@vorgusa:

The main advantage is the 4 gigabit NICs.  Most boxes I have seen elsewhere have been more expensive or just have 1 NIC.  You will need more then that for a router.  I have a Lanner Box that has 2 NICs but it runs pretty hot and cost more.  Not sure we would need more then a 1Ghz CPU and 1 GB of RAM for a Pfsense box.  I like the thought of it being minimal with no Graphics

Agreed.  I would rather have this over a standard desktop Atom board…..for pfSense.

Can anyone in pfSense-land talk to PC Engines and see if they are coming out with an equivalent?

We've achieved this goal using 2 Cisco routers:

PLDT             BayanTel
   |                     |
CiscoR1           CiscoR2
   |                     |
SW1- - - - - - - SW2
   |                     |
 LAN1               LAN2

LAN1:
192.168.1.0/24

LAN2:
192.168.2.0/24

They now can ping each other and play LAN games, with one billing server. Now where can I put the pfSense in that setup?

@stephenw10:

Hi All,
Just thought I'd report that pfSense works great with BT's Infinity service here in the UK for anyone considering it. It's what they are calling FTTC for non UK readers.
BT say in their support faq
@BT:

Can I use my old Hub or any other router with BT Infinity?

No, you have to use the specially designed BT Infinity Hub to connect to the new service.

However that's not true. The VDSL2 modem they supply will accept a PPPoE connection from any router (or any machine). BT use your line for authentication so you don't need a password, however pfSense requires one so just enter anything. Username: bthomehub@btbroadband.com for residential connections.

Steve

Verizon FiOS customers who were early adopters had to use PPPoE for FTTH.  They did the same thing, any username or password worked (no VDSL2 needed though).  Thankfully though, they ditched PPPoE in favor of DHCP on all new deployments, and old customers can be switched at their request, or forcibly if they need the ONT replaced.

I did try that and I posted in another thread that I saw considerable (at least what I think) throughput loss compared to pfSense installed on bare metal (I was able to install pfSense on the R410 without any of the PCIe NICs installed).  I saw approximately a 50 mbits/sec loss using ESXi.  For completeness here is my testing methology:

Using iperf ("iperf -s" on 1 laptop and "iperf -c x.x.x.x -t 30" on the other laptop) with a crossover cable between 2 vostro laptops yields an average of 172 mbits/s.  I did the same test thru the following firewall distros:  Here are those results:

Laptop -> Laptop via Crossover cable

172 Mbits/sec

pfSense on bare metal

Intel -> Broadcom = 140 mbit/sec

pfSense on ESXi using e1000 (with or without vm tools installed)

Intel -> Broadcom = 85 mbit/sec

Astaro

Intel -> Intel = 165 Mbits/sec
Intel -> Broadcom = 147 Mbits/sec
Broadcom -> Intel = 132 Mbits/sec
Broadcom -> Broadcom = 140 Mbits/sec

Vyatta

Intel -> Broadcom = 114 Mbits/sec

Untangle

Intel -> Intel = 165 Mbits/sec
Intel -> Broadcom = 160 Mbits/sec
Broadcom -> Intel = 200 Mbits/sec
Broadcom -> Broadcom = 200 Mbits/sec

Note: the NICs in use also made a difference.  When I did the pfSense test, I only tested going from Intel -> Broadcom.

This is my pfSense firewall project.

Supermicro P4SCi, P4 3.00GHZ (2threads) 2GB memory, 2x 120GB PATA WD1200JB-00GVC0.
ON BOARD;

em0, WAN 1:
em3, LAN 2:

EXTRA WITH PCI-X SLOT (DUAL NIC)

em2, WAN 3:
em1, LAN 4:

LAGG0 (Failover) em0 + em2 (WAN)
LAGG1 (LACP) em3 + em1 (LAN)

I had to modify the config.xml file to get my laggs set-up for the redundant ports :-) there was no way around to do this with a 'standard' install, now I only need to figure out how I can bind the 2 WANS to combine both speeds to one…

But this is a server config and so loud I had to take of the FAN and just put a silent FAN on it to be able to test with it... :-))

IMG_2942.jpg
IMG_2942.jpg_thumb

@GruensFroeschli:

So you're worried about the performance of the CF disk?
You do know that once it's booted it doesn't access the CF anymore? (except for config changes)
Everything runs out of RAM.

Not sure about the concerns of the original poster.  I found this post while looking for a way to add on an IDE disk on my ALIX board.  (Which has sufficient performance at this time.  However, I may look into a beefier box to allow me to do snort and squid.  Using squid on this box slows things way down…  --not a limitation or complaint with regards to pfSense)

Yea, i've been thinking about looking at intel NICs since the integrated ones are Intel and work fine.

EDIT: I went back to that 3COM OFFICECONNECT 10/100 LAN PC CARD 3CCSH572BT with the dongle, 1day 22hrs uptime, 16.2GB and only 3 errors so far on the NIC. The thinkpad is running great, so I think I'll just stick to this.

@bradenmcg:

@jasonlitka:

One thing I've found with my pfSense boxes when used with my Dell 62xx switches is that if I don't forcibly set the duplex mode on the switch to full I almost always get a mismatch.  Try forcing your Cisco to full.

If your pfSense is forced to full, and the switch is at auto, you will get a duplex mismatch by design.  Read the 802.3ab standard, or check Wikipedia.  :)
Full + full = ok
auto + full = the auto side will show half
half + half = ok
half + full = wrong (duh :))

Really, in today's modern ethernet chipsets and switching hardware, use auto everything, unless you have a very good reason not to.  I hate that some ISPs still insist on handing off ethernet at a "hard" setting, which means you then need to remember to configure your equipment to match…  :(

That's not what I said.  In fact, the second case you mentioned is what I need to do to fix the issue.  When both sides are set to Auto, I get the switch at Full and pfSense at Half.  When I force the switch to Full and leave pfSense alone it correctly negotiates to Full.

@markne:

I was wondering if this will be powerful enough for a FIOS up to 50Mbps along with Snort, Squid, and all that good packages. Would there be any performance problems?

I also read that SSD's are could die quick with pfsense?

Any help would be appreciated.

On the SSD, no.  If you manage your Squid settings well and make sure you clean up the SSD before installing (use Parted Magic to Zero write using the drive internal algorithms).  I doubt the SSD has had any form of garbage collection run on it since it was purchased.

This drive (SSDnow S100) has an unimpressive 4K random I/O performance.  You would want to beef up on ram and allocate a larger RAM cache for squid for smaller files.

Configure larger files, say 32KB and larger to cache on the SSD instead.  This allows you the reap the benefits of the SSD's better performance with large files whilst keeping small files in memory where no flash SSD can match up.

I wouldn't have thought of that, thanks. Hope i can dig up an old PCI VGA somewhere.

Hi All,
this is my first post here. I jut got a fitpc2i with the included 8G SSD and loaded 2.0rc1 embedded version on  it. The install went very well. The only difficulty is that the SSD cannot be easily removed so getting it loaded was interesting. I wound up creating a puppy linux version on a USB stick, booting off that, going online and getting the embedded file and copying that to the SSD. Having done searching here I knew I was going to need to use the serial port for the initial setup, that went very well, it took about 1 minute and I was up and running over the web interface. I had everything setup in about 2 minutes after that.

This has been the quickest, easiest install I have ever done! Hats off to the development team, I was really impressed.

So far everything is working great, I'm typing this message with my laptop hooked up to the LAN port so it does work! I haven't had time to do any stress testing yet, but so far the results are encouraging. Its handing out DHCP leases about 20 times faster that my previous router which is really greatly appreciated.

Oh and BTW the reboot issue seems to have been fixed. I've had no problem whatsoever rebooting from several different programs. I'm not sure if this is a firmware or hardware upgrade.

Next week my Cisco switch comes in at which point I'm going to get heavily intoVLANs etc. If today is any indication I'm going to have everything up and doing exactly what I want in a much shorter time than I had allocated.

So far I'm very pleased with the combination.

John S.

I'm not saying it's a bad idea just that you need to know what would happen.
It's not an uncommon situation so I'm sure there are many solutions to this already.
You just need to have some setting that will switch bandwidthd logs to /dev/null in case of a disk error.

Steve

@fableman:

NIC's on motherboard can share resources,if you looking for raw performance and want to be sure I would go external cards. 100Mbit not a problem but around 500+ Mbit it's another thing.

That is for PCI or PCI-X(tended) NICs.  The PCI-E(xpress) NICs do not share a common bus bandwidth like with the former 2 types and they can reach their maximum speeds each up to the limits of the platform or the capabilities of the host and client.

Yes I tried but is not working.

I'm going to buy a NIC with chipset 82571 and try it.

@Tremelune:

Hm, I see the Alix 2D13 as having VIA VT6105M 10/100 NICs…

Yes, and they are very reliable and compatible with BSD.

Please provide the output of the pfSense shell command:```

cmb,

The limitation is probably in the endpoints (Vostro 1520 laptops).  Using the same iperf test ("iperf -s" on 1 laptop and "iperf -c x.x.x.x -t 30" on the other laptop) with a crossover cable between the 2 laptops only yields an average of 172 mbits/s.  I did the same test thru the following firewall distros:  vyatta core, astaro essentials, & Untangle.  Here are those results:

Laptop -> Laptop via Crossover cable

172 Mbits/sec

Astaro

Intel -> Intel = 165 Mbits/sec
Intel -> Broadcom = 147 Mbits/sec
Broadcom -> Intel = 132 Mbits/sec
Broadcom -> Broadcom = 140 Mbits/sec

Vyatta

Intel -> Broadcom = 114 Mbits/sec

Untangle

Intel -> Intel = 165 Mbits/sec
Intel -> Broadcom = 160 Mbits/sec
Broadcom -> Intel = 200 Mbits/sec
Broadcom -> Broadcom = 200 Mbits/sec

Note: the NICs in use also made a difference.  When I did the pfSense test, I was going from Intel -> Broadcom.

@netphreak
You are right, but building up a pfsense in a VM on a normal desktop PC with Core 2 Duo will give you a hint how fast it could be on you new hardware ;-)

As far as I know the pfsense firewall isn't able to use multicore BUT if you run other services like squid or OpenVPN then these services will use the other free cores/threads.

-edit-

Take a look at this thread perhaps:
http://forum.pfsense.org/index.php/topic,35669.0.html

Luder…

You could always setup a test box and see how it goes... even perhaps on lesser hardware to get your feet wet...
I am in agreement with Tommyboy about the network setup posted also. If you have a good basic design with a quality switch and Intel cards you should be able to do this easily.
Reading some of the threads here and seeing people who are scaling PFS in larger environments your setup here should be no issue.

H.