• First pfSense Build - Hardware recommendations and access points

    0 Votes, 22 Posts, 8k Views

    2U case (Rosewill?  Aren't too many good manufacturers out there).
    CPU:  Intel Xeon (Haswell) quad core @ 3.1GHz.
    Mobo:  Some SuperMicro server motherboard.  4 Intel i250 Gigabit NICs.  Separate IPMI port.
    RAM:  16 GB ECC Kingston DDR3 (Japanese Elpida chips).
    Storage:  64GB Crucial SSD I had lying around.
    PSU: Seasonic 80+ Gold.  Can't remember the output.

    With that hardware you will be able to use pfSense as a full UTM device! With Snort, Squid, ClamAV
    and pfBlocker-NG.

    To this day, it's been overkill for my home setup.  The 16 GB of RAM isn't even close to touched.  The CPU isn't even close to utilized.  The machine idles at maybe 50W, possibly due to the case fans.  I'd like something that barely sips power (<10 Watts) and maybe go with fanless.  The 2U case is too big: I'd rather go with 1U next time or even a SOHO sized unit like the 4860 that isn't rack-mount.  It's hard to DIY for 1U unless you buy the case and mobo together (Supermicro?  Dell?)

    - high up the mbuf size to 1000000
    - increase the amount of RAM for Squid if it is in use
    - set more RAM for RAM disks if in usage

    Hold that machine and after a longer time you will be the lucky one of us!

    To be fair, I haven't really fine tuned Snort or done much more basic firewalling and pfBlocker with lots of rules for malware C&C blocking (and Spamhaus DROP, Abuse.ch, and other IP block lists).  I just enabled FreeRADIUS for a WPA2-Enterprise EAP-TLS setup.

    What about Squid & SquidGuard or Dansguardian and ClamAV and Snort?

    I plan on building or buying a lower power rig and migrating to that hardware.  The 4860 in the pfSense Store looks nice and has 6 ports, which would come in handy so I can have separate DMZ and Internal Server zones, WAN, LAN, Guest Wi-Fi, Dev/Test zone, etc.

    Please search the forum first for reaching full GBit/s over PPPoE if you use it!
    But the unit looks fine for me.
    Here is another one for ~$700 (Supermicro SYS-E300-D8)

    But I don't need that much CPU or RAM.  Until the day I get Google Fiber as well as have some kids or something.

    A powerful CPU able to drive pfSense as a full UTM and much RAM like 8 GB or 16 GB will not be a bad thing;
    as I see it, it is more for long time usage and installing more packets if wished or needed some day,
    and if electric power is cheap where you are living it may be a real gain to go a long time period with that
    setup! $700 : 120 months = ~$6 a month for a full UTM device is a really cheap price in my eyes!

  • Need help on my choice of hardware for a pfSense router

    0 Votes, 6 Posts, 2k Views

    Go for an APU2c4 kit and add an msata SSD or another mini pc with integrated intel nics. Cheaper, better and smaller.

    Limited to 4gb ram, but by the time you reach that limit you would be out of cpu power.

  • Second Hard Disk

    0 Votes, 2 Posts, 983 Views
    KOMK

    Google 'add hard disk pfsense' and that will fix you up.  Squid just needs you to edit Services - Squid - Local Cache - Squid Hard Disk Cache Settings - Hard Disk Cache Location.

  • Appliance VS Dedicated Pc/Machine

    0 Votes, 7 Posts, 3k Views

    @YipYip:

    In your XP do the mobos play as much a part in problems as the NICs?

    Thanks

    YipYip

    Honestly, in the 10 years I've been acquainted with pfSense (and running in production for 8 years) I've never really had a hardware problem. But I'm also not running at the edge of performance. In general, any hardware that runs FreeBSD runs pfSense, so if you're on the fringe, look at the supported hardware list for FreeBSD.  I've run on Intel, AMD, and Via CPUs and Intel, Broadcom, Realtek, Via,  and Marvell NICs without problems.  Running both virtualized on VMware and on bare metal. Not sure this is the answer you're looking for, but unless you're on bleeding edge new hardware that isn't supported by FreeBSD, any issues are likely not caused by the hardware (unless it's defective).  EDIT:  or unless you're pushing the envelope of what the hardware is capable of.

  • Fresh Setup ZBOX CI323 nano

    0 Votes, 6 Posts, 2k Views

    Well, I found out what the problem is from the TP-Link forums

    From one of their forum users

    "We worked with TP-Link technical support and discovered that there is an issue that was only able to be resolved by removing the earth connector from the plug on the TP-Link power supply, and voila it works!"

    and TP-Link response

    "After the testing, we have confirmed the conjecture before, the NIC in the Asus motherboard does not isolate the MDI from the frame ground according to the IEEE802.3 requirement. As we said before the power adapter of the TL-SG2210P does not isolate as well and then the incompatible problem happens when they work together. The adapter of the TL-SG2210P and Asus motherboard are both to be blamed for this problem.

    We are deeply sorry for that and we have already begin to apply new energy efficiency power adapter which will solve this problem perfectly. Thanks for your understanding in advance!"

    Full details here http://forum.tp-link.com/showthread.php?85051-Switch-shuts-down-when-connected-to-modern-Asus-motherboards&p=188035#post188035

    Something to keep in mind if you're buying this switch and have these motherboards brand/gen.

    I'm hoping TP-Link will issue a replacement for AC adapter soon.

  • SG-4860-1U

    0 Votes, 8 Posts, 2k Views

    Derelict, thanks for the help. I did all that but it didn't work. FSCK never listed a problem. What worked was re-installing. Thanks.

  • Any PFsense on a Nokia IP290?

    0 Votes, 7 Posts, 3k Views

    Hey @seniorpine,

    I have the exact same device, and I'm trying with the nanobsd version, but still no luck!

    Did you just write the installer to your CF and install to the HDD from it? If so I will also try that.

    I just want to use this box as the firewall in our office.

  • Trying to find the ultimate homerouter

    0 Votes, 5 Posts, 2k Views

    Ultimate is subjective, no?

    There are so many other things responsible for the network to be amazing.

    The reality is that without purpose built from user experience UI all the way to the gateway device there will always be headaches and unforeseen scenarios that the user ultimately comes across for whatever insane reason.

    This really is a Frankenstein's monster of hodgepodge tech where most of us just cross our fingers and hope that it works.  I'd wager that no one knows every single facet of the technology they're using.

  • Watchguard XTM 330 | Supported??

    0 Votes, 2 Posts, 5k Views

    Not supported.

    The processor is not x86

    See : https://forum.pfsense.org/index.php?topic=43574.msg435635#msg435635

  • Fortinet Fortigate 500A

    0 Votes, 1 Posts, 840 Views
    No one has replied
  • Supermicro A1SRi-2758F Jumbo Frames/MTU Limited to 4078?

    0 Votes, 7 Posts, 2k Views

    @josh4trunks
    This is a very old thread here and this problem is resolved in or since pfSense version 2.3

    Redmine Bug #4397
    The fix above noted in "do control plane MTU tracking" is in 2.3/10-STABLE and works, which fixes this.

  • Nano Image and NFS

    0 Votes, 3 Posts, 970 Views

    That was kind of my thinking as well. Interesting to tinker with but impractical in the long run.

  • Intel NUC with StarTech USB Gigabit NIC (chipset ASIX AX88179)

    0 Votes, 6 Posts, 2k Views

    @Philip7:

    Would it work to take a NUC and add a StarTech USB Gigabit NIC (chipset ASIX AX88179) to create a fast OpenVPN pfSense box?
    My Zotac CI 323 works fine but the cpu is still the bottleneck when downloading via my VPN provider (17 MBps).

    What is the speed of your line? What is your VPN provider?
    My mini PC with the same processor of your Zotac CI323 (Celeron N3150), which runs the latest version of pfSense, is able to reach full speed line (100Mbps) connecting to PureVPN or PIA.
    It's capable to run snort, pfBlocker and a couple of OpenVPN clients smooth as silk.
    Snort is the process that takes more CPU resources under heavy load, while downloading to 100 Mbps the CPU usage barely exceeds 90% if Snort is active, and 40% if Snort is off.
    I don't know your needs, but maybe the problem is in the client configuration or in your VPN provider.
    Here something about the OpenVPN performance:
    https://forum.pfsense.org/index.php?topic=115673.0

  • Dell precision T3500 - works great.

    0 Votes, 2 Posts, 1k Views

    Well right before a workout I had no internet connection.  After making my way through the house to my horror this machine was loop rebooting.

    I just started a diet and let's just say my mind isn't 100% atm.

    Anyway - I reconfigured an access point to be a router while I went to the closet and pulled an old machine off the shelf.
    I took the same quad NIC that was in the T3500 and put it in the "shelf" computer.  I loaded the latest ISO CD of pfSense and with a USB stick including the /conf/config.xml the pfSense rig was up and running literally within 10 minutes.

    Gave me time to figure out that the t3500's PSU died.
    Something to note about this particular computer is it doesn't require a proprietary PSU and I slammed in something I had in a closet. (cooler master 750)  Works great!

    Yes it's a mess in there - I was in a hurry!


  • 0 Votes, 5 Posts, 2k Views

    About 100 users

    It might be more interesting to know how much traffic they are producing!

    Multi-WAN (load-balancing) scenario with 3 connection of 500Mbps each

    Might be more tended to the rest of the clients and services that are offered!
    Load balancing can be done in three different ways, such as:

    - policy based routing (many clients in/out sending)
    - service based routing (different services by different ISPs in usage)
    - session based routing (server session based and more for many devices in the DMZ)

    Router redundancy: I would need extra Ethernet port and 2 servers

    Ideally two identical units such as 2 x 4860 or 2 x 8860 and using CARP then

    OpenVPN server: roaming and point-to-point

    Also a Xeon E3-12xxv3 system or an Intel Xeon D-15xx platform will be good then

    Snort or Suricata IDS
    Captive Portal
    Squid (possibly, not sure yet)

    50% - 50% I will say it is not really even clear to me what services are running, what protocols are in
    usage and how many and what exactly of traffic will be generated, in some times it will be wise to buy
    and go with a SG-4860/SG-8860 unit from the pfSense store and/or a self made Xeon E3 unit that will
    be for sure hard and strong enough plus you may be able to add some RAM later on top if really needed!!

    So it would be more or less a question what is really going on in that network.
    I would assume that also the SuperServer 5018D-FN8T or the SuperServer E300-8D
    would be ideally together with two D-Link DGS1510-24 layer3 switches!

    - enough power
    - enough ports
    - enough space
    - enough RAM capacities

    Intel Xeon D-1518 4 Cores / 8 Threads
    up to 128 GB DDR4 2133 RAM
    M.2 socket, mSATA or SATA-DOM
    2 x SFP+ & 10 x  GB LAN Ports Intel based

    Cool solution in my eyes.

  • What to do with 32GB of RAM?

    0 Votes, 9 Posts, 3k Views

    so I was wondering if there was anything I could run on it that would use some of the extra ram to improve the network in some way? Thanks in advance for any help :).

    - high up the mbuf size to 1000000
    - high up the Squid RAM size
    - more RAM disks or for caching

    Using Squid, Snort, pfBlocker-NG and VPN will be fine with that amount of RAM
    the first thing I would realize is the mbuf size increasing.

  • Do I really need AES and QI

    0 Votes, 5 Posts, 1k Views

    Do I really need AES and QI

    Might be that you are not really needing it, but if you are using IPSec it will perhaps be better
    to have AES-NI to speed up your IPSec VPN, and if QI is fully integrated and will be used in
    pfSense it might be fine pushing up more than only one or two things, who knows it really?

    As a WiFi ac AP you might be better sorted with your old one, that will be pimped up with
    OpenWRT or DD-WRT regarding the given functions and options. Otherwise UBNT and
    MikroTik will be able to serve you better too in my eyes according to the range of WiFi options.

  • Hardware check: PPPoE gigabit

    0 Votes, 13 Posts, 5k Views

    Bug has been open 1 year ago. Not much progress on this by now. Hope in the new major version to get some improvements.

  • ELI5 2nics vs more

    0 Votes, 1 Posts, 751 Views
    No one has replied
  • Received pfSense Hardware Purchase

    0 Votes, 2 Posts, 875 Views

    Never mind. After putting 1 unit with the vent down and discovering it was a pop rivet, I did the same with the other and with a little gentle shaking, got the second one out as well.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.