• Please explain in detail a "manual kldload" ?

    0 Votes
    6 Posts
    1k Views
    stephenw10S

    This is not an easy task. There is no FreeBSD driver that includes support for that hardware.

    So to make that work in pfSense you need to add that hardware ID to the driver then compile it in FreeBSD and move it to pfSense.
    If that hardware device has any different requirements to the other chips you will also need to add code to support that in the driver.

    Swapping it out for a supported NIC will be waaaaaay easier!

    Steve

  • 0 Votes
    4 Posts
    479 Views
    A

    I'm interested in ballpark IMIX and IPERF over IPSEC throughput for these older models

    8 core CPU - C2758 any results from models SG-8860, C2758 4 core CPU C2558 SG-4860, E3845 MBT-4220 C2358 SG-2440 2 core E3826 MBT-2220 C2338 SG-2220

    Or -

    Where do these older boxes line up against the 4100 and 6100 appliances in terms of IPSEC throughput?

    For ipsec throughput, are there general trends / correlations with core counts vs base cpu clockspeed vs number of tunnels?

    acknowledging in practical terms, we're probably bottlenecked by the ISP's offnet traffic shaping

    Qualitatively, how does Wireguard throughput compare against IPSec without QAT acceleration on CE ?

    I'll assume past C3558 based appliances, perform roughly about the same as the 6100, assuming 1 gbit interfaces.

    I got side tracked with IPERF3 - the top google result points to out of date windows binaries from 2016.
    Future readers looking for an IPERF3 Windows client, should visit the IPERF3 author/developers at https://software.es.net/iperf/ for a link to current binaries.

    Here's a data point from a pair of SG-2220 's

    2 core atom C2338, no QAT
    Running Plus ( 23.01 )
    Through NAT , minimal firewall rules, 500 to 600 mbit throughput ( Iperf3 , and netflix's fast.com )

    IPERF3 over IPSEC
    IPERF3 3.13, Windows clients on interface ETH1, and IPSEC ( async crypto on, AES-128-GCM VTI ) on ETH0
    I get between 275 and 350 mbit, depending on IPERF3 options, number of streams (-p) , uni vs bi directional etc.

    Packet capture of the IPSEC interface showed a 1360 byte TCP payload, in agreement with a 1400 byte MTU
    A back of the envelope calc yields about 33k packets per second.

    I couldn't get the windows binaries of IPERF3 to generate smaller frames. The MSS option may not be implemented on the windows version.

    (With AES disabled / misconfigured as QAT under system, advanced, misc, throughput was about 110 mbit. )

  • Is this enough to run a symmetric 1Gb download/upload connection?

    0 Votes
    9 Posts
    516 Views
    D

    @riahc8

    I believe so

    Thanks
    Dan

  • Intel I226-V: Good or bad?

    0 Votes
    13 Posts
    5k Views
    R

    @stephenw10 said in Intel I226-V: Good or bad?:

    If it's possible someone will try it. 😉

    Well, that is true. Good leaving a disclaimer.

  • Watchguard 800 Install Problem

    Moved
    0 Votes
    3 Posts
    280 Views
    stephenw10S

    This: https://forum.netgate.com/post/969072

    Can be worked around with this: https://forum.netgate.com/post/983284

    So at the first boot interrupt the boot at the loader menu to reach the loader prompt OK>

    Then enter:

    set debug.acpi.disabled="apei"
    boot

    Then once it's booted create the file /boot/loader.conf.local and add the line:

    debug.acpi.disabled="apei"

    Steve

  • Supermicro SYS-5019D-4C-FN8TP NICs not detected

    0 Votes
    5 Posts
    499 Views
    N

    My network interfaces are now being detected! I restored the BIOS config to "Optimized Defaults" and on the next reboot all interfaces were available and I got the expected configuration menu with pfSense 2.6.0.

    For reference my system was shipped with BIOS 1.7.

  • How to blank the screen to save power ?

    0 Votes
    13 Posts
    959 Views
    johnpozJ

    @madbrain said in How to blank the screen to save power ?:

    "something went horribly wrong" case is one where I would need the console

    Couldn't you just then plug it in? I have been using pfsense really since it first came out, and I don't recall ever anything going wrong where I needed console. Not saying it can't, I might have had a remote update go belly up once - which is why I didn't do remote updates during covid and not able to be local, etc..

    The console isn't all that different than just sshing in - which I do all the time.. The only time I ever plug in a console is so I can watch it upgrade, etc. Or I do a clean install.

    My point is if you're having some issue with the monitor turning on when you don't want, etc. Seems to me the simple solution would just not plug it in to pfsense. The odds of you actually needing console are really slim, gui is where you do all your config - and if you want to play on a "console" you can just ssh in, etc.

    The only reason I am on ssh all the time, is running commands to show users stuff, like how long unbound has been running, unbound control commands, which really could be done from the gui for most of the stuff. But I am a command line guy at heart, etc.

  • 23.01-release

    Moved
    0 Votes
    3 Posts
    353 Views
    E

    @stephenw10 Thank you stephenw10. May not be worth the trouble. 1gb with existing nic works fine (slow). elmo

  • Help finding a compatible NIC

    0 Votes
    4 Posts
    454 Views
    stephenw10S

    Mmm, I would expect that to be supported by re(4). We'd need to see the PCI IDs to know for sure.

    None of the cards listed there really look that great. You want to use something Intel based if possible. Used OEM rebranded cards are almost always available.

    See: https://forums.servethehome.com/index.php?threads/list-of-nics-and-their-equivalent-oem-parts.20974/

    Steve

  • 0 Votes
    3 Posts
    385 Views
    R

    @stephenw10 said in NEW SFF Intel build with 4 NICs that can handle symmetric 1Gb download/upload?:

    You have three topics open covering basically the same thing here.

    Not really

    One is asking for clock speed.

    Another a SFF build

    Related sure, same no

  • 1 Votes
    5 Posts
    644 Views
    Dobby_D

    @pietrushnic said in Our Response To PC Engines Open-Source Firmware Sponsorship Discontinuation:

    @dobby_ Dasharo is open-source firmware distribution maintained by 3mdeb company.

    Thank you for enlightening me on that.

  • Intel i226-V not recognized

    0 Votes
    92 Posts
    48k Views
    C

    @patryan Thanks, Good to know.

    I've been nervous about Dev builds in my live environment though TBH. Were it not so critical as your firewall, then I might have been less concerned but given the potential security risks, it's not something I am immediately attracted by.

    My issue right now is anyway not on my live environment, it's merely my backup onto which I cannot (easily) install pfsense. So I am OK for now on 2.6 (ending of FreeBSD support notwithstanding). But if I have a hardware failure, I am toast since I have nothing to fail over to.

  • How do you add a driver to a pfSense install?

    0 Votes
    18 Posts
    4k Views
    F

    @f4-0
    @stephenw10

    A lot of interesting progress, I am going to start a new thread since I am facing a new set of issues, but in general the Ubuntu base install + KVM + pfSense works (partly so far).

    I learned a lot about KVM... great piece of kit for Linux, running natively that way.

  • Intel I225V B3 will not hit 1gbs on WAN

    0 Votes
    9 Posts
    966 Views
    cappieC

    @abent32 is your connection PPPoE? How's the CPU usage?

    There's a long thread on ServeTheHome about these boxes and I'm sure it's on there someone had an issue like this. Can't remember how they fixed it but the entire thread is a good read. Just don't fall for the upsell of the N5105/J614x. Most pushing that are either virtualizing the firewall or letting a lot of CPU power go to waste.

  • Tmobile 5G hotspot and PFsense

    0 Votes
    15 Posts
    2k Views
    stephenw10S

    @monstermaxx said in Tmobile 5G hotspot and PFsense:

    Should I set the tmo interface to be tier 2 so it's on the cable modem unless there's a fail?

    Yes, I would do that.

    Also be aware that some types of connections can maintain their states indefinitely so will not fail back to the cable modem if they get pushed to the cell link.

    Steve

  • [SOLVED] Strange upload performance with Gigabit FTTH connection

    0 Votes
    55 Posts
    4k Views
    stephenw10S

    Ah, right I'd forgotten it ran correctly in Linux.
    Hmm, bizarre indeed. Only so much time you can spend diagnosing stuff...

  • Intel X710-DA2 and pfSense 2.6 gives NO CARRIER

    0 Votes
    12 Posts
    2k Views
    echel0nE

    Yes, our FreeNAS uses a X520-DA2, I will try hard-coding the speed/duplex on both the pfSense box and switch to see what comes of it and reply back after, thanks!

  • Supermicro AOC-STGN-I2S - 1Gbps support?

    0 Votes
    17 Posts
    1k Views
    M

    @stephenw10
    Will give it a try when I get some time. For now, first step of moving pfsense to bare metal is done.

    Thanks Stephen!

  • Realtek driver 1.98 driver-2.7.0.a.20230301.0600 development release

    0 Votes
    2 Posts
    223 Views
  • offline backup box in case main box fails

    0 Votes
    7 Posts
    973 Views
    S

    @john24634 said in offline backup box in case main box fails:

    Does Spectrum ISP Router provides NAT?

    No idea. If you plug a laptop directly into their router does it get a private IP address?
