I've got an Atom 330 box (running Ubuntu) and given that you've got a pair of 1.6 GHz cores, plus hyperthreading, you'll be hard pushed to stress it on pfSense, even if you run Snort ;)

The built in NICs should be fine - it's only been Realtek low end (non Gbit) NICs that have been terrible.  Intel chipsets are generally a better choice though.

My Atom 330 box is using the built in Gbit Realtek chip and, other than a bug in the Linux driver that comes with my version of Ubuntu, the box has been solid as a rock.

Throughput and routing doesn't really even come close to taxing most of the newer systems these days unless you have really crappy NICs that flood the chip with interrupts.  You'd need the processing power & memory for things like encryption and snort.  Memory also required for Squid depending on the settings.

Well in our situation we have 5 public IP's. 4 are usable by us. So the ISP router has 1, my pfsense has 1 and I use the others for email, etc.

You don't need to do anything to the ISP's router just let the pf box do the NATing. Most of the time a T1 comes with 5 public IP's (4 for you to use). Some fake T1's don't have a csu, and route T1 speeds over ethernet I think Speakeasy does that. In that case your method would work too.

The T1 should cost about $400/month or so.

If you forgo the T1, then you could do it your way and ixnay the ISP's device. A bit like what I do for my Fios/cable/dsl clients. Skip the cheap router, and just stick the pfSense box there.

yes, old board was 8 or 9 years old and worked for quite awhile before I started having these issues.

Thanks, I'll see how it goes, but so far I've had much better results with that.

@Anathematician:

Yes, the VB8001.

Ok…  Cool!  Next item on my buy list then.

I'm using a 945GCLF2 at work and it works fine with pfSense 1.2.3RC2.
Do update the BIOS or you might have issues with ACPI and some SATA drives.
It runs just fine even without a BIOS update except with the following quirks:

The bootloader won't see a SATA drive on occasion and needs multiple reboots to get it to load once.

One of the 4 cores (2 physical + 2 HT) will be permanently loaded by ACPI processes.

In short, it works well but you should update the BIOS.

For my machine, I have a 3M/768K line and average CPU load is <1%.
No packages are running and I'm just using it as a simple router with massive state table, nearly unlimited port forwarding and Traffic Shaping.

A pfSense rig should suit your needs quite nicely.  They're quite similar to mine when I made the switch to pfSense.
I used to torrent to the tune of 25,000 connections per machine at home and nothing from Dlink/ Linksys with or without 3rd party firmware would survive for more than 5 minutes.
At work, I have 30+ computers in a cybercafe and some of the games open up quite a fair number of connections as well.  Easily 500+ active connections per machine.  So far, so good.  The traffic shaper does it's job well and a lot better than with some of the Linux router distros I've tried.

I looked at the BW graph as well as the transfer speed according to Windows (12.5MB/s ish) which confirms the 100mb/s.  I will time a file later but I suspect it will also confirm the 100mb/s.

FreeBSD may not have support for that chipset, unfortunately.

The real check is here, though:
http://doc.pfsense.org/index.php/What_Hardware_Monitoring_Is_Supported

If it showed up, something on your network added it. That's a subject for a new thread, however.

Enable the OPT1 interface, then bridge that to LAN.

You'll need a firewall rule to specifically allow DHCP, and one to allow traffic out from that subnet.

@rikrobson:

1, the new card is to big for the WG interface. will burn the old embedded system onto the card as the old one is working fine on a 128MB card.
2, The WG Bios doesn't like the dual boot thingy - not sure what to do if this is the case as there is not going to be a suitable bios update for the WB

Either of those are possible. It may have the same problem that the WRAPs have, where they require "nopacket" mode on the image for it to boot properly. Do you have another FreeBSD or pfSense system around?

If so, plug that card into a reader hooked to that system and see what device it is (probably da0) then run this:

boot0cfg -o nopacket /dev/da0

Then replace the card in the watchguard box and try it again.

Even when the WRAP is booted that way, it can only boot the first slice, so upgrades won't work properly. It's something to try though.

again tyvm for all your help.

I had time to play with it tonight and found out that it will only auto negotiate when both ports are being used. If I only used fxp0 then I needed to use a crossover cable, but if I used fxp0 and fxp1 then I can use a regular patch cable with no problems.

@Supermule:

If you want high throughput, do NOT use flash cards…. Use HD install.

CPU, I think, will suffer the most DoS attack.

SATA is the preferred disk, if you do not have SCSI available or SCSI is not an option at all.

Routing, NAT, firewalling, and shaping don't touch the disk at all.  In fact, you could boot pfSense from the LiveCD and not see a difference past boot time.

DoS attacks come in many flavors.  Some of them will be CPU intensive (single host causing an expensive calculation repeatedlt) and some will be memory intensive (lots of hosts all doing a single request will cause the state tables to grow wildly).  If in doubt, buy the best CPU/RAM config you can afford and hope for the best.  FWIW, I do high-bandwidth, few connection traffic with a 1GHz Celeron M and 1GB of RAM just fine.

@Skidoo32:

Thats an expensive board too :(

$ 310.00 AUD

Considering the Intel D945GSEJT
http://www.mini-box.com.au/purchase/browse-detail.asp?menuId=45&start=1&laCode=ENGAU&productId=189

Oh…  I was under the impression that the Avalue price was in US Dollars...    :D
I suppose the D945GSEJT-M350 kit would do great too.

The FreeBSD man pages can be accessed through http://www.freebsd.org/cgi/man.cgi

The ALTQ man page lists a number of interfaces which are "ALTQ capable".
Among them udav is a USB wired NIC, rum and ural are USB wireless NICs. The relevant man pages usually give more details of brands and models.

I'm currently using unembedded 1.2.3-rc1 on the original 128MB CF card. I've got an 8GB CF coming and plan to put a nanobsd installation on. The 128 will then go into a 6 port X700. I'll then try some carp :)

its just with 4 spare ports going spare. having an inbuilt switch would be cool. ::)