Thanks for your help! I will get the apu2c4 with case and 32gb mSATA and the Zyxel switch. This totals at around 300€ for me which is fine. I still have to wait for some parts to get back in stock so if anyone has other suggestions I will be happy to hear them.

@pfBasic: Your best bet (within a reasonable budget) for OpenVPN performance would be an i3-7350K, it's relatively inexpensive and has I think one of the highest clock speeds of any intel CPU. It's an awesome value gaming CPU too:  https://www.cpubenchmark.net/singleThread.html Number three on the list - amazing for an i3.

Unfortunately with an attenuation of 50dB you are really far from your ISP DSLAM, changing modem won't improve your line since it ia a physical limit. Another issue could be the plug your modem is connected to and its wiring, you can call a technician to check your house phone line and see if the attenuation is related to it. Another thing is to call your ISP and ask for the distance between your house and their DLAM, if they reply you are more than 3 km far…well you really cannot improve your line.

You may be better off using a something like this https://www.amazon.co.uk/NETGEAR-LB1110-100EUS-Practical-Portable-Connected/dp/B01KKEZ7WG that provides an ethernet connection, but it depends on the budget - so if 24/7/365 is the requrement the £100 shouldn't be much of an issue. I'm sure there are other MODEMs that are cheaper out there.

You will have to download and build the drivers in FreeBSD 10.3 then copy the kernel modules across to pfSense. There are no build tools in pfSense so you can't build it directly there. I would start by generating a FreeBSD VM to build in for the version you need, 10.3 for pfSense 2.3.X or 11 for 2.4. Steve

Many thanks guys

Yeah, i've been looking at pico psu's. And those seem like a good alternative for low power machines.

@cpcnw: Tnx DL - any recommends for Gb Nic's ? I always use the Dual or Quad from Intel. If search at Ebay for a Quad Gigabit card, look for the cards with the big blank aluminium heatsink. This type works great with pfSense. The Quad Gigabit cards with the black heatsink, are sometimes knockoff's from te real, and can cause problems with recognizing in pfSense. Grtz DeLorean

Why not the SG-2440? At the pfSense shop it is able to buy for ~$550 and at corpshadow.biz able to buy for $550 too!? Any suggestions on alternative? From the same seller APU2C4 for CAN$245 & mSATA & Console cable

I guess, no more optimizations?

Do you use 32bit or 64bit ? If you use pfSense 64Bit, you must use the 64Bit version of WGXepc -> WGXepc64 After installing the right version of WGXepc, you must change the read/write permissions with this command : chmod 0755 /conf/WGXepc  (for 32Bit version) chmod 0755 /conf/WGXepc64  (for 64bit version) I always add the WGXepc package and chmod command via : Diagnostics -> command prompt in the Web UI Grtz DeLorean

@messerchmidt: for gigbit you will need a quad core i5+ or ryzen sr3+ with intel lan cards doing 250/20 with a core 2 with 4gb ram with squid+squidguard with an issue. I am the only user. used hardware when you upgrade is a good choice for a router Lol what!? 100Mbps WAN through VPN needs an i5? You have no idea what you are talking about. You need at least a passively cooled celeron  ::). J3355B will do the trick for $55.

Cisco SG300-20 Don't know about retail or used-place prices though.

@VAMike: @RazorUK: I was a little concerned on the PSU as well, but saw in this thread https://forum.pfsense.org/index.php?topic=127757.msg707310#msg707310 someone else using that same power unit. Oh, I'm sure it will work, just in the worst case under sustained load the power brick might melt. Yeah, we definitely don't want that! I'll just step the power supply up a level or two.

@mattlach: I did wind up going with AES-256-CBC and SHA256 just because I could as my router is overkill, but honestly, I didn't notice much (any?) CPU load difference between the two, so might as well use the stronger one, even if it might not be necessary. Anyway, with AES-256-CBC and SHA256, loading up the connection in one direction (it peaks at about 135Mbit, due to my traffic shaping rules) I only get about 9-10% load on the CPU.  So, under a theoretical full load in both directions I ought to hit 18-20% somewhere. I'm glad to have some room to grow should anything change, but this little i3-7100 has definitely outperformed my expectations. @whosmatt: I also use AES-256 and SHA256 on my PIA tunnels and have never noticed a tangible performance difference between the two.    I'm still on AES-128 and SHA1 on my personal OpenVPN server, mostly because I set it up that way years ago and haven't felt the need to change.  SHA1 is approaching deprecation anyhow as far as I'm aware.  Anyway, thanks for the update. I should follow up with the fact that since my initial tests (just speedtest.net) I have succeeded in getting the CPU load up much higher. I was under the impression that OpenVPN CPU load was really just dependent on raw throughput, but that doesn't seem to be the case,  More connections at the same bandwidth use more CPU it would seem. Downloaded a new Ubuntu ISO today using rtorrent, which resulted in downstream maxed, and a little upstream.  This was about 38% CPU on the router.  Still very respectable, but I wanted to update you guys in case someone takes my earlier results too seriously.

In pfSense any interface can be either an external or internal interface. It only depends on whether you set a gateway on that interface. Only the LAN interface has any firewall rules on it by default. That is to make it easier to get started. All other interfaces will block all traffic by default. I'm sure you can use em4 to connect to the gui for management if you wish you simply need to add a firewall rule on that interface to allow it. Steve

No't need to "reinstall" Shutdown –> Replace --> Power ON --> Reassign

@kejianshi: I think the Netgate SG-1000 is just ok.  Pfsense needs 2 or more processors really.  something like the Netgate SG-1000 with 1gb ram or more and with 4 cores would be really nice, but attention needs to be paid to the throughput that the NICs are capable of. Yep, this is right and there will be some or later a second device from Netgate. Netgate R1 Other device would also matching well for pfSense as a target and they will also be powerful enough too as I see it right. ClearFog SolidRun Base & Pro Turris Omnia