• Possible new build, advice needed

    Locked, 0 Votes, 10 Posts, 2k Views

    Just an update, I ordered this kit yesterday, went for the isk 300-65 in the end so it's silent and should serve my needs for power. I'm sure once the kit arrives I will be needing lots more help!

  • Boot from USB, and use hdd for cache/temp files?

    Locked, 0 Votes, 14 Posts, 5k Views

    @stephenw10:

    Robi's two year experience was, I think, running a standard install from a flash drive which is not recommended, at all!

    That actually was not a pfSense installation. It was an Optware package system added to a DD-WRT router, extending the capabilities of an Asus WL-500GP router with standard DD-WRT firmware to lots of clever things (including Asterisk).

    Dropped that setup mainly because it wasn't able to handle the increasing WAN bandwidth available (Asus WL-500GPv1 has a 266 MIPS CPU with 32MB of RAM and 8MB of NAND Flash).

    Now I'm planning to re-use these Asus routers with DD-WRT-based Linux firmware as OpenVPN clients to pfSense, on smaller remote sites. For this I won't need any USB sticks at all, OpenVPN binary is already compiled in the fw, and there's about 500kB of free space in the NAND which can be mounted as JFFS partition to hold custom configs. Disabling logging and it will run just fine for a couple of years…

  • Successful Install on Citrix NetScaler 7000

    Locked, 0 Votes, 3 Posts, 5k Views
    stephenw10

    8 Intel Gigabit NICs, $30.  :o
    Nice!

    Steve

  • High CPU (Atom) and low network throughput (Intel Quad Port NIC)

    Locked, 0 Votes, 8 Posts, 7k Views

    Sadly I ended up going the MikroTik way.  I frankly spent far too long messing with the kernel etc. attempting to get additional performance.  All those efforts failed :(

  • MOVED: A NAS server with physical damage

    Locked, 0 Votes, 1 Post, 839 Views
    No one has replied
  • ALIX 2D2 stopped booting. Help please!

    Locked, 0 Votes, 5 Posts, 2k Views

    Did you replace this with another alix board? I'm having a similar issue with mine. It doesn't want to auto negotiate to the cable modem. Well, it tries, but the link goes down after about 10 seconds. It tries again, and the link again goes down. I can get it to connect by forcing the interface to 100mbps half or full duplex in pfsense.

    What's weird is that it auto negotiates on boot, and works just fine. However, if you unplug the cable while pfsense is running, then it'll never auto negotiate again until the next reboot.

  • Pfsense with esxi?

    Locked, 0 Votes, 19 Posts, 9k Views

    Monitoring your gateway is fine. If it's something that is generally very steady over long periods of time, like as shown in the quality graph, and only changes when you change things local to your end, then it is probably safe to pinpoint that back to local changes you've made. I didn't realize you were referring to the quality graph over long periods of time, sounded like you pinged things on occasion and were accounting a 1-2 ms change as something you did - even for your gateway you'll commonly see more than 1-2 ms variance from one time of day to another depending on many different factors, but that won't necessarily always be the case. Checking a ping time on occasion is much different than comparing repeated ping history like the RRD graph shows. So you probably do have that kind of difference from going to ESX in that case. Why I don't know, there isn't that much difference generally. Pinging from the physical server this site runs on, through a firewall in ESX, out of ESX up to the datacenter's router, adds 0.2-0.3 ms vs. pinging the LAN IP of the firewall (and has response time in the neighborhood of 0.5 ms, close to what LAN to LAN pings commonly are), and that's nothing more than adding the ~0.2-0.3 ms response time from the firewall's WAN to that router. That's more or less the same as a fully physical network would see, so it's not typical of ESX.

  • 0 Votes, 2 Posts, 1k Views

    read:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=45&Itemid=48
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49
    http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43

    That answers everything except whatever you're referring to by "MAC vulnerability", you'll have to explain that one. In general, anything bad you can do at layer 2 is impossible for any router or firewall to prevent, must be done on the switches or APs for wireless.

  • Current Hardware config, what can it support?

    Locked, 0 Votes, 8 Posts, 2k Views

    hmm that's true cmb

    considering the box was a rare find @ the auctions, i can't complain

    might look for 2 intel gigabit pci-e cards, the board supports them

  • Instagate 604 help

    Locked, 0 Votes, 2 Posts, 2k Views

    I figured it out, I found in another FreeBSD forum (lost the link) that I need to add:

    hint.acpi.0.disabled=1
    hw.ata.ata_dma=0

    to the /boot/loader.conf.

    Once again, I am a noob, but I would imagine this would be because I cannot modify the bios settings for acpi etc.

    Now it boots perfectly!

  • ARM support

    Locked, 0 Votes, 9 Posts, 23k Views

    Certainly I would give this test if I had the test hardware, which I don't.

    If someone wants to donate an IX… for testing it certainly would help.

  • Dell PE1850 or ???

    Locked, 0 Votes, 4 Posts, 2k Views
    stephenw10

    If you want to use a firebox use either the X-Peak, which has all Intel NICs, or the X-e box, Marvell Gigabit NICs. Both are far more powerful than the X700, both are way less powerful than a PE1850.
    There are plenty of people using the X700 (or equivalent models) without issue but the Realtek NICs in them are flaky:
    @rl(4):

    The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
    probably the worst PCI ethernet controller ever made, with the possible
    exception of the FEAST chip made by SMC.

    ::)

    Steve

  • Sangoma S518

    Locked, 0 Votes, 8 Posts, 3k Views

    Ok, you've put my dreams to manage the entire connection in one device to sleep.

    Thx Jimp.  :D

    @jimp:

    I've seen way too much DSL equipment fried by power surges/lightning strikes, even when it's been properly grounded, to ever put a DSL or Cable modem directly in any piece of equipment I care about. (Worked with a DSL ISP for years)

    DSL CPEs are a dime a dozen. There are really no good reasons to put a DSL card in a pfSense box that are not offset by the disadvantages.

    Replacing a DSL CPE may cost you $20 or so. Replacing an entire box because the card fried the entire system can be a couple hundred.

  • Does Pfsense Support Intel 82580 NIC?

    Locked, 0 Votes, 5 Posts, 3k Views
    stephenw10

    Snapshots are here:
    http://snapshots.pfsense.org/     (currently seems to be down for me  :-)
    In fact though the Intel NIC drivers in 2.0.1 are backported from newer versions of FreeBSD for this exact reason. There's a good chance it would be supported in 2.0.1. (Edit: Looks like it isn't)

    Steve

  • WARNING: NEWB QUESTION

    Locked, 0 Votes, 8 Posts, 2k Views
    stephenw10

    Yes, that's what I would do.

    To minimise hardware and hence power consumption it may be possible to do something clever. If you are running OpenWRT/DD-WRT on the wrt54 (if not why not!) you can probably have a VAP running to support your guest wifi. Then you could route each wifi AP via VLANs in the wrt54 and send all the traffic via a vlan trunk to the pfSense box. One cable, two devices. Probably a nightmare to get right!  ;)

    Steve

  • Hardware for new PFSense box question

    Locked, 0 Votes, 4 Posts, 3k Views
    stephenw10

    You'll get 50-60Mbps VPN throughput but that will max out the CPU. Thus you can have, say, 25Mbps of VPN and 250Mbps of other throughput.

    With that many clients you will need to use some form of bandwidth limiting to ensure everyone gets something.

    You should at least consider a Core i3 based machine. They are often around the same price and with similar power consumption but far higher computational ability.
    See: http://forum.pfsense.org/index.php/topic,45452.0.html

    Steve

  • Latitude D800 success!

    Locked, 0 Votes, 2 Posts, 2k Views

    @sacman:

    Hi, everybody.  This is my first post.  I thought I'd give you a short story of how I got pfSense installed and working on an old laptop.

    I had a 7-year old D800 (Dell laptop) that was sitting on the shelf, gathering dust.  It was perfectly functional, but too old for any serious work.  I wanted to try and install pfSense on it.  When I made that decision, my router/firewall was a WRT-54G running DD-WRT.  The main reason for replacing it was so I could turn it into a dedicated wireless access point, and more importantly, get it out of my home server closet and put it in a better location.

    Obviously, the laptop had only one Ethernet port, which was an issue.  So I stuck in a Linksys PCM100 PC-card 10/100 Ethernet card to provide a second RJ-45 jack.  PfSense installed on the laptop…seemingly without a hitch.  It detected both the internal and the PC Card devices.  But, curiously, the Linksys device seemed to be power cycling.  I was using it as my WAN port.  In the pfSense interface, I could see it cycle from "down" to "up" to "up and with an IP address" to "down" again.  And there was no functional connectivity - I couldn't get to the Internet.

    Thinking that I had a defective PC card, I swapped in another Ethernet PC card (SMC8040TX).  This, too, was detected by pfSense.  This, too, was exhibiting the up/down, up/down behavior that I was getting with the Linksys.

    Putting on my basic troubleshooting cap, I was leaning toward a bad PC Card slot in the laptop.  I'm a Windows guy, not a BSD guy, so before I started digging through BSD PC Card documentation, I wanted to try something I knew.  So I installed Windows XP on the laptop to test whether the PC Card slot was any good.  And it was.  Once I had the correct drivers installed, both PC Card Ethernet devices worked immediately and perfectly.

    Shoot.  Not a bad PC Card slot - it's some issue with the pfSense software.  I did a little Googling to see if there was an obvious answer, but came up empty.  As a last resort, I reinstalled pfSense and tried a Linksys USB300M USB Ethernet adapter.  Lo, pfSense detected it and connected!  Thank goodness.

    So now I have this ancient D800 laptop running pfSense, with the LAN port assigned to the internal Ethernet (gigabit) and the WAN port assigned to the USB dongle (10/100).  As much as I prefer not to use USB for networking, I have to say it's working perfectly.  In addition, Internet speeds are actually BETTER than with the WRT-54G.  And now I'm well on my way toward setting up a vLAN, although it may be a better option to simply get another USB dongle and run my wireless access points on a totally separate subnet.  Any advice is welcome (I have no managed switches though).

    Anyway, the main purpose behind this post was to let anybody else considering repurposing an old laptop that it CAN be done fairly easily, provided you have the correct hardware.  In other words, had I been able to find a post such as this, it would have saved me a chunk of time.

    -sacman

    Thanks for the heads up. I am looking to do the same. How is your new rig working out for you?

  • PfSense + HP Proliant + Cisco gateway = interferences?

    Locked, 0 Votes, 2 Posts, 2k Views

    Just for update, because it's RESOLVED!!!
    This is very strange, however..

    For ANY Cisco router/device at first line, please disable "SPI Firewall protection", especially "Block IP Flood Detection", on the WAN of this device, since it's interfering with pfSense somehow and causing delays/disconnections.

    For me, it happened 2 times on 2 different Cisco routers (not only with HP server).


  • Intel D2500HN compatibility

    Locked, 0 Votes, 2 Posts, 2k Views

    @Ianes:

    I'm thinking of buying this atom board, but i'd really like to make sure the integrated ethernet is supported in pfSense. Anyone using this board by any chance?

    I'm using D2500cc with pfsense. The advantage is two ethernet ports. So you can have physical WAN and LAN port without need to use VLAN. Unfortunately I do not know if it is exactly the same ethernet chip on both boards. But the graphic chip makes trouble with the 64 bit version of pfsense. So you should have the same issues with the D2500HN I assume.

  • Vpn hardware - silicom PXS2510 any experience ?

    Locked, 0 Votes, 3 Posts, 2k Views
    stephenw10

    This is still noted on the man page:

    The AES capability of the BCM5823 is not yet supported; it is awaiting public disclosure of programming information from Broadcom.

    Not sure if that applies to the 5825 also but it could. Not really a problem though unless you can't use 3DES for some reason.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.