Snort eats memory like nothing else especially if you don't take steps to prevent it from doing so. In that respect your increased memory usage is completely normal. However you do not, ever, want to be swapping. It will bog down the performance dramatically. If you're not seeing that then it's likely the swap usage was not a continuous thing but it shows you are the edge of your ram requirement. You should probably either take steps to reduce Snorts footprint or add more ram.

@http://mikelococo.com/2011/08/snort-capacity-planning/:

RAM
Each snort process can occupy 2Gbytes-5Gbytes of ram. How much depends on:

Traffic – The more traffic a sensor handles, the more state it must track. Stream5 can use anywhere from a few Mbytes to 1Gbyte to track TCP state.
Pattern Matcher – Some pattern matchers are very CPU efficient, and others are very memory efficient. The ac-nq matcher is the most cpu-efficient, reducing CPU usage by up to 30% over ac-split, but adding over 1Gbyte of ram usage per process.  The ac-bnfa matcher is quite memory efficient, reducing ram usage by several hundred Mbytes per process, but increasing CPU usage by up to 20%.
Number of rules – The more rules that are active, the more memory the pattern matcher uses.
Preprocessor configs – The stream5 memcap is one crucial factor for controlling memory usage, but all preprocessors occupy memory and many can be configured to be conservative or resource-hungry.
A Snort process inspecting 400Mbits/sec of traffic, with 7000 active rules, using the ac-nq pattern matcher (which is memory-hungry), and a stream5 memcap of 1Gbyte uses about 4.5Gbytes of RAM. With a smaller ruleset and the ac-bnfa pattern matcher (which is memory-efficient), I’ve observed snort processes use about 2.5Gbytes of RAM.

Note that the operating system and other applications will need some RAM as well, and if you don’t have unusual needs 2G is generally plenty. A detailed discussion of RAM sizing for the database is beyond the scope of this post, but generally for a multi-snort deployment it’s worth putting the database on a separate server that has 1-4Gbytes of RAM.

Steve

If you have a look I got AX88179 working on 2.1 with some kernel modules I backported.

The other ones you will need to recompile kernel at least with the modules deselected as far as I understand.

@ozlecz:

does this mean pfsense whatever release cannot add or modify anything that is on freeBSD HCL it is based on

No, I just said the exact opposite of that. The base OS is FreeBSD 8.3. The dev team has updated some drivers to allow newer hardware to function, notably, as per this thread, the Intel em, igb, and ix drivers.

Once 2.2 drops the base OS will be changing to FreeBSD 10, bringing with it updated drivers across the board.

The Novatel shows up as a USB Ethernet interface.  You set it to DHCP and you're off.

If it was a bad drive then I would expect to see some errors in the system log. Check the SMART status.

What is in the log? I would expect to see some errors or warnings if the WAN connection went down for some other reason.

What NICs are you using? There were some driver changes between 2.1 and 2.1.1.

Also you should go to 2.1.2 now.

Steve

@Keljian:

@Harvy66:

@Keljian:

Pci-e 2, which is what the card is, specifies 500MB/s per lane (in one direction at a time)

Which should be enough for 4 port 1gb(125MB/s/port).

not really. As 1000mbit is actually 250 MB/s per port as it is full duplex. (down and up at the same time)

If you're going to count both directions, then we need to adjust PCIe 2 to be considered 1GB/s per lane.

Thanks for the responses. I’ve pulled extra unneeded hardware from the server, ordered 4GB ECC RAM for $15, and put in the intel NICs. I'll also test squid. I imagine the iops from those 15000 rpm drives should be good enough.

rizwan602, thanks for the reply.  On any of your boxes listed, did you take them through a bios reset?  Red jumper next to the battery.

With 2.1.2 now out I guess a reboot will be in order anyway.
Still left with the fact that the behaviour of the box is unexplained. What happens if someone hits scroll lock again in the future? Always better to solve things by actually understanding what happened.  :)

Steve

The real Intel i350-T4 cards work just fine in a x1 slot.  Personal experience.

There was actually a CP bug in 2.1.1 that will be fixed in 2.1.2 (coming hopefully today)

https://github.com/pfsense/pfsense/commit/bde74857a876ef87795f1cd09e12c33d160ce175

But that wouldn't necessarily have caused issues for everyone.

If it doesn't work on 2.1.x, then you'll probably have to wait for 2.2.

Hmm, that's….. interesting.
Some time ago there was an issue with the graphics drivers for the newer (at that time) Atoms such as the D2500. The driver was eventually fixed upstream and is now included in pfSense. I never saw the problem first hand but descriptions of it sound a lot like what you're seeing. There were work-arounds at the time I seem to recall.

You could try, just as a test, booting a 1.2.3 image. They didn't suffer from that problem. If that works you can probably upgrade in place to 2.1.1.

Steve

I have had issues with a similar Foscam camera where you need to "search" twice for the SSID before the list will properly display. I am not using the same wireless AP as you but just thought I would mention this.

Hmmm… well, maybe someone with hands-on experience on the xSeries HW can chime in.... A quick Google search shows huge amounts of ACPI-related trouble with this kind of HW and BSD.

@Jason : I have a quotation from fit-pc.com for an Intense PC 2 + FM-4LAN module. They don't require me to buy extra stuff…

@Nadrek : Thank you very much for the feedback ! I hope the FACE module is the same between FIT-PC3 and Intense PC 2. Can you confirm you have 4 X Intel 82574L network interfaces ?

Higher end NICs, like the i350, support having "virtual hardware" NICs. The i350 supports up to 8 virtual NICs per port, each with their own frame size, VLANS, and interrupts. They work exactly like separate physical NICs and report to the host as desperate NICs.

In this case, you can use the VT-D, or whatever, and pass through the "hardware" virtual NIC directly to the guest and get rid of the overhead of passing it through the host. Because guests are not really aware of each other, the i350 specifically, has an internal switch, and can switch traffic between these virtual NICs without having them go out to the switch and it does this at the full PCIe 2.1x4 speed(2GB/s full-duplex).

@stephenw10:

Interesting. CPU usage across 8 cores may be somewhat non-linear perhaps, harder to extrapolate.
They do have that data labelled as 'preliminary' so perhaps so test refinements are still to come.

Steve

I was talking per core.

@ouldsmobile:

Cool, which VM software would this kind of setup work with, or what is the recommended software to use. I only have experience using virtualbox. I have never tried any of the vmware products yet.

Thanks again.

Kevin

I'm not the right person to ask as I only use vSphere and I'm guessing you don't want to reinstall your existing system and make file services virtualized as well.  You should hit up this section of the site for help:

https://forum.pfsense.org/index.php?board=37.0

http://drivers.portwell.com/CA_Manual/NAR-5500/NAR-5500%20Manual%20v1.2.pdf

Would this link be helpful?  It talks about the LCD screen.