I replied in your other thread that you posted on the topic, and the same question applies here:
You say that a crypto device was detected but don't say which one. Post the line from dmesg to show what it says.

You should be seeing a much greater difference in OpenSSL speed tests if you really had a crypto device available. Look at the difference in the numbers that even an ALIX sees from its built-in accelerator:
http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

understood.

thnx.

… but you also can do full setup without vga port. i have full setup at home on alix

Just for the archives, as this is the first hit on google.

Console redirection can be accomplished by the following steps:

1. Add these two lines to /boot/loader.conf (adjust speed to your liking) console="comconsole,vidconsole" comconsole_speed="115200" 2. Change the console entry in /etc/ttys like this console    "/usr/libexec/getty Pc"        cons25  on  secure

3. Create the file /boot.config with the sole content "-h"

4. Reboot

Have fun,
Carsten.

I recommend Supermicro boards (or barebone servers) simply because they include Intel NIC's on the motherboard.  They are one of the best choices for pfSense.

As to which one depends on your budget and needs.  When comparing against an incumbent appliance though, you'll want to go a little higher on the CPU to match it.  Despite what the BSD zealots will say, FreeBSD is a full multi-purpose operating system and thus is not quite as tuned as an appliance vendor like Cisco, Juniper, Sonicwall etc.

If you want something pre-built with a warranty, this company is known to use Supermicro boards.
http://www.ironsystems.com/products.asp

excellent guys.  thanks for the info.  in the end i was a bit hasty and picked up a CM9 which packs an atheros 5004 (5004G i think to be specific).  we'll see how it comes out.

at the least it should get me one one more access point before i have to add a vlan-aware switch.

the package from netgate showed up last week but is still sitting behind my desk.  i'm hoping to get dug out from some other projects later this week and start tinkering.  i'll post anything i find.

-p

How much bandwidth are you pushing on your rsync transfer?

@valnar:

@jasonlitka:

If you're looking at something that will draw ~25W then you should be looking at a mobile Celeron rather than an Atom.

Such as?

It's my understanding Atom's have a great speed-to-power-to-price ratio.  I have a mobile CPU in my firewall, but the board + CPU was expensive.

Yeah, the Atom itself isn't too bad, though they don't deal with multi-tasking all that well thanks to a relatively long 16-stage pipeline & in-order execution.  The problem is the chipsets used draw two to three times the power of the CPU.  The newer Pinetrail systems are a bit better but they are still not in the same league as an Alix when it comes to power consumption and are nowhere near as fast as a system powered by a modern Celeron-M or a specialty low-power desktop chip like the Athlon 64 2000+ that might draw 3-4W more overall but are twice as fast.  Where they shine is the price.

sweet! defiantly somthing I am gonna look into my self!

Just as an update, the ALIX 2D2 has no problem so far with my 35/35.  I've not done any traffic shaping or IPSec though.  I've been fumbling around with stunnel not working.

What I have thought about is a SSD or WD Velociraptor for Squid caching.  I definitely will only buy Intel NICS, not sure if I need 2 separate or 1 dual NIC.  ATX or miniATX, hardest part to choose, case doesnt matter, will have 4GB of ram, with a core 2 duo atleast

LOL! well hopefully the OP will kinda let us know if the issue has reoccured at all after disabling the WOL…

ok ill try that when I am at the machine next time :) its a Netgear 54 (wireless G) card, I am currently using 1.2.3 but if needed I can switch to 2.0

well I got a inexpensive SSD (DOM) that is a 1 GB that I will put the embedded on and it was picked up for $21.00 USD off ebay (fleabay) so if you need SSD there are options out there but I would strongly suggest the embedded for SSD unless you know for sure that your full install isn't going to do any massive R/W of any kind, which most people are using the full to get more feature rich set up so depending on what they use will determine the configuration in some ways, and since some really would want a quiet system that makes little to no noise (like me) they would be more for the SSD option (SSD being any thing like CF, SSD HDD, DOM, etc) there fore limiting the use of things like squid, snort or any program that will constantly write logs or other info to the disk there by shortening the SSD device's life.

There are some USB NICs supported by FreeBSD including some that supposedly operate at 480Mbps on the USB side.

I ran smoothwall (based on Linux) for a while then switched to pfSense for the much better wireless support. I haven't had any reason to even look at going back.

OK Thanks for the reply. I will take a look at doing some benchmarks.

I did some more research and I guess the kernel can choose to use the Software RNG if the hardware one is busy. Seems logical I guess, but since the software one is not as "random" as the hardware RNG, you would think the developers would opt to wait for the hardware to be available again. I also read that there are some ipsec-tools that can be installed which help determine what's going on under the hood, but I'm not looking to modify my pfsense install at this point. I'm sure 2.0, which is based on FreeBSD 8, will have a newer version of the glxsb driver and all that, so perhaps that will utilize the glxsb more. I do use Rijndael for the IPSec tunnel to my colo. I was just hoping that there was some sort of easy way to verify that IPSec or opencrypto is actually bound to the glxsb device. One other thing that worries me is that since glxsb is loaded as a module, it's actually loaded after the ipsec support for the kernel is. I just hope that it sees that the new hardware is available after it has been initialized.

another interesting tidbit:

[1.2.3-RELEASE] [root@router]/var/log(23): sysctl -a | grep crypto
<118>(cryptodev) BSD cryptodev engine
<118>engine "cryptodev" set.
<118>openssl speed -evp aes-128-cbc -elapsed -engine cryptodev
<118>cryptosoft0: <software crypto="">on motherboard
<118>pci0: <encrypt decrypt,="" entertainment="" crypto="">at device 1.2 (no driver attached)
<118><118>(cryptodev) BSD cryptodev engine
<118><118>engine "cryptodev" set.
<118><118>openssl speed -evp aes-128-cbc -elapsed -engine cryptodev
<118><118>cryptosoft0: <software crypto="">on motherboard
<118><118>pci0: <encrypt decrypt,="" entertainment="" crypto="">at device 1.2 (no driver attached)
<118>kern.cryptodevallowsoft: 0
<118>kern.userasymcrypto: 1
<118>net.inet.ipsec.crypto_support: 50331648
<118>debug.crypto_timing: 0
<118>dev.cryptosoft.0.%desc: software crypto
<118>dev.cryptosoft.0.%driver: cryptosoft
<118>dev.cryptosoft.0.%parent: nexus0
<118>cryptosoft0: <software crypto="">on motherboard
<118>pci0: <encrypt decrypt,="" entertainment="" crypto="">at device 1.2 (no driver attached)vr0: <via 10="" vt6105m="" rhine="" iii="" 100basetx="">0
<118>(cryptodev) BSD cryptodev engine
*kern.cryptodevallowsoft: 0
kern.userasymcrypto: 1
net.inet.ipsec.crypto_support: 50331648
debug.crypto_timing: 0
dev.cryptosoft.0.%desc: software crypto
dev.cryptosoft.0.%driver: cryptosoft
dev.cryptosoft.0.%parent: nexus0

It seems like software crypto is specifically turned off in the sysctl controls. Anyway, just some stuff to tinker with :P</via></encrypt></software></encrypt></software></encrypt></software>

A simple search for 82576 yields fantastic answers.
http://forum.pfsense.org/index.php/topic,22986.0.html
http://forum.pfsense.org/index.php/topic,23550.0.html
http://forum.pfsense.org/index.php/topic,20009.0.html

nevermind, I just got my answer: http://forum.pfsense.org/index.php/topic,21981.msg123595.html#msg123595

Look at this thread and see if there is anything useful in there:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=17112&postdays=0&postorder=asc&start=0