  • Best SuperMicro motherboard at the moment?

    0 Votes
    7 Posts
    5k Views

    I'm looking for something with AES-NI and possible Intel QuickAssist, 4-cores, and low power consumption.

    I would look for a C2758 (produced later than 12/2016) now or for later this year for a Supermicro board with Intel Xeon
    D-15x3N SoC that will be stronger and more power using.

    QuickAssist is actually FINALLY coming soon. The official FreeBSD driver has dropped and some tweets have gone out from the Netgate team about integration. Bad news is that it appears to be v1.6. So Rangeley C27*8 processors are not likely to be compatible. So don't go to Rangeley, especially with the C2000 bug is my advice.

    The bug is solved and new boards made since 12/2016 are bug free.

    Bad news is that it appears to be v1.6. So Rangeley C27*8 processors are not likely to be compatible. So don't go to Rangeley,…

    I personally think that will change at someday, because nearly the entire SG- series from Netgate is based on that SoCs.
    SG-2220, 2440, 4860, 8860 and the XG-2758 too. Could be that I am wrong with this for sure, but I think there will be
    changing something and it gets into the source code of pfSense.

  • Adafruit Ultimate GPS - NTP

    0 Votes
    2 Posts
    667 Views

    GPS pin PPS
    Scroll down and find the ToDo HowTo.

  • Stress Test Pfsense and monitoring Temperatures.

    0 Votes
    11 Posts
    3k Views

    @VAMike
    After reading your last post it is now more clear to me why you are complaining in each thread against the presence of QAT
    in pfSense hardware. For sure all people and users who were thinking to get a rocket fast OpenVPN machine based on the
    presence of QAT in their new hardware will be fairly a bit disappointed, but each CPU core can hold or drive an OpenVPN tunnel
    and yes this is never real multi-cpu core usage but better to let run all the tunnels over one single CPU core alone.

    ….and paid ~20-30% more for the equivalent CPU in order to get the QAT.

    For sure that is right, but if I am looking at the Netgate or pfSense site, it must be something why they are
    staying to use this Intel Xeon D-15xx and QAT based hardware, or am I wrong with that and I was misled
    only by my own? But to read then something like that thread here and you can get all in one platform was
    let me thinking "this must my next hardware platform for pfSense for sure"! But often there will be also a
    second feeling that tell you is it right or is it wrong? And if someone opens a thread such this here, I feel
    once more again that this could or must be the right road to walk on. Who knows?

    I'm very confused about who's being prevented from talking about what.

    This was only pointed to the circumstance that each forum thread about QAT and pfSense I was watching, you were
    against that or I was thinking you were speaking against the presence of QAT in that or this hardware. Nothing more!

    I guess it's just one of those perennial pastimes on the net that someone has to be oppressed?

    From my point of view it was more in that direction that even if someone or more were talking about QAT you were
    running against this "wall" or argument that this will be a nice to have thing. But as said once more again after your
    last post this is now more clear and acceptable.

    Or are you trying to prevent me from talking? It's super unclear

    I will never do something like this, not to you and to no one else here and everywhere! I am only a guest here!
    I think mostly people could misunderstand things based on my poor English language skills.

  • 4gbit - hardware requirements

    0 Votes
    4 Posts
    1k Views

    I currently have a 1gbit internet connection on a dell poweredge 1850 server with pfsense - 2x Xeon single core 3.0ghz socket 604 8gb DDR2 ECC - So basically very old hardware.

    It can be that the CPUs are powerful enough for that but I had to guess, you're being limited by your DDR2 ram speed more than anything. The packet filter, the IP forwarding parts, and even NAT (part of pf, but run at a different phase) all hit the memory system. It's likely not that your CPU can't keep up, it's that your memory system is saturated.
    Gigabit routing hardware

    I will soon get an upgraded internet connection with 4gbit, so i think it is about time to replace the old router with some newer hardware - But I'm really in doubt how much CPU power i need to handle 4gbit.

    It will be at first more interesting for me, how that line will be offered to you by your ISP!
    And how it comes out of the wall at your location will be the second important question?
    If you are the lucky one you could get that Internet connection using MLPPP as a service from your ISP
    that would be luckily the best option in my eyes to get it working well. The other one will be, if it is only
    one cable out from the wall at your location you should better take a 10 GBit/s NIC or port to handle that
    line speed reasonable. In normal or real life you will get out of a 10 GBit/s Port or NIC something around 2 GBit/s and
    between 4 GBit/s as raw speed, for sure protocol and service used pending and based on.

    Initially i was thinking about getting a Pentium G4560 with a server mobo (c236 chipset) and 8gb DDR4 ECC rams, but after reading the recommended requirements I'm thinking that it might not be good enough ?
    So maybe ryzen 3 series could be a good option ?

    For electric power saving and horse power a small Intel Xeon E3-12xxv3/v5 will be the best option in my eyes.
    It can be also a refurbished one but with enough RAM if it comes to NIC tunings and/or other things so 8 GB to 16 GB
    would be nice to see or own.

    I'm gonna use simple services like captive portal, some monitoring and TCP dump with 200-400 users on the network.

    Perhaps, and for also pending on the offered services and used protocols you may be also lucky with one Intel Xeon E5-26xxv3
    and >3,0GHz let us say 4 - 6 Cores.

    I'm planning to use two intel pro/1000 pt quad port network cards with link aggregation - I already have those on stock anyways - Are these cards good enough for my use case ?

    A Link Aggregation Group will be a thing with two ends! And this must be then on the ISP site and your site!!
    Please don't forget this here in that case.

    I'm planning to use Two intel pro/1000 pt Quad cards - so 4x1gbit in LAG for WAN and 4x1gbit in LAG for LAN

    For the LAN you will need something on the other end that is also supporting the LAG and for sure that is not different if you
    will switch that LAG to the WAN site!

  • PfSense on a 2 NIC NUC

    0 Votes
    13 Posts
    20k Views

    That's a bit of a bummer, as it will limit my performance at home to around 600Mbps, and I have a 1Gbps/1Gbps link.

    Would you please be so friendly and tell me what is the normal or ordinary WAN speed what you get normally together with your
    SG-4860 pfSense unit? It would be not really pointing the theme here but it would be for my own interest to know it, thanks
    for taking the time to answer.

  • I340-t4 showing up as pro/1000

    0 Votes
    11 Posts
    5k Views

    This is probably fine. As long as it works there isn't all that much to worry about. The driver, chip and functions should be right. The only remaining concern would be reliability, but only stresstests and time will tell about that.

  • HP T620 Plus Thin Client with Intel Pro/1000 PT Quad Issue

    0 Votes
    9 Posts
    5k Views

    When version 2.5 arrives, all the cheap Thin Clients that now are used for pfSense become totally useless,
    unless you keep version 2.3.4 using.
    Even the nice XTM5 boxes will be useless then.
    The Thin Clients that have an AES-NI supported cpu, are at least 2 or 3 times more expensive,
    and not so attractive anymore for the use of pfSense.

    Grtz
    DeLorean

  • Opinions about possibly overkill setup (Qotom i5 + 8GB + 500GB ssd)

    0 Votes
    24 Posts
    10k Views

    yeah EIST has minimal effect on temps and power consumption, c-states is where the real gains are.

    If you have a cpu that has turbo mode tho, then you need to enable powerd (and eist) to utilise the higher clocks, I personally run my unit with powerd set to the stock clocks as the min speed, so basically I get turbo mode alongside no throttling.

  • I bought a Supermicro 5018D-FN8T: The Chronicles [Edited Title]

    0 Votes
    21 Posts
    6k Views

    if you want to have least impact on performance with best power efficiency I wouldn't let the cpu go to idle clocks, but keep c-states enabled, c-states save far more power than eist and c1,c2 are both very quick and cheap for performance. c3 is a jump up from c2, but a trick is to only enable c3 on say half the cores, so half the cores will still respond instantly for interactive stuff, whilst c3 will still wake up quick enough to deal with loads that need all cores.

  • Intel pro 100 /Vt - Pfsense

    0 Votes
    3 Posts
    845 Views

    Thank you for the update. I was given this NIC and thought I would investigate the situation. I have another operating Intel NIC in production but might try the Intel Pro 100 / VT and see if it will operate in that environment.

  • Pfsense + Huawei E3372 + HPE ProLiant MicroServer Gen8

    0 Votes
    6 Posts
    1k Views

    @johnkeates:

    @peehoo:

    Don't get that APU, it has no AES-NI.

    wrong, APU HAS AES-NI
    check this https://www.pcengines.ch/apu2c4.htm

  • High CPU Load after Host changed

    0 Votes
    1 Posts
    497 Views
    No one has replied
  • Reallocation of nic names after a fault

    0 Votes
    1 Posts
    356 Views
    No one has replied
  • ADSL RJ11 & RJ45 On Old Laptop (Setup)

    0 Votes
    19 Posts
    4k Views

    @TheHermit:

    I think I have set this up wrong. Also under WAN within the pfSense Terminal I have an additional "/24" at the end of the WAN Address. I don’t know what that means.

    /24 is shorthand for a 24 bit subnet mask.  On clients, you'd typically see this as 255.255.255.0

    They are the same thing.  For the most part, it means there are 256 addresses available in that subnet.  It does a few other things like specifying broadcast and network addresses, but you can read up on that from the link below.

    Further Reading:  https://en.wikipedia.org/wiki/Subnetwork

    Reference for the Future:  https://www.aelius.com/njh/subnet_sheet.html

  • No interfaces Found?

    0 Votes
    4 Posts
    2k Views
    stephenw10S

    You can get the PCI IDs from the pfSense command line by running:

    pciconf -lv

    Steve

  • "No Carrier" problem!

    0 Votes
    1 Posts
    510 Views
    No one has replied
  • Hardware recommendation

    0 Votes
    7 Posts
    2k Views

    @lions78:

    Hi All,

    Could anyone recommend hardware for a pfsense home router that meets the following:

    Under $200 or less 2 GB Nics 1 GB speed over network small form factor

    Thanks

    APU2C4 bundle for ~189 Euro including a 16 GB mSATA SSD from the varia-shop or over their eBay shop.

  • SmoothWall Caswell UTM-300

    0 Votes
    4 Posts
    2k Views

    You can grab the CAR-3030 Series User's Manual here (slightly too large to attach to post). BIOS configuration instructions begin on page 34. For Boot / Boot Priority settings, see pages 41-43. If there are no USB options in Boot Priority, maybe you have an older AMI BIOS version? Not sure where one would look for BIOS updates for these systems…
    You might try writing a pfSense image to an old CF (Compact Flash) card, and inserting it in the CF slot inside the CAR-3030 chassis. Configure BIOS to boot from CF and try installing pfSense to your hdd/ssd if you prefer.

  • RAM for A1SRI-2558F

    0 Votes
    7 Posts
    1k Views

    @jgiannakas

    What traffic do you have to require 1,000,000 mbuf size?

    In normal or under normal conditions you could try out to tune your pfSense firewall if some problems
    occurring, but the same things can be done before something occurs to prevent your firewall by going into trouble!

    So it might be pending on your own or personally person and willing what way you should walk on, this
    is nothing I can tell regular and even to someone, but based on the historical development and history
    of FreeBSD and pfSense the kernel space is not very high, and if there will be today a workaround for
    us users to solve around this older behaviour it could not be false to do so. So one of us is more willing
    to do it after problems are there and the other one is doing it at first, if this was not matching your
    own and personal nature you will not consider to this step for sure.

    I currently have about 20 lan clients using 5570 of 131072 mbuf's with normal household traffic (torrents as required, Netflix, amazon video on demand, smart tv, smart thermostats etc).

    It is not only based on the used hardware it is also pending on the use case that is right, but how many
    queue per CPU core and NIC ports are opened and is different and also how fast they will be saturated!
    this must be found out by each user itself, but to be on the safe side, or better not be wanting to run
    into trouble or problems might be not a bad thing in my eyes. If your pfSense box is never going into
    trouble you might be lucky and don't have to care about these things, other may have to narrow down
    the mbuf size to 65000 that their 10 GBit/s interface will be running smooth and liquid without any
    pain and another one have to tune and set up more than the mbuf size. It's nothing special to free
    some kernel space if this might be able to realize.

    Also I did not notice any increase in memory used by DNSBL and I'm using geo filters and ad blocker on the component.

    It's not only the one or two packets you will be installing and/or using, it is from the whole configuration and the use case
    and the total amount of users and checked lists or the activation of TLD too and if you are running squid also and in which
    wise! Based on that behaviour, you will be able to find many different reports about that:
    DNSBL TLD feature
    DNSBL TLD feature

    Why would that push the memory use by another 8gb in your recommendation above?

    Use case, hardware, enabled or checked lists and many more things could be driving it into the one or other
    direction but as said above many things could be worked out by installing enough or much RAM and since years
    all people are talking about "RAM is cheap to get the hands on" and why now should I not go the easy and cheap
    way to solve around those things? Why is 8 GB too much if I want to high up the default Squid memory amount
    and tune the mbuf size. Many other may sort it not like me, but this might be then perhaps based on another
    configs, case of usage and other things.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.