Load balancing doesn't require much at all in terms of resources.  Squid, however, is a memory pig.  Plan your HD and memory allotment accordingly.

I'm using three Intel Pro/100M PCI NICs.

Good to know. Guess I only need to buy one 100ft cable then.

Yeah, thanks… I just read a while in the 2.0 part of forum... Ill stay at 1.2.3 cause untill load balancing seams stable, but i will update asap since i want the 64bit adressing space...

Thanks for the quick replies ill be back if i need further assistance... when i need further assistance! x)

awesome piece of software tho... Torrenting in 2mb/s at the old connection with 2-3k states dont even bring 1% cpu usage...

Well, I went ahead and pulled the trigger on it– so far, working like a champ:

@rd:

Hi dreamslacker! Thank you for your reply!

Yes, media will be streamed by a Synology NAS Box (UPnP media server, NFS or CIFS). Actually I mainly bought it to improve data availability (RAID5), but it comes with several features one might want to use, once they're around. :-)

Currently my pfsense has 3 NICs, one is simply attached to a WIFI access point. I can keep it like this to reduce the CPU load of my future pfsense appliance. Will a D510 then be able to put through (from NIC to NIC) around 200 Mbps (if I understood your post right)?

I do not need caching, I only want the feature of forcing to login, as this prevents software from "calling home" and even can reduce the impact of malware that found it's way to my computer. Sorry that I forgot to write that earlier.
Currently my proxy (apache on a about 15 years old desktop) keeps a log file because there are some legal uncertainties in my sweet home country and keeping an access log can help you in case of false accusations. I thought that I would have to give up logging when using squid on pfsense, but having it run from a hard disk can be an even better option.

Thanks again for your help!

The D510 will be capable of 200Mbits/s throughput in total when filtering.
In any case at all, you can simply run the proxy without caching and also running a syslog server for logs if you wish to run embedded on a flash drive.
If you just want to force users to authenticate, then you'd use Captive Portal functions instead.  Both are available for pfsense.

Their website or the manual for it are more likely to be helpful.

Filtering has vastly more overhead than simply routing, a drop along those lines is to be expected and those numbers are close to what I've seen on similar hardware.

I actually have about 12 of the older Rackable Dual-Xeon systems. There were a few revisions of them.

The older versions have four SCSI drives mounted around the inner / upper edge of the machine. These machines (at least the ones I have) do NOT have a top on them. Yes, the top of the machine is exposed.

The newer versions have hot-swappable SCSI trays accessable from the front, those are actually fully enclosed.

Both systems are LOUD. There are no speed controllers on the fans, they just run, constantly. Also the MB is front-mounted, so the only connection on the back is power. Everything else is on the front. The ones I have also have a front-mounted LCD which can be programmed via Serial Port. I'm sure you can load 'current' data on them but I never really got into the programming of it other than putting the system name on it.

The one major complaint is the PSU. It's a non-standard deal that can be a pain to find on eBay. The pinouts and stuff are standard, but there's an extra connector in it that only works with the rackable power control thing in the unit. You may be able to replace the PSU with a non-rackable version and pull out the extraneous power control board / stuff, but I haven't tried.

Other than that, they work. Depending on which version you may or may not have space to actually fit a PCI card in, and you may need to purchase a PCI riser separately to make them fit.

@wallabybob:

One issue that comes to mind (and is probably common with a number of Atom based boards): Is the data path to memory big enough to sustain the required NIC bandwidth? The Intel NICs named have PCI bus interface. Under optimum conditions a standard PCI bus MIGHT be able to SUSTAIN 1Gbps in ONE direction.

Are the Intel NICs on a shared PCI bus? (Probably, because that is cheaper. But you'll probably need to do some more extensive research because its not common to see this level of detail in web pages describing systems.)

I expect this system would be more than adequate for many applications but if you are looking for high sustained bit rates from the NICs it may not be the solution for you.

If you're looking at the Advantech or the MSI 945GSE, then the onboard NICs are PCI-e x1 based.  In which case, you get 250MB/s per direction (for a total of 500MB/s) per NIC since PCI-e is not a parallel type bus like with PCI or PCI-X.

That said, you'll  probably find that the ATOM/ Pineview will saturate before you can push 2Gbps even without any other services like Snort or Squid running.  Interrupts alone will soak up processing power at high throughput.

As it is, I get about 2 ~ 2.4Mbps of throughput per 1% of processor load on both my Atom 330 (D945GCLF2) and Conroe-L 220 (Intel D201GLY2) with both running Intel MT Dual port NICs.  The bulk of the loading comes from interrupts on the NICs.
Low throughput but large connection states/ PPS doesn't cause either processor to flinch though.  I've torrented in excess of 12,000 states and 4k pps but at 4Mbps of throughput on my D201GLY2 and saw only 2% of load - the same load as when I download at 4Mbps via 10 connections on HTTP.

The ports on this card do not get seen as being VLAN compatible by pfSense. I assume the hardware can do it, since this is Intel's latest ethernet chipset for server use. Not sure if the problem is with the driver provided by Intel, with FreeBSD or with pfSense itself.

On another note, I checked http://www.freebsd.org/releases/8.1R/hardware.html and this chipset is still not being supported out of the box.

@common:

Sorry for my ignorance, but would a usb wireless card enable a pfsense box to act as a wireless router?

Ralink has at least a couple of chipsets for USB devices that can act as an Access Point under pfSense but there are some issues:

pfSense 1.2.3 includes the rum driver for devices such as the TP-Link TL-WN321G. Unfortunately the rum driver is broken for hostap mode in pfSense 2.0 BETA at least in snapshot builds to around mid August (the last snapshot build I tested).

pfSense 2.0 BETA snapshot builds include the run driver for a newer generation of Ralink chipsets. Use of this device requires a simple tweak to load the firmware. I've used a Tenda W311U which seems to be satisfactory but another user has had less satisfactory experience with other devices supposedly supported by the run driver. See http://forum.pfsense.org/index.php/topic,27744.0.html for more details.

@wallabybob:

Did you read the comments on the GS105e about the ping behaviour and the management interface. Either issue would be enough to cause me to look further.

yeah apparently it's got some firmware problem. I'll probably go with what jimp is using.

Also look at the possibilites to have more playroom, a random server with ESXi will give you a lot more possibilities with running multiple servers, with x-number of nics and other goodies.

Atleast if you are interested in tinkering with different OS´and services.

They'll both work just fine. As a rule of thumb, I always disable [in BIOS] anything that I don't use [COM/LPT/FDC/whatever else I can find], just so there are as few things that can cause any conceivable issue.

OK thanks guys, I will take a chance with the SAS 6/iR controller and report back when I get it.

Thank you for that.

For comparison against similar pfSense boxes near the same speed category, look at this:
http://www.hacom.net/kb/ipsec-performance-pfsense-firewall-appliance

Also found a high Load Cycle Count, new laptop drive that went straight into pfsense, a few days on 2.0 but mostly 1.2.3:

smartctl version 5.38 [i386-portbld-freebsd7.2] Copyright (C) 2002-8 Bruce Allen Home page is http://smartmontools.sourceforge.net/ === START OF READ SMART DATA SECTION === SMART Attributes Data Structure revision number: 16 Vendor Specific SMART Attributes with Thresholds: ID# ATTRIBUTE_NAME          FLAG    VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE ...   9 Power_On_Hours          0x0032  100  100  000    Old_age  Always      -      314 ... 193 Load_Cycle_Count        0x0032  195  195  000    Old_age  Always      -      15102 ...

I've disabled APM so hopefully Load Cycle Count won't increase at the previous rate.