I agree it reads like you're looking for an answer that doesn't exist here. If you want the highest OpenVPN speeds you can have, get the fastest single thread performance CPU you can afford. Though as said above spending twice as much will probably not result in twice the throughput. Steve

No. The Realtek NIC on the 'modem' card is connected to the host via PCIe just as a separate NIC would be. Steve

I don't anticipate any of those components failing anytime soon. Nothing moves or gets particularly hot. If you have to replace anything it will probably be from a bad component that will fail in the first few months and that's a crapshoot. Just keep a thumbdrive loaded with the installer of the same basic version (i.e., 2.4.x, 2.3.x) of pfSense that you use and keep your config.xml's saved somewhere and you should be fine for many many years to come. Old desktop workstations often work for well over a decade and they have moving parts, deal with on/off cycles, etc. Your box will likely last at least that long and probably longer. The first thing to go will probably be capacitors, and you could even replace those for a few bucks and keep marching on if you wanted.

J3355B

@tdale: Thanks! I'm out getting lunch right now when I get back I'll try that. I'm taking it down to the datacenter tonight I'm trying to figure this out before then haha. If you can't figure it out in time, just take a ton of pictures. If needed, take the whole display unit out and disassemble it and take pictures of everything.

USB Ethernet adapters are bad, don't use them. If you must: get a supported one but don't expect high reliability or speed. Desktop users often don't notice problems because the way they use it often doesn't show much problems. Firewalls/gateways have a different usage pattern and different needs, so the same hardware might not work as well as you think. On top of that, the drivers are often lacking and have firmwares missing (which is what you currently might be experiencing – the chip [ not made by microsoft ] probable is functioning in a basic 100Mbit mode because the driver in FreeBSD can't or won't load the chip firmware via USB into the adapter to enable the extra functions).

@cyberlocc: there is a pretty big diffrence from a core 2 quad at 3.5ghz and a kaby lake Xeon at 3.5ghz. No kidding.  That guide is ancient.  ~150 users/nodes shouldn't be a problem even with the most basic of hardware (that otherwise meets your 1Gbps requirements).  I'm serving that many nodes with virtual machines that have 1GB of RAM.

@Waqar.UK: @iormangund: True, it is a lot, but I have yet to find a decent small fanless equivalent other than a shuttle ds77u. At least that has intel nic and aes passmark score over 1k. Thanks to advice from this forum you can build an i5 for cheaper. The part that's causing me the issue though with building one is the motherboard, all ones I have found that would be perfect for the job would need a bios update for kabylake, and I don't have a skylake chip to do a bios update with. Emailed some manufacturers asking if the boards in question will post with a kabylake for an update but no response yet. (I know I could just get a standard board, but if i'm building my own I want ipmi and at least 2 intel nics, ie Jetway NF592-Q170. No kabylake compatible boards that don't need a bios update that fit that afaik)

I have a XTM 535 and interested in it as well. Now that XTM 53X are dropping in price as network engineers are upgrading to newer hardware, a good opportunity to revisit the new generation of XTM 5 series of routers. XTM 515, 525, 535, 545.

Thanks for suggestions guys. I will contact netgate also for models and support. Thank you.

^That. When 2.4 is released the Core-e will essentially be obsolete though there will be security updates for 2.3.X for some time should it be required. Even if that were not the case all of those boxes are now very old with likely many many thousands of hours on them and the component failure rates to match. As much fun as I had with those boxes I could not recommend anyone does so now if they have another choice.  ;) Steve

Jus got new record IPSec AES-256-CGM - 326 Mbit/s  

Update for anyone interested, the EVGA SuperNOVA 750 G3 PSU did not arrive on time Saturday by 8 PM as promised and paid for, so I called FedEx and asked that they return the package before delivery.  Got confirmation that Amazon would provide a full refund so I ordered what I hope is a correctly sized power supply. Remove EVGA SuperNOVA 750 G3 PSU -$140.85 Add FSP Group 700W PMBus V1.2 $179.99 New Total:  $930.84 I will probably continue my search for a cheaper alternative that supports AES and use this particular system for something that can actually use the horse power.  Right now the Watchguard XTM is working great! Y-ASK

@Routerb: Can this be done? In short: No. All-in-one with internal VDSL2 Modem is not easily possible and Wifi is, as you already pointed out, better served from an external AP. @Routerb: Internal Wifi or am I better off just adding UBIQUITI ACCESS POINT external AP. @Routerb: Failover 3G/4G checked. Use an external 3G/4G modem, aka stick. @Routerb: VDSL2 support nope, not in a single box. Unless you find a working VDSL2 modem that fits into an internal PCI-what-have-you slot. @Routerb: OS PFsense checked. @Routerb: All build into a minipc fanless device dreamer. @Routerb: VOIP port define your needs, this is usually just another ethernet port. If you're talking POTS then no.

This has been discussed several times before on other threads. My experience with a cheap ebay i350-T4 has been very positive since I bought it. Stable as a rock and appropriately fast - and as far as I can tell it's using genuine SoC's. https://forum.pfsense.org/index.php?topic=74158.msg569894#msg569894

"i agree and i already do this…. unfortunately only wireless n" Does this support guest??  Ie vlans?  What are you currently running for your external AP?  How many do you have? If what you want is guest or multiple wifi networks that you can segment then yes get a external AP that supports vlans is what your after.. Why not take the opportunity to update your current external AP that only does N to something that does AC, shoot for that matter AC wave 2 ;)

OK, thank you.

Hi, in the past i had used some USB wifi devices with RALINK RT5370 chipset. Most of them work in AP mode, but some won't do this very long.  ;) They run very hot and died after some days/weeks. And also only 54 Mbit! So i prefer to use an external AP! best regards Dirk

@ivor: Why dedicated hypervisor running only pfSense? I already have another hypervisor running my other projects. I understand not all motherboards do PCIe passthrough well. Does anyone have experience with this? As long as your CPU and motherboard supports VT-d, you're good. Really? I thought it needed IOMMU support, which some people have had trouble with. If this is your only concern, 2.4 is a better choice as it supports ZFS. Config backups and restore is a great way to get back online after bad configuration. You can always restore recent config from the console (option 15). These are automatically made every time you make a change within the GUI. Because of that, I believe you may be overthinking it with virtualization :) Hmm, maybe. I have a friend that does a virtualized setup so he can easily test multiple pfSenses snapshots and that like. I also might be doing some custom modifications to pfSense so I would like having separate installs under a hypervisor as well. Most x86 hardware except for super embedded platforms supports virtualization as I can gather, just concerned about PCIe passthrough. Thanks

Yeah we did get a bit carried away looking for the LED control.  ;) However the IP390 is a 32bit platform so it will not be supported by 2.4 anyway. There will be security updates for 2.3.X for some time after 2.4 is released though. I'd advise you just get a 2/4GB CF card and run Nano with that for now. Steve