• Supported 10GB NICs?

    9
    0 Votes
    9 Posts
    9k Views
    J

    better what is the bottleneck?

    PPS

  • Opinion of Hardware

    5
    0 Votes
    5 Posts
    2k Views
    A

    I have the exact same CPU on VMware hosting 2 vms (pfsense and Ubuntu BIND DNS/DHCP) with barely any load on the CPU. My load average is 0.34, 0.24, 0.17

    Have squid, squidguard, suricata, pfBlocker smoothly routing a 155/25 WAN connection.

  • APU3 (apu3a2) with integrated LTE, dual SIM support

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Reusing old hardware - sanity check

    4
    0 Votes
    4 Posts
    913 Views
    M

    I ran pfsense on a very similar (1 step down CPU) setup (in an ESXi VM) for years. Very stable and performs great. Add a hypervisor if it adds value for you, skip the extra complexity if it does not.

  • SG-2220 PS4

    5
    0 Votes
    5 Posts
    1k Views
    C

    @swatpup102:

    Try having them set the PS4 to a static IP while wired, and port forward the following to it:

    TCP: 80, 443, 3478, 3479, 3480
    UDP: 3478, 3479

    Also, enable UPnP and NAT-PMP in the services menu.

    PSN sometimes gets cranky when it detects a possible "strict NAT" type, and pfsense will always show a type 3 strict NAT until the forwarding is done and you make sure UPnP is enabled and can function. If they have a web server running, you can leave off 80 and 443 from forwarding to the PS4.

    I have set it up with a static NAT, UPnP. Haven't forwarded the ports yet.

    Side note: I am seeing a lot of duplicate packets, TCP out of order packets, and retransmission packets. I am going to attach a packet capture that I have scrubbed to only show PSN related traffic. Could someone take a look at this and let me know what they think?

    I am wondering if these packets are causing state issues in pf. TCP out of order, from what I can tell, points to asymmetric routing happening outside his network.

    [PSN Packet Capture.pcap](/public/imported_attachments/1/PSN Packet Capture.pcap)

  • Wireless router setup problems

    3
    0 Votes
    3 Posts
    696 Views
    stephenw10S

    More information needed.

    Sounds like you're trying to add another interface and give it the same subnet, which is not valid.

    How are you connecting those things? How is the 'wireless router' configured?

    Steve

  • Vodafone K3565 Rev 2 discovered via multiple serial ports

    11
    0 Votes
    11 Posts
    2k Views
    stephenw10S

    I found I have one of these devices. I'll plug it in for a few days and see what is logged. I don't have a SIM in it, not sure I have a valid one, which might make a difference. Though yours appeared to disconnect entirely.

    [2.3.3-DEVELOPMENT][root@alix.stevew.lan]/root: usbconfig -d ugen1.2 dump_device_desc
    ugen1.2: <huawei mobile huawei technology> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

      bLength = 0x0012
      bDescriptorType = 0x0001
      bcdUSB = 0x0200
      bDeviceClass = 0x0000  <probed by interface class>
      bDeviceSubClass = 0x0000
      bDeviceProtocol = 0x0000
      bMaxPacketSize0 = 0x0040
      idVendor = 0x12d1
      idProduct = 0x1001
      bcdDevice = 0x0000
      iManufacturer = 0x0002  <huawei technology>
      iProduct = 0x0001  <huawei mobile>
      iSerialNumber = 0x0000  <no string>
      bNumConfigurations = 0x0001

    Steve

  • Hardware Configuration for Optimal VPN Connection Speeds

    31
    0 Votes
    31 Posts
    11k Views
    P

    Another worthwhile application of this is having continuous access to multiple servers. For example, I use PIA and I've found that every now and then the server I typically use will start to slow down noticeably with a significant increase in ping. In the past I've simply switched to a different server manually, then switch back a few days later.

    With this I've set up the second client to connect to a different server. This way if one server starts to slow down (or goes down completely), I'm already connected to an alternative server.

    For this reason it might even be worth considering a third client for some.

    It really is crazy to me how effective of a tool pfSense is.

  • SG-1000 Hardware Crypto Acceleration - Not clear how to enable

    10
    0 Votes
    10 Posts
    4k Views
    J

    @chrismacmahon:

    OpenVPN would not be able to utilize crypto hardware.

    Actually, for the transforms that the crypto supports, it could, via the cryptodev driver.

    Of course, now you're making 3-4 round trips to the kernel, per packet.

    Two for OpenVPN, because tun/tap.
    One or two more for AES and, if you have it enabled, SHA or MD5 as authentication.

  • Watchguard Help

    25
    0 Votes
    25 Posts
    5k Views
    stephenw10S

    Hmm, it's been a long time since I did this… definitely worth trying. I would have expected to still hear the three beeps when freedos boots even if you don't see a console but I have a vague memory about that not happening.

    Steve

  • I5-4570S processor, too much?

    11
    0 Votes
    11 Posts
    3k Views
    P

    @whosmatt:

    @pfBasic:

    I've never attempted gigabit internet, but I can't believe that 4 cores capable of 2.9GHz all day long combined with a 10Gb modern Intel server NIC should get "almost gigabit"!? Really? Without VPN of any sort, no snort, suricata, squid? It can't be that intensive to get gigabit internet, can it?

    See my previous post.. It really depends on the NIC that is handing off the connection from the ISP.  If that NIC only supports 1000Mbps, then yeah, the connection will be almost gigabit, up to what a typical 1Gbps link can really support.  In my experience it's upwards of 950Mbps but not the full 1000.  It's not about the CPU at that point, it's about the negotiation speed of the WAN link.  What would really be nice, I suppose, is if the ISP handed off the fiber and let the customer deal with it. But that's not how it happens with AT&T in my experience.  They provide a media converter which hands off to copper ethernet.  Then, that ethernet goes into an AT&T supplied router (In my case a Cisco 3000 series IIRC) and then the customer gets approved to plug a patch cable into a designated port on the Cisco.

    Oh I see, thank you for clarifying!

  • Strange behavior with Apple Airport Extremes

    6
    0 Votes
    6 Posts
    779 Views
    ?

    @kpa:

    Link-local only is perfectly fine if you don't need a routable IPv6 addresses on the APs, they will be reachable on the same network segment by their link-local IPv6 addresses. If you use the automatic setting the device will keep sending router solicitation messages periodically and that's where your log spam is from.

    I would expect them to send solicitation messages every 2 hours or so, as 7200 seconds is the lease time, but they were doing it every few minutes.

  • I211 vs i350

    20
    0 Votes
    20 Posts
    11k Views
    M

    I'm fine with my cat6 :P

    I have
    2 wans
    2 lans

    lan 1 is over 2TB/month
    wan 1 is over 2TB/month
    lan 2 is under 1MB/month: Isolated for security reasons.
    wan 2 is under 2GB/month: This forwards to a vendor owned sonicwall which is only used to VPN to said vendor. Silly, but necessary.

    I put wan1 on wan, lan1 on lan, lan2 on opt1, and wan2 on opt4

    Should be all good.

    Thanks for the help!

  • Need pfsense Low Power Build Advice

    11
    0 Votes
    11 Posts
    7k Views
    A

    Celeron is just fine. If the price difference is not much then go for the i3.

  • Is an Intel D2500CC board still good for basic use?

    6
    0 Votes
    6 Posts
    2k Views
    V

    I'm sure it'll work, but I'd need an incredibly good price to pick it over an apu2 (which is faster, has aes-ni, has virtualization extensions, has 3 NICs, and still draws less power).

  • Panic: Error Reading '/mfsroot': file too large - Supermicro SYS-E200-9B

    3
    0 Votes
    3 Posts
    1k Views
    P

    Kingston 60GB msata. It actually booted off of a CD. I hooked up an external CD drive and with that it booted.

    But the gold-edition memstick image is a no go.

  • Wifi on pfsense router -help-

    6
    0 Votes
    6 Posts
    2k Views
    jahonixJ

    I never felt FreeBSD was up to date with wireless, always some steps behind. The steps grew bigger.
    Knowing what FreeBSD is used for mainly it shouldn't be too big a surprise.

  • MOVED: Watchguard XTM330

    Locked
    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
  • Study for new build 1000/10

    11
    0 Votes
    11 Posts
    4k Views
    D

    I am fan nº 1 of the now old am1 platform.
    My previous (and first) pfsense rig was built accordingly, that is, affordable, with good performance and low tdp.
    The Asus board is super stable, and for a 500mb connection is more than enough.

    For gigabit realm another kind of muscle is needed.

    You are absolutely right. G4400 would be more than enough. But I was rather curious about Kaby Lake, and it seemed to have very good tdp in idle, so I went for it.

    As I said, Xeon was my plan, but money doesn't grow on trees and I chose i3. If I got a Xeon, my firewall cpu would be better than my main desktop pc. Seemed quite weird.

    Besides help and feedback, I wanted to help to share the idea that a cheap cpu can give the performance for these «new» gigabit speeds. Anyone planning an upgrade for a SOHO environment can go the Pentium way, or others more tdp friendly. Does not need to spend a fortune.

    I was surfing Amazon and Newegg for Supermicro and ASRock boards with C2758 and D-1520 CPUs, but here in Europe they give a new definition to «pornography» when we talk about computer parts prices.

    Got a server board (although Asus) with IPMI, it can be a security issue but gives me options for remote administration for about 180 euros.

    4 GHz gives me a short future proof for IPS/IDS and AV.

    The appliances selling at pfsense store are top notch, would be my first option, but it is just my home network and I wanted to build it myself.

    The am1 cpus are becoming scarce in amazon.es, amazon.de or amazon.co.uk.
    The new 5370 is more recent but not near the performance of the newer cheap Pentium line.

    Let's see if Ryzen brings any surprise.

    I repeat once again, I am satisfied with this build.

    The ISP guy that came to do the install of the service, last December, told me the fastest he had seen was 950 in a top rig of a gamer that had invested a fortune on his rig.
    It's not a competition, but I'm able to squeeze 940 out of my connection, in a consistent way.

    My next (planned dreaming) addition will be 10GB nics, but only when I believe the high price being asked for them.
    Maybe I get results closer to the 1000.

  • Dell Optiplex 3010 running pfSense?

    3
    0 Votes
    3 Posts
    3k Views
    W

    Do you have an available PCIe x16 slot?  If so, just grab something like this: https://www.amazon.com/HP-NC364T-Gigabit-Server-Adptr/dp/B000P0NX3G.

    You don't need the x16, but you do need a slot capable of housing an x4 card, which the x16 will.  Otherwise you (probably) only have x1 slots and there's a dearth of server NICs available for those.

    Oh, and to answer the rest of your question, yes, that hardware will be quite suitable for pfSense and your FIOS connection.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.