• Access webgui (Wan)

    2
    0 Votes
    2 Posts
    571 Views
    B

    OOPS.  I don't think you're going to be able to hit that box without a serial cable or IPMI (if exists).  Someone correct me if there's another method.  Having this external management ability by default, like many other off-the-shelf firewall solutions, could open the unit up to DNS re-binding type attacks.

    In hindsight, you CAN add a simple rule to allow administrative access via WAN.  Even though I have done this myself at a couple locations on non-standard ports, this is still considered taboo by many security folks (even though the webserver isn't actually bound to the external interface).

    Dan

  • PfSense Build: KINO 945GSE

    1
    0 Votes
    1 Posts
    850 Views
    No one has replied
  • Sanity check/hardware for pfSense as 3G WiFi Hotspot

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • New pfsense build questions

    8
    0 Votes
    8 Posts
    4k Views
    R

    Thank you all for your suggestions. The SuperMicro X10SBA seems to have a very good feature set for the price, however it looks like it only supports a 32-bit UEFI bootloader, see: https://forums.servethehome.com/index.php?threads/how-about-some-bay-trail.2828/#post28536

    This causes problems when booting a lot of Linux distros. I am surprised it works out of the box with FreeBSD 8.3, looks like FreeBSD supports the 32-bit UEFI mode. However, would this be the same for future versions? Perhaps SuperMicro may release a BIOS update which may fix this issue, but I have not seen any post anywhere confirming this.

    Another option I am considering is an Asus H87I-PLUS ITX or Asus Q87T/CSM Thin ITX motherboard with an i3-4130T. Reports show it should run around 20 watts idle with a PicoPSU, probably lower for the Thin ITX. With some further undervolting and underclocking, this may even be further reduced. On the plus side, this CPU would be more future proof given its higher performance and it also supports AES-NI.

  • NEW PfSense for new LAN setup

    4
    0 Votes
    4 Posts
    1k Views
    T

    Thanks for the replies! :)

    Yes I already have Intel ethernet server PCIe card and a few of compatible 16 GB RAM non ECC modules.

    Q - Will ECC memory modules with an ITX server motherboard be "better" for the small office setup?

    Q - I am still deciding if I should go for i3 3120T or Pentium G3450T. Your thoughts?

    I need to go for SNORT and will need the 1Gb WAN and inter-LAN routing between coming file servers to users' LAN.

    I have not got the motherboard but thought Supermicro a good choice, I was initially going for a cheap MSI B81 ITX board.

    I did review Supermicro C2758/2550/2558 SOC motherboard but thought the 2.4GHz CPU speed won't make the LAN-LAN/WAN 1Gbps routing. Moreover I already have the Intel Ethernet Server card.

    For security and simple setup I chose to keep this PFsense on a dedicated physical machine and not on a virtualized machine.

    I read lots have success with their PFsense virtualized but the idea of it connected to WAN seems insecure. Moreover we don't have the in-house skills to support virtualization or even VPN access, hence the simplification.

    Q - Given the above, are we (non IT people) short changing ourselves? Our priority was security and keeping things simple for room to grow.

    Appreciate your time and candid comments.

  • IMPI carp?

    4
    0 Votes
    4 Posts
    1k Views
    P

    The BMC offering IPMI is a Linux computer bonding its dedicated interface and the first mainboard interface, using the mainboard interface as failover. You should generally configure it to only use the dedicated interface on a firewall.

    And no, you can't use it for CARP.

  • Single NIC pfsense box with Netgear GS108E - no WAN link.

    5
    0 Votes
    5 Posts
    4k Views
    DerelictD

    @dmmooney:

    @ Derelict: I don't think it's a MAC issue - connecting the new wireless router to the cable modem proved that.

    Proved nothing.  Do not think that cable modem service DHCP works like anything close to normal.

    do this on the switch:

    VLAN 10 - port 1 Untagged, port 8 tagged
    VLAN 80 - port 2-6 Untagged, port 8 tagged

    Put the cable modem on port 1, factory config pfSense on port 8 (ONLY Exceptions to default: WAN em0_vlan10, LAN em0_vlan80)

    Plug your LAN devices into ports 2-6.

    If it doesn't work, it's not pfSense.  Look elsewhere for your problem.

    It really is as simple as that.

  • AMD Opteron X2150 based boards?

    3
    0 Votes
    3 Posts
    1k Views
    M

    The CPU has been out for almost a year and no one is making embedded solutions yet.

  • Intel 82559 Pro/100 Issue: Can't rebuild kernel with updated driver

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S

    Yes you have to use a module compiled on FreeBSD 8.3 and you have to load it at boot using loader.conf.local. You can't load it after boot with kldload, you will just get the 'already exists' error.

    Steve

  • Would this work well

    23
    0 Votes
    23 Posts
    4k Views
    B

    I am not there, it's for someone else, I've just been asked to come up with something. And the odder the solution the better, so if I can get away with the APU great, but it must run those plug-ins if I am going that route.

  • New pfsense box for home use

    8
    0 Votes
    8 Posts
    3k Views
    M

    several vpns at once.

    Going with the dual core Pentium haswell @ 3ghz that I got for free. The ASUS H87I-PLUS looks like a good idea given its intel i217 lan. either 8 or 16gb of ram. An ebay Intel PRO/1000 PCI-e Gigabit Dual-Port Lan Card.

    basic cheapy itx case and a seasonic psu I have here.

    not sure what type of CF card/ssd to use, or just go with an old set of HDs

    EDIT: just found this for 175$ basically what the board and network card will cost me. -> http://www.ncix.com/detail/supermicro-motherboard-mbd-x10sba-l-o-celeron-j1900-75-101469.htm

    may go for this instead

  • Realtek 8111*

    2
    0 Votes
    2 Posts
    752 Views
    DerelictD

    Depends on your definition of "work."

    https://forum.pfsense.org/index.php?topic=81448.0

  • What would be the best SoC to run PF on

    7
    0 Votes
    7 Posts
    2k Views
    W

    @Jason:

    @Wolf666:

    I am building mine with the http://www.supermicro.com/products/motherboard/atom/x10/a1srm-2558f.cfm

    The bill of materials includes:

    1 - M350 (case)
    2 - 8GB Kingston ECC
    3 - Intel S3500 SSD 80GB

    In EU it will cost around 600€ (tax and shipping included).

    That board won't fit in the M350 case.  You need the Mini-ITX version.

    Yup, my fault pasting….it is the A1SRi model of course.

  • Atom D525 with PCI Intel and PCIe Realtek iperf tests

    10
    0 Votes
    10 Posts
    2k Views
    DerelictD

    It doesn't make any sense to me either.

    I did not clear states before testing, but it's my understanding that when the queues are destroyed, there's nothing in the state that would affect it.

    I have relegated re0 to my DSL backup WAN link. :)

    Thanks for your help.  I can try other things but I'm left with the take-home that re in freebsd 8.3 needs some work.

  • New user new build

    2
    0 Votes
    2 Posts
    841 Views
    E

    Yes, you'll be OK with that setup (Pentium G3220), but some notes:

    Modem must be "bridge" instead of router
    Wireless router must be set/used as access point

    So that PfSense is the only router on your network.

    Cheers.

  • Cannot acces system menu after upgrading to 2.1.5

    11
    0 Votes
    11 Posts
    2k Views
    K

    It's odd that you had to do anything at all.  I'm using Mint (Ubuntu) and it's unaffected.
    But I'm using Chrome Stable.

  • Atom C2758 vs i7-3370

    2
    0 Votes
    2 Posts
    2k Views
    ?

    Who can prove the veracity of any vendor claim?  I don't want to get into that.

    I can tell you that the AES-NI (AES-GCM) changes will blow the doors off AES-CBC (what you're seeing now).
    http://freebsdfoundation.blogspot.com/2014/08/freebsd-foundation-announces-ipsec.html

    I can also tell you that these changes are being tested against a C2758 and another, different Rangeley board.
    That said, they should work on the i7 just as well.

    Also, while it isn't running today, there is a "QuickAssist" part on the C2758 that will eventually run (I've just re-engaged Intel
    about it.)  When that code is finished (and in pfSense), it will blow the doors off the i7 as far as crypto is concerned.

    https://www.youtube.com/watch?v=M49TKu2cx-Q
    http://lkml.iu.edu/hypermail/linux/kernel/1406.0/01810.html
    https://01.org/packet-processing/intel®-quickassist-technology-drivers-and-patches

    (I might get the regex stuff going as well, which could help (a lot) with Snort.)

    http://marc.info/?l=snort-devel&m=128396544311154&w=2

    Quad core @ 3.4GHz, or 8 core @ 2.4GHz?  Hmm.

    The price for the i7 (80 SSD, 8GB ram, single PSU) on that site is $1,830.35.  The C2758 is $1500.

    Both are supported by the vendor, though the vendor for the C2758 is pfSense.

  • Supermicro X10SBA

    27
    0 Votes
    27 Posts
    6k Views
    ?

    @Moosecall:

    I think the old notions of Atom processors need to be re-evaluated or thrown out the window entirely with the Silvermont architecture (Avoton and Rangeley).

    From everything that has been posted by ESF recently, I expect the C2758 to be a workhorse for pfsense users

    I've got a C2758 board here with embedded Intel 10G.  It's my new toy.  With luck, I'll get things 'tuned' (likely: rewritten somewhat) to be able to packet filter and VPN at 10Gbps throughput.

  • Hardware for a 1Gbit line (tried a gigabyte MoBo with no luck)

    2
    0 Votes
    2 Posts
    984 Views
    J

    I'd go to the pfsense store link and just buy the c2758 based system all ready to roll.  Will easily support your requirements and comes with full support.  http://store.pfsense.org/c2758/

    Or, you can build it yourself using the supermicro barebones system - it is listed a few times in the hardware forum.

    My view is buying it from the store helps the project along and it's still significantly less than the commercial offerings from Cisco, etc.

    John

    @Tillebeck:

    Hello

    Can anyone suggest a board that should be able to run pfsense? 1Gbit line and 4-500 users. Prefer if it can be in a 1-2 unit box for rack mounting. Else just lay on a shelf in the rack, that is fine too.

    At least matching our current hardware (Intel Core 2 Quad CPU Q9400 @ 2.66GHz)
    minimum 3 NICs (of these minimum 2 must be Gbit)
    will be on 24x7 so preferably also long lasting

    Today we just boot from a USB stick. Open for suggestions on SSD storage if that is an advantage.

    Thanks

    -- Background --
    I have tried this board: http://www.gigabyte.us/products/product-page.aspx?pid=5087#sp but could not make it work as it is. It has two NICs, but only one is Intel. And pfsense could only see one NIC... so the "not-Intel" is probably not available at all. That, of course, can be fixed with a dual or quad Gbit NIC for PCI-e. It actually never made it past the "configuring firewall" step while booting from a live CD.

    I have now turned the Gigabyte board into a fine desktop machine (posting from it right now). Instead of buying different pieces of hardware I would much rather piggyback on your experiences. Hope the forum can guide me to hardware that is much more likely to run pfsense than what I have tried to buy so far.

  • Net6501-50 kingston ssd crash serial port not working

    17
    0 Votes
    17 Posts
    2k Views
    P

    Yes I will need some spares now, I will look your recommendations up and check into trim feature, thank you.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.