Hi folks,

there are often two camps if someone is talking about running pfSense VMs, the only ones love this
and consider but the other ones hate it and don´t want drive it in productive networks.

@kroberts
Did you perhaps thought about installing OpenBSD and let pfSense running in a jail?
Could be a solution for as I see it right.

Intel CPU

Intel Xeon E3 or Xeon E5 or the new one D-1500 would be great to know at first
for us to come closer to the point and guess you something.
For what exactly this pfSense appliance should run? Tasks? Users? Throughput?

Intel nics – 2 of them.  I wouldn't mind more being present but don't
intend to use them right now.

Tyan S5530
ASRock D-1500 Platform
Supermicro D-1500 platform

4g RAM, preferably can max at 8

Using ECC RAM can be good because the VPN keys are generated in RAM.
Alix APU 1C4 - little dog
Soekris net6801 (Q4/2015) - small bear
Lanner FW-8895 - great beast

Use embedded image, log to another box.

In some cases related to the security it will be good, but then you can install as
recommended pfSense on one "normal" box and the Squid, snort, logging and AV
tasks on another one.

At least one 8-lane pcie-v3 slot to handle a 10gbps nic just in case my scenario changes.

HotLava Systems Multiport NICs
High port density and much power by using original Intel chip sets can savemoney and PCIe slots
as I see it right.

Cheaper than QuickAssist hardware

Ok at this point I want that we both think about what you really want and/or
what you really need! The word "cheap" contingent on 10 GBit/s is here clearly
a thinking false of yours! 10 GBit/s is not cheap and will not be cheap. related to
the backside of the pfSense, I mean the connection to a DMZ or LAN Switch it
will perhaps going, but 10 GBit/s at the front side, the WAN side I mean, we
are talking about two different things and both are not cheap!

pfSense is still OpenSource but this means not it can handle every stuff on a
35 € hardware.

1u or possibly desktop, 1u preferred
Probably going to be Linux

As a Squid Proxy with AV, SquidGuard, snorting and logging ok, therefore Linux will be
also great, perhaps ClearOS or CentOS based. But this is not related to the pfSense
hardware you are asking here.

How urgent is vpn encryption in your scenario?
For how many peoples you have to set this box?
What kind and how much traffic is running through this Box?

Is a smaller Box for pfSense and a greater one behind this box
as a Squid, Snort, AV and logging proxy better for you?

Hello,

The problem I have with them now is, that all I can do is sending them back for a replacement or
buy new ones.
For sure you have to do this also if you are using other brands, as I see it right.

However soekris being based in CA and I sitting in Germany makes this somewhat difficult.
Not really, you are able to buy them here in Germany also, did you know this?
Tronico - Soekris dealer
Passman - Soelris dealer
Varia-Shop - Spare parts dealer

I also can not effort to have one spare box in storage for any occassion when
I just want to run a small office.
But you could run pfSense on two boxes simultaneous by using the pfsync over CARP or VRRP
so you would never standing alone there! Otherwise if a box dies it is not related to the brand
on it. Dead is dead!

Alix APU and Lanner FW-7525, 7535 or 7541
Will do the job also good enough for you, if crypto support for vpn is really important I suggest
to go with the Lanner boxes, they are quiet silent and sufficient enough for a home usage up
to 50 MBit/s VDSL or 100 MBit/s VDSL Vectoring. They can hold soekris vpn1411 cards or
comes with native crypto support (7725).

Hello HodKenneth,

this year you would have good luck and many choices to realize this project.
But it is in mey eyes more owed to the circumstance what this Firewall must
handle out for you.

Soekris is bringing out at the Q4/2015 a new net6801box and you will be able to add
2 quad port NICs so you will get 12 GB LAN Ports at total! Is this sufficient enough for you? If not or you want to go by an X86 device that is more powerful and/or you need more
GB LAN Ports I suggest to go by an Intel Xeon 4 Core likes Intel Xeon 1286v3 3,x GHz
and a multi port HotLava Adapter, based on the total WAN speed of 300/30! Otherwise two different vendors are bringing out new Boards, shown at the CeBit in Hannover
this year, at the moment they where no prices out for those both boards but they can fill the space
between the Atom and real Intel Xeon, here are two links to them, right to buy at Q2/2015.
Supermicro  X10SDV-TLN4F and X10SDV-F
ASRock Rack D1540D4X

Both comes with dual 10GbE LAN interfaces and would be powerful enough to handle your WAN stream.

Like want to go, from top till down:

Intel Xeon E3-1286v3 / 4 Core Intel Atom C2758 2,4 GHz / 8 Core Intel Xeon D-1500 2,4 GHz / 8Core Intel i5 / 4 Core Take one SSD or more as share see above at point 1 or go to Supermicro an serach the site for chassis No Squid, AV, Snort and other things it would be enough but as I see it right
you can also pimp many boxes by and mSATA or SSD later with no problems, also.

Try TP-LINK TL-MR3020 and put OpenWRT on it.

@edwardwong:

@mevans336:

@edwardwong:

My 1037U also come with case + PSU (not just a mobo), with CF card installed. But I have to agree that price on AliExpress is not that attractive (because the one I bought from Taobao is only USD 150)

I guess we just need to wait for x86 to catch up. :)

They do, look at those Rangeley platforms (C2358/C2558/C2758, some of them are selling in pfSense store), they are targeted for communication and really a good one, but too expensive, and that's the reason I built with C1037U instead.

Hello,

in the Q4/2015 Soekris will be placing his new net6801 model also with an Intel C2758
(8 Core / 8 GB) this could do this job also silent as I see it right, if you want to have a
look over here is a Link to them Soekris net6801

ok thanks, I have emailed them to see what I can do

Thanks

Righto, I'll give that a look later.

I've switched to Hybrid actually (you'll see reasons why in a DM is sent you).

Thanks :)

As far as I know the existing driver(s) only add support for the leds and reset switch. No other gpios. You would have to modify the driver or probe the gpios directly.

Steve

for $400 just buy something from the pfsense store.

Just did another test in early morning, I can see that it's pushing to the limit (during speed test CPU usage bumps up to 50-70%)

speedtest.jpg
speedtest.jpg_thumb

If your home is wired for Cable TV, use MoCA for either another wireless access point in a better location or to plug into directly.

For anyone that might find this thread again;
  - after a complete reload and more careful install of the various FireBox add-on's the box appeared to have become stable again, at least with no traffic load on it.

The only conclusion I can make, which isn't very scientific, is that during the first install I must've gotten something configured sideways, or my particular box has a hardware issue, or that the network interfaces hang after load.

Unfortunately, I couldn't risk another freeze like that and because I don't have enough time to troubleshoot it properly I ended up just switching to different embedded appliance I had laying around.

Thanks to those who offered input.

@Pidjey:

By the way, there are many linux services I would like to use (not avalible in FreeBSD)

'many' : Any of them something you should be running on a firewall appliance? Or not already available as a package format?

"load balance with one wired and 2 wireless connection".

That just sounds as a recipe for disaster! But if you insist on using WiFi as WAN connections :
< I would personally never use a setup like this for anything resembling business use / high uptime required >
I would plainly use "stable" AP's/receivers that receive the signal, and move it down the line by wire and feed it into your firewall.

Your wifi is no longer bound to FreeBSD drivers. Signal/noise ratio will be better in almost every case (range of most USB wifi dongles are f* horrible). No USB adapters (really, why even try..). 1 onboard nic / 1 dual port NIC expansion and you are set. or vice versa.

As to your opening post. Hyper-V seems to be functioning quite well for some people. A usefull thread might be : https://forum.pfsense.org/index.php?topic=75549.60
You will loose performance in any case. Especially on lower end hardware.
And I would still recommend against the use of USB adapter of any kind, let alone combined with a hypervisor / virtualisation layer.  3G/4G is a different matter.

I can confirm the onboard broadcom nic on the N40L does get detected.

You have powerd running on the cooler laptop.

Steve

It looks like that Supermicro board you posted is one of the best right now that I could find, alongside possibly one from ASRock (or a future unreleased board micro-ITX board).

I also started reading that E3-1200 V4 may be coming out soon, along with new micro-ITX boards for socket 2011 or 1151? Yet who knows when the processors to match will be released either. Who knows if they will be faster then V3 right now though.

There are still parts that confuse me now going away from ESXi and towards another piece of software/different CPU&form factor. The most important part now is to understand which is the best setup for running a virtual environment (mind you all, this is in a home and downtime isn't a problem from time to time). Its just a fast internet connection; thus I want to match it with something I can abuse if necessary and not be affected by high PPS networking or high demand either.

I see you mentioned that Xen is the best and fastest most likely. Would PVHVM be a way that a VM is created under Xen? Kind of lost here as I have only used ESXi before.

Also, the motherboard mentioned from Supermicro says HD4600 while one of the processors I could get says P4600. Would this matter or cause a conflict?

@Phishfry:

Quote:
"Is the up and down throughput on those fast enough to use as a primary connection?"

Kind of subjective. I use my mifi at work and i am happy with it. Mostly CAD stuff so nothing intense.

On ATT i see good speed at work. At home i see better speed with T-Mobile. Both locations less than 2 miles from respective tower. So i would say depends on towers and your local LTE coverage.
You need both antenna's for max speed.

I will PM you with module details….Bought mine from ebay seller "cheapslob" but they need flashing to DIP.

Alright I will look for the message, I though you said you had some that were already converted to DIP though?

thanks jason and steve..