@rle said in Intel X710 Issues: I also had to replace the file completely in boot/kernel otherwise it would not load the newly compiled driver. You could have also added: if_ixl_name="/boot/modules/if_ixl.ko" To make it load the new module. Steve

@stephenw10 said in APU --> SG-1100, Faster at IPSec; Slower at Everything Else: Both the MBT and the APU are capable of running the current pfSense CE version, 2.6. I found my null modem adapter, so I now have one of my APU units up and running 2.6. I need to run over to my 3rd site and swap it into place of the other APU, and then upgrade that one to 2.6, and then all of my devices will be at the latest release. Thanks!

To close this out, I bought the Zyxel switch and an Intel SFP+ NIC for pfSense and connected them with a DAC cable and it works exactly as expected. I haven't upgraded my AT&T service yet but I gained about 300Mbps on the upstream in a speedtest (?!) just from not being limited by the port speed. It's 10Gbps from pfSense to the switch and 5Gbps from the switch to the AT&T CPE. I'll call that a win even if I don't go for a package above 1Gbps. I'm getting 940Mbps down and ~1250Mbps up now. Even 2.5Gbps to the AT&T CPE would yield the benefit. Obviously YMMV but it's worth a look if you have AT&T fiber.

With that DAC cable there is no option to set a fixed speed in the Chelsio NIC. It can only be autoselect. That is quite common and in those situations it will often only link at 10G. Using fibre modules instead of DAC will probably allow it if you can test that. Steve

Thanks for the information and yes i agree that the man page might need an update.

The default Realtek NIC support is no worse in 2.6 than in 2.4.5. If it was working fine for you in 2.4.5 I wouldn't expect problems in 2.6. The only thing that changed is that the alternative driver was removed from our repo making it slightly more difficult to install. However if you weren't using it then there's no significant difference. Steve

@AW-pfsense The different hardware will allow be to test the capabilities and allow some limited estimations of performance for my use cases when the hardware is compared.. Ok This is more than just a perforce comparison. If either the s/w or hardware is not capable its not for me. Ok I understand I have tested with Ubuntu to confirm of the network and h/w i'm using is capable of the speed. Ubuntu is doing normally the following, if configurated! SPI = netfilter in Linux NAT = Network address translation It is fast and not really comparable to an firewall, it is what a pure router is doing! Please don´t forget this. pfSense has also NAT, but it a later part of the packet filter (pf) where the names (pfSense) comes from. And the packet filter is doing more, it is working over any packet firewall rules based action, so it needs more time and power. The hardware should be a little bit stronger! That's the only reason for that. Given the hardware I'm using is more powerful than the 6100, if it cant cope this is not generally good for lower powered h/w In some cases we use here the following setup, matching nearly any needs and/or without any problems running no, some or featured UTM (pfSense), you can really trust on. Intel Xeon E3-12xxv3/4/5/6 with 8 / 16 / 32 GB You can add all adapters you need ~500 € - 1000 € Supermicro Intel Atom C3000 8 / 12 / 16 Core Power saving and fast enough, with M.2 and WiFi slot ~1000 € - 2000 € Supermicro Intel Xeon D-2100 series With, M.2 SSD, WiFi and modem + SIM slot Supermicro Intel Xeon D-2700 series With, M.2 SSD, WiFi and modem + SIM slot ~1500 € - 3000 € It is not cheap, but if you need the power you may not looking in the cheaper corner and if this must run 24/7 you may not willing in Intel Core iCPU series. But the most think is that you may fiddle out one or two days that all is matching to your hardware and this comes normally on top of all! What is some ones hour price? What is one or two days price on top of all, and now the prices from the Netgate appliances are not anymore so high as many state here in the forum often. You may be not missing something you want to install! Squid & SuiqdGuard, ClamAV, Snort, pfBlocker-NG, tinc, stunnel, acme, lightsquid and vpn packets runningfast! I'm just trying to solve some technical issues i am coming across as I test the capabilities. Then I would really suggest to go with an installation of pfSense either 2.6 or 2.7 to get a better feeling to this given power of the hardware.

Yes. As long as it's supported by the hypervisor.

FreeBSD has no MBIM support. Nor does it support other proprietary interface types like QMI. So you can only use the PPP interface which is limiting and the modem must be configured to present an AT port which most rebranded ones are not. (they can usually be reconfigured to do so though) I usually see 30-40Mbps. I've seen others report >60Mbps. You won't see the claimed 150Mbps or 300Mbps. Steve

I just revied my 6100 a couple days ago and using info here was able to get the interfaces/ports assigned the way I wanted. Just made up a table for myself in MS word so I have a quick reference on the box. [image: 1664730057810-2e22130d-f9f2-40c5-807b-3eb091562a47-image.png] [image: 1664729488001-20221002_091620-resized.jpg]

Hello, long time ago, there was a SDK from IBM under OpenSource license free for public usage, so you or all others may be interested in, could be write there own applications to use the TPM modules as they need and want it. If you may be getting your hands on a TPM module that comes "not" sorted with a key or certificate inside, or plain a piece that let you write on (in) your own "stuff" it might be you reach your goal.

@sledge replied .)

@davecullen86 Hey guys, many thanks for your response. The more I look into this, the more I see so many others with the same issue. I have some, a couple of PC ENgines APU boards, and I run MikroTik RouterOS, OpenWRT, pfSense on them, all Linux comes more to 1 GBit/s with lower powered hardware, it is a little bit more near to the hardware due to better driver support and here and there not so "hardware hungry", but a router and a firewall that can be turned into a real UTM device is als not the same! As I see it personally, you could try out as @stephenw10 was suggesting to tune your pfSense a little here and there. With DanOS you might be getting nearly two streams with full GBit/s on the same hardware (PC Engines APUx), owed to DPDK capable LAN ports such Intel i210 / i211. As you say the issue is implicit to the PPPoE single core > factor and the clock speed of an individual core of my small appliance. Like me, but I was high up the cpu frequency to another level and play now around with some other tuneable`s, to get here and there more out of my hardware pointed to the entire throughput. But I also know that my appliance is better cooled then other and will never goes higher then 65 C° - 70 C°!!!! The CPU is normally capable of 1400 MHz and runs even only at 600 MHz - 1000 MHz and now it is running from 1000 MHz till 1400 MHz, but if something goes wrong, I don´t complain and be angry! I have a solution! With another identical appliance, I have installed OpenWRT x86 and I am not getting close > to 900Mbps throughput. And with DanOS you may be bidirectional getting fully 1 GBit/s out! But not a fully UTM in your Network!!!!!!!! Firewall Captive Portal with voucher system (voucher over sms) FreeRadius with certificates and encryption Snort or Suricata for IDS/IPS pfBlocker-NG for less spam and other unwanted things Squid & SquidGiuard as a caching proxy in fron of LAN ClamAV scanning the entire network flow for viruses (perhaps at one day WiFi a/b/g/n/ax) Now, THIS IS good enough for me :-). So I suggest is a good potential solution for others who are happy to offload the PPPoE function to another inline appliance. I run a AVM FB 7590ax in front of the pfSense and behind I am running the pfSense firewall! No PPPoE anymore, but double NAT situation! But all CPU cores in usage! AVM is offering some interesting APPs (VPN, telephone,..) Really nice to connect from outside (internet) and being secure on the LAN side! Now I just need to work out if I can pass through the WAN IP somehow to my PFSense :-) 1 LAN Port as "exposed host" to the WAN interface of the pfSense firewall ("Experienced") Double NAT Situation Router: network (net) 192.168.178.0/24 (255.255.255.0) Router IP 192.168.178.1/24 (255.255.255.0) Static IP Address to the pfSense a.e. 192.168.178.10/24 DHCP off: all IPs will be static given to the clients pfSense: WAN IP 192.168.178.50/24 (255.255.255.0) static IP LAN Net: 172.xx.xx.0/24 (255.255.255.0) LAN IP 172.xx.xx.1/24 (255.255.255.0) static IP DHCP: on/off (Like you need it and want it) Thanks for your help again - I really appreciate the pointers that ultimately led me to get a working solution. Not that problem, you are one from xyz sitting in the same boat. I would also have a look on another appliance if I`ll getting more then 50 MBit/s Internet speed!!! P.S. Please don´t forget in the WAN setup to disable the following point! [image: 1663859395891-wan-settings.jpg]

@stephenw10 Thank you for your time and your team for the product. Fantastic.

It is supported by the mlx4 driver. I tested one a while back and found it to be a little odd in my particular hardware. Others are using it successfully. If you need 10G I would be looking for an Intel x500 series NIC. Steve

Important parts of that are: The backtrace: db:0:kdb.enter.default> bt Tracing pid 41110 tid 100731 td 0xfffff8039f557740 kdb_enter() at kdb_enter+0x37/frame 0xfffffe00a7eb7eb0 vpanic() at vpanic+0x197/frame 0xfffffe00a7eb7f00 panic() at panic+0x43/frame 0xfffffe00a7eb7f60 propagate_priority() at propagate_priority+0x282/frame 0xfffffe00a7eb7f90 turnstile_wait() at turnstile_wait+0x30c/frame 0xfffffe00a7eb7fe0 __mtx_lock_sleep() at __mtx_lock_sleep+0x199/frame 0xfffffe00a7eb8070 qlnx_ioctl() at qlnx_ioctl+0x528/frame 0xfffffe00a7eb80d0 ifhwioctl() at ifhwioctl+0x596/frame 0xfffffe00a7eb8150 ifioctl() at ifioctl+0x4bc/frame 0xfffffe00a7eb8210 kern_ioctl() at kern_ioctl+0x2b7/frame 0xfffffe00a7eb8270 sys_ioctl() at sys_ioctl+0x101/frame 0xfffffe00a7eb8340 amd64_syscall() at amd64_syscall+0x387/frame 0xfffffe00a7eb8470 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00a7eb8470 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x800b54d4a, rsp = 0x7fffffffd198, rbp = 0x7fffffffd210 --- The panic strings: Sleeping thread (tid 100919, pid 62482) owns a non-sleepable lock KDB: stack backtrace of thread 100919: sched_switch() at sched_switch+0x630/frame 0xfffffe00c741ddf0 mi_switch() at mi_switch+0xd4/frame 0xfffffe00c741de20 sleepq_timedwait() at sleepq_timedwait+0x2f/frame 0xfffffe00c741de60 _sleep() at _sleep+0x1c8/frame 0xfffffe00c741dee0 pause_sbt() at pause_sbt+0xf1/frame 0xfffffe00c741df10 qlnx_stop() at qlnx_stop+0x4b5/frame 0xfffffe00c741dfa0 qlnx_init_locked() at qlnx_init_locked+0x2a/frame 0xfffffe00c741e070 qlnx_ioctl() at qlnx_ioctl+0x53a/frame 0xfffffe00c741e0d0 ifhwioctl() at ifhwioctl+0x596/frame 0xfffffe00c741e150 ifioctl() at ifioctl+0x4bc/frame 0xfffffe00c741e210 kern_ioctl() at kern_ioctl+0x2b7/frame 0xfffffe00c741e270 sys_ioctl() at sys_ioctl+0x101/frame 0xfffffe00c741e340 amd64_syscall() at amd64_syscall+0x387/frame 0xfffffe00c741e470 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00c741e470 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x800b54d4a, rsp = 0x7fffffffd198, rbp = 0x7fffffffd210 --- panic: sleeping thread cpuid = 3 time = 1663318115 KDB: enter: panic There is a bug report open for this: https://redmine.pfsense.org/issues/13028 And it looks like you've opened a bug upstream: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266480 Steve

@keyser A bit late but answered for the records too. APU6B4 might be the best choice together with the SG-6100.

Ok now after reboot the message with the Intel licenses are not any more to see at the boot prompt. Thank you all.

Well.... that could be fun!

The public 2.7 snapshots were built on FreeBSD 12 but will be rebased soon. We are testing internally to find and fix all the show stopping issues before making them public again. Steve