• Always on OpenVPN - up to 300/50 mbit

    3
    0 Votes
    3 Posts
    779 Views
    W

    @swatchdog:

    I do have a recent intel i-7 NUC laying around, but it only has one NIC, but maybe with a USB 3.0 NIC adapter?

    As already advised, no USB NIC.  But a cheap smart switch and VLANs are certainly an option.  By "cheap" I'm talking $30 or so for a 5 or 8 port gigabit switch that will do what you need.

  • Apollo lake Atom and UEFI boot

    1
    0 Votes
    1 Posts
    740 Views
    No one has replied
  • MOVED: SG-2220 Power Issues

    Locked
    1
    0 Votes
    1 Posts
    364 Views
    No one has replied
  • New Custom Build

    3
    0 Votes
    3 Posts
    1k Views
    W

    @BobaBrett:

    would the non-boosted clock speed of 1.6GHZ be cause for concern?

    Not for the requirements you've stated.

  • New Build - AMD System - OpenVPN & Firewall Usage

    10
    0 Votes
    10 Posts
    1k Views
    W

    @Stan464:

    Love me some learning curve :D

    Me too!  And you're not asking stupid questions.  We're all here to help and hopefully learn something.

  • 0 Votes
    31 Posts
    8k Views
    P

    Hi everyone! I'm currently looking for an APU2C4 system board and I have some questions related to the Varia Store I found a few posts ago.

    I found 4 boxes in different colours (grey, blue, red and black) with different prices but without any technical differences. Are there any technical differences between them that I did not see?

    All these boxes come with 4 GB DDR3-1333 DRAM embedded in the system board or must I add the 4GB DDR3 memory in the Shopping Cart ?

    The box comes with MSATA 16GB memory. Could I think all components needed to boot Pfsense firewall software are embedded in the box or some other component is needed to start the system?

    And the last and more important question: This is for a very small office, just 4 PC connected to internet DSL of 20MB as much. And the only important requirement is to be able to configure a client-to-site VPN (remote access VPN) to connect a laptop from home to a little NAS in this office. I suppose this APU2C4 is enough for this kind of needs. Could someone confirm this last point for me please?

    Thanks so much for your answers.
    regards,
    Laurent

  • For those looking for hardware that will push 1Gb

    Locked
    14
    0 Votes
    14 Posts
    8k Views
    ivorI

    Thread locked because it's off topic.

  • What happened to the watchguard X-Core-e thread?

    2
    0 Votes
    2 Posts
    622 Views
    D

    It got deleted by mistake with some spam. Already discussed on another thread.

  • Parts for building router for Gbit speeds

    36
    0 Votes
    36 Posts
    8k Views
    E

    @pfBasic:

    @Evronius:

    I have 4 PCs now, and if I use all of them on the network the CPU usage pending between 26 and 35%. This is on WAN to LAN usage. I will do more testing and tweaking and I hope to lower this usage.

    Thank you very much! Does that CPU usage change much between 1 & 4 clients? Is that utilizing the full potential of the WAN?

    @Evronius:

    This is a bit off-topic, but I think it has a part of this as well.

    It is your topic my friend!  ;)

    @Evronius:

    I am a bit worried about the upcoming LAN event I will host. Some tests I did between 2 PCs with 10Gbit cards had a really high CPU usage. One machine has an i5-3550. The other one has an i3-4130 and it's really having problems to get 10Gbit speeds. Both up and down won't go over 4Gbit. After much tweaking I got maxed out at 5.8Gbit and the CPU usage on the i3-4130 is 100%. If I switch from the i3-4130 to i5-6400 or my new i7-7700 I get 10Gbit speeds. I checked for answers all over the internet and I find some interesting stuff here. To keep it simple, 2 Windows 10 clients on 10Gbit need 4 cores, and these will have a high CPU usage when going full 10Gbit! This got me to think and wonder over a lot of things.

    Here are a few questions I have.
    1: Does this apply to DIY and prebuilt pfsense rigs as well?
    2: Is there any performance info on DIY pfsense rigs compared to prebuilt ones?
    3: Does a prebuilt pfsense box have benefits in performance and hardware over DIY ones?

    Do I need to elaborate here, or are you all with me on where I am going with this?

    10Gbit LAN is a totally different ball game. What were the tests you were using?
    I would imagine that 10Gbit WAN would be very resource intensive, but wouldn't know. I would have thought 10Gbit LAN would more or less just need good 10Gbit NICs and a good 10Gbit switch? I've read that Intel is actually not necessarily the best in town for 10Gbit NICs yet, it sounds like Chelsio is the winner in that category for now but I couldn't expound on that at all and it may not even be true anymore.

    Performance wise the pre-built boxes sold by pfSense don't have any edge over DIY, you could buy and build the exact same specs yourself if you wanted to. Generally speaking you will get a lot more performance for your money DIY than prebuilt.
    pfSense is exceptional at running on old used hardware and still providing features previously only found in very expensive industrial grade equipment.

    What the pre built pfSense units do have is a stamp of approval that they will work as intended for the rated specs and they come with a year of support from the pfSense team!
    These things are very valuable if you are applying pfSense in a professional environment to a paying customer.
    They can also be very valuable if you are looking to learn pfSense as you get a year of Gold access.
    It's up to you to decide if it's worth it to you or not for personal use, the prebuilt hardware absolutely has advantages but they won't necessarily be any faster than what you can build yourself. In fact you can very likely build a much faster unit for less money if that's the only goal.

    Sort of… With 1 client running hard the CPU usage is around 11%. I think it is quite high usage, but then I do have fast internet. I have not checked out the usage when 2 or 3 clients are going rampage on the network and internet. And yes, I was utilizing the WAN 100% when I checked the CPU usage on 4 clients. I just noticed that I haven't checked the RAM usage yet. So I overlooked that. But 8GB would be more than enough.
    And here is what I was thinking on the performance on 1Gbit vs 10Gbit test. When this box is driving the upcoming easter lanparty, it will have around 50 PCs on it. And games today are internet based. Almost no new games run local TCP or IPX. And with so many PCs pushing both games and a lot of other stuff on the internet it would be a lot of stress on the CPU. So I figured that a quick speedtest on 10Gbit would give a clue on how hard many clients would impact. But I also see why this isn't applicable here. A big miss from my side. Got sidetracked by my own hype here.
    But compared to the prebuilt boxes my machine would handle a high number of clients quite easily. I will know this for sure when the LAN is up and running.

    When I tested the Intel X540-T1 NICs it was both small files and big files up to 40GB each in ordinary Windows file transfer. No programs used. These cards are for an upcoming project that is pure fun and has no other purpose than that :) But it would be quite nice to use these. But the high CPU usage when transferring files doesn't feel great.

  • D510 Atom Through put

    6
    0 Votes
    6 Posts
    2k Views
    ?

    I too never saw it go past 33% but the problem with that is for a D525 that means all cores were pegged and is why connectivity would drop.

    It may well be that the CPU is strong enough but the entire memory system is saturated, and based on that the throughput will be screwed down.

  • [solved] Watchguard x750e NICs LED fix for 2.2.5 not working?

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10S

    Do you know what those were compiled against? I guess they were those posted in the old thread unless you re-compiled them yourself?

    Steve

  • PFSense hardware not using embedded?

    14
    0 Votes
    14 Posts
    3k Views
    C

    I had a similar problem with SG-2220 and SG-2440 devices; have seen it on over 20 of them now. Customers have a nasty habit of power cycling devices by pulling the power cable to "restart it".

    We got around it by doing the following, it may help some people:

    1. We rebuilt all our devices with nanobsd, we got an 8GB USB stick, popped the FreeBSD 10.3 installer onto it and expanded the partition, then we loaded the nanobsd pfsense version 2.3 image onto the usb stick as a file. We boot from the usb stick into the freebsd installer, we exit the installer to shell and then dd the nanobsd file to the on board memory of the 2220 and 2440.

    2. In the web gui we assigned the /var and /tmp to use memory instead of disk.

    3. Last thing we set the device to mount in read-only after boot, we added the command:

    ```
    exec("/bin/mount -o ro /");
    ```

    to the file: /etc/rc.bootup

    (item 3) - This is not advisable for the inexperienced as it will break with the following:

    1. when you upgrade you'll first have to make your root slice writable.
    2. upgrades will likely wipe out your change.
    3. After configuration changes make sure to mount read-only sometimes gets set to rw.

    With this setup we connected a 2220 to a timer and power cycled it every 15 minutes, we used nagios to check and left it cycling for 7 days (>600 power cuts) and no corruption.

    The other thing we did was to purchase push button switches which are installed into the front right antenna slot and connected to the pins for power switch at the top of the board (just behind the status LED). Now when a user presses this button the OS powers off correctly. We advise customers that if they want to power cycle they have to do it that way.

    Haven't tested 2.4 with zfs in regards to power but will at some point in the future.

  • PfSense Custom Box Build

    2
    0 Votes
    2 Posts
    1k Views
    P

    Unfortunately, this is just not good hardware. Can you return it? If so I highly recommend it. There's way better hardware out there in the same form factor for cheap. I don't know what you paid for that board but a J3355B will blow it out of the water and you can get them for $55 from newegg or amazon. https://forum.pfsense.org/index.php?topic=127793.0

    If you can't or don't want to exchange for better hardware then you get an Intel PRO/1000 MT
    https://www.amazon.com/Intel-PWLA8492MT-PCI-X-Server-Adapter/dp/B00006HX1V

    You can probably find one on eBay for a few bucks, but I haven't looked.

  • NEED ADVICE: Planning to run pfsense on a real s**t server

    5
    0 Votes
    5 Posts
    799 Views
    ?

    @heper:

    You wont get anywhere near 10gbe with firewalling enabled

    NAT process later in pf, and so if the NAT or entire pf is turned out he is only able to use flat Routing, so @stephenw10 could perhaps be right with the 10 GBit/s and routing.

  • SOHO Use: Squid: SSD or HDD?

    8
    0 Votes
    8 Posts
    2k Views
    M

    i use squid+squidguard + snort

    really old 250gb sata hd. no issues

  • Cheap small office build, 6PCs, 40/10 DSL

    18
    0 Votes
    18 Posts
    2k Views
    ?

    In total ~200 Euro incl. VAT.

    APU2C4 bundle with 16 Gb or 32 GB might be coming also on 200 Euro - 220 Euro here in Germany
    and the Varia store is selling and shipping world wide!

  • Chelsio 420-CR showing 4 ports, which to use ?.

    2
    0 Votes
    2 Posts
    418 Views
    ?

    Which ports should I assign (I am guessing not all 4) ?.

    And why not all 4?

  • Adding a network card

    7
    0 Votes
    7 Posts
    1k Views
    ?

    I searched the forums and googled for compatible NIC's and did not find anything.

    Can someone please tell me what 1GB PCI NIC's are compatible?

    Every 20th tip (felt) here ends with or contains something like: take Intel if you can instead of the Realtek ones.

    Used or refurbished ones from eBay might run well for 10 Euros.

  • Dimensioning a fanless PC for 300Mb/s fiber connection

    8
  • Hardware Advice

    24
    0 Votes
    24 Posts
    5k Views
    P

    @VAMike:

    the elephant in the room here is that linux can route 1gbps on that hardware just fine–the issue is scalability limits in freebsd/pf...

    @newabc:

    In my memory in college in China around 1999, the teachers in network center use a FreeBSD machine with pentium 166 as a BGP router for the whole campus. At that time, FreeBSD is perfect for network already. pfSense is based on FreeBSD.

    I think he was commenting on that? Which btw, are there any long term plans to upgrade PF in FreeBSD to address this?

    EDIT: answered my own question

    https://www.netgate.com/blog/further-a-roadmap-for-pfsense.html

    pfSense software version 3.0 is a longer-term project. pfSense 3.0 is a major re-write consisting of 4 major components…

    ...Third, the core of pfSense (pf, packet forwarding, shaping, link bonding/sharing, IPsec, etc) will be re-written using Intel’s DPDK...

    ...We have a goal of being able to forward, with packet filtering at rates of at least 14.88Mpps. This is “line rate” on a 10Gbps interface. There is simply no way to use today’s FreeBSD (or linux) in-kernel stacks for this type of load. Since this work is only available on certain, select Ethernet cards (mostly 1Gbps/10Gbps/40Gbps Intel interfaces as well as various VMware and Xeon ‘virtualization’ NICs. Other vendors, including Broadcom, Myrianet, Chelsio and Cisco have shown interest. This also means that the underlying kernel and system will be 64-bit only...

    https://www.netgate.com/blog/pfsense-around-the-world-better-ipsec-tryforward-and-netmap-fwd.html

    Back in February, I wrote a blog post that discussed our plans for pfSense software version 2.3, which is now in alpha, and our plans for pfSense 3.0. While I promoted DPDK then, we’ve since found that netmap provides a simpler API, and substantially better safety, as the device drivers remain in the kernel, rather than running in userspace with DPDK. Still, DPDK provides a set of libraries, such as longest-prefix match, which uses a variation of the DIR-24-8 algorithm for routing lookups, which we should find useful in our pursuit of the ultimate open source software router.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.