@jweland:

Thanks, I assumed it was an exaggeration, this is the guy that spends thousands on SERVER parts to build systems he doesn't use much…  (must be nice). I think I am going to pull the trigger sometime between now and early December.

APU2C4 with pfSense 2.3.2 - 64 Bit here and it enough for;
200 MBit/s down and 100 MBit/s up for 70 users that are mailing and surfing!
Snort, tinyDNS, Squid, SquidGuard, ClamAV

All is running fine at 60% CPU usage without any problems.
mSATA 128 GB SanDisk
WLAN UBNT SR71-E

More interesting would for me the Internet connection speed that should be handled right.
And basing on that much devices I would guess it is better to get an adequate switch that
will be able to route your VLANs by its own power and let the pfSense do the entre WAN
job together with Snort and Squid perhaps that means you should have a closer look to
a Switch like the Cisco SG300 series or the D-Link DGS1510 series that comes on top of
this with 2 SFP+ ports for a fast connection to the FreeNAS unit.

Small:
PC Engines APU2C4 - 4 GB
up to nearly ~500 MBit/s WAN
alternate a SG-2200

Jetway NF9HG-2930 - 8 GB
up to nearly ~1 GBit/s WAN
alternate a SG-2440

Mid ranged:
ASUS Q87T & intel Core i3 @3,0GHz & 8 GB
up to a real ~1 GBit/s WAN
alternate a SG-4860

Big ones:
Mini-ITX Board & Intel Xeon E3 (4C) - 8 GB
up to real ~1 GBit/s and VLAN routing with ease
alternate a SG-8860

Cisco SG300-10 or SG300-20 would be the best option in my eyes
to realize VLANs with wire speed and a D-Link DGS1510-20 to add
the FreeNAS with 10 GBit7s into the LAN.

FTTH/FTTC/FTTB in Germany, Berlin

There are not many but some ISPs that are offering FTTH up to 1.000 MBit/s without Entertain TV
for sure because it is a commercial and not a private offer. So please have a look under the link
above and get better involved or informed in that offerings. Vodaphone is also offering FTTH(C)
Internet connections to private and commercial clients.

I would be at first say I would try out to get even a Internet connection that is offering a static
public IP address this will be more interesting and urgent then other things.

And then if that will be going right, you should be sure about the switch in front of your
pfSense firewall should be powerful enough to handle that connections with ease, so SMB
(KMU) switches will be not really nice to play with that number of connections and the entire
throughput.

Since in Berlin, is almost no Fiber availability in the City i am using MultiWan connections in a Building. Now i want to combine 15WANs to a Single in a redundant scenario.

So if you will get 15 x 200 MBit/s you will not get out of that construct 3 GBit/s as you
imagine it! You will get out of that construct 15 x 200 MBit/s. This should be clear first.
This will be only able if the IPS(s) are offering MLPPP (MPLS) services and then, but only
then you would be able to get the real 15 x 200 MBit/s = 3 GBit/s single pipe.

Since i didn't  found any Hardware based Device that is so flexible enough to do this Kind
of Magic. Its the best Job for PF Sense i think  8)

One or two Intel Xeon E5 CPUs @3,0GHz would be a really nice gain to handle and address
all that stuff, 32 GB RAM might be also a nice idea but it also depends mostly of your config.

Principal Question: What is the better Way to get the WANs in the NAT?
Connecting the PF-Sense Server to a Managed Switch trough LWL by using VLANs or is the Throughput much better when using the direct Servers own NICs (4x  PCIe Intel Gigabit 4xNIC)
=16x Gigabit NIC)

It often depends on your budget, and yes there are some interesting card alternatives out there
that could be used in that case such yours. HotLava systems

The Switch in front of that pfSense firewall should be a powerful one that is Layer2
based and fast. And it should be the 300 Euro - 600 Euro class that are more usual
in SMB (KMU) something more like the higher pricing class;

I also want to use Cashing and some other Toys like Asterisk.

Asterisk can be running on his own Appliance in the DMZ. Moby Dick is selling his
own Hardware with pre-installed Asterisk und Digium are selling ISDN, Fax and VOIP
cards that are really nice.

Laptop maker/model?

Sorry about that, there is a FCBGA1224 version of that CPU.

Hi,

just read your post again. I can see that with pf disabled you achieve the desired speed.
In that Case it looks like the problem might indeed be with your specific setup.

Do you have pfSense support ?

I imagine that pfSense support team could look at diagnostic data and drill down to find the bottleneck.
The fact that you get better speed with higher MTU means pfSense has to handle less data packages per time.

The 2758 is an 8 core Atom, but I do not know what the expected throughput ought to be with that CPU. Of course it all depends on what the FW is doing (packages, NAT ?, SNORT? etc).

Cool. I'll just go with 2GB of RAM then. Thanks for the replies guys and if anyone can recommend a motherboard I'm all ears.

Looks like that could be a nice little board but I bet its expensive.

@rysic:

dot1.x port based authentication  <===802.1 X is done on switches & AP's / not on a router |  generally some sort of radius server handles the database captive portal <=== yes bandwith limutation - 2Mb per client <=== yes: captive portal has this builtin managing logs for police (mac address, IP, time… i think) <=== no clue managing statistics for client <=== ??? content filtering <=== yes/no/maybe/pain in the ass, not worth the hassle

i'm not aware of anyone publishing test results for the sg1000's vpn performance. no clue if it can do what you want

One of the new NUC's has thunderbolt.

Does BSD support external pci cages for nics?

get a 6 core xeon @ s1366 off ebay

less power and aes-ni for vpn

add an ebay dual intel lan card as well

i also need to know what is the best USB wifi interface 2.4 GHz b\g\n?

Which version of APU2 FW are you using?

There was a FW update apu2_160211 back in February which fixed this.

nic should work

not sure about the intel matrix raid

disable the onboard lan and add an ebay dual intel nic

Yes, pretty much anything should work. The only issue is that the BIOS has to recognise the additional graphics hardware and automatically switch to it as the primary device. Most motherboards will do that.

As an alternative you might try using as serial console if you have ports.

Steve

Hmm, that does seem quite high stil but there are a lot of variables. It may be correct for your test method and CPU.

You might check that it's actually running at its rated frequency. We have seem some CPUs that run at their lowest speed unless powerd is enabled.

Steve

Hmm, hard to say with nothing logged.
I have once seen odd behaviour on those NICs with hardware checksum offload still enabled (the default setting). However it didn't block traffic completely. It's worth trying though.

Steve

@luckman212:

I can't be sure but from what you've described it sounds like your Charter modem is losing sync from time to time and reverting the DHCP that it's "passing through" to your pfSense router to a temporary subnet.  This is a known behavior especially for cable modems and it can be very annoying.

It would be great it pfSense/FreeBSD handled this "bug" a little better but there is a possible workaround that you can try…

Try going into your WAN Interface settings and under "Reject Leases From" put 192.168.100.1
See if that makes any difference...

Thanks for this tip, I'll give it a shot.  And also thanks for the references.

In my post, <wan ip="">refers to the dhcp IP assigned by Charter cable, not to 192.168.100.1.  One of the references you linked mentioned accessing 192.168.100.1.  I usually can ping that address when the WAN is 'offline', I guess that makes sense.  Unfortunately, I have to access to the internals on that modem, all I can get at that address is signal levels.

For reference, my modem is a Cisco 3208 DOCSIS 3 with no wireless.  I do not use a cable phone so it provides only internet to pfSense.</wan>

I wonder when I could buy one of these. I don't see a sales page yet… Lots in the chute with SG1000, Dual-E and Turbot Quad.

I have about 40 of the 2440's deployed, they are great units.  Have had the filesystem corruption but that's more of a freebsd/ufs bug that I'm hopeful will be resolved in 2.4 with ZFS.  Never had any issues with power/crashing/heat/boards frying etc.  I would try to open up a case with support and see if you can get an RMA.