What service are you actually opening on the QNAP device? One thing that will immediately increase security would be to restrict port forwards to an alias of known external source IPs. That may not be practical in your situation, I don't know.

Out SG-3100 would do well in that situation. The SG-5100 would be better of you plan to run packages such as Snort/Suricata or pfBlocker.
https://store.netgate.com/pfSense/systems.aspx

Steve

Hi @ramses-sevilla - I have been using this exact system with pfSense and a symmetric 1Gbit fiber connection since early 2017. Zero problems since then and have been impressed with the performance of the machine. Hope this helps.

It's not an issue, it's normal.

ix is the driver. It is a 10G capable chipset and driver, but depending on the actual implementation, is perfectly happy operating at 1G or other compatible speeds/media types/etc. There are ports on the Netgate SG-5100 which are similar. They are detected as ix but the physical connection is 1G, not 10G. It will link up and run as expected at 1G.

Think of it similar to a 10G capable SFP port with a 1G module in it. Sure, the chip can go faster, but the media connection is only 1G.

No, atom n270 has a 32-bit instruction set.
The current versions of pfsense is 64-bit
https://ark.intel.com/content/www/it/it/ark/products/36331/intel-atom-processor-n270-512k-cache-1-60-ghz-533-mhz-fsb.html

This is a link for hardware distributed by Netgate that is definitely working with pfSense.
https://www.pfsense.org/products/

@sethelyon
I just worked through something similar--the tutorial I was following forgot to add the DNS on the new VLAN interface, which resulted in clients showing no internet. I got clued (after a solid 2 hrs of peaking through settings in unifi and pfsense) in when I typed 1.1.1.1 into my browser to stimulate traffic to sniff and it worked. I felt super smart.
If you can't laugh at yourself...

J

x520 is fine, also uses the ix(4) driver.

The NIC will not be the limitation in getting close to 10Gbps, the CPU usually is. But with that CPU... I've never run pfSense on anything that powerful personally.

Steve

I see. In that case I'll just continue using the adapter as a bridge in Proxmox and assign it to pfSense that way. That has been working just fine for about a year now. Was thinking about doing hardware passthrough because I want to get rid of my old router and let pfSense handle the PPPoE connection to my ISP and wanted to minimize any potential security risks.

Hi @PhiloEpisteme - my pfSense box is actually based on the Sumpemicro 5018D - F8NT 1U barebones system:

https://www.supermicro.com/en/products/system/1U/5018/SYS-5018D-FN8T.php

I believe they also make a stand alone or desktop version of this as well (i.e. with the same CPU). With respect to noise, I would not call this system quiet, and the primary reason for that is of course the small form factor. With a 1U chassis you are limited in terms of the types of fans you can use and to get any decent airflow you'll need several small fans operating at quite high RPM's (which means more noise). While this system doesn't sound like a jet plane taking off, one would definitely notice the noise in an office setting. I haven't measured the power consumption on just this system specifically (only on my entire network stack), but with a CPU TDP of just 35 Watts it will be on the lower side. Consider also that the CPU wont' be running at full speed the whole time (unless the firewall is consistently loaded down), but any expansion cards you add will contribute a few extra watts. If you are looking to build a system with this CPU (or similar) it might be a good idea to just get the motherboard and CPU combo and run the whole setup in a larger (2U or bigger) case, which would allow you to use bigger fans.

Now having said that, given that your use case involves wanting to utilize 10Gbit speeds between subnets, I would recommend looking at a higher frequency CPU than the Xeon D's as @stephenw10 already suggested. The quad core Intel i3-8100 or newer generation i3-9100 would make good choices and are decent bang for the buck IMHO. Couple that with a solid motherboard (that has appropriate expansion slots), a 4 port 1Gbit NIC, and a 2 -4 port 10Gbit NIC and you'll have powerful system that will also handle OpenVPN quite well. The i3's I referenced do have a little higher TDP (65 Watts) but again, unless the firewall is loaded down the entire time, the CPU will scale back the frequency and power consumption will be lower on average.

I hope this helps - please let me know if you have any other questions.

Tanks ... i try to boot from CD and escape to a shell

Tanks

Hi,
I know this is an old topic, but highly relevant to my problem.
Did you manage to fix it?
Here is my topic : Sophos SG330

@High_Voltage ,

I have seen this problem many times with Supermicro motherboards and Intel NIC's.
Remove all the extra cards, and configure one of the onboard NIC to login through the Web GUI.
Navigate to Diagnostics -> Edit File -> Browse to /boot/loader.conf
Add this line in your loader.conf file :

hint.agp.0.disabled=1

Save and shutdown pfSense.
Now add the extra NIC's and they shall be recognized correctly now.

Grtz
DeLorean

Its been on for 24 hours. about 22hours longer than it used to be on. It must be the l2tp Interface making it crash.

edit: its been up for the whole weekend.

Thanks guys.

Marking it as Solved.

Yup, x86 only currently.

Steve

@scoobey I forgot to add that after the install it hangs at the ACPI0: as well. I have manually choose safe mode from the boot menu to get it to boot completely.

Yes, please open a ticket. I would like to look at your config for this.

The crashes are all almost identical which indicates a software issue. And they are on all interfaces including both igb and ix which is very unusual.

For reference:

db:0:kdb.enter.default> show pcpu cpuid = 0 dynamic pcpu = 0x8a2100 curthread = 0xfffff8000704b620: pid 12 "irq296: ix1:q0" curpcb = 0xfffffe011c653a80 fpcurthread = none idlethread = 0xfffff80004958000: tid 100003 "idle: cpu0" curpmap = 0xffffffff82b8bc18 tssp = 0xffffffff82bbca90 commontssp = 0xffffffff82bbca90 rsp0 = 0xfffffe011c653a80 gs32p = 0xffffffff82bc32e8 ldt = 0xffffffff82bc3328 tss = 0xffffffff82bc3318 db:0:kdb.enter.default> bt Tracing pid 12 tid 100099 td 0xfffff8000704b620 pf_test_state_icmp() at pf_test_state_icmp+0x45a/frame 0xfffffe011c653160 pf_test() at pf_test+0x1a3a/frame 0xfffffe011c6533b0 pf_check_in() at pf_check_in+0x1d/frame 0xfffffe011c6533d0 pfil_run_hooks() at pfil_run_hooks+0x90/frame 0xfffffe011c653460 ip_input() at ip_input+0x441/frame 0xfffffe011c6534c0 netisr_dispatch_src() at netisr_dispatch_src+0xa8/frame 0xfffffe011c653510 ether_demux() at ether_demux+0x173/frame 0xfffffe011c653540 ether_nh_input() at ether_nh_input+0x32b/frame 0xfffffe011c6535a0 netisr_dispatch_src() at netisr_dispatch_src+0xa8/frame 0xfffffe011c6535f0 ether_input() at ether_input+0x26/frame 0xfffffe011c653610 vlan_input() at vlan_input+0x215/frame 0xfffffe011c6536c0 ether_demux() at ether_demux+0x15c/frame 0xfffffe011c6536f0 ether_nh_input() at ether_nh_input+0x32b/frame 0xfffffe011c653750 netisr_dispatch_src() at netisr_dispatch_src+0xa8/frame 0xfffffe011c6537a0 ether_input() at ether_input+0x26/frame 0xfffffe011c6537c0 ixgbe_rxeof() at ixgbe_rxeof+0x7fd/frame 0xfffffe011c653880 ixgbe_msix_que() at ixgbe_msix_que+0x96/frame 0xfffffe011c6538e0 intr_event_execute_handlers() at intr_event_execute_handlers+0xe9/frame 0xfffffe011c653920 ithread_loop() at ithread_loop+0xe7/frame 0xfffffe011c653970 fork_exit() at fork_exit+0x83/frame 0xfffffe011c6539b0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe011c6539b0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- db:0:kdb.enter.default> ps

Steve

☺

@stephenw10 @kiokoman we completed the move to a new X550 LAGG with 3 VLAN's. All works well and the no longer have the "macvlan err of death" when performing interface related updates!!

FYI, we spotted a bug related to firewall rules breaking when moving interfaces which might already been known, but if I don't find a post I'll do a separate post so it might help someone in the future

Thanks again

Hass

i would think about it, it's a VERY noisy server and maybe too mutch power consuming if you intend to run only pfsense