• How to know what CPU to use?

    6
    0 Votes
    6 Posts
    4k Views
    W

    @neggard:

    But what makes a CPU good for firewall use?

    I use Geekbench for my desktop CPU:
    http://browser.primatelabs.com/geekbench3/4514496

    If you go to that page you see a lot of parameters tested.
    What parameter is most important for pfSense in standard mode?
    What parameters should be good when I use VPN or Squid?

    If we know that, people could choose the right CPU for their system and be more satisfied.

    What makes a CPU good for firewall use is the same thing that makes it good for general computing.  Faster (clock speed) is better, if you're comparing CPUs from the same family.  More cores?  Sure!  You can run pfsense on a server with 32 cores and 512GB of RAM and it will be a very fast firewall.  But that's clearly overkill.

    My most heavily loaded pfsense system is a VM (actually two of them) in a failover pair. They each have a single virtual CPU running on Intel Xeons in the 2.2GHz range (they're on different hosts with different CPU families). They each have a single virtual NIC. The hosts have bonded NICs (one has four 1Gbps, the other has two 1Gbps). They route traffic between 6 subnets internally and the internet externally. They also host IPSEC and OpenVPN tunnels between four sites. The WAN at this site is 100Mbps symmetrical. With careful network planning, they are never a bottleneck.

    Once again, figure out your requirements first, and you'll be much closer to an answer. Choosing hardware for pfsense is not like buying an appliance. It's a general computing platform that happens to specialize in firewalling and routing. The Cisco ASAs we use for client VPN access are old and run on (I think) Pentium 4 technology. But they work just fine in the context they were designed for.

  • Solid Bronze SBC chassis

    27
    0 Votes
    27 Posts
    4k Views
    ?

    Here are the Summits. They look good but around 3 years handles start falling off and other fun stuff.

    http://www.summitmt.com/product-category/manual-lathes/

  • SG-2440 can't boot

    8
    0 Votes
    8 Posts
    3k Views
    J

    and hundreds of thousands of people use UFS without incident, too.

    ZFS is in the system for a reason, and I'm not exposing it just yet.  (cmb was going to take it out, and I said, "No".)

    cmb is right in that it's not a good fit for a typical pfSense box.

  • Looking for Hardware with: SFP/WiFi/AES

    8
    0 Votes
    8 Posts
    3k Views
    W

    @rippz:

    As I see it external WiFi access point is the way to go. The thing is all these "Access Points" you can buy nowadays are actually routers with a WiFi interface (at least the non-enterprise hardware). The only thing I found that supports the AC standard is: http://www.broadbandbuyer.co.uk/products/19129-cisco-smb-wap371-e-k9/

    Not sure if this is available where you are but some of the "range extenders" from SOHO hardware manufacturers can function strictly as access points as well.  The  D-Link DAP-1650 http://us.dlink.com/products/access-points-range-extenders-and-bridges/wireless-ac1200-dual-band-gigabit-range-extender/ comes to mind, and includes a switch as well.

  • Anyone have any experience with the Jetway JBC311U93 NUC

    8
    0 Votes
    8 Posts
    2k Views
    ?

    How about Intel "Driver  Health" I spotted in the BIOS on the Jetway???

    Never heard of it?

    Maybe an ethernet watchdog?

  • SG-2220 broken after config restore

    7
    0 Votes
    7 Posts
    3k Views
    G

    I contacted pfSense support directly and they noticed that the configuration file set the serial speed to 9600.  I changed the value of serialspeed to 115200 in the XML configuration file and it works perfectly now. Hopefully this will help others in a similar situation.

  • Is my Watchguard dead?

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10

    Which NICs are you using on the Firebox?
    The box clearly doesn't fail entirely since it's still sending CARP advertisements preventing the Secondary taking over. It's not reachable on any interface?
    That's an odd failure condition. However, unfortunately, as Chris says the age of the capacitors in those boxes means unreliability can creep in.

    I'm running 2.2.X on the fireboxes I have FYI. No real issues upgrading other than the switch to DMA by default which can be worked around.

    Steve

  • Choosing hardware based on throughput performance

    60
    0 Votes
    60 Posts
    22k Views
    N

    The board is superb… works and feels damn powerful :)
    Tons of CPU settings that I never thought existed :P

  • Xeon D-15x8 networking variants officially launched, perfect for pfSense

    10
    0 Votes
    10 Posts
    6k Views
    J

    @BlueKobold:

    For sure they will have their own charm and would perhaps also be chosen by the pfSense store and ADI
    to assemble some new boards for us, depending on whether these boards are capable of supporting
    both new functions, AES-NI and Intel QuickAssist. Perhaps we will see some interesting new versions of
    the XG-15xx appliance in the pfSense shop. I would be glad to see something new coming in this
    direction.

    This https://store.pfsense.org/XG-1540/  is the early version, getting ready for this: http://www.adiengineering.com/products/bcc-ve-board/, and, quite frankly, this: http://www.silicom-usa.com/PE310G4DE488BS3_Quad_10GbE_Broadwell_DE_SoNIC_Network_Adapter_93

    If you think we've not been involved in this since nearly day 1… you're mistaken.

  • High Load Troubleshooting - RCC-VE 2440 2.2.5

    11
    0 Votes
    11 Posts
    3k Views
    luckman212

    I had thought that too but if you look at the video I posted, you can see the dash value is actually updating, it's just staying steadily elevated. I think I am missing the FreeBSD mojo to dig into what is causing this… interrupts??

  • Lagg - lacp not working after upgrade

    16
    0 Votes
    16 Posts
    4k Views
    M

    I have changed NICs and get the same result.

    $ ifconfig lagg0
    lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
            ether 00:21:9b:fc:d4:fd
            inet6 fe80::221:9bff:fefc:d4fd%lagg0 prefixlen 64 scopeid 0xb
            inet 192.158.25.19 netmask 0xfffffc00 broadcast 192.158.27.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect
            status: active
            laggproto lacp lagghash l2,l3,l4
            laggport: bge1 flags=0<>
            laggport: bge0 flags=0<>

  • EMMC on 2440 - Smart Status UNKNOWN in widget

    5
    0 Votes
    5 Posts
    2k Views
    luckman212

    Awesome!  thanks again, works a treat

  • Raid Perc 5/I freeze when high write activity disk

    5
    0 Votes
    5 Posts
    1k Views
    S

    Mainly for reliability.
    In my past experience with RAID software used as boot volumes, when a disk is breaking, the entire system becomes unstable or there are unexpected behaviours, until the disk gets marked as broken.
    Also, there could be trouble during the boot process; above all when the first hard disk is broken, the system could refuse to continue to boot from the second hard drive.
    Anyway, I have to admit I could be wrong with newer pfsense 2.x versions.

    Update:
    I have looked further, and I found that Perc 5 is supported:
    https://www.freebsd.org/releases/10.1R/hardware.html#support
    Just scrolling down, close to line "[i386,ia64,amd64] The mfi(4) driver supports the following hardware: ".
    So the trouble could be from a different origin…  :'( :'( :'( :'( :'( :'(

  • Pfsense box recommendations

    7
    0 Votes
    7 Posts
    4k Views
    S

    This is good kit, have one myself:

    http://linitx.com/product/linitx-apu-1d-4gb-3nicusbrtc-pfsense-msata-firewall-kit-black/14244

    http://linitx.com/category/linitx-firewalls/1086

    Alternatively just look at what these are built from i.e. APU 1D System Board with 4GB RAM.  TBH, you'd get away with 2GB RAM.  I have this setup, and with 50Mbit going via the firewall, with Snort & pfBlockerNG, it's around 50% CPU utilisation.

    http://linitx.com/product/pcengines-pc-engines-apu-1d-system-board-with-4gb-ram/14344

    Stu

  • Full Install, Squid, Snort, VPN. SSD vs HDD

    10
    0 Votes
    10 Posts
    7k Views
    R

    Thanks for your comprehensive answer BlueKobold. Much appreciated!

  • DC Power Supplies

    5
    0 Votes
    5 Posts
    1k Views
    ?

    I like how the RC batteries use a separate monitoring circuit for each cell. That must be better than gang charging and averaging.

  • DMA error on NIC card

    1
    0 Votes
    1 Posts
    597 Views
    No one has replied
  • Choosing an appropriate system for a VPN and firewall

    6
    0 Votes
    6 Posts
    1k Views
    ?

    @Atreides:

    The 2220 says it has GbE, does it not support a gigabit network?

    Where does it say that? Here at the official homepage all hardware is shown and under each it states
    that they have "gigabit throughput", but not under the SG-2220. Link

  • This OK for home network?

    5
    0 Votes
    5 Posts
    2k Views
    ?

    You sure a N2930 is going to nat a 1Gbit WAN?

    Both, the Intel Celeron J1900 (04/2013) will do for 100% and the N2930 SOC will do it too, but it is newer
    (01/2014) also a dual core Celeron G3260T @3,2GHz will be able to realize the 1 GBit/s at the WAN & Snort
    but with more electric power usage.

    I only know that the PPPoE is only running on a single CPU core and that might be dropping the
    throughput some, but if you are connecting to the Internet over a static public IP address it would
    be no problem.

  • Pfbox getting in Booting loop

    8
    0 Votes
    8 Posts
    2k Views
    C

    I would definitely upgrade them all. No reason not to, and a number of reasons to do so.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.