• Best pfsense hardware for traffic shaping only bridged mode

    2
    0 Votes
    2 Posts
    613 Views
    V

    @cluelessvictory:

    I am looking for a router just to do traffic shaping since I can't do traffic shaping on my router because it has multi lan setup.
    I have looked at J1900 based mini pc and 3215U mini pc but I think that might be overkill for my needs. I have looked at NETGATE SG-1000 but it can't do more than 100Mbps. I am looking for something that can do at least 1Gbps in bridged mode but is also compact/affordable and isn't too power hungry.

    Yes, the 3215U is overkill, but you won't find anything much cheaper that will handle the load. Maybe an APU2.

  • ASRock J3710M with 16GB RAM

    3
    0 Votes
    3 Posts
    993 Views
    M

    Yes. Check to see what the actual electrical connection is on the slot you want to use for the NIC. It might be a 16x or 4x slot, but only work at 1x speed.

  • Allwinner A20-Boards?

    9
    0 Votes
    9 Posts
    3k Views
    F

    What I don't understand in your reply is, why pfSense (2.3), which is based on FreeBSD 10.3 shouldn't support the Banana PI board, too?

    Because ARM uses Device Tree, so for every board there is a Device Tree Source file that describes the hardware to FreeBSD, as there is no Plug and Play or ACPI. Notice a separate FreeBSD ARMv6 image for every supported board. ARM64 is looking better with a generic Kernconf.
    So Netgate is building a custom DTB for their device. This is in your best interest as the stuff on Arm is in a constant state of change. They need to ensure a quality experience and not worry about supporting a $35 platform.

    pfSense is open source so you could port it to Allwinner. Enable FDT. Write a DTB.

  • Netgate RCC-VE 2440 - mPCIe slot & BIOS fix

    5
    0 Votes
    5 Posts
    1k Views
    jimp

    There is a new BIOS that is supposed to fix it, but it has not yet completed internal testing to be suitable for production release.

  • How Many 10 Gigabit Interfaces Can You Have?

    9
    0 Votes
    9 Posts
    3k Views
    JeGr

    Side question: Are there plans for NetGate to come out with a newer Firewall Gateway soon that might have 10GbE ports for everything?
    ADI Engineering is constructing the hardware that Netgate is selling then, but as today this

    That's not completely right. The XG Series 1U Units are IMHO rebranded Supermicro Superservers. We got the same from our Supermicro Vendor with exactly the same NIC layout as the pfSense ones, so I assume one has to ask Supermicro why for example the 1518 Unit has 2 SFP+ Ports 10GE and the 1540 (as sold by pfSense) has 2 RJ45 10G Ports… would be nice to have more options though.

  • ASIX AX88179 USB to GigE

    52
    0 Votes
    52 Posts
    30k Views
    M

    @DB9:

    Hi,

    I'm running into a rather strange problem using these interfaces on pfSense 2.2.6.

    I have two Digitus DN-3023 USB 3.0 NICs in my system which use the AX88179 chip:

    ugen0.7: <AX88179 ASIX Elec. Corp.> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=ON (124mA)
    ugen0.8: <AX88179 ASIX Elec. Corp.> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=ON (124mA)

    I've successfully configured pfSense as follows:

    Internet
        |
    Provider's router
        |
    10.1.1.0/24
        |
      WAN
    pfSense
    LAN1, LAN2 (vlans 3, 4)
        |
    10.1.3.0/24
    10.1.4.0/24
        |
      Switch
      |    |    |
    Clients (distributed over the two vlans)

    Everything was working as expected until I tried to update a Ubuntu PC (hash sum errors on downloaded packages). I noticed that also the md5sum of a downloaded Ubuntu ISO image was incorrect. (http://releases.ubuntu.com/wily/ubuntu-15.10-desktop-amd64.iso).

    When I connect directly to my provider's router I can update and can download a non-corrupted ISO image without any problem. So it has to be something in pfSense.

    Comparing the corrupted ISO on a binary level against a non-corrupted one along with some packet dumps, it seems like the corruption occurs at the beginning / end of packets in the download stream.

    At first I wanted to blame the 802.1Q setup, maybe these NICs aren't supported that well. I tried playing with the MTU on the LAN interfaces, reducing it to 1496 to compensate for the inserted vlan tags. This seemed to fix the issue. I was able to update and download the iso, but some websites would not load at all. I think this is due to the destination unreachable due to fragmentation ICMP traffic the WAN interface was sending out. So back to the standard MTU of 1500.

    Now I've disabled all vlan setup and the LAN interface (only one remaining) is running directly on the interface. But I'm still experiencing the corrupted downloads.

    I still have a feeling this issue is related to these NICs, hence I'm posting in this topic. I think it's strange that such a low level issue has so little impact. Only some HTTP streams are affected, everything else seems to work like a charm. There's a third Realtek interface in the system (on the mainboard), but this is not yet supported by the FreeBSD driver, so no other interfaces to troubleshoot.

    Does anyone have the slightest idea what might be going on here?

    I know this is old but I wanted to supply a likely very plausible answer to this in case anyone else runs into this issue.

    If the provider is a DSL provider, and the provider's modem is in bridge mode to connect to the pfSense, you MUST in almost all cases change the WAN port on the pfSense to an MTU of 1492, not 1496. DSL uses a tagging on the packets similar to your VLAN tags, and any packets exceeding 1492 cannot get through properly.

    This is confirmed on XO Communications DSL, CenturyLink DSL, Qwest DSL (bought by CenturyLink), and Integra DSL as well. This could, and most likely was the cause of the issues quoted above, and most likely had nothing to do with the ASIX NICs, or the fact they were USB.

  • 2017 and pfSense - Gigabit Internet setup

    2
    0 Votes
    2 Posts
    2k Views
    curtisgrice

    You could run an iperf test from one port to the other and that will tell you the MAX forwarding rate your little box can do. It will NOT tell you the max internet speed with routing, rules, packages, etc..

    To be honest, I would be surprised if you get more than 800Mbits per sec. with Realtek.

    Edit:
    OR you could be less silly and do iperf from your desktop to your router.. haha I need to sleep.

  • Raspberry PI

    Locked
    31
    0 Votes
    31 Posts
    134k Views
    M

    @jwt:

    We're doing the SG-1000 for $149, and that price includes Gold.

    If your needs are met by 2 ports, 200-520Mbps of performance (depends what you measure, and how), you have the world's best open source firewall, in the palm of your hand, with a complete learning environment, (book, hangouts, forum, email), auto config backup and more, all while you're supporting the project.

    If you have need of more ports and/or performance, we have solutions, both current and planned that will address these as well.

    This is very nice. But can't really use it as a "travel" router/VPN.

    Power off the laptop, put the UTP cable in the laptop and connect the wifi part to your router/wifi access points elsewhere and you've got a really nice travel pfSense. Don't need super speeds from it.

    So in a sense the Pi3 is very nice for that. Or connect the Pi 3 to your laptop via Bluetooth if that also works nicely.

    Still looking for a good solution for that.

    edit:
    http://shop.udoo.org/eu/preorder-x86.html

    This would be a nice little one. It has an Intel CPU so it can run pfSense.

  • OpenVPN >200Mbps

    4
    0 Votes
    4 Posts
    2k Views
    S

    Ah that's great to see some actual real world figures across different hardware.

    I also wasn't aware that you could group multiple openvpn tunnels into one group, that's great information thanks. It would be great to see this information graphed somewhere as a guide, especially now with some of the bills being passed in the UK for those that want to push all traffic via a VPN and the high prevalence of OpenVPN providers.

    In the end I just bought a cheap second hand Xeon E3-1220 box and I'll be happy to post some metrics about my hardware once I've gotten my hands on it.

  • Will any modem work?

    3
    0 Votes
    3 Posts
    572 Views
    S

    Excellent. Thank you.

  • SG-1000 microFirewall Optical Illusion

    Locked
    69
    0 Votes
    69 Posts
    40k Views
    R

    Imagine pfSense running on this: https://www.gl-inet.com/mifi/
    8)

  • Run Multiple PFS Servers to Balance Workload/Traffic ?

    4
    0 Votes
    4 Posts
    1k Views
    ?

    So if I notice that the APU2C4 cannot handle all of the traffic I would just get 1 more APU2C4 ?

    Go and buy a SG-4860 from the pfSense store.

  • Dell DCCY OptiPlex™ 740 Athlon X2

    1
    0 Votes
    1 Posts
    656 Views
    No one has replied
  • Advice on building my setup - HH5, UK

    6
    0 Votes
    6 Posts
    1k Views
    W

    The TP-Link TL-WA801ND is a great access point for the price, if you're still looking for a separate AP.  Comes with a PoE injector, supports VLANs and multiple SSIDs.  And it's cheap, at $25 USD or so. Not the fastest, but otherwise great in my experience.

  • Server suggestion

    4
    0 Votes
    4 Posts
    1k Views
    W

    Your answer will depend much more on the throughput of your WAN connection than the number of users.  My suggestion is to buy from the pfSense store.  Any of the currently available devices should handle 250 users just fine, and you'll get the support that comes with your purchase.  If you seek maximum reliability, buy two devices and run them in a failover pair.

  • New Build - Fiber -

    6
    0 Votes
    6 Posts
    1k Views
    W

    @VAMike:

    this is actually important, not just snark. 500Mbit/s would be kinda meh. 500MByte/s would be pretty decent.

    Yeah, that was my point in asking.  I'd have been shocked to see that kind of throughput from any pfSense box running on a hypervisor.

  • Watchguard XTM 505 Firewall (NC2AE8) Bios corrupt ??? (SOLVED)

    2
    0 Votes
    2 Posts
    935 Views
    D

    It's alive, it's alive  ;D 8)

    After switching the CPU from another XTM 5, the firewall works great.
    Just saved that thing from being a door stop for the rest of its life.

    Grtz
    DeLorean

  • External Switch vs Bridged Ethernet Ports?

    7
    0 Votes
    7 Posts
    1k Views
    JKnott

    Where is written that switches are not working on the layer3?

    In common usage, switches referred to layer 2, Ethernet.  A separate function, at layer 3 was done by routers.  The layer 3 switches simply move the routing function into dedicated hardware, rather than software, as was previously done.  Regardless, if you're not routing a layer 3 switch won't accomplish much that a layer 2 switch couldn't do.

  • Pfsense setup

    6
    0 Votes
    6 Posts
    2k Views
    ?

    What if I use virtualbox for pfsense instead installing physical pfsense router?

    This might not be the problem as I see it, but then you will need a second NIC or you must work with other things such as VLANs.

    Do I need to add or buy 1 NIC for pfsense, right?

    It is not a must be but the best in my eyes would be to have one WAN and one LAN interface.

    BTW. Can I apply router on a stick in cisco 2960 for pfsense?

    Definitely not able to realize as I am informed!

  • Hardware Requirements for Gb/s VPN AES-256-CBC

    14
    0 Votes
    14 Posts
    3k Views
    ?

    What are you trying to say?

    That we are running Intel Xeon VPN servers together with plug-in cards to realize a setup such
    as you want it, and I mean not only on one side! This GB VPN (symmetric) stuff is nothing to deal with
    cheap and fancy devices or tiny hardware that home users and/or hobbyists are using! That is
    what I want to say with that above! It is something around ~900 € for each server and each side
    that we were deploying, and we now get something around ~840 MBit/s - 920 MBit/s, plus on top
    counting the TCP/IP overhead, and this might be for 24/7 in a commercial network.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.