Hi all …. I'm still here  ;)

Clarifications: I bought the AP42 after a cursory hardware/software review (including pfsense). The Gigabit traffic is not seen by the AP42 because it's isolated locally to the primary DD-WRT router network. So IMHO 10Mbps AP42 interfaces is adequate (Gbe a nice overkill). Yes/No?

Back to the basic problem - booting the pfsense USB (built with rufus 2.17)

The USB is not recognized by the BIOS, even in legacy boot mode. Tried building on uBuntu with dd. Same issue. Downloaded again, same issue. Seems I'm overlooking something very basic.

I was able to boot a rufus built OPNsense img so it must be something else I'm missing.

Advice?

Final update:
9 days, two posts, no response. Good bye.

Hi,

Updating the doc would save time for next users following the 'Getting Started' manual…

Thanks,
Hakim

I bought the thing on October 12 last year.

That device has a 1-year warranty. Sounds like you should immediately register your device for support if it isn't already and open a ticket.

Are you running pfSense 2.3.4-p1 like you should be? If not you should probably upgrade.

Your WAN interface should be configured as: Default (no preference, typically autoselect)

@VAMike:

Maxing out around 70Mbps single core doesn't seem impossible, those were really slow CPUs. It does look like hyperthreading is disabled, so you can see if there's a BIOS setting to enable that. (It also might just not be supported on your motherboard.)

You were absolutely right, hyperthreading was disabled. I enabled it and now I have full speed. YEAH! Thank you so much, I never thought about that and probably would have bought new hardware next weekend. And thanks to anybody else for the input.

@BlueKobold:

Is there a VPN connection for the update-from-console option? For extra $?

There are many secure ways to get it, but mostly some vendors are submitting that over an encrypted tunnel
using an internal TMP module for that or doing it in software. …

Who are these vendors you speak of? Shoestring budget osdisc.com (its owner's sidejob), random & late linux format?
Sincerely,
JC Magras

Hey thanks, I saw their offer on Amazon but good to hear they use good components.

For the lower Internet connection speeds here in Germany it will be one of the best and often sold hardware
in combination with pfSense as I am right informed. It is running here for 100 MBit/s down and 50 MBit/s up
for ~ 70 employees together with IPSec VPN, Squid & SquidGuard, snort and pfblockerNG, all is fine.

One line of thinking was to start with that and if for whatever reason I don't have enough power on this one, use it as a slave in a HA setup.

You will be able to run it in one big 1U" case as well available from the Varia-Store, here is a link to that dual 1U" case;
APU2C4 - 1 U" - rack mount case

Haven't looked into that too much, but it would enable me to use a VM with plenty of power and a backup unit in case the server gets rebooted / dies / explodes / flies away.

That could be also very interesting, but I love more the real hardware HA setup, if one server is "gone" mostly also
both VMs are also "gone" please don´t forget this too!

For more power you could also have a look on the new Supermicro Atom C3000 line
But the network drivers will be not really matching to all NICs that are SoC integrated!!!

Stronger and faster then the Intel Atom C2000 series, but slower and less powerful then the Intel Xeon D-15xx series.
it is not only interesting what kind of Internet connection speed you are running, also the amount of installed packets,
running applications, offered services or used protocols will be also important likes the amount of users and their
produced traffic such mailing, surfing, gaming or audio/video streaming!

enable and auto likely do the same thing.  Only disable would behave differently.

Note EIST is required if you want to use turbo clocks.

@stephenw10:

You may want to add that as a Shellcmd so it gets stored in the config file and survives updates.

https://doc.pfsense.org/index.php/Executing_commands_at_boot_time

Steve

The fix that I put in has been working well for many days now, so I followed
the instructions in the link above and found the line in the file /conf/config.xml
and inserted the following line right above it:
<shellcmd>/usr/sbin/usbconfig -u 0 -a 3 power_off</shellcmd>

Then I saved the file and rebooted.

Everything seems to be working fine.

Don't do it. A single SSD can saturate practically all network links. Mostly because even with 10GbE you'll still have on-disk compression, caches in RAM and the possibility of using ZFS and having two disks in a pool to increase IO.

Used to run pfsense on a 433 MHz Celeron with 386 MB of memory until recently.

Perhaps the memory system is to low, the actual version will be running well, but in the near future the
support of the entire hardware will be changing step by step and so it might be a better thing to change
now, and go with 64Bit hardware that comes with AES-NI support too. So you might be able to run it likes
now for years without any issues.

What if it were not that particular hardware, can't you say where the hardware check is done and ways to disable it?

There will be not a switch to disable or enable it! As I personally know it, it was announced here in that forum or over the blog
on the netgate website, the following changes will be coming with the new version 2.4 and above;

No 32Bit support anymore, only 64Bit hardware will be supported
(but we got ARM support for two devices (at the moment) therefore or instead of) No NanoBSD support anymore
(pfSense version 3.0 will be written totally new from ground and this is also very hard work and to the cost of much time) AES-NI is a must be or must have option and not a can be or should be option
(Over the change of using Phyton over PHP and perhaps other things get also changed too)

Were they forced to stop building 32bit for technical reasons or was it a management decision?

Who should be pressing them to do so? But handling all, I mean, 32Bit and 64Bit, NanoBSD, rewriting version 3.0
totally new from scratch, AES-NI support, QAT, netmap-fwd and tryfwd or fast-fwd, failure and bug hunting, ARM
support, might be a bit to much at one time, perhaps this can be differ or changing at one days back who knows,
but I personally think it is more the lag of time to realize that all.

For a firewall only unit, with low power demands, you has more then one option at this time.
Official with support:

SG-2220 SG-1000 SG-3100
Alternatives well known and working: APU2C4 Lanner units Scope7 units Qotom Intel i3 AxiomTek units

I personally would have a look for the SG-1000 or SG-3100 or APU2C4 as a replacement here.

@ssbarnea:

I am still looking for a barebone or minipc, (nearly) silent that can reach 60-70MB/s OpenVPN (256) for under $250/£200. No 2nd hand or repurposed hardware or "run your openvpn from another place". I just want one small router, not a big collection of devices which would only increase the number of possible points of failure.

I own this one, no problem to reach 120Mbps OpenVPN (256)
https://it.aliexpress.com/item/New-Braswell-mini-pc-M150S-with-2G-ram-8G-SSD-celeron-N3150-Dual-H-D-M/32533935685.html

The UP Squared board can run pfSense 2.4.

Pentium N4200 Dual Reltek NICs Up to 8 GB of ram Up to 128 GB of storage 1x mSATA/mPCIe slot 1x M2 2230 slot (non SSDs, only PCIe devices) 1x 6Gbps SATA3 Rapsberry Pi form factor w/GPIO pins (though there are no kernel drivers in FreeBSD 11)

Though FreeBSD 11 (which pfSense 2.4 uses) is limited in that it doesn't fully support the Intel eMMC 5.0 specifications.  I'll later test pfSense 2.5 w/FreeBSD 12 when it matures a bit to see if they included the drivers there.

I'm personally running Xen on ArchLinux on my UP^2 to gain access to its GPIO and eMMC 5.0 storage, with pfSense running within Xen.

The Reltek NICs handle my 500 Mbps up/down Verizon FiOS connection just fine.  As a matter fact, I stress tested the UP^2 with this setup and achieved 890 Mbps UP and Down simultaneously.  OpenVPN I haven't finished setting up yet though.

http://www.up-board.org/upsquared/

Link to pfSense on UP Squared: https://up-community.org/wiki/PfSense

pfSense fits a fairly niche market, at least for home users).

But for those that fall into that niche, pfSense is a really exceptional tool.

To me pfSense is apples and oranges from anything Unifi/Ubiquiti.

I know this is a bit old but i'm just now getting a bit of free time!  ::)

@vizi0n:

@Fmslick:

@stephenw10:

The lcdproc package should run pretty reliably in 2.3.4 with whatever option screens you selected.

To get the NIC LEDs working as expected you need the modified drivers that set the LED registers correctly. However I've seen some reports of them not running nicely in 2.3.X. YMMV.

Steve

yeah I will have to work on the LCD a bit and I think I am one of them who is going to have the LED's not run nicely :/ I did modified the drivers and they are still the same. Guess ill have to look into this a bit more.  ::)

EDIT/ADD TO:
So I got my IDE drive and installed it, I will make a new post later on to update on the progress

I am using these:
http://www.vizi0n.com/watchguard/if_sk.ko
http://www.vizi0n.com/watchguard/if_msk.ko

Solid when link up and no activity
Blinks when there is activity

Works fine on 2.3.4

You can verifiy if the mod is running by running "dmesg | grep LED". You should see an output like this:

[2.3.4-RELEASE][admin@pfSense.localdomain]/root: dmesg | grep LED mskc0: <marvell yukon="" 88e8053="" gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0x8000-0x80ff mem 0xd0020000-0xd0023fff irq 16 at device 0.0 on pci1 mskc1: <marvell yukon="" 88e8053="" gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0x9000-0x90ff mem 0xd0120000-0xd0123fff irq 17 at device 0.0 on pci2 mskc2: <marvell yukon="" 88e8053="" gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0xa000-0xa0ff mem 0xd0220000-0xd0223fff irq 18 at device 0.0 on pci3 mskc3: <marvell yukon="" 88e8053="" gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0xb000-0xb0ff mem 0xd0320000-0xd0323fff irq 19 at device 0.0 on pci4 skc0: <marvell gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0xc000-0xc0ff mem 0xd042c000-0xd042ffff irq 16 at device 0.0 on pci5 skc1: <marvell gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0xc400-0xc4ff mem 0xd0420000-0xd0423fff irq 17 at device 1.0 on pci5 skc2: <marvell gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0xc800-0xc8ff mem 0xd0424000-0xd0427fff irq 18 at device 2.0 on pci5 skc3: <marvell gigabit="" ethernet="" (led="" mod="" 2.2)="">port 0xcc00-0xccff mem 0xd0428000-0xd042bfff irq 19 at device 3.0 on pci5</marvell></marvell></marvell></marvell></marvell></marvell></marvell></marvell>

Thanks I will give this a try.

PS.
Sorry I didn't post an update like I said, it was late and I was at the DC working and on a bit of a slow night when I did the mod so I forgot to take pic's  :(

@belt9:

One of the new i3 K parts has I think one of if not the highest clock speeds of any consumer Intel CPU, that's the one you'd want for OpenVPN max speed!

Intel Core i3-7350K @ 4.20GHz

It's no longer number 3 on the Passmark Single Thread performance chart with the new coffee lake CPUs starting to trickle out, but it's still a price performance leader and then some!

It's a heck of a CPU for the money and the real sleeper of the Kaby Lake CPUs.

Also if you are a gamer, that's the CPU benchmark list to prioritize your CPU choice from.  The vast majority of games are STILL heavily single thread dependent.  In the off chance you have a beast of a video card like a GTX 1080ti so that your CPU will be more likely to bottleneck things, then you want something high on that single thread chart.

I was just wondering if PFsense benefits from using quad channel memory.

Not alone from that and at second not only based on the channels! But, if your CPU is able to push
an amount of network load and your memory system (RAM) gets saturated you will be able to limited by
that let us call it slower RAM modules. So if your RAM will be fu**ing fast and your are installing more
then one of the common available packets for pfSense is makes also sense to have much RAM inside of
your pfSense box. As an example we talk about an installation likes, pfSense, Squid, SquidGuard, SARG,
Snort, pfBlockerNG & DNSBL + TLD ClamAV and perhaps a/dpinger on top, this might be good to be right
sorted with enough RAM. Because if you then will (perhaps);

high up the mbuf size shorten down the network queues high up the Squid (default) RAM limit setting up in pfBlockerNG many lists for many IP addresses
and so on and so on, so you might be happy with much RAM too. Fast enough it should be for the most
things because all will be running through the memory system and this should be not saturated at all.

My hardware:
Super A1SRi-2758F 8 core atom processor
intel x540t2 nic
currently single channel 8gb ram. I was gonna upgrade to quad channel 32gb ram
120gb samsung ssd

If you will install pfBlockerNG & DNSBL + TLD it might be a good choice but if not the amount of RAM is
perhaps to high, and 16 GB will be then more then enough, also if you increase the amount of the mbuf size.

the router is connected to the ubiquiti us16xg 10gb switch

To the DMZ and or to the LAN side this might be a fine think.

I saw on another forum post that 10gb uses more ram as buffer between nic and cpu.

It is pending on the used NICs and the used driver for that cards, I have seen and read about that some
users where shorten down the amount of mbuf size to 65000 (broadcom cards (NICs)) and for Intel cards
nearly 1000000 was the best option there fore but also together with shorten down the amount of network
queues too!

2 GB normal usage
4 GB normal, snort and Squid
8 GB normal, snort, Squid, VPN and high up the mbuf size
16 GB normal, snort, Squid, VPN and high up the mbuf size plus pfBlockerNG
32 GB normal, snort, Squid, VPN and high up the mbuf size plus pfBlockerNG & DNSBL + TLD (intensive)

Is there other way to run PF sense on SBC boards?

You can run pfSense nearly on each x86-64 hardware, it is a software firewall for x86_64 hardware.

running on raspbbery pi, banana pi, etc?

There are two ARM images but they are only running on the both pfSense (netgate) boxes called SG-1000 and SG-3100!

I would like to know if someone as ever installed a Pfsens on a ADSL modem router ?

pfSense is a x86_64 Software firewall and so you may need to take x86_64 hardware for or as the underlying hardware!
There are also two ARM images from pfSense developers team, but only matching the SG-1000 and SG-3100!!!

All the HW I found to install Pfsens are only Router.

??? The hardware must be x86 64Bit if you want to go with the actual version 2.3.4-p1 or the newer version 2.4!

I would like only one "box" for the 2 function (ADSL and Router)

Then it would be nice to set up a "box" with an internal PCIe ADSL/VDSL modem likes the DrayTek VigorNIC 132 / 132F
PCIe card.

The netgate are very nice indeed but it is not what I called cheep ;-)

Ok, that might be but there is also not a internal modem inside, you were talking about! There for you will need
a external modem likes the DrayTek Vigor 130.

With a ALIX 2D2 + a Wifi card I could have a Wifi Router

Jep this is right but not a modem internal router you were talking about!

If you are interested to get all in one box you might be walking the line together with the Vigor 132/132F PCIe card
if this is now not any more so urgent to get box inside of the box, you may go with an external modem likes the most
users and be free to take any other box you want.

Thanks, was wondering about running on a UBNT Edge router, that answers my question.

It in the fact MIPS BE oder MIPS64 and not ARM!