Excellent! I will try to get one of this HP's or with Intel chipset, thanks for your help. Robert

I wouldn't load the spectre patches on a dedicated pfSense box. You neuter your CPU performance for very, very minimal risk. As @stephenw10 if virtualization isn't involved Spectre really isn't much of a threat, especially for something as minimal and tight as pfSense.

It's always been a good idea to let a firewall be a firewall, and use other boxes/resources to do IPS/IDS, content filtering, etc. UTM's and pfSense started to reverse that for the convenience factor of having everything in one box, but with gigabit speeds becoming commonplace people once again are running into performance problems. So split the load. Luckily pfSense is an appliance so it's easy to set up additional pfSense instances. I've started to split the load - doing a bare metal pfSense install that just does routing, NAT, firewall and QoS if I need it. For everything else (VPN, pfBlocker NG, DNS, DHCP etc.) I spin up a second instance of pfSense in a VM. It's a bit more work, but I suspect it's the only way you are going to be able to get max throughput on your Internet link, and also be able to do the other stuff you want to.

If you clear that and reboot do you see it again? If not it was probably just temporary during the upgrade when those php libs are updated. Steve

The CF card slot does not support DMA so if you are using a CF card that is UDMA capable (almost all of them) you need to disable it: https://www.netgate.com/docs/pfsense/hardware/boot-troubleshooting.html#pfsense-2-2-and-later Steve

Did you try all three ports? It's not necessarily the first one that provides modem access. Steve

No problem. Thanks for reporting the issue. The memstick should boot both UEFI and legacy, we are looking into it now. Steve

@obloned No problem, glad to hear it worked!

SATA lead is binned now. What got my head in a spin with this was it would install PF to the drive but really slowly (In hindsight it took that long i should have twigged on at that point something was wrong). Once installed it just wouldn't boot from the new install. This box makes for a really good PF bar the None AES-NI CPU. However the VPNs still max out my 80/20 connection happily. Thanks for all your input on this one.

Nothing too exciting to see there. Very unlikely you could ever get pfSense running on there. It's not x86 and probably doesn't have enough RAM to operate usefully anyway. If you want to experiment with it I'd look at openwrt/LEDE as a suitable target OS. Steve

@areynot Well I sure hope so, 'cuz otherwise they've been lying to us of all these benefits of solid state drives. Now whether 30 seconds is that important to you... but pfsense doesn't need a big SSD, am running on a 16G that cost me usd$10, was no brainer, now if you are running on a VM... ur decision.

We have a similar (probably the same) problem - plagueing us for a while now. We use IKEv2 EAP-Radius with aes256-gcm on an SG-8860 on a 1gb fiber uplink. When one of our users (he is on 100mbit fiber) tries e.g. speedtest.net while on the VPN, the pfsense box reliably crashes after a few seconds of upload (download works fine). When I try this at home on a 100mbit/40mbit DSL link, I can create all the traffic I'd like and can't get the box to crash. I now switched algorithms to AES-256 with SHA512 (still with AES-NI, I didn't disable that) and it seems the crashes have either gone away or we weren't yet able to reproduce them today. Kind regards, Lukas

On the Silicom site, yes. See: https://forum.netgate.com/topic/72769/silcom-peg4i-82571eb-based Do you not see the PEG part number on a label? But as I said they list only a driver for the bypass relays not NICs and those should always be connected. What does the output of pciconf -lv at the command line show? Steve

@thenarc Thanks! I will give iperf a shot and see how it affects Load numbers and check throughput. The "Load Average" numbers from "System Information" are typically lower than the following: Load average 0.36, 0.34, 0.28 The VM has 3gigs of ram but am receiving two 8 gig sticks for the QNAP today so I will probably bump it up to 4 gigs. Thanks again for the responses.

@stephenw10 said in High CPU usage on interrupt processing: Hmm, is the firewall actually idle? No traffic at all? Yeah, firewall is idle. The server is located in a small subnet and no one is currently connected to it. There’s some occasional broadcast traffic (e.g. DHCP requests) form other devices/servers on the network, but I doubt it can cause any trouble. I think you’re right about RAID. I moved /tmp and /var to RAM but still there’s a lot of interrupts on mfi0 device, yet gstat shows no disk IO except some rare writes. I’ll try remotely tinker with RAID-related settings in BIOS, maybe I find something I missed. Thank you for suggestions!

Ok some further reading later.... The MC7750 is a CDMA only card and it appears DIP does not support CDMA hence the MC7750 cannot work in DIP mode. I vaguely remember knowing that at one time previously but I seemed to have forgotten. It appears you may be out if luck here. There is no support for QMI mode in FreeBSD/pfSense. I suggest looking at a different card. Steve

You are adding 24 10GbE ports to the firewall in order to save power? As opposed to running a 24 port 10GbE switch? If so then definitely forget that and use a switch! You would only do that if you need 24 separate subnets or filtering between all of them. What sort of VPN speed do you need here? You won't fill 20G of WAN with VPN traffic with any hardware. Steve