The driver had been ported into 11-stable in July 2017.(https://lists.freebsd.org/pipermail/freebsd-stable/2017-July/087387.html) And this driver had been in the FreeBSD quarterly report.(https://www.freebsd.org/news/status/report-2017-04-2017-06.html#Intel-10G-Driver-Update) Even FreeBSD 11.1 release didn't have it, I think 11.2 release will got it.(https://www.freebsd.org/releases/11.2R/schedule.html) The pfSense team needs to build a kernel from FreeBSD 11-stable. I think Netgate may be using customized Atom C3000 boards which may have switching chip than the standard version of Supermicro bardbone.

Thank you.

@curtisgrice: Based on the feedback from johnkeates. An Alternative build CASE: https://www.newegg.com/Product/Product.aspx?Item=N82E16811139022 MOBO: Some Supermicro Motherboard CPU: Intel E5-26xx Processor (6 core / 8 core) RAM: 64GB DDR4 Memory NIC: I have Dual / Quad Intel NICs SSDs: 100GB / 200GB HDD: 3TB for Logs, which will be uploaded to my Google Drive. If you're Running this as a VM under ESXi (or any hypervisor) a single HDD of any kind will make you sad. even for a handful of lab VMs I would recommend a RAID10. If you have => 5.5 vCenter then you can use the SSD as read cache (configured per VMDK in vCenter) otherwise you would be stuck using for swap (total waste) or as a small datastore is which case I would spend less on the HDD and more on the SSD and get the biggest one you can. As for running running your home gateway/router as a VM, don't. Especially if your using vlans. Its just a pain in the arse. You get stuck changing you PC IP and switch port all the time to fix little things like needing to reboot your host. For your home gateway/router, just spend the $$ and build or buy a separate router. Also if you don't mind getting your hands dirty in CentOS and need the best possible speed you could take a look at the new tnsr platform. but that's a whole nother animal. ;D Edit: added closing quote tag. I have ESXi 6.5+, being friends with VMWare employees has its perks. I've thought about tossing it into a VM, but that's more complicated. I'm going to install it baremetal.

Thanks gents!

@curtisgrice: Doing a bit more reading and I found the following article that seems to suggest that the PHY resides on the HBA/NIC. This means that all the extra electronics are there to support the physical media itself be it UTP (RJ45) or some form of fiber. The module (aside from perhaps doing some line filtering where applicable for the media (cat5/6) and perhaps rudimentary link detection) does nothing to the data stream itself, no extra encoding. Therefore using SFP(+) as a DAC patch cable MAY work as its just serial data out and serial data in. 10GbE SFP+ PHYs: Requirements and leading solutions That is correct, it should not mess with the data stream. It does have a tendency to require some capabilities on the HBA side, and sometimes there can be a challenge-response.

That ^ is the best way. Will give you full LTE bandwidth and removes all the hardware issues. Steve

@johnkeates: @stephenw10: The SG-1000 would probably not cut it at 150Mbps. And definitely not if you need to run Snort and Squid. Steve Oops, didn't see the IDS/IPS part. Gonna need i5 power or better for that, 8GB RAM and perhaps a small SSD as well. I run the older SG-2440 with Snort, ntop and 200 MBPS down. Its cutting it close but if you moved to the SG-4860 you would have room for growth. All for less than 20w! Infact, I installed on for a site with about the same specs, less users but more bandwidth consumption (lots of BIG PDFs 20MB+ being emailed in and out). We also did offsite backup replication over VPN granted that was limited to 40mbps by the remote site.. We never had issues with performance.

The drives attached to a PERC controller don't need to be assigned to an array in order to be available to the OS. But yes it's simple enough to set up a mirrored array. It has a little speed penalty but since HDD speed is not important for pfSense that doesn't matter. I was actually thinking of using one of the older PERC 6i controllers I have. They can only do up to SATA-II but as stated previously in this thread the should be plenty fast enough. It will still work alright just setup two RAID0 vdevs and be sure to set them to write through and no read ahead. Its not ideal but your not running a file server with 20+ drives constantly being abused. I'm not sure if pfSense includes the mfip driver at boot but that will still provide some smart data. Speaking of ZFS. When installing pfSense would that by my preferred file system over UFS? I don't know enough about it to make an informed decision on what to use. From what I have read ZFS seems to be more robust and easier to recover from errors? Not sure if I have that right. ZFS all the way. There are so many reasons to use ZFS over the old UFS setup.

@johnkeates: I wish you had some more consumer-friendly stuff compared to that asian minisys/qotom stuff. The SG-3100 is simply a bad deal for most home users. It's not a bad device, but for the price point and reduced reliability requirements (in both device, operation and supply chain) for home users, it doesn't get you a lot of bang for the buck :-( If only you could use one of the ODM/OEM suppliers for non-commercial-grade boxes, you'd get a lot of more sales and I could just point pretty much 100% of questions to the netgate store. Also, general numbers on what to expect (IPSec speeds, OpenVPN speeds, Wan-Lan NAT speeds of IPv4 traffic, maybe a table with some variations in packet size and amounts) would help a lot of newbies. Problem is, those ODM/OEM suppliers always sell their devices with pfSense pre-installed, directly hurting the project. DIY will always be cheaper, so I don't get the "bad deal" comment. If one wants a supported and complete solution, built for pfSense then SG-3100 is the way to go. We will have a lot cheaper options early summer.

Hey XRay If your Internet connection from CenturyLink is being provided over DSL, you won't be able to get the rid of the Actiontec altogether. You will likely wind up doing what I do and putting your Actiontec in bridge mode and doing the PPPoE authentication using PFsense. My setup setup uses a Zyxel C1100Z modem/router/AP combo which I have turned into just a modem. I let PFsense do the authentication, routing, NAT and firewalling and have a Ubiquiti APC Lite for wireless duty. If you're actually getting fiber to the home, then you should be able to dump it completely. Carlos Edit: I just re-read what you wrote and it does look like you're getting full fledged fiber to the home. Please disregard the above. One thing to keep in mind though is that PPPoE throughput on PFsense can run into issues at high speed. You might not be able to use the full gigabit on downloads without a high clock speed CPU.

Thank You!

If it is just for playing around you would be fine, but it is highly unlikely that you have a board with a 3.3v pci slot. PCI are keyed for 3.3v and 5v cards, and that card seems to be pci 3.3v only. The intel pro mt dual is a safer bet. Just make sure you have enough clearance to accommodate a longer card. What board are you using? Another option is to use a smart switch with vlans.

I think I'll try just replacing the drive first.

Yup, still not supported AFAIK. Feel free to reverse engineer it and write a driver though.  ;) Steve

If your hardware might be the issue, you need to test it. Memtest, CPU burn in, etc. If you have hardware issues, there's nothing the software can do.

@SammyWoo: How much do they want for these gigabit services?  a couple usd$hundred/month? can't believe they won't even provide a customer-requested plain fiber modem. They won't because setting up the infrastructure, support, manuals, service endpoints isn't worth the cost. This is how it's always been, and why we still have shitty DOCSIS, DSL and G.PON. And providers that MITM modify traffic legally (well, that's mostly in the USA and BRIC).

@ivor: Let's try again :) @jahonix: I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then. And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways. What did you mean by this? He is aiming for: netgate is making new software, some of it might require new hardware.

Yeah I would still expect you to see Gigabit easily but it's a much better test to use other devices for the iperf client and server. Just as an example I can see line rate Gigabit (~940Mbps) with pfSense as one end of the iperf test, as you're doing, on an old E4500. That's using em NICs. Steve

It's almost certainly an MTU issue. The additional overhead PPPoE introduces limits the packet size. This was clients running pfSense as an IKEv2 endpoint over a PPPoE connection vs other clients running the same setup on cable say? And other traffic was OK, just IPSec failing? All traffic over IPSec? Pings still passing at small packet size for example? Steve