfaces are seeing, etc.  It really is a sweet little product for the cost..

    Something you setup with arpwatch or nmap or arping and some cron job is not going to come close to the feature set of domotz, etc.

  • Pre-purchase SG-4860 questions

    10
    0 Votes
    10 Posts
    1k Views
    ?

    I have built and used pfSense systems for many years, usually based on an i3 based high clock speed CPU to ensure I get 1Gbps throughput under varying configurations.

    But under varying configurations means here the raw WAN throughput or am I wrong with this?

    I am tempted to get a SG-4860 unit as I like the form factor and finding a decent small case with front facing network ports is a pain.  So I have a few questions:

    There are many solutions to fit your needs in any kind of art and wise!

    The SG-4860 is able to get also in a 1U rack mount case with front I/O ports! You may also be able to buy the board only and let produce a custom case as
    you may want it in the desktop factor but w/ front I/O ports! Schaeffer AG You may also be able to buy a small 1U dual board case and let only drill the
    front plate or panel as a custom work only on your "special" demands. Case & Frontpanel

    1. After the initial year of support, am I free to install a stock community image on the device as I would do for a custom built system?

    You are free to do so, but if they offer an ADI image that fits to their boards and came pre tuned I would be aware of
    this was to feed any SG-unit.

    2. Would the Atom 4-Core 2.4Ghz CPU be fast enough to sustain 1Gbps even with OpenVPN / IPSec, and packages running such as ntop?

    I only know one person that was reporting to get with an SG-4860 nearly ~900 MBit/s over a 1 GBit/s symmetric
    internet line, but not using PPPoE at all. And something likes ~470 MBit/s over IPSec VPN.
    Link

    3. Does the unit support the upcoming 2.5 requiring AES-NI?

    Yes.

    4. Is there any reason you would recommend building a custom system rather that purchasing the SG-4860?  Asking since I can build a mITX based i3-8100 4-Core 3.6GHz, 8GB RAM, 128GB SSD, 4 x Intel NIC system for about the same price as the SG-4860.  It will be larger and the ports will be in the back, which is a bit of a pain in my cabinet.

    You must get the hardware to fit your needs and not sorted by brands, the one way is supporting the project and the other
    way is supporting your budget and offers more options too.

  • Dual Port Adapter vs. onboard

    3
    0 Votes
    3 Posts
    455 Views
    O

    Thank you for the extremely quick feedback on this VAMike!

    I am aware of the realtek view, I have read your discussion on this the other day (https://forum.pfsense.org/index.php?topic=123462.0).
    So this question definitely didn't mean to be an intel vs. realtek topic, I was more concerned that using both ports of the intel dual port adapter will have some speed limitation vs. using both intel and onboard NIC.

    So thanks for answering this in the second part of your feedback. If the Intel can handle both ports at full speed without any limitation/ drawback, then I am happy to ditch the onboard realtek for sure.

  • Pfsense network recommendations/questions?

    21
    0 Votes
    21 Posts
    3k Views
    V

    @BlueKobold:

    For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables correct? Was not sure if there was a difference other than throughput speed or if there was more to it than that.

    For 1 GBit/s you will need CAT.5e and if you are willing you can also go with CAT.6(A) if you want to,

    For 1000baseT you need cat5, which is the cable the 1000baseT spec was designed for. Some additional tests were added to the cable standard and the result was cat5e. The differences mainly involve crosstalk tolerance, and had more impact on connector/punchdown assembly than the cables themselves. Most factory built cat5 cables would pass the cat5e spec but weren't tested/certified as cat5e. (Field terminated cat5 was a mess, as 100baseTX didn't push the specs as hard as 1000baseT, and only used 2 pairs like 10baseT–so some installers back in the day didn't even bother to terminate all four pairs.) In practical terms, any decent cable you buy new today will work fine at 1000baseT. You won't find any cat5 for sale in 2017, and If you're looking ahead to 10GbaseT there's no reason to buy cat5e rather than cat6 (if there's a huge price difference, find a different source.) If you already have cables, they're probably fine--just try them. If you run into problems (like the link takes a long time to come up, or won't get above 100Mbps, or starts at 1000Mbps and then steps down) it's probably the termination--but unless it's a really long run it's not worth fixing rather than tossing it.

  • Supermicro X11SBA-LN4F-O N3700 - Has anyone used this board?

    8
    0 Votes
    8 Posts
    3k Views
    P

    I use this board for 4 months now.
    I have no problems at all.

    Performance is great using ips, squid, Pfblocker.
    Power consumption can’t be lower.

    It’s a very solid board. I like the Ipmi feature.

  • Pfsense 2.3.2 WatchGuard Firebox X1250e

    2
    0 Votes
    2 Posts
    630 Views
    D

    Possibly just about I would say.

    Is the connection symmetrical (300/300)?  Will you be maxing out the line all the time?

    What type of VPN connections will you be using? Will they be on all the time and at the same time?

    If you want to use squid (caching?) as well at the same time as the VPN you may max out the CPU.

    Since you have the unit, try and see how well it gets on.  If the CPU maxes out all time or throughput is slow you will know for sure.

    Realistically though you should try and get hold of an XTM 5 series.

    2.3 will be the last 32 bit version and 2.4 will not be available as a nano install.

    I have an XTM 5 running an Intel Xeon CPU L5420 @ 2.50GHz using the 771 to 775 mod , 4gb ram and an SSD.

    You need to find the fastest clock rate CPU that you can as the firewall thread only runs on one core.  Faster the clock the more traffic you can shift.
    In the future even the XTM 5 will not work with pfsense 2.5 as it will require an AES CPU which none of these models do.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.