I was just wondering if PFsense benefits from using quad channel memory. Not alone from that and at second not only based on the channels! But, if your CPU is able to push an amount of network load and your memory system (RAM) gets saturated you will be able to limited by that let us call it slower RAM modules. So if your RAM will be fu**ing fast and your are installing more then one of the common available packets for pfSense is makes also sense to have much RAM inside of your pfSense box. As an example we talk about an installation likes, pfSense, Squid, SquidGuard, SARG, Snort, pfBlockerNG & DNSBL + TLD ClamAV and perhaps a/dpinger on top, this might be good to be right sorted with enough RAM. Because if you then will (perhaps); high up the mbuf size shorten down the network queues high up the Squid (default) RAM limit setting up in pfBlockerNG many lists for many IP addresses and so on and so on, so you might be happy with much RAM too. Fast enough it should be for the most things because all will be running through the memory system and this should be not saturated at all. My hardware: Super A1SRi-2758F 8 core atom processor intel x540t2 nic currently single channel 8gb ram. I was gonna upgrade to quad channel 32gb ram 120gb samsung ssd If you will install pfBlockerNG & DNSBL + TLD it might be a good choice but if not the amount of RAM is perhaps to high, and 16 GB will be then more then enough, also if you increase the amount of the mbuf size. the router is connected to the ubiquiti us16xg 10gb switch To the DMZ and or to the LAN side this might be a fine think. I saw on another forum post that 10gb uses more ram as buffer between nic and cpu. It is pending on the used NICs and the used driver for that cards, I have seen and read about that some users where shorten down the amount of mbuf size to 65000 (broadcom cards (NICs)) and for Intel cards nearly 1000000 was the best option there fore but also together with shorten down the amount of network queues too! 2 GB normal usage 4 GB normal, snort and Squid 8 GB normal, snort, Squid, VPN and high up the mbuf size 16 GB normal, snort, Squid, VPN and high up the mbuf size plus pfBlockerNG 32 GB normal, snort, Squid, VPN and high up the mbuf size plus pfBlockerNG & DNSBL + TLD (intensive)

Is there other way to run PF sense on SBC boards? You can run pfSense nearly on each x86-64 hardware, it is a software firewall for x86_64 hardware. running on raspbbery pi, banana pi, etc? There are two ARM images but they are only running on the both pfSense (netgate) boxes called SG-1000 and SG-3100!

I would like to know if someone as ever installed a Pfsens on a ADSL modem router ? pfSense is a x86_64 Software firewall and so you may need to take x86_64 hardware for or as the underlying hardware! There are also two ARM images from pfSense developers team, but only matching the SG-1000 and SG-3100!!! All the HW I found to install Pfsens are only Router. ??? The hardware must be x86 64Bit if you want to go with the actual version 2.3.4-p1 or the newer version 2.4! I would like only one "box" for the 2 function (ADSL and Router) Then it would be nice to set up a "box" with an internal PCIe ADSL/VDSL modem likes the DrayTek VigorNIC 132 / 132F PCIe card. The netgate are very nice indeed but it is not what I called cheep ;-) Ok, that might be but there is also not a internal modem inside, you were talking about! There for you will need a external modem likes the DrayTek Vigor 130. With a ALIX 2D2 + a Wifi card I could have a Wifi Router Jep this is right but not a modem internal router you were talking about! If you are interested to get all in one box you might be walking the line together with the Vigor 132/132F PCIe card if this is now not any more so urgent to get box inside of the box, you may go with an external modem likes the most users and be free to take any other box you want.

Thanks, was wondering about running on a UBNT Edge router, that answers my question. It in the fact MIPS BE oder MIPS64 and not ARM!

@FranciscoFranco: Well primarily because I am booting off the SD Card. They have low cycle counts so I baby them with pfSense NanoBSD builds. The Phison cards from PCengines are a good deal for 6 bucks. I bought a handful for some of my troublesome Arm boards like BananaPi which like good SD cards. They seem durable. Using the nanoBSD version seems logical as you are booting from media with limited write cycles (USB stick, CF card, etc.).

As a standard rule: pfSense stores everything in an easy to transport XML file and reconfigures all services to the settings in that file at startup. It is practically always easier to reinstall pfSense in the desired fashion and simply re-apply that XML file (either from the installer or from Backup/Restore in the WebUI) than trying to customise what's already there.

Ah, good news.  :) The log message from Strongswan is normal. When the SA is rekeyed the old value is destroyed and if the other side sends further packets using it you see that logged. You would normally see the new SA negotiation complete also logged there and should not see any loss of traffic. Steve

It says on their page the controllers for those ports are supposed to be marvell?

Yeah I'm a big ESXi person but I'm with shutterBC on this one. I like to keep core network separate for just this reason.

Xeon D is now my first choice in router hardware recommendations. I think it even beats i3 processors when compared in terms of having multiple hosts in VM. Instead of going with the older Xeons, it’s best to invest in newer technology which supports pretty much all pfsense requirments and added functionalities.

@ghkrauss: Has anyone used the following Intel network card successfully with Pfsense 2.4.0 RC Intel PRO/1000 VT Quad Port Server Many thanks for any input. From the hardware compatibilty specifications it should work. Yes it works fine.

Made an account to say thanks!

The MBT-4220 board from Netgate is $195.58. The MBT-4220 system is $350. Please have a look for the brand new SG-3100! Its able to get for ~$350 from the netgate store or plain for ~430 € from voleatech europe and also similar likes the minnowturbot board if we talk about a pfSense installation this might be perhaps a better deal, or am I wrong with that. Why would the same case, the same 32GB SSD and (likely the same rating) PSU command double the premium between the dual and quad core systems? It can be different but then the next customer is asking another question! I agree, $77 is a good deal - but the same can't be said for $155. I saw or found the following parts: MinnowBoard Turbot Dual Ethernet Dual Core Board - ADI Engineering - MBT-2220 Board - Price: $171.39 This is the Dual Core CPU board only option MinnowBoard Turbot Dual Ethernet Dual Core System - MBT-2220-0000 system - Price: $249.00 This is the bundled option with psu and case and 32 GB SSD Difference is here $77,61 and there fore you get the psu, 32 GB SSD and a case, nothing wrong with it as I see it right. MinnowBoard Turbot Dual Ethernet Quad Core Board - ADI Engineering  - MBT-4220 Board - Price: $195.58 This is the Quad Core CPU board only option MinnowBoard Turbot Dual Ethernet Quad Core System - MBT-4220-0000 system - Price: $350.00 This is the bundled option with psu and case and 32 GB SSD Difference is now $155 but the same psu 32 GB SSD and case. please let us both now thinking about that they (netgate or the pfsense development team) will be or must be get something on top of all devices such the both named here by you. And let us now think about the both very small differences based on the dual core cpu vs the quad core cpu and you are willing to buy now a dual core cpu bundled system and you have to pay the same amount on top of your unit likes the dual core cpu unit, what you are thinking is then written by the customers??? Why I have to pay on top of this smaller unit the same "fee" or contribution as the guy who is buying the greater unit, this is not fair! And so they where splitting it to a less fee for the smaller unit and a greater fee for the greater unit, nothing more. For sure this can be also based on other or different points, like the smaller units will be not so hard on sale and the bigger ones a running to fast out of stock and they (netgate) will be pushing that in another direction by taking more or less fee. So we will never really able to get an answer why or why not this will be like it is and for sure this can be also based on many other points and arguments. If there must be in former days something like $99 on top of all devices, it makes sense for me that they (netgate) perhaps now have split this fee. One port dual core + $55 Dual port dual core +$77 Dual port quad core + $155 Makes then all in all or total $287 and so they walk to us and it is total $23 fee they (netgate) where taking! Or do you not consider and you may prefer to pay $99 on each device from them? What makes it worse is I'm in the UK so I have to consider import tax too (not Netgate's fault, but I have to consider it for the total price). This might be also not being less or lower buying it at a partner such voleatech, they take more units for less money and save perhaps here and there something at the tax, but need to sale this units to get on top their income too.

Too bad it's crazy expensive compared to Qotom $759 at Walmart! Supermicro SYS-E300-8D ~670 € Supermicro SYS-E200-8D ~820 €

A bit late but perhaps it helps out @belgarath. I have an issue where PFsense on the smae hardware gets about 2-4 GB/s out of those interfaces but FreeBSD is getting 9.5 GB/salso load on the FreeBSD side is lower. Linux and FreeBSD is not doing any NAT job and passing pf rules on top of this so it must be faster. And the second thing is that you will be able to play around with some and/or more settings to get different numbers of this tests. But the main and most urgent thing is here to test with NetIO or iPerf 3 through pfSense, either from LAN port to LAN port or between the WAN and LAN ports and not on the machine itself. By the way I really think that pfSense is not only FreeBSD plus some new GUI running like an ordinary program , it is more then that, too many changes and other things will be turn it into its own group or level. It seems that cpu is exhausted while doing the work with PFsense, as the cpu seemed to be an issue I tried disable firewall processing on those interfaces but the results would improve by decimal parts so it does not look like it is the firewall issue. If you are using PPPoE you will be CPU core single threaded and if not CPU multi core  usage will be the result! For sure with a pfSense version that is using all core + HT you might be able to get once more again totally other results and numbers. Only this can be different! I tired different versions of pfsense and the results are more or less consistent, I'm getting anywhere between 1.8 and 3.5 Gbps As normal it will be something around 2 GBit/s and 4 GBit/s as real throughput between two 10 GBit/s connections based on the used protocols and/or used programs or offered services, but if you would see more between the test together with iPerf you could try out to produce more streams something like 8 or 10 streams could be doing the job. General: HT enabling or disabling in the BIOS PowerD (hi adaptive, adaptive or maximum) Fast and enough RAM Tunings: Now this section can as above tried out as a single change or all together or only some combined changing´s. mbuf size to 65.000 or to 1.000.000 Together with a broadcom NIC the 65000 was one times matching well and together with Intel NICs the 1000000 was fine changing the entire amount of network queues from 2 to 4 (less or more try it out) each cpu core (also the HT) is opening for each lan port one or more queues, driver pending! You can now try out to limit or high up this numbers, that it will be matching at best to your hardware and delivering the best results to you.

I found the link to that test - https://forum.pfsense.org/index.php?topic=127793.0 63Mbps while running OpenVPN @ AES-256 (this is pointless, run it at AES-128) + Suricata with a solid ruleset, + Pfbng + DNSBL. This part sounds perfect for you.

Details in this thread steve. https://forum.pfsense.org/index.php?topic=126637.0 Basically when PPS got higher than around 2000 I was seeing random dropped packets which even traffic shaping could not resolve. Also before the firmware flash I had discovered that toggling AIM had no affect on generated interrupts which I think whilst not the sole cause of the problem did make it worse.

I'd look at along the lines of a E3-1275v6 (for value) or D-1531 (or hold out for the newer D-1533N for future capability) for this application before looking at anything in the new medal color lineup.