• IN errors on SK Interface on a Watchguard x750e

    8
    0 Votes
    8 Posts
    2k Views
    P

    Surprisingly, moving the LAN2 interface to the MSK3 network ended up generating more IN errors on the LAN2 port than the errors that were being generated on the SK interface. LAN1 continued to receive 0 errors on the MSK interface.

    So I went ahead and moved LAN2 back to the SK interface, where it slowly generates some IN errors. Since my LAN1 and all other interfaces are working error free, I am going to leave things as is. Not really sure why I am getting any errors, but with how little traffic goes through my LAN2 interface I am not really concerned at this point.

  • 10G Dual port NIC - Please recommend

    27
    0 Votes
    27 Posts
    7k Views
    W

    This is exactly what I did. ESXi and pfSense as VM with VMXNET3 NICs.

  • For Sale: Watchguard Firebox's Various Models

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S

    Whereabouts are you? Shipping to?

    Personally I already have too many of these but others might want to know that.  ;)

    Steve

  • Pfsense DHCP working but nothing else will

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10S

    If it is a firewall issue you can temporarily disable the firewall entirely from the console with:

    pfctl -d

    Go in and disable or uninstall Snort, or whatever is causing the problem, then re-enable the firewall:

    pfctl -e

    During this time you will have no firewall of course!

    You can also look at the logs from the console, for example:

    clog /var/log/system.log | grep timeout

    The firewall logs are stored as raw pf filter logs which are more difficult to read at the console but you can look:

    clog /var/log/filter.log | less

    You can also try to stop Snort from the console but in my experience (which was admittedly a while ago) it has a habit of leaving the block rules behind after it's been stopped:

    /usr/local/etc/rc.d/snort.sh stop

    Steve

  • Hardware backdoors

    20
    0 Votes
    20 Posts
    6k Views
    S

    Seems like my thoughts on DMA and bus mastering express real issues and that there is exploitation and research going on:

    "DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host.

    "Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS (operating system) implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy."

    The German Government funded research was closing in on its aim to develop a reliable detector for DMA malware.

    "At the moment we have a proof-of-concept that proves that a detector is possible," Stewin said in an email to SC. "It can find DAGGER."

    The proof-of-concept was based on a runtime monitor dubbed BARM which modelled and compared expected memory bus activity to the resulting activity, meaning malware residing on peripherals would be detected. [1]

    1 http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malware-hiding-in-peripherals.aspx

  • Update on build

    2
    0 Votes
    2 Posts
    1k Views
    M

    Good to hear…  I would certainly upgrade from the RC to the final release.  So easy to do with Firmware, Auto Update.

  • Thoughts on this possible hardware purchases?

    26
    0 Votes
    26 Posts
    5k Views
    L

    @drew27c:

    My internet connection is a measly 5/0.5 ADSL

    The business park we are in has oooooolllld infrastructure and there is literally zero other option for our connection.

    For this? I don't see the need for anything more than a Netgate 2D3. Add the HiFN crypto board if the IPSec brings you down. 15 users on a 5/.5? Let's be real. That puts you at $300/site. Buy a third as a hot spare or buy 4 and go HA.

    Nothing was said about squid, snort, AV, etc.  I've seen the Alix board handle 90 mbits (no proxy, no snort)

  • Recommendations for setup-and-forget "firewall only" nettop

    12
    0 Votes
    12 Posts
    4k Views
    K

    Also, the fewer packages you install and the more simple you make it, the more you can "forget it" and trust it's just working.

  • Best Quad NIC

    5
    0 Votes
    5 Posts
    3k Views
    M

    Thanks all.

    I've posted a more general question about hardware specs (http://forum.pfsense.org/index.php/topic,67351.0.html) and would certainly welcome your feedback there too!

  • WatchGuard x750e, HDD install and pfSense 2.1

    12
    0 Votes
    12 Posts
    3k Views
    Z

    The following worked for my setup:

    Remove CF card

    Set HDD as master

    In bios: Select the HDD in "Standard CMOS Features" by pressing enter and set "Access Mode" to "LBA", the rest is set to "Auto"

    That's it. PfSense starts in standard and verbose mode.

  • New build. Cautions. Will a board/nic be supported by pfSense?

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S

    I would be tempted to go for something a little older. USB3 is certainly not supported and I'm not sure about SATA3.

    Steve

  • Supermicro X9SCAA

    4
    0 Votes
    4 Posts
    2k Views
    J

    This looks to be a similar-but-updated board (newer Atom, newer glue chip, same NICs) of the X7SPE-HF-D525, which I've used very successfully. Mine is packaged as a 5015A-EHF-D525 server.

    Your board is lacking IPMI, which is something I've found very useful.

    Atoms are limited, see this post:

    http://forum.pfsense.org/index.php/topic,60783.msg328911.html#msg328911

  • NICs only performing at 500 mbps

    10
    0 Votes
    10 Posts
    2k Views
    stephenw10S

    I'm actually quite surprised you couldn't get more than 450Mbps. I would have expected at least 500 with Broadcom NICs. With Intel NICs and some tuning you should see over 600Mbps with a 1.8GHz Atom.

    Steve

  • Hardware Check

    29
    0 Votes
    29 Posts
    7k Views
    K

    Mine is rocking at about 4Mbps all day and night…

    Reliably too  ;D

  • Realtek 8111E drivers

    4
    0 Votes
    4 Posts
    2k Views
    P

    Steve, my bad.  I see it.  I was expecting to see 8111e but I see it as 8111G.

  • What can cause a box to crash? Swi5 interrupt use high CPU

    7
    0 Votes
    7 Posts
    3k Views
    stephenw10S

    Link should be:
    https://forum.pfsense.org/index.php/topic,62032.0.html

    Steve

  • MOVED: Centro Educativo

    Locked
    1
    0 Votes
    1 Posts
    698 Views
    No one has replied
  • WMIA-123AG(R)

    1
    0 Votes
    1 Posts
    915 Views
    No one has replied
  • [Fixed] Crash due to receiving jumbo frames with Applianceshop.eu Dual GHz

    12
    0 Votes
    12 Posts
    6k Views
    T

    Wrong to delete all files in boot/kernel.

    But does not matter. Problem should be solved in the new 2.1 release. Upgrade or reinstall to fix issue. Probably a better solution.

  • Looking at Intel NUC again

    7
    0 Votes
    7 Posts
    5k Views
    A

    i3 3220 does, and its friends will work.
    i3 4330 does as well and its friends should work as well. Different socket but same principle.

    Intel's basically throwing low cost servers a bone.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.