Ok, So… After waiting a month and a half for parts from china I can confirm this bios chip has some kind of security lock on it. The reason I say this is because If i take the chip out of the board, Put it in my programmer, Read the chip then try to write the same data back to a different chip it fails EVERY TIME. I have tried several different chips from different vendors, I even pulled one out of an old mobo that I had laying around, Still failed. I though hrm... Maybe this is an issue with my programmer. So... I bought a new one. Bought new adapters to go with it.... Tried the same thing. Got the same result.... Failed to write at 0x0FB. This was odd to me, I figured that there must be a code offset. So i tried setting the offset at the point of failure and offset before the point of failure. This results in... No solution. Still failed to write. The best read I have ever gotten from the chip was the one attached. It has diffrent data than all the others and seems to be the most "Complete" version I was able to pull. This was done after I bumped the chip power from 3.6 to 5v (Dangerous i know but I was getting irritated.) Can anyone else confirm if this bios has some sort of stupid lock or security bit programmed in that makes it unreadable? One more thing, This is an annoying chip. The chip its self is stamped as SST 49LF004B however no matter what programmer I drop it in the chip identifies as a SST 49LF004A. Trying to read/write using the settings for the A version resulted in no change. Looking at the data that is coming out of the bios pull It would appear that there is an included package in the rom file that is for the PCI driver, this file (assuming is the culprit of all this frustration). It is named "ROM\BA1228L2.LOM" I came to this conclusion when I tried to extract all the files from the bios image and this file fails to extract. I have found a supermicro bios online with the same pci LOM file but was able to extract this one. Any one Skilled enough to re-write a bios from scratch with all the extracted/good files up for the task? Attached below is a zip file containing all the extracts plus the working BA1228L2.LOM Since I have multiple chips I was thinking about just finding a compatible rom and editing it to match the settings and Chipset registers to match what I pulled and just pop it in the board and try it out. What do you guys/gals think? UPDATE: Does anyone have a KEMP LM2500 that I could get to dump the bios for me please. Looking at the update history of the KEMP LM2500 NSA-1043 I see that at some point the bios was addressed in this unit by KEMP Tech. I am willing to bet that if we can get a dump of that system that it would allow us to have a flashable bios. ts100-3.zip TS_100_extract.zip

I've decided to go with the xeon option.  Instead of being too concerned with what h/w is in the pfsense box, I've decided to concentrate on what I'm going to do with the replacement board once the C2558 is repaired/replaced: So, I'll skip the D-1518 and go for a 6 core D-1528.  That should make a nice VM host machine once the repaired/replaced C2558 comes back from supermicro. :) Take care Gary

@Hegemon: That board has no Intel QuickAssist, but it comes together with TurboBoost and so did you enable the PowerD (hi adaptive)? I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty. An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more electric power saving. I'm not a expert, and I could very well be completely off base, perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me. I have an i3 @4.1  with snort and suricata(for testing purposes)  and i get 950 of a gigabit link with 40/50 % of cpu usage. If they are correctly configured, it proves that one must not underestimate an i3.

Just to be clear you need a 10Gbps VPN tunnel? Steve

Stick a small vlan switch off the LAN and pull the APs off that.

thanks, i missed that thread, looks like netgate is handling this alot better than synology is.

better what is the bottleneck? PPS

I have the exact same CPU on VMware hosting 2 vms (pfsense and Ubuntu BIND DNS/DHCP) with barely any load on the CPU. My load average is 0.34, 0.24, 0.17 Have squid, squidguard, suricata, pfBlocker smoothly routing a 155/25 WAN connection.

I ran pfsense on very similar (1 step down cpu) setup (in an ESXi VM) for years. very stable and performs great. Add a hypervisor if it adds value for you, skip the extra complexity if it does not.

@swatpup102: Try having them set the PS4 to a static IP while wired, and port forward the following to it: TCP: 80, 443, 3478, 3479, 3480 UDP: 3478, 3479 Also, enable UPnP and Nat-PMP in the services menu. PSN sometimes gets cranky when it detects a possible "strict nat" type, and pfsense will always show a type 3 strict nat until the forwarding is done and you make sure UPNP is enabled and can function. If they have a web server running, you can leave off 80 and 443 from forwarding to the PS4. I have set it up with a static NAT, uPNP. Haven't forwarded the ports yet. Side note I am seeing a lot of duplicate packets, TCP out of order packets, and retransmission packets. I am going to attach a packet capture that I have scrubbed to only show PSN related traffic. Could someone take a look at this and let me know what they they think? I am wondering these packets are causing state issues in pf. TCP out of order from what I can tell points to an Asymmetric routing happening outside his network. [PSN Packet Capture.pcap](/public/imported_attachments/1/PSN Packet Capture.pcap)

More information needed. Sounds like you're trying to add another interface and give it the same subnet which in not valid. How are you connecting those things? How is the 'wireless router' configured? Steve

I found I have one of these devices. I'll plug it in for a few days and see what is logged. I don't have a SIM in it, not sure I have a valid one, which might make a difference. Though yours appeared to disconnect entirely. [2.3.3-DEVELOPMENT][root@alix.stevew.lan]/root: usbconfig -d ugen1.2 dump_device_desc ugen1.2: <huawei mobile="" huawei="" technology="">at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)   bLength = 0x0012   bDescriptorType = 0x0001   bcdUSB = 0x0200   bDeviceClass = 0x0000  <probed by="" interface="" class="">bDeviceSubClass = 0x0000   bDeviceProtocol = 0x0000   bMaxPacketSize0 = 0x0040   idVendor = 0x12d1   idProduct = 0x1001   bcdDevice = 0x0000   iManufacturer = 0x0002  <huawei technology="">iProduct = 0x0001  <huawei mobile="">iSerialNumber = 0x0000  <no string="">bNumConfigurations = 0x0001</no></huawei></huawei></probed></huawei> Steve

Another worthwhile application of this is having continuous access to multiple servers. For example, I use PIA and I've found that every now and then the server I typically use will start to slow down noticeably with a significant increase in ping. In the past I've simply switched to a different server manually, then switch back a few days later. With this I've set up the second client to connect to a different server. This way if one server starts to slow down (or goes down completely), I'm already connected to an alternative server. For this reason it might even be worth considering a third client for some. It really is crazy to me how effective of a tool pfSense is.

@chrismacmahon: OpenVPN would not be able to utilize crypto hardware. Actually, for the transforms that the crypto supports, it could, via the cryptdev driver. Of course, now you're making 3-4 round trips to the kernel, per packet. Two for OpenVPN, because tun/tap. One or two more for AES and, if you have it enabled, SHA or MD5 as authentication.

Hmm, it's been a long time since I did this… definitely worth trying. I would have expected to still hear the three beeps when freedos boots even if you don't see a console but I have a vague memory about that not happening. Steve

@whosmatt: @pfBasic: I've never attempted gigabit internet, but I can't believe that 4 cores capable of 2.9Ghz all day long combined with a 10Gb modern intel server NIC should get "almost gigabit"!? Really? Without VPN of any sort, no snort, suricata, squid? It can't be that intensive to get gigabit internet, can it? See my previous post.. It really depends on the NIC that is handing off the connection from the ISP.  If that NIC only supports 1000Mbps, then yeah, the connection will be almost gigabit, up to what a typical 1Gbps link can really support.  In my experience it's upwards of 950Mbps but not the full 1000.  It's not about the CPU at that point, it's about the negotiation speed of the WAN link.  What would really be nice, I suppose, is if the ISP handed off the fiber and let the customer deal with it. But that's not how it happens with AT&T in my experience.  They provide a media converter which hands off to copper ethernet.  Then, that ethernet goes into an AT&T supplied router (In my case a Cisco 3000 series IIRC) and then the customer gets approved to plug a patch cable into a designated port on the Cisco. Oh I see, thank you for clarifying!

@kpa: Link-local only is perfectly fine if you don't need a routable IPv6 addresses on the APs, they will be reachable on the same network segment by their link-local IPv6 addresses. If you use the automatic setting the device will keep sending router solicitation messages periodically and that's where your log spam is from. I would expect them to send solicitation messages every 2 hours or so as 7200 seconds is the lease time but they were doing it every few minutes

I'm fine with my cat6 :P I have 2 wans 2 lans lan 1 is over 2TB/month wan 1 is over 2TB/month lan 2 is under 1MB/month: Isolated for security reasons. wan 2 is under 2GB/month: This forwards to a vendor owned sonicwall which is only used to VPN to said vendor. Silly, but necessary. I put wan1 on wan, lan1 on lan, lan2 on opt1, and wan2 on opt4 Should be all good. Thanks for the help!