• Intel D2500CC = Slow VNC performance?

    @pyrodex:

    @robi:

    What do you use VNC for?

    RealVNC with encryption. I think I found the problem as I had a dying SSD in the mix that carried over but didn't expose itself until re-image of the box during testing.

    If you can ssh to the box you could try to check the logs or dmesg and see what it says. Probably someone else here knows more about this than I do, but: I am not sure but I believe that many SSDs can move around data if a block (on the SSD) is broken? Could it be that the problem is in the rules of the firewalls? Do you get strange RST:s or similar? If you set your rules etc to log as much as possible you should be able to see what happens. Also tcpdump or similar tools could help you to find the problem, open a connection and see what traffic is sent/received.
    Any Celeron is from my experience not a good choice. A P4 or Quad Core (if you use the 775 socket) would probably be a better solution?

    /E

  • pfSense on Atom platform

    @packeteer:

    For some reason there are some compatibility issues running an X64 OS on a D2700.

    Although the D2500 is the next logical choice, it only supports 2 threads.

    I would go for the D525 or D510 CPUs.

    I just wanted to confirm that the D535 is a very nice CPU to use and it can take a lot of load/traffic!
    /E

  • Dual CPU Quad Core Xeon Server for $200

    @unplannedoutage:

    (Now, I'm no multi-thread guru, but this is how I always understood this)

    On the contrary, I see you ARE quite the guru on this subject!  :)

    http://forum.pfsense.org/index.php/topic,54475.msg294550.html#msg294550

    Anyway, next time I have availability to take down the network I'll give it a shot. Do you have any references/links for "tests" that I can run to validate your hypothesis? Also, is there any way to tell whether or not processes are in fact spanning across CPUs?

    Your knowledge of hardware is indispensable to many on this forum (myself included).
    Thanks!

    I was recalling, but couldn't actually remember where I made that post, now I can update it, thanks.  (Not that I made the effort to actually search for it, but now I have no excuse for not updating it.)

    Really, though, I'm mostly just good at regurgitating research.  I have no need to be right, but I do have a need for the right information to be available.  Half of my posts end up being "Hmm, I think I might know, but it'd be good to check it out and find out, and if I've gone so far as to research it, I'll learn it better if I formulate it into a post."

    What I was getting at was, if you're up for testing that, dude, please do!  I would be very interested in the results.  Feel free to show my hypothesis wrong.  We had someone testing real world results of the various virtual NICs available in VMware, was great to have tested info rather than just relying on conjecture (turned out to not make as much difference as expected, but some.)

    I don't know BSD well enough to help you with determining if a process is spanning.  I saw a post on another forum about a similar subject, a development forum, but the subject seemed to drop before any answers came out.

  • Recommended hardware for home 1Gbps WAN

    My pfSense box is built with 2 Intel Pro/1000 NICs and an Ivy Bridge i3 3220 CPU. It runs from ~400MHz up to 3.3GHz and uses very little power, the whole box uses 30-40W max. I have a small 64GB Samsung SSD 430 in there for storage, and a Seasonic 300W PSU. Don't worry about getting a T series 35W CPU, as that only really matters if the CPU is pegged at 100% use all the time. When it's idle it will run on a few watts (like 5 or so) regardless of the model!! My i3 3220 is a 55W TDP CPU, however the entire box uses 30-40W at the wall max, measured with a Kill-A-Watt.

  • Which Atom CPU to buy for pfsense?

    @tirsojrp:

    @margen:

    @extide:

    FWIW, It appears that only the DN2800MT has mSATA and the D2500CCE does not.

    D2500CCE has Mini PCI-e. Aren't Mini PCI-e and mSATA compatible?

    No, they both use the same connector.

    MiniPCI-e doesn't guarantee mSATA support.

    This is correct, while the connector is the same, they are electrically different. SOME motherboards will allow you to switch a connector between Mini PCIe and mSATA duty, however not all do this. You cannot assume mSATA is supported unless it is listed in the specs.

  • Raspberry pi

    @yaxattax:

    I don't personally think it is too expensive for what you get - wifi, dual gigE, audio for $149 (I can't find GBP). It could do with a RAM and processor upgrade though, seeing as today's phones surpass what is provided.

    I'm not sure exactly which hardware you're talking about (I assume it's safe to say not the Pi), but either way it's hard to compare them to such dissimilar hardware, like a phone; unless your phone has dual gigE and can run an x86 OS natively, at which point I would concede your point.

    In niche market segments like this, the price points may seem inflated, but that's an effect of volume, or the lack thereof.  They're not selling a million of these, so the price per unit goes up.  Even if you compare [whatever hardware was $149], price wise, to new phones it's still likely cheaper than most phones without the subsidies (à la carte, no contract.)  Hell, it's cheaper than just about any new desktop, cheaper than many decent used desktops once you figure in the costs of a second good Gb NIC and WiFi.

  • Budget PFsense Router

    @stephenw10:

    I think you must mean P4 because the fastest PIII that Intel made was 1.4GHz.  ;)

    Steve

    Yes, you're right. They're both Pentium 4's. Time to go to bed. :P

    My brother-in-law gave me both PCs this summer, they're several years old so I thought I'd give some input on what it costs me to run older hardware.

  • Can anyone confirm if beagle board will work with pfsense?

    stephenw10

    Exactly. pfSense is currently only supporting x86.

    Since you're looking at the low power end of things have you looked at the ALIX boards?

    Steve

  • How much traffic can I route with a 633MHz CPU?

    I've run some tests on the 633MHz box (specs below) and with iperf on default settings it can route 84mbit from one client to one server. It's probably safe to assume that this is a best case scenario, and with more clients and connections the performance will probably degrade.

    Specs:
    pfSense 2.0.1
    633MHz VIA Eden ESP 6000 CPU
    VIA EPIA-CL6000E motherboard
    512MB of DDR400 RAM
    2x VIA VT6105 LOM (Onboard 10/100 NICs)

    Hope this helps someone in the future. Thanks for all your help.

  • Scaling pfSense 50,000+ Users

    @Jason:

    Yup, which is why I recommend that most people go with a dual-quad or quad-core with as high a clock frequency as possible unless they're going to be using snort, squid, vpn, etc. where you'd be able to use more than 2 cores.

    There have been quite a few people here who've bought expensive dual quads or hexes with low clock speeds, only to find out that they're slower than an i3 or i5.

    I would not recommend multiple physical multi-core processors for a physical pfSense box.  If you're stuck with single or even 2 threads, having 2 separate processor dies can slow individual processes down if there aren't enough threads to occupy the logical CPUs.  Many OSs will cycle the threads between logical CPUs, which, when on a single physical multi-core processor, that's fine since the cache is local to the cores, but when it cycles between sockets it has to transfer the cache over the CPU bus (or pull from main memory.)  While it can do it fairly quickly, it's not helping.  Some multi-core designs share a cache, but even if they don't, the cores can usually snoop into the other core's cache really fast.

    For a pfSense box, I would recommend to not have multiple physical CPUs; multiple sockets on the motherboard is fine, just don't occupy it.  Not only would you be spending extra on a CPU that you're not effectively using, both in the initial purchase, but also the power to run it, but you may actually be slowing the machine down.

    Of course, if it's a VM host, cores are handy so the extra sockets may be beneficial, but that goes the other way from the original question, here.

    I'm right behind your clock cycle recommendation, though.  So a fast dual or quad core is probably a sweet spot for a high volume pfSense install.  "Server" grade boxes will use a Xeon, but that's not going to buy you much here.  The main thing a Xeon really gives you is usually an option for more cache, better multiple physical CPU support, and the possibility of more cores, neither of which is going to make a huge difference for you.  It'll be hard to get away from it in a "serious" OEM server, like a Dell or HP, but you can find lower end servers with "desktop" type CPUs for less, it just might not have the options for dual power supplies and such; which I would want for a router with a bunch of people behind it.

    I don't think the box needs to be parallel large, just singularly fast.  Same with other components, like a smaller amount of fast RAM rather than gobs of slower RAM.  (When I say smaller amount, I mean in the 16GB to 32GB range, rather than the 192GB+ side.)  You don't need a bunch of disk spindles, it's not a file server or a database, I don't think any data transfer tasks wait on disk reads or writes (after boot-up, of course), as long as there is enough RAM it shouldn't hit swap (much), so a single or mirrored SSD is good.

    Fast NICs on a fast bus, but, and this may sound counterintuitive, maybe limit smaller alternative networks to 100Mb physical links (DMZ, guest wireless, etc.) to reduce the potential routing load.  Not a hard recommendation, just something to keep in mind, that "faster always" is not always helpful, there are other (if Low-Fi) ways to introduce bandwidth limits.  Especially with things like a Guest Wireless network with a bunch of APs that could easily introduce a lot of bandwidth at times; it takes CPU from your pfSense box to do bandwidth throttling, off-load it to "hardware".  Same with a DMZ network, or if you have a DEV network that's islanded and, well, no offense to DEVs, but y'all do some wacky stuff sometimes and generate a lot of not always legit bandwidth, sorry, you get 100Mb.

    If you don't have any of that, and you're really doing simple routing for 50k people, consider breaking it up into multiple routers.  Even if large amounts of people need to be on the same broadcast network(s), you can still run multiple DHCP servers with overlapping subnets, just serving portions each, then each DHCP scope points to a different router.  You've effectively load balanced your routing without fancy hardware.  With 4 medium machines, each in an active/passive CARP pool, you've got some pretty robust routing for fairly cheap.  Need more, add more and re-organize your DHCP scopes.  You could do this with some fairly cheap 1U [insert OEM or whitebox manufacturer/reseller here] single core servers.  Many OEM servers have at least 2 good Gb NICs, some 4.  Hell, there's 1/2 U servers, or more accurately, 2 servers in 1U that might work well for this.  I would just be sure to separate the CARP pools across chassis so if a whole chassis went down you don't lose both the primary and secondary of a CARP pool.

    Hell, you could put together a proof of concept with a few desktops, if you have 'em handy.  It's very common to find older desktops for very cheap.  Off the top of my head, you could get old Dell GX260's, I see 'em fairly often for $50 or less in local "old-stuff" / PC Recycler shops.  Toss in some Intel 100Pro PCI NICs for the WAN side, the onboard should be an Intel 1000Pro (maybe Broadcom, mine are Intel.)  They probably have at least 1GB of RAM, maybe 2, should be enough for some light proof of concept testing.  Oh, these should have Hyper-Threading P4's, around 2.8GHz.

    For the most part, that's mainly testing failover and load balancing scenarios.  The DHCP servers should be a first respond decision, so, assuming the machines are roughly similar, they should balance themselves decently (if a machine is getting hit hard, odds are, DHCP is going to respond slower anyway, so the idle machine should service the call.)

    If you want more throughput testing, Dell GX280's have PCI-Express x16 slots and SATA, which means if you get the dual or quad port Intel cards now, you'll be able to simply migrate them to your production environment, same with SSDs.  Other popular options are HP DC7600's (P4 or Pentium-D, 4 GB of RAM, PCI-Express x16), HP DC7700's (Pentium-D or C2D, 8GB, PCI-E x16) HP DC7800 (Pentium-D, C2D, Quad, 8GB, PCI-E x16.)  All those are constantly available on eBay for between $70 and $200 shipped (C2Q might be a bit more.)

    Congratulations if you've read this far ;)

  • pfSense on Proventia G400

    It would be helpful if you gave more detail than @PijanyNietoperz:

    pfSense can see all interfaces but it can't set it up

    What are you doing to set it? What is happening? What are you expecting to happen?

  • Apartment wifi help

    There are some WiFi Router/Access Points out there that have an "isolation" setting.  Such as the NetGear WNDR4500.

    Enable Wireless Isolation:
    If checked, the wireless client under this SSID can only access internet and it can’t access other wireless clients even under the same SSID, Ethernet clients or this device. Other clients can’t access the wireless client, either.

    So that sounds like it might be something to look into.

    WNDR4500 also provides dual band 2.4 GHz and 5 GHz for both primary and guest WiFi networks.  And also an AP vs. Router mode setting.

  • Looking for some pointers for designing my home router.

    Yes, mSATA uses the exact same connector as mini PCIe, but it is wired totally different.

    -Some motherboards allow you to change the function in the BIOS of a port, between mSATA and mini PCIe
    -mSATA uses the SATA protocol :)

    I have an mSATA drive in my laptop, they are pretty sweet and really tiny! It's amazing to have 256GB of data in something so small!

  • PfSense 2.01 / HP Proliant 658553-001 Server Comparability

    There's a recent thread about this very thing:

    http://forum.pfsense.org/index.php/topic,50904.0.html

  • Need raid tool for HP smart array

    jimp

    ciss0: <HP Smart Array 6i> port 0x4000-0x40ff mem 0xfddf0000-0xfddf1fff,0xfdd80000-0xfddbffff irq 51 at device 3.0 on pci4
    ciss0: PERFORMANT Transport
    ciss0: got 0 MSI messages]
    ciss0: [ITHREAD]

    Doesn't seem to be a management util for that

    http://www.freebsd.org/cgi/man.cgi?query=ciss&apropos=0&sektion=0&manpath=FreeBSD+9.0-RELEASE&arch=default&format=html

  • Supermicro X7SPA-HF-D525 or D2500CC, would they be up to the task?

    @stephenw10:

    Not a show stopper just something to be aware of. Here's the thread:
    http://forum.pfsense.org/index.php/topic,46489.0.html

    Steve

    Gonna have to buy you a beer :)

    Last post on that thread is a success story and after reading through it, you were right, it is not a show stopper.

    Gonna go for that board, thanks again for your help :)

  • Supported usb wifi

    Thank you Steve, this helps me a lot.

    Best regards

  • Installation on PowerMac G5

    GruensFroeschli

    pfSense is only installable on x86.
    Since the G5 is a PPC….

  • Advice needed on Polywell 2550L2D

    stephenw10

    It should do.
    You will have to run a 2.1 snapshot to support the newer hardware and since that is still pre beta you may experience some bugs. Until very recently there were issues with the graphics driver for the new generation Atom chipset but I believe a patch has now been included. Unless you can find another user running that same exact board there may be unexpected problems.  ;)

    Steve

  • Big build hardware suggestions

    Go with an Intel i5 3rd Generation. 16GB RAM should be well ahead of a good start. Typically 8-12GB RAM should be a decent start. Since you mention 650 users and running Snort on it, I recommend 16GB. The i5 should very easily handle 100Mbps routing. It can handle 1GB routing.

    Don't think about going with Atom or Celeron processor for this kind of setup as there will be a lot of routing between WAN and 650 LAN users and the i5 can handle it smoothly. Internal LAN communications don't take much CPU and are handled by the switch.

    Add a compatible quad port Intel gigabit PCIe NIC (if there is one.. I am not sure) OR just add 2 Intel dual port Gigabit PCIe NICs and you should have a good robust UTM. Do the same for a backup and you should be all set.

    I have a 2U setup - 2.0.1-RELEASE 64-bit, Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz and 8GB RAM. Runs the below services with no issues

    Asterisk Services 1.8.8.1 pkg v 0.1
    HAVP antivirus Network Management 0.91_1 pkg v1.01
    Lightsquid Network Report 1.8.2 pkg v.2.32
    pfBlocker Firewall 1.0.2
    RRD Summary System 1.1
    snort Security 2.9.2.3 pkg v. 2.5.1
    squid Network 2.7.9 pkg v.4.3.1
    squidGuard Network Management 1.3_1 pkg v.1.9.1
