@whosmatt Thanks for that, the smart switch does seem like a better idea, and they only cost around 25UKP, about twice he cost of the usr->ethernet thingy.

i am actually running the beta now. i have narrowed down the problem to the powerd option. leaving it disabled keeps me from getting the watchdog timeout. looks like the network driver does not like the power savings features.

Those devices are very power sensitive, especially 4G models.
I'm not sure I've tested 3G sticks with pfSense earlier, but I have some older modems and potentially can try them.
So, trumee, if you have a modem available - I suggest to give it a try with pfSense.

Simple:
If you have one set of end points which you don't want to speak to the outside world, have them on a switch together.

If you have one set of end points which you do want speaking to the outside world have them on a switch together and route them through a pfsense box on the way out.

Don't overcomplicate this

a) is Voleatech

ok right it was a typo, but it was linked to the right website.

b) is not listed as Retailer (only MSP & VAR) and

This was not the question and @cmb was linking it before.
The question was "Where in EUROPE to buy new SG-xxxx or RCC-VE units?"
and not who is qualified reseller

c) is Deciso Sales B.V, the company behind OpenSense. They don't sell pfSense/Netgate hardware, only "replacements".

Yep, this was a really bad failure of mine.

fixed the typo.

Thank you there fore.

and removed the link to con artists who are trying to sell inferior products marketed as if they were better

Thank you once more again.
Here are three more of them who sells the SG- units from the pfSense store in Europe
Hardwarefiewall.net - Italy
IMAGE IN NETWORK - France
Mindconnect - Germany

guess I should stick to a supermicro case.

It is not a must be and all is pending on what case size you will need, a desktop case or a 1U case.
Desktop:
M350 very popular mini-ITX case
SC721TQ mini-ITX tower
SC101i mini-ITX

1U rack mount:
If you want to get a original SuperMicro 1U chassis that is matching and fitting well you should
go to the website where your exact mainboard is shown and then please scroll down and have a
look at the right side there will be all matching 1U chassis named with links. Watch for front and
rear I/O ports. A1SRi-2758F

Other popular 1U options:
Mini-ITX
PlinkUSA

Thanks Derelict and BlueKobold :)

Most of those crashes have a backtrace that I've only ever seen be a hardware problem.

"Both IPERF hosted by my ISP as well as OOKLA hosted by my ISP"

I have my doubts on the ISP hosted bandwidth tools since you don't have any visibility on how they implement tools in their enverionment.

Use the Sergey Nosov's table "iperf - Mbits/sec - Window size: 64 KB" and do the actual test.

here's the link for the table -> https://www.orderfactory.com/articles/pfSense-Snort/network-perimeter.html  and let us know the result.

@nib01:

@BlueKobold:

Celeron N2930 doesn't have AES-NI support.

For sure and now? As I am informed AES-NI will actually support only AES-GCM but not AES-CBC
and OpenVPN is only using AES-CBC! And the starting point to get a strong enough hardware for
the following parts are not only based on OpenVPN alone.

If so, AES-NI only support AES-GCM but not AES-CBC which is openVPN would only be the most important for me on this purpose.

I would love to see a list of mini-itx board with AES-NI supported, and uses external power supply only (like the Jetway N2930).

Thanks.

I don't mind if you ask questions in my thread, but please don't hi-jack it for your own build. In fact, you would probably get more responses tailored to your build if you just make your own thread anyway.

I wonder how it is being experience with the Dell PowerEdge R430 + PFSense 2.2.

There are some nice and also strong appliances in the pfSense store that can be taken better for a
native installation, but if this server must be taken I would hardly recommend to install ESXi at first
and then pfSense in a VM instead of play try and error at the work inside of productive networks.

Does anyone had any problems in using the PFSense 2.2 on a Dell R430?

Either what all peoples are answering now, you must guaranty that the network is running well
and is on top secured. What does it make that someone answers here is all very well running and
then you might be getting even new trouble with this hardware. For sure in a lab network besides
for testing it out, it will no problem then.

Problems related to CARP, IPSec, Load Balancer, or else ….

So you will have to own two of this Dell R430 servers, as I understand it right?
Then better go with the ESXi and set up on each side a pfSense firewall in a VM.

The criticality of this environment is very large. So we can not have failures.

In the pfSense shop are many appliances are able to get.

C2758 1U (Intel Atom C2758 SoC) XG-2758 (Intel Atom C2758 SoC) XG-1540 (Intel Xeon D-1500 SoC)

I just want to know if the GA-9SISL is a good option to run the Pfsense firewall.

It is an Intel Atom C2x50 (Avoton) based board that comes with AES-NI and TurboBoost that is
more made for building servers like Samba, Apache or hyper visors such as ESXi and the other
Intel Atom C2x58 (Rangeley) SoC is coming with AES-NI and Intel QuickAssist that is
perhaps later then better for pfSense or so called more future oriented.

I work at a company that has 20 users and I would like to secure our network with a Pfsense firewall.

And the WAN throughput is how much?
Which additional packets you want to install on top?
What else you want to run on the pfSense firewall?
(Snort, Squid & SquidGuard, ClamAV, SARG and pfBlocker-NG)

Gigabyte GA-9SISL only is for ~520 €
compared against the other board
Supermicro A1SRi-2758F is for ~380 €
2 x 8 GB ECC RAM will be for ~110 €
M350 case is for ~50 €
All in all for ~540 € only a SSD and the PSU is needed then to close it up!

And both are coming together with Intel i354 quad port GB NICs and pfSense
supports that NICs with the igb(4) driver by default.

Thanks for the replay. By the way, how much memory do you think I will need? 4GB, 8GB 0 16GB?

This is not so easy to answer because it depends all on your configuration and use case plus workload. 
2 GB pfSense firewall only
2 GB - 4 GB firewall & Snort & Squid as http proxy
4 GB - 8 GB firewall & Snort & Squid as a caching proxy & SquidGuard & pfBlocker-NG
8 GB - 16 GB firewall & Snort & Squid as a caching proxy & SquidGuard SARG & pfBlocker-NG & ClamAV

Ill shed some light.

I'm not really fussed about power or noise as its getting tucked up out of the way into a sound proof room :)

It will be fed by a dedicated 1Gb  symetrical fibre line.

It will also be linked to a 10Gb  switch Via SPF+  which will also see a 25 x 3TB hdd server ( 70TB ) attached.  This will also connect to the net and have a FTP running off it.

Id like to know it will be able to cope with the internal demand and demand from the net.

I will no doubt also be running  a little  wireless lan off this also for local gaming partys , so being able to cope as max speed as possible would be reassuring.

Plus i want it to be future proof, as to when i fibre my home network as the kids never seem to go out and love watching films, downloading crap 24x7.

Keyz

Having bypass is pretty much the antithesis of a the basic purpose of a firewall.

If you just want to use the security/scanning/logging options of pfsense passively it would be a lot better to use a tap. I would start to point you to software more specifically designed for that though, such as security onion etc.

@ddarlington36:

OK I was thinking of taking a shuttle barebone DS81 combine it with Intel i3 4170 an adequate ssd

The config should be fine.

@ddarlington36:

An run pfsense from a vm as there will be multiple VM in my setup.

Apart from the typical "not to do it in VM" reply, for an i3, I would not recommend VMs. I have tried it and you will not be happy with the response times, unless the other VMs are not too CPU intensive.

@ddarlington36:

I was thinking  the main os/ should be windows server 2012 r2  and from there through the VM hyper-v dedicate pfsense to assign both  lan / vlan    along with a VPN and a freepbx on the same box. Would I be able to assign the physical wan nic(ISP) to pfsense in this scenario using hyper-v/esxi 5.5 as the vm

Doable but, as I said above.. don't expect it to fly

@ddarlington36:

This is just my own setup here just looking for the easiest solution to meet my needs
Shuttle ds81 dual 10/100/1000m RTL 8111g
CPU Intel i3 4170  picked mainly for AES-NI for VPN
ssd crucial mx200 250gb

ISP 100m/20m
Would this be capable of this type of load for the hardware chosen?

Capable.. yeah. You can throw SQL Cube configs on it. It would provide you the results.. but not speedy response. You also didn't mention the RAM on it.

Your config would be good (with 4GB RAM) for a pfSense installed directly on the SSD. For VMs I would recommend at least i5/i7, preferably Xeon with sizable RAM to accommodate the number of VMs you intend to host. Look into vmware rather than Windows VM.

I like this approach because many modern hardware although they have onboard speaker, or at least they do have speaker header connector, they don't play any sound at the beep command.
It's somehow related to the onboard soundcard.

For example, on an HP t5730 thin client, you don't get any beeps - using beep command (not even in Linux) unless you keep the onboard soundcard enabled on BIOS.

ac WiFi is not supported under pfSense!

1. Which device is recommended for my application? 2220 or 2440? I assume 2440 because of the ability to add extra storage for Squid, but I'll let the experts chime in.

Building a fully UTM device, for ~14 users, with VPN & gaming on top and a future climbing
up Internet connection till 1 GBit/s is not really the point, but more how many throughput you
will get out after passing all this things!?

So if i am in your situation I would more deal with the SG-4860 or SG-8860 or alternatively;

Netgate RCC-VE 8860 (budget hint) self made SuperMicro C2758 self made Xeon E31225v3 self made Xeon D-1518 or D-1528

2.  Purchasing from Pfsense direct offers two support calls - Does it also include access to the 2.1 book that comes with Gold?    While I am not clear on its content, my hope is it include some 'recipes' for setting up and tuning configurations.  Most of what I've done has been based on Google-fu and forum reading, and I'm sure the book will cover topics not found easily in search.

The most you will get out of the pfSense Docs because they are even maintained and a book get fast outdated

The 2.1 book is available to get hands on The older book will be also nice to dig out informations about pfSense Also nice to have and getting much out of this Squid performance tuning

3.  Will the AES-NI of these devices help VPN clients on the network, or is it just for pfSense-based VPN?  Same question applies to the future implementation of QAT.

Just for pfSense based VPN with best results using IPSec (AES-GCM) Intel QuickAssist is actual not present in the pfSense code or activated, but could be a real gain.

4.  Futureproofing is top of mind for me, as I expect line speeds to increase from my provider.

Routing the 1 GBit/s will be not so far away, at the moment the PPPoE part is only single threated but not
for ever and they are working on this I am pretty sure, because many peoples are getting 1.000 MBit/s or
plain 1 GBit/s at the moment.

I've spent a good part of the past two weeks reading about the SuperMicro 8-core builds, which the general consensus is it's massive overkill for my needs,

I am not really sure about what we are talking here now, but let me explain it backwards for you.
Please go and Google-fu for UTM devices and their price if they are able to deliver 1 GBit/s after
passing the following tasks;

NAT firewall rules Snort (IDS/IPS) http proxy (squid) AV Scan (CalmAV)

And then we should talk once more about what is overkill or right sorted to handle this for;

14 users (likes a small or SMB company) Gaming, VPN, streaming, QoS, VLANs (perhaps) firewall, Proxy, IDS, AV scan (full UTM) tasks
And then on top perhaps 1 GBit/s routing at the WAN port would be not really overkill to go with a
8 Core Intel Atom SoC in my eyes. Others might see it different.

but my concern is when I do get gigabit and want to run all these services - will I need to upgrade again,

No you don´t must do this, but if then only 200 MBit/s - 500 MBit/s throughput are there you
must live with this.

or would these devices keep me in firewall/content filtering bliss for years to come?

Could be or not, this is not so easy to answer, because the development team is really hard working
on the pfSense code!!! It could be that you were better gone with an Intel Xeon E3-1225v3 or, and
this is the part no one could answering you today;

netmap and DPDK will speeding up the entire routing process massively really CPU multicore usage also on the PPPoE WAN part will be jumping in Intel QuickAssist will be enabled to speed up OpenVPN & other VPN connections AVX/AVX2 registers will be used for some other parts to be acting faster or more strong Other unknown things are occurring and pushing the entire system based on there capabilities

Again if I would be in your situation I would really thing about first or twice and the decide to go
with something what is really nice, power saving, but strong enough to handle all this load and tasks!
My favorite would be a SG-8860, Netgate RCC-VE 8860, Supermicro C2758 or a self made Intel Xeon
E3-1225v3 system that is able to handle all of your wishes and fitting your needs. Being future proof
I would suggest to go with AES-NI and Intel QuickAssist or on top ready for DPDK enabled software.

To all of you:

Thank you for your replies - very useful.

It looks like the SG-2220 is just what I need.

I will order it one of these days from Voleatech.

Thank you again.

Vargr

Thank you for all the support. You guys come to rescue when ever I am struck.

All these while I used to install using CD, typically it used to take ~20 min. And with this particular motherboard it completely failed.

As recommended by BlueKobold I installed from USB pen drive and zoom it went with out any issue. It took just 90 sec for the whole installation.

Thank you.
Ashima