Awesome! thats good to hear that OpenVPN supports AES-NI.

Now to build a pfsense firewall that can utilize its capabilities.

Steve,

Thanks for the info.
I will test it out and post my results out once I have time to work on it.

@midacts:

acoustiq originally posted about this CPU and motherboard

AsRock H87M i3 4330T [keep it low power]

I did post that, but my requirements have changed and my budget has gone down [other priorities], so my previous post will show my new dilemma. Any opinions on that?

LE - did a quick test with my 4 year old pfbox - Sempron 140, nForce430, 1GB DDR2, 2 x HP NC7770 and it's able to sustain about 250Mbps on both links. So the Xeon should be plenty for the new links… Or so I hope :)

@Jason:

I thought I replied to this yesterday but I guess I didn't.  Nothing jumped out at me in there (like I was seeing on 2.1.1 with the new igb driver).  If these just started recently and you didn't change anything then I'd suspect failing RAM or something similar.

It hasn't crashed today now that I'm home and checked it.  I removed the pfBlocker package last night because I found a better method to block some brute-force connections from external IP's.  So maybe it was caused by it.  I had only been running it for a couple of weeks.  Only changes were manual IP entries.

Will keep a close eye on it and see.  Thanks!

They go fairly quiet once you've turned them down. I don't run them lower than 32 but others have gone lower.

Steve

Interested in the Watchguard X5500e - is it still available?

Thanks for your reply, I was kind of expecting that.. Guess it'll a low-power mini-ITX atom motherboard.
The quest continues..

Maybe you got "lucky".  Some cores are from good yields where the VID would already qualify them for LV or ULV chips but the demand might not be there to package them as such.  Really depends on the actual VID of your chip though.  Alternatively, the board uses a fairly inefficient VRM so you don't see much difference.  I do know the 65nm chips tend to guzzle a fair bit of power (by today's standards), at least my E2160 did until so.

Just to answer your question:

if I receive 500 Internal server error, how I can get log file from console ?

Use menu option (8) to get a shell prompt, then the various logs are in /var/log, example commands:

You have already realized that 128MB memory is not enough to run packages. And actually I think 128MB will have trouble doing some built-in things also, so test first and "grep killed" in the log files to see if processes are running out of real memory.

If you look at a boot log from a similar box, for example this one from 2.1 on an X1250e: https://forum.pfsense.org/index.php/topic,71177.msg388754.html#msg388754

You can see that the next item to be initialised is the cryptosoft device. Something that may well cause an arithmetic error perhaps? Though because it's virtual it can't hang over from a previous config. Do you have any crypto hardware?
Then it's ACPI stuff and that could cause this. Do you have ACPI enabled in the BIOS?

Steve

Ok. Why are you using the USB connections? Do you have a USB keyboard?
Those Dell servers usually have at least 2 NICs on board you can use, probably Broadcom or Intel.

Steve

Thank You to everyone who gave replies here. Now have some manufactuer, part numbers to look for. Not sure which brand we will go for ?
Fibre stuff is new stuff to me. Needless to say, we are in the sticks.  :)

Thanks,
Barry

Those supermicros are better than my esxi hypervisor haha (asus p6t motherboard with 17 920 CPU, 24GBs of RAM). I looked at that 8 core machine (C27xx) and it uses 20watts…thats awesome http://www.webhostingtalk.com/showthread.php?t=1340107.
I am a tight wad. i try to keep an eye on watt consumption since this rig will be running 24/7.

I'd like to see how much a comparable jetway would cost. I do like that they have the NICs onboard, i just hope they work as well as a PCI NIC would.

In comparison to that GIGABYTE board mentioned in my last post, it would cost

$60+ dollars for the gigabyte board
$45 for 4GBs of RAM to start with
$60~ for a Pico psu (and a power brick)
$100-$150 for a 4 port Intel NIC
case
SSD/HDD

I think if i specced out the cost for the supermicro

$350 motherboard
$60 pico PSU
Ram
SSD/HDD

I think the gigabyte's celeron cpu and the supermicros atom cpu are clocked high enough to handle openvpn decently. Does more cores help out, or is it more like one core is used specifically for openvpn. Therefore having a higher clocked CPU would be better? The main downside to this ive seen is that the CPUs usually call for higher watt usage. like this guy has a dual core AMD, but its 65watts
https://forum.pfsense.org/index.php/topic,68741.msg376081.html#msg376081

I always weigh the odds and think about things for a while before i purchase them. Then i still get buyers remorse afterwards  :D

The cardbus works on intel cardbus nics but not the dlink for the dlink it also said reset failed.

You can put the 3/4G device on the lowest tier of a failover gateway group and it won't be used until the other gateway(s) go down. However by default pfSense pings evey gateway once a second so you'd have to disable apinger for that gateway. Even then could you guarantee not a single packet would use it?  :-\ Not sure.

Steve

With the BCM board removed…

/usr/local/bin/openssl engine -t -c

(cryptodev) BSD cryptodev engine
[RSA, DSA, DH]
    [ available ]
(dynamic) Dynamic engine loading support
    [ unavailable ]
(padlock) VIA PadLock: not supported
    [ unavailable ]

I cannot use cryptotest for a comparison as the output above shows that without the BCM board I don't have a compatible algorithm where algorithm is one of:
    des 3des (default) blowfish cast skipjack
    aes (aka rijndael) aes192 aes256 arc4

So using openssl instead for comparisons, testing without the BCM board first.
openssl speed

sign    verify    sign/s verify/s
rsa  512 bits 0.001150s 0.000122s    869.4  8214.2
rsa 1024 bits 0.005187s 0.000296s    192.8  3377.4
rsa 2048 bits 0.031142s 0.000894s    32.1  1119.2
rsa 4096 bits 0.196700s 0.003057s      5.1    327.1
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000893s 0.000970s  1119.7  1031.2
dsa 1024 bits 0.002461s 0.002825s    406.3    354.0
dsa 2048 bits 0.008048s 0.009546s    124.3    104.8

With the BCM board installed.
openssl speed -engine cryptodev

sign    verify    sign/s verify/s
rsa  512 bits 0.000350s 0.000038s  2854.3  26445.7
rsa 1024 bits 0.000555s 0.000053s  1801.6  18825.8
rsa 2048 bits 0.001310s 0.000107s    763.5  9315.1
rsa 4096 bits 0.647222s 0.003194s      1.5    313.1
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000389s 0.000415s  2571.9  2410.9
dsa 1024 bits 0.000584s 0.000511s  1711.0  1955.9
dsa 2048 bits 0.000760s 0.000684s  1316.0  1461.9

From my calculations there is a worthwhile performance increase using 512, 1024, 2048 certs, but a performance degradation using 4096 certs. 2048 bits is almost 24 times faster on signs and more than 8 times faster on verify. The BCM board was also tested in a regular 32 bit 33Mhz PCI slot when it should be in a 64 bit 66Mhz slot. CPU is 2.6Ghz Celeron.

rsa 512 bits   3.28      3.22
rsa 1024 bits   9.34      5.57
rsa 2048 bits 23.79 8.32
rsa 4096 bits 0.29        0.96

dsa 512 bits   2.30        2.34
dsa 1024 bits   4.21        5.53
dsa 2048 bits 10.59 13.95

So my conclusion is that the ubsec kernel module is working and I will be changing all my rsa and dsa certificates to 2048 bits. I will also be looking for a pair of Xeon based systems with PCI-X slots now.

@joltman:

@Jason:

Based on a search of the part number that seems to be a card for compression, not crypto.  It won't do anything at all.

Boy, am I glad I asked before buying!  So the question becomes, what would be a good card to add for crypto to my pfSense box?  It's an Atom with a free PCIe 8x slot (4x electrical).  Thanks!

None, I'm not aware of any PCI-e cards that work with pfSense.  The older PCI cards will likely be slower than none at all.

If you need more than throughput over a VPN tunnel then you'll need a faster machine.

You need to give more info on what you plan to do with it.

Ok. I see it would be nice to have a self contained appliance but I think you'll be paying a lot for a box with more interfaces rather than just using, say, a Netgear GS105. It will be much faster at switching as well.

Looking at smallnetbuilder review of the RV042 I see it's performance is broadly the same as an Alix (with VPN card) with pfSense.

Steve