very thank for your reply, brother.

@edwardwong: J1900 definitely able to deliver 1Gbps NAT (my friend has 1, but his board with Realtek chip can only do 600M under pfsense, but with Linux 1G is good, so in terms of CPU J1900 should be fine) @BlueKobold: Please need some advise could a J1900 core do this ? The 200 MBit/s for sure, the 500+ MBit/s I really don´t know it, but all together with WLAN and Squid and perhaps pfBlockerNG or Snort on top it will be very unrealistic to me that an Intel J1900 can handle that load nicely. More a SG-4860 would match in my eyes to that. Only looking on the GBit/s at the WAN port and not seeing or counting then the rest of all installed installed packets om top of this and/or running services might be sounding good, but is nothing in real life if things went to the south. For commercial AP like Ubnt, Aruba, Mikrotik, 50+ users on 1 single AP should be fine (except for large area or too much blind spots due to concrete walls) I am counting 20 users for normal WiFi APs and as highest number 30 for each WiFi APs controller based from the enterprise class as the highest number for getting a good and fair throughput or connectivity for all users. Only by using Xirrus WLAN APs this is not the case, all others are mostly promising more then they are able to deliver later! Well wifi are a bunch of ap to cover the whole area. And this is the good way walking with UBNT and/or MikroTik devices they can be bought step by step and over their mAP or UniFi WLAN Controller they can be managed all at one time, also for home users and customers. These are connected to a switch which is hooked to pfsense

Trying to boot from the built-in SD card reader, but it aborts with an error 19: Mounting from ufs:/dev/ufs/pfsense1 failed with error 19 Mountroot doesn't see any GEOM managed drives, and when trying to install to it form a usb, it also doesn't see it… Anything I can do to make it work, or am I out of luck on the built in SD reader?

@BlueKobold: I'm getting stuck with each NIC only loading a single core as it is and the interrupt queue basically saturates the entire core at 1 Gbps. In the version 2.3.1 this could be now working as a so called workaround but in normal this might be not really true, or am I wrong with this now!? Not sure. MSIX is working but for what it's worth, I can't seem to get the IRQs to go beyond a single core per NIC.

@karaznie: Why don't You consider GA-N3150N-D3V with additional Intel NiC PCI card? "Good" old PCI limits the throughput to around 800 Mbit/s total (i.e. 400 Mbit/s per direction if running full duplex), so putting a NIC there isn't very useful.

This box originally started with pfsense 2.2, but has since been upgraded to 2.3.1 (Patch 5) along the way. Perhaps something was strange during the update or upgrade process or plain was going wrong pending on one or more packets that where installed on your pfSense box. I would try to install version 2.2.6 clean(without any packets), fresh and full (mSATA, HDD/SSD) and see if there will be a problem or not if all is fine running and working well it could not based on that version Then after trying out that I would try out then to install the latest version 2.3.1.5 but also clean(without any packets), fresh and full (mSATA, HDD/SSD)and if there will be any kind of problems then you would be clear to say from where it comes And then you might be sure to say with which version you might be going along the next time until it will be updated and/or a newer version will be there, so you can test this from time to time until you will be seeing any changes in the support, stability or other things.

pfSense is a x86 based firewall and if there is a x86 hardware inside you might be having luck to install pfSense on it without any issues. Here are two success stories about that doings; pfSense on Astaro ASG 320 (english language) pfSense on Astaro ASG 110/120 (german language)

yes, max 32GB but 4GB is not enough? Yes but together with 8 GB RAM you will be able to high up the mbuf size if this is needed and then you will be having much free space or amount of RAM for other things such like; Squid default RAM usage high up more RAM for heavily traffic and VPN sessions running Snort or Suricata and they need (eats) also some RAM Much RAM can´t be wrong if a small amount is enough and since you will be able to high up the mbuf size to 1000000 you will never end up in a booting loop based on to less RAM inside.

Its not the traffic we are talking about, it is the number of CPU cores that will be used in each case. together with PPPoE only one cpu core is used for the WAN interface Not using PPPoE and all CPU core will be in usage for the WAN interface So if PPPoE is single CPU core threaded you get perhaps lower throughput at the WAN interface, but you might be thinking that this is pending on other circumstances or points! So you say that because of the low cpu speed my throughput is lower on the wan side. But why is my upload speed correct? I did the testing with a freshley installed APU and only lan en wan configured this is the result: [image: c6038b6dda3fb57356cd575215cff860.png] Update: [image: d8b2f11ac874e661db896709d26e5811.png] So there is then a modem in front of the WAN interface from the pfSense ? No only an NTU they call it here. It's just an Fiber to Ethernet converter. When I place PfSense behing the FritzBox: [image: 4831801c97caa5dd0e439cf13d78f71b.png]

If the budget will be expandable to something likes ~$350 - $399 I would better go with another set up; Jetway NF9HG-2930 ~$200 2 x 4 GB ~$40 mSATA ~$60 WiFI ~$40 M350 case ~$40 PSU ~$15 – ~$395 with WiFi and 60 GB mSATA SSD -- ~$330 without WiFI and 32 GB mSATA SSD and only a $10 PSU No AES-NI and Intel QuickAssist, but powerful enough to built a strong small UTM device that is power saving and silent or fan less. It is able to route without PPPoE nearly 1 GBit/s at the WAN and together with PPPoE nearly >500+ MBit/s and running Squid, SquidGuard, SARG and Snort will be also on top of this able to realize without any pain! OpenVPN and IPSec is not really pimped or tuned by that hardware but nearly ~100 MBit/s - 200 MBit/s would be enough for sending taken photos from the smartphone or camera to the home network NAS or storage. It comes with 4 Intel LAN Ports (NICs) and works well with PowerD (hi adaptive) and TRIM enabled. The mubuf size can be highed up to 1000000

Well darnit! If nobody can tell me, I guess I'll have to do it, just for the sake of getting the numbers!  :o

Cheers, folks. I appreciate the response. Sounds like I need beefier hardware for 1gbit nat. Off to migrate to Hyper-V I go! Thanks!

@sparky_3: @BlueKobold: I have a Netgear 728TPP. Can you please link me to that switch model from Netgear I couldn´t find it over Google.de http://www.netgear.com/business/products/switches/smart/GS728TPP.aspx It is a L2, L3 "Lite" switch that I believe does support VLAN routing.  The Web GUI is awful and if you click on certain options I get locked out and have to to back to the initial login screen to navigate.  It also gets very warm and is the loudest thing in my rack.  But it does support 24 gigabit ports, POE, and 1U configuration. @BlueKobold: If you have the money, I would recommend you go for the C2758. It will definitely last you 5+ years given the WAN speed remains under 1 gigabit. On one side this might be right, but in another thread here in the forum there was talked about the really poor inter VLAN routing speed or power of that board too. And if this may be important for him, because he owns not a real Layer3 switch what is able to route between the VLANs with nearly wire speed, its worth to talk about. My home is just my wife, our toddler, and I.  I don't think I would be doing heavy VLAN routing with the exception of maybe video.  I plan on setting up IP cameras and a NVR. In the NVR I could use two NICs in the NVR so that one is on the VLAN of the storage server and the other is on the VLAN where the cameras are located. That would negate the routing from the pfSense router or the L3 switch. We also watch movies, but really no more than one movies at a time.  The toddler doesn't get screen time yet. Cool Switch (GS728TPP) from Netgear, then I would let it routing the VLANs it selfs and you can also go with the smaller APU2C4 for that WAN Speed. I am leaning towards a Supermicro c2758 build (5018-FTN 4) or a PC Engines apu2c4. But if oyu want to install more packets and you will need more horse power for the entire system (pfSense) you should also be fine with the Supermicro C2758 variant. Its small, power saving and fast on top.

Thanks.  I did contact support and they confirmed the chassis was a prototype and that changes in FCC regulations prevented that design and integrated wifi going forward.  My location is very small and my current wifi is in the rack and works fine.  If I move though, then I will look at the ubiquity.

@edwardwong: I don't think so, DC-DC PicoPSU is also a kind of switching regulator, just like what I mentioned before, the efficiency will be somewhat lower when your output is far below from the designated load. It's a lot better than if you use a conventional supply. It's a bit difficult to explain the intricacies of it all (especially once you involve double-forward regulation and such) but it's built to actually handle low loads and you're more likely to be in the 'efficient' region by virtue of the fact that the PicoPSU is rated at much lower power ratings. For example, if you had a system that needs 30W and you use a 300W PSU, you are at <20% loading. A PicoPSU would start at 60W where your loading is 50% and even if you go up to the 120W model, you are still at 25%. As mentioned, most PSUs are certified for their 80+ ratings only at 20%, 50%, and 100% load.  Drop below 20% load and there are no guarantees on the efficiency anymore.

@edwardwong: And to avoid failover, if mission critical, building one more set of firewall and let them work in CARP failover model would be definitely better than running only 1 firewall. Absolutely.  I run 6 pfsense firewalls at work.  Four sites, with only 2 of them having enough IP addresses for CARP.  Where it's available, it's invaluable.

I'm getting a full gbit line and well wanted to buy a 2558 board but it seems to be getting EOL. Here in Germany the C2358, C2558 and the C2758 are all to get the hands on! From where you are (country)? so speed 1000/1000 over PPPOE. Then go with an Intel Core 2 Duo or Intel Core i3, i5, i7 (embedded) or Xeon E3 CPU that is handling that speed with eases and more on top. at least 2 intel ports minimally 100mbit VPN preferably higher. packages like snort and squid. Then a qaud core CPU or SoC might be the better option for you! It might be better for all together I mean the 1 GBit/s, the Squid and Snort on top. now I have 2 roads I can walk 1 is Celeron G4400 with a Gigabyte GA-Z170N-WIFI board You are prisoner of your own mind, you have more options then that, but often not in the same price range like the named by yours. This one might be to low or not string enough. The other is Supermicro X10SDV-4C-TLN4F Xeon D1518 The difference is that the 1st option is 3x cheaper. This board is able to get here in Germany for ~597 € + shipping fee ASUS Q87T ~150 € 2 x 4 GB RAM ~60 € 1 x mSATA 120 Gb ~80 € Intel i350-T2 ~120 € mini-ITX case ~60 € or 1U case + PSU ~130 € 1 x Intel Core i3 @3,0GHz ~200 € All in all nearly ~800 € and able to serve your network as you need and wish it.